When Businesses Get Hacked, The Weak Link Is Often A Trusted Employee

Posted on:

June 12, 2015

Major companies like Sony and Anthem make headlines when they are hacked. But don’t assume your small business isn’t an attractive target. According to the Wall Street Journal hackers sometimes find their way into giant databases by infiltrating the database of one of their vendors, like HVAC companies. They know that small businesses often lack the resources to put strong security measures in place, and they see that as an opportunity.

Even if you have a trusted staff and a strong security system, it’s smart to err on the side of caution. Dave Aitel, the CEO of Immunity — a security company — says you should always assume your employees will fall for e-mail scams. Many fake messages are obvious, but more and more, hackers work hard to develop more sophisticated “phishing messages” that throw out bait to see who they can hook. It only takes one unwary employee to click the wrong link and your system could be invaded by malicious software that steals sensitive information.

Here are several points about scam e-mails to go over with your staff periodically, to keep them on their toes. When in doubt:

Validate the sender. A message might appear to be from a familiar source, but a closer look at the address could reveal extra letters. This is a way thieves piggyback on someone else’s reputation. For example, you may have a Home Depot account, and you get a warning message that your account is about to be locked. Check the e-mail address to see if there are extra letters, like this: homedepotsx.com.

Don’t rely on a logo. Thieves copy company logos, hoping you’ll take the bait. When you do, they ask you to click a link or provide a password. If you think a company may be trying to reach you, look up the phone number (don’t rely on a number provided in the message), and call to ask if there’s a problem.

Links and attachments. These can be deadly so be sure your staff knows not to touch them. They usually come with a dire warning about some sort of problem. Again, if in doubt, call the company.

The message contains incorrect information. Messages may also appear to be sources you don’t deal with, like a large bank or power company. Scammers throw out the phishing net wide, containing a warning or a can’t-miss deal, knowing that it only takes one unwary reader to click a link and open a treasure trove of your assets.

Also, this type of message may include typos and sloppy word usage. Many scammers are outside the country and barely speak English. In an effort to sound professional, they misuse the language. Example: a recent phishing attempt urged visitors to: “Please clicking on reply.”

Software updates. This is tricky because some update messages are real, although, software gurus say free software programs don’t usually send out requests for you to update. When “update” pop-ups appear, instruct your employees not to click on them. Instead, they can go right to the site, like Adobe.com or Java.com, and download updates.

If All Else Fails… Consider Thin Machines
For his clients that are worried about employee mistakes, Dave Aitel sometimes advises them to install “thin machines” for employee use, instead of desktops. Thin machines have little storage space, so if an attack happens, the potential damage is limited to one area, rather than the whole network.

Whatever you decide, don’t neglect going over the importance of security with your staff regularly. Remind them that their jobs rely on continuing operations, and one wrong click could put you and them out of commission.

Author
Recent Posts

Teresa Ambord

Teresa Ambord is a contributing writer for IE3. She has been an editor/writer for Thomson Reuters since 2004 and has published widely on small business issues.