Phishing in the New Wild West
Planning Your IT Defense
According to Forbes, in 2017 two thirds of Americans worried about having their Identify, Credit Card, or other personal information stolen.
Getting murdered only concerned 18% of people.
According to the FBI, in 2018 will cost Texans at least 96 million dollars. If 96 million dollars were being stolen from homes and businesses, and two thirds were worrying it would happen to them (only 36% are worried about physical burglary), politicians’ heads would be rolling, police chiefs would be mobilizing, and people would be up in arms.
But it seems like most of us simply shake are heads and wonder what we can do.
Well that’s what I’m writing about—establishing an IT defense strategy. To quote General George S. Patton, “Nobody ever defended anything successfully, there is only attack and attack and attack some more.” Since we can’t yet take the fight to cyber-criminals, I can’t promise you that your association or business will be invulnerable.
But I can give you the tools to protect yourself against all but the most determined/advanced attacks.
We’ll be discussing IT vulnerabilities in two major groups: hardware and software.
Starting with your first line of defense, you should have a commercial grade firewall in place, between you and the world at large. Everything in your office needs to be behind the firewall, and I mean everything.
One of the most overlooked IT weakness is leaving printers outside the firewall, which sound like small potatoes. Its just a printer, what’s the worst someone could do—waste your toner?
Actually, with the increasing intelligence of printers, offices are experiencing greater risk. Many “smart” printers save the jobs they’ve done, which means if your printer is outside the firewall, someone can look at any document you’ve printed. it has to be the most aggravatingly simple form of hacking, but it’s a real risk.
Speaking of underestimated risks, let’s talk about easy set-up WiFi routers. These devices were designed for non-techy (ie. normal) people to use in their homes. You can set up a wireless network with the push of one button! You probably can’t tell, but I cringed writing that statement. Because the simplicity comes from doing away with most security protocols! Easy setup means easy access. You don’t want your association’s network to be easy to get into.
So, on the networking security front, ensure that your office is secured with a commercial-grade firewall, that your printers are behind that firewall, and that your wireless network is similarly secure. If you have no idea how to verify any of that, ask your IT provider to walk you through how your network is secured.
The last bit of hardware I want to discuss is the world’s most prolific Weapon of Mass Distraction; the smart phone.
A question I get all the time is, “How secure is my smartphone?” The answer…varies.
There are numerous articles dedicated to this question alone. Let me sum it up for you. A lot of it depends on what kind of phone you’re using.
iPhones are sealed devices, that operate in a fashion that secures them against the vast majority of viruses. Plus, iPhones only make up about 20% of the market. Its just more cost-effective for criminals to go after the other 80% with viruses. Androids, by their open nature are less secure. If you or your staff use Android phones, I cannot stress strongly enough that you should install antivirus software on your phone. Because of the iPhone’s nature, its somewhat less important to have an antivirus…but its still a good idea. Especially if your association is deeply involved politically—that paints a target on your back.
And regardless of what phone you use, please secure it with facial recognition and/or a password that isn’t your or a loved one’s birthday! Its way to easy for a phone to fall out of your pocket or bag, and if your phone isn’t locked, someone can see all your emails, and anything else you have saved on your phone.
Now if your computer is connected to the internet at all, you are officially at risk of cyber-attack. So what software do we need to compliment our hardware defenses?
The first thing to understand is what kind of attacks to expect. In my company’s experience, we see two main things; viruses that turn computers into spambots and ransomware.
Here’s the good news; these are the cybercrime equivalents of a crook walking through an apartment complex trying doorknobs to see what doors are open.
So how do we lock the door?
First things first; get an antivirus for your computer. Do not use a free antivirus. If you’ve read my articles before or spoken with me, that idea has come up before. But we still find people who use free antiviruses!
As the Joker said, “if you’re good at something, never do it for free.” Free antiviruses don't work all that well, and are dangerous in that they make us feel we're secure when we really aren't.
Now, I’m not saying you should buy Defense Department antivirus. Just something reasonable like Webroot or MacAfee.
That will keep most of the barbarians at the gate.
Next up, you should buy or subscribe to an antispam service. I’ve seen some offices that have physical antispam appliances, but unless your office has about 100 people or more that is overkill.
By using an antispam service, you can again block out a huge proportion cybercrime emails.
Unfortunately, they won’t stop every malicious email. They just can’t. So, train your staff on how to recognize phishing emails, and anytime you see a suspicious email from someone you actually know, call them and ask if they sent the email.
Aren’t sure how to go about training? Talk to your IT provider about organizing a session during a lunch sometime. If they don’t know how to go about training your staff…run away and find someone who does know.
Now when it comes to securing data, I highly recommend that you find a Cloud service and store your data there. Simply put, companies like Apple, Amazon Web Services, Microsoft, Box.com, Drobox, and Google can spend way more money than you can on cyber-security.
Putting your data in their hands essentially immunizes you against ransomware. If your computer is locked by ransomware, and your data is in the Cloud, you’ll be inconvenienced, but you won’t suffer permanent consequences. Because your data isn’t actually on your computer, the malware can’t reach it. Reset your computer—which is a major inconvenience, but better than losing all your information—and get back to work.
Lastly, every organization needs a central management system for their computers.
A central management system will allow you to monitor computer activity—not check to if your staff is working but rather to see if the computer is being illegally accessed from the outside. It will also allow you to lock down a computer in case of theft or employee termination.
Any organization can be hurt by a disgruntled employee misusing company assets. With a central management system, you have one more layer of protection for your organization.
Security comes with a price, both in money and time. It takes constant vigilance and regular training for your staff. It takes equipment and software designed to protect offices, not to make life at home more convenient.
Make sure that your office is protected from the point that it makes contact with the outside world with a firewall to the point a phone slips out of a pocket. Protect your data by moving it to the Cloud. Ensure that you and your staff are aware of what cyber threats you face.
If you do all this, you will be protected against the huge majority of threats the world can throw at you.