Cyberattacks on organizations can happen in lots of different ways, but most hackers choose to bait victims through digital communications channels. The primary reason is that they are easy to breach. Fraudulent links can be sent via text message, email, messaging apps, or even social media – making not just your organization but each one of your staff members a target. If a single employee makes the mistake of clicking a malicious link, it will be a big payday for the hackers – and a big loss for you (revenue, intellectual property, and reputation to name a few). In this month’s blog, find out what methods you need for robust digital communications security to protect your organization today.
Securing Email
Get on the Cloud
Email is still the primary method for communicating with clients, vendors, and prospects. It is important that you use a reputable email service. If you are still holding on to an on-premises email solution, I strongly encourage you to move to a cloud email provider. They have the resources and dedication to keep their services not only online but also secure. Arguably, the two best or most common email hosting services in this area are Microsoft and Google.
Upgrade
In addition to the base email offering available from these providers, I also recommend upgrading to the more secure version of their service. For Microsoft, this is Microsoft Defender for Office 365, and for Google, it is the Advanced Protection Program. These programs add a variety of built-in and configurable security protections that help reduce not only spam but also targeted attacks on your email users.
Multi-Factor Authentication
If you have not already, I highly recommend enabling multi-factor authentication (MFA) on your email. This sounds complicated, but given that almost every worker today has a smartphone, deploying this technology is easy; plus, it adds a significant layer of security to your organization. Some people are put off because they think you need the multi-factor passcode every time you look at your email, but that is not the case. Once a computer or phone has completed MFA, the service can remember that device for a period of time, so the one-time passcode is not requested at every login. However, each new device will need to authenticate using MFA.
Encryption
One additional layer of security that you should consider is email encryption. If you are using your email systems for sending sensitive data to clients or vendors, then consider adding this option to your email platform. This service encrypts sensitive messages automatically: a rule, triggered by a keyword in the message or by other conditions you define, applies encryption when the email is sent to an outside party. Once the message arrives, the recipient must use a secure portal or compatible system to retrieve the email and its contents. This is highly encouraged, especially if you are sending to consumer mail services such as Gmail, Yahoo!, or AOL.
Digital Communications Security Training
Ransomware and Business Email Compromise (BEC) attacks happen every 11 seconds, according to cybersecurity experts. This statistic is very alarming and continues to worsen. Users of all types are being targeted, from individuals to multinational corporations. The severity of the attacks and the ransom vary considerably, but there is one common factor: almost all cyberattacks begin with a breach in digital communications security, specifically a user who lacks the necessary training.
Digital communications security training is a type of training implemented in organizations to make staff more knowledgeable about identifying and avoiding cyberattacks. IT professionals (whether internal staff or outsourced) send simulated phishing emails, texts, or chats to your employees, attempting to get them to send sensitive data or take actions that would compromise your security. If a user does fall prey to the mock attack, this is reported back to the organizer so the user can be given additional, targeted training on what to look for in the future and not be susceptible to the same attack a second time. Users also need a way to report anything suspicious, which further confirms that the training is effective. Some key components of digital communications security training should include:
Examine Email Addresses
Phishing addresses look like the real deal, so be proactive and pay close attention. What should have been a “.com” might be a “.co.”
Hover Over Hyperlinks
Before clicking on any link sent through email, texts, or social messaging, hover over it to see the URL. If it is not something that looks familiar, it is better not to click than risk the danger.
Check for Spelling & Grammar Errors
These are common telltale signs of a phishing email. Official correspondence from reputable entities gets proofread and spell-checked before being sent out. Messages rife with mistakes are most likely the work of hackers trying to get into your system.
Ignore Emails Requesting Passwords
Trusted companies will not request your password or other personal information through email messages. If you get a message that asks for such, it is best to ignore or block it.
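The first, second, and fourth checks above (look at the sender's domain, compare a link's visible text with where it actually goes, and treat password requests as a red flag) can be automated as a first-pass filter on inbound mail. The following script is an added example written for this post, not code from Spera Partners or from any vendor; the trusted-domain list, the credential-request phrases, and the two sample messages are all constructed for illustration.

```python
"""Phishing-indicator checks for an inbound message (added example, not the page's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization actually corresponds with (hypothetical list, adjust to your own).
TRUSTED_DOMAINS = {"example.com", "bank-example.com"}

# Phrases a legitimate sender does not put in email; the page's "ignore emails requesting passwords".
CREDENTIAL_PATTERNS = re.compile(
    r"\b(password|passcode|verify your account|confirm your login)\b", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalikes such as examp1e vs example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of 'Name <user@domain>' or a bare address."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Return a finding when the sender domain is a near-miss of a trusted domain.
    rpartition splits on the last dot, so multi-level TLDs (co.uk) are not handled here."""
    domain = sender_domain(from_header)
    if not domain or domain in trusted:
        return None
    label, _, tld = domain.rpartition(".")
    for good in trusted:
        good_label, _, good_tld = good.rpartition(".")
        if label == good_label and tld != good_tld:      # ".com" became ".co"
            return f"sender domain {domain} is {good} with a different TLD"
        if edit_distance(domain, good) <= 2:               # digit/letter swaps, dropped chars
            return f"sender domain {domain} is a lookalike of {good}"
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL, with a leading 'www.' removed; bare 'www.x.com' text is treated as a host."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return re.sub(r"^www\.", "", (urlparse(s).hostname or "").lower())


def check_links(html: str):
    """Flag anchors whose visible text names a different host than the real href (the 'hover' check)."""
    p = _LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        shown = host_of(text) if re.match(r"^(https?://|www\.)", text) else ""
        if shown and shown != host_of(href):
            findings.append(f"link text shows {shown} but points to {host_of(href)}")
    return findings


def check_credential_request(body_text: str):
    """Flag wording that asks the reader for a password or login confirmation."""
    m = CREDENTIAL_PATTERNS.search(body_text)
    return f"message asks for credentials ('{m.group(0)}')" if m else None


def analyze(message: dict) -> list:
    """Run all three checks on a {'from': ..., 'html': ...} message and return the findings."""
    findings = []
    sender = check_sender(message.get("from", ""))
    if sender:
        findings.append(sender)
    findings.extend(check_links(message.get("html", "")))
    plain = re.sub(r"<[^>]+>", " ", message.get("html", ""))  # crude tag strip for the text check
    cred = check_credential_request(plain)
    if cred:
        findings.append(cred)
    return findings


# Constructed sample messages for the demonstration; not real mail.
PHISH = {
    "from": "IT Helpdesk <support@examp1e.co>",
    "html": '<p>Your mailbox is full. Please visit <a href="https://bank-example.co/login">'
            'www.bank-example.com</a> and confirm your login password today.</p>',
}
CLEAN = {
    "from": "Alice <alice@example.com>",
    "html": '<p>Agenda attached. See <a href="https://example.com/wiki">the wiki</a>.</p>',
}

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("clean", CLEAN)):
        print(name, analyze(msg) or ["no indicators"])
```

Running the script reports three indicators for the constructed phishing message (lookalike sender domain, link text pointing elsewhere, and a credential request) and none for the clean one. The spelling-and-grammar check from the list is deliberately left to the reader: it needs a language model or dictionary, and a user's judgement, rather than a regex.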
Policies and Procedures
It is important to formalize policies as they relate to communications security. There are employees who have claimed they did nothing wrong according to company policy when sending sensitive or secure data to an outside agency. Be sure to identify what can and cannot be emailed from your systems. Your policies should cover things like:
Customer Data Protection
In industries like healthcare, banking, and many more, companies collect customer data that must remain confidential. When this information gets out, it can cause problems for both the client and the company. Educate your users on what constitutes customer data and what policies are in place to protect it.
Intellectual Property Protection
Industrial espionage is a real thing. Many big corporations would pay to see information from their rivals to find out what new products or trends the competition is working on. This practice is quite common in the automotive and pharmaceutical industries. Define what IPP is and the penalties for disclosing this information without following the proper procedures.
Internal Communication Protection
Internal communication involves massive amounts of information meant only for those in your office. This confidential information is what a ransomware attacker would love to control because they can get large sums of money by holding the data hostage. Make sure you have disclosures in your email signatures that identify what to do if an outside party receives ICP and review with your employees what is and is not appropriate communication to send to outside parties.
Many of the Business Email Compromises (BEC) that I have come across could have easily been avoided with the most basic of accounting control procedures. While I will not go into the specifics here, I do recommend consulting with your financial professional. Many times, you can thwart an attack with proper accounting procedures around things like Wire Transfers, Vendor Payment Changes, and providing Credit Card information.
Final Thoughts
If you have yet to implement any of these methods, now is the time. They are vital in running any organization. Bolstering your communications security – whether through secure email, training, or strict policies & procedures – will strengthen your company-wide protection from cyberattacks, and ultimately increase your productivity. A Managed Service Provider (MSP) like Spera Partners can help you overcome the challenges of business communications and get the necessary safeguards implemented. If you want to learn more about the benefits of digital communications security or how an MSP can give you peace of mind in all areas of your technology, feel free to reach out to us at www.sperapartners.com/contact-us/ or [email protected] or Schedule an Appointment with Me
Brian Hess
President
Spera Partners
Learn more about our Cybersecurity services at https://sperapartners.com/cybersecurity/