
Back To The Basics: How awareness and basic cyber safeguards can protect your business

Companies across the U.S. continue to fall victim to cyber attacks that can be prevented by awareness and basic safeguards.  In this ValorrInsight, we dive into common attack methods and some simple actions you can take today to protect your tomorrow.

Author: Jeff White, Chief Security Officer, CMMC-RP

Picture this… Sarah, your corporate controller, receives a text message three days before Christmas from Jean, her CEO.  In this message, Jean mentions that due to time constraints in her meeting schedule, she is unable to get gift cards for her family.  As a result, Jean kindly asks that Sarah purchase three (3) three-hundred-dollar gift cards and provide the gift card codes upon completion.

Sarah, a last-minute shopper herself, understands hectic work schedules and last-minute gift giving.  In the spirit of helping her boss out, Sarah purchases the gift cards with her corporate credit card.  Sarah immediately texts her boss the gift card codes; however, she receives no response back from Jean.  Two days later, Jean calls Sarah asking about a $900 transaction on her corporate card.  Bewildered, Sarah mentions that she was just doing what Jean had asked her.  Upon further investigation, it turned out that Sarah had been scammed by someone impersonating her boss.  Sound familiar?

How about Tim, a tech-savvy and successful entrepreneur with a knack for spotting fraud from a mile away?  Upon finishing a long day’s work, Tim receives an odd email from his bank.  The email reads “We have recently noticed suspicious banking activity, which requires your transaction verification.”  In this email, Tim was told to click on the included link to validate the transactions.  The sender looked legitimate in every regard; the email came from the bank’s fraud department, included a link to the bank’s webpage and even included the last four digits of Tim’s checking account.

In a rush to leave the office, Tim attempted to resolve the bank matter; he clicked the link but was unable to log in to the website, receiving the message “404, the website you are trying is unavailable at this time”…  Pushing this immediate concern aside, Tim let the weekend pass by before taking any follow-up action with his bank.  Monday morning, Tim was distraught when he was told by the bank’s Fraud and Investigation team that he had incurred $9,000 in unauthorized charges.  How could this happen, Tim thought, I’m a tech-savvy expert with an eye for detecting these things?

Think that these same scenarios can’t happen to you?  Don’t be too sure. 

Cybercrime: Exposing The Human Element

While the above stories are fictitious, they serve to represent the clear and present danger to you, your business, and your company assets.  Let’s look at how the threat actors featured above leverage the ‘human element’ for financial gain.

In the first scenario, the criminal used a position of power coupled with a sense of urgency to get Sarah to perform the requested actions.  Naturally, an employee would listen to their CEO for direction, primarily due to their position of leadership.  Knowing that her boss’s task was important and time sensitive, Sarah trusted that purchasing the gift cards, as instructed, was the right thing to do.  Intertwined in this example is also an element of relatability.  As many of us can relate, meetings run long and, well, sometimes there just aren’t enough hours in a day to complete the little ‘To-Do’s’.  Sarah too understood that the holiday rush leaves little time to check off those last-minute items.

As in our first scenario, threat actor #2 used trust and immediacy to elicit the intended actions.  After briefly inspecting the email for what he knew as elements of fraud, Tim knew he needed to act quickly to stop any additional fraudulent activity on his bank account.  If anyone were to notify him of suspicious banking activity, it would have been the bank’s internal fraud team.  After all, the email came from an internal company email address, or so he thought.

In incorporating these lessons learned, it’s important to remind ourselves that no matter one’s education, level of success, or even tech savviness, we can all fall prey to cybercrime.

Reducing Cyber Risk At The Ground Floor: Simple Steps To Protect You and Your Business.

It is with this in mind that we stress the importance of returning to the ‘Basics of cybersecurity’: those seemingly meaningless safeguards that can make the difference between having a curtain of security around your business and being a victim of cybercrime.  Below we highlight some simple steps you can immediately implement to reduce your likelihood of cyber exposure:

  • Verify then trust:
    • Individuals should consistently operate with a ‘Verify then Trust’ mindset when connected to the internet. Whether you are checking email or reading an article, you should perform effective due diligence in researching what’s in front of you before trusting its accuracy.  For example, if you receive a message and it seems suspicious, take a second to pick up the phone and call the sender to verify.  A second wasted on a follow-up call could prevent hours or days of future headaches for you and your business.
  • If it’s too good to be true, it probably is!
    • Most of us have seen the show ‘Who Wants to Be a Millionaire’. After all, who wouldn’t want free money, right?  Emails promising that you will be the next heir to a fortune, better known as get-rich-quick schemes, almost never pan out.  As such, if someone promises you something too good to be true, trust your gut… it probably is.  In keeping with this theme, never provide any sensitive information about you, your finances, or your business dealings over unsecured email, especially to someone you don’t know.
  • Password Security
    • Long passwords are hard to create and even easier to forget; we get it! As a result, we recommend using a trusted ‘password vault or password manager’.  While we remain vendor agnostic, some product considerations may include LastPass and 1Password.  These tools allow you to create, store and protect sensitive information, including passwords, and safeguard this information through one long password.  As always, keep the following in mind for any passwords:
      • Use at least 8 characters, though 12 are recommended: the longer the better. Cyber criminals hate guessing games.
      • Never write your passwords down. While your office manager may be trustworthy, we don’t truly know who everyone inside their office is.
      • Enforce Multi Factor Authentication (or MFA) whenever possible. From bank accounts to email logins, this safeguard provides layered protection, if indeed your password is compromised.  With MFA enabled, criminals now need to know both your password and your multi factor ‘token’ or ‘number’ (this rotates typically once every 30 seconds).
  • Avoiding unsecured wireless networks
    • When connecting to a ‘Wi-Fi’ network, ensure that a password is required to connect. Typically displayed with a lock symbol, secured networks reduce the likelihood that unauthorized individuals can gain valuable information regarding your online activity.  Security on these types of networks applies a certain level of masking or ‘encryption’ to your internet browsing.
  • Utilize a VPN when performing sensitive transactions
    • Under no circumstance should any individual conduct any sensitive transactions, such as online banking, through use of only a public network. To perform such online activities, users should instead utilize a VPN service, such as NordVPN or PIA, while on any public network (to include secured networks).  VPNs allow for greater privacy, in most cases, through the application of enhanced encryption techniques.
  • Don’t click untrusted links or attachments
    • If you come across a suspicious message (email or text), don’t click any links or open any attachments. Instead, verify the message contents either with the sender directly or by contacting your IT support staff (when applicable).

The Valorr Team looks forward to providing additional cyber tips to keep both you and your business secure now and in the future. Stay tuned!

*For more tips and tricks to remain cyber informed, please visit our additional Valorr Insights at https://valorradvisors.com/insights/