How to thwart hackers and protect clients
By JASON GOLDEN
April 24, 2018 2:26PM
Email is an essential part of modern communications and is ubiquitous for most of us. News of recent email schemes targeting accounting firms and other companies during tax season is only the latest reminder that nobody is immune to sophisticated and dangerous scams.
In New Hampshire, we're seeing a heightened threat using email that gives the attacker full access to your emails and address book (including the ability to send emails as you), and uses that access to impersonate you to others in your network. In many cases, the attacker then uses your compromised email address to send requests to wire money or pay an attached invoice.
The details of the schemes change all the time, but the general approach is the same. It's called phishing, which is a form of social engineering. Cyber criminals use tactics over phone and email to make you trust their identities and give up one or more pieces of your or your company's personal information, like bank account numbers, network passwords, or even the name of your company's payroll provider.
That information, combined with databases of stolen information that exist on the dark web (think of it as the black market of the internet), essentially becomes the keys to access every aspect of your online and offline life.
A growing percentage of cybersecurity breaches are going undetected by the security teams at businesses. Companies often learn of the hack when law enforcement or victims of the breach (usually your customers or clients) discover it and come calling.
Email, in its convenience and ubiquity, is by far the most common vehicle cyber criminals use to try to trick unknowing individuals. The email might look like it comes from an official source, with logos and email signatures included to get you to let your guard down. But once you click that link, you may have opened the door to your and your company's sensitive personal data.
If your email is compromised, this could mean that your data has been breached. If you have a data breach, you are responsible for adhering to state privacy laws along with any compliance requirements that your business may fall under. You could be subject to fines, penalties and reporting requirements based on the breach. Just investigating the incident can be very expensive once you engage the necessary technical, legal and forensics resources.
The best way to avoid falling for a phishing scam is by practicing defense in depth. Here are a few layers of protection against cybercriminals.
• Never click links in emails. It may seem drastic, but it is the most effective way to keep your email account from being compromised.
• Never sign in with your credentials unless you are 100 percent sure you know which system you're connected to.
• Never enter personal information, usernames, or passwords over an unsecured Wi-Fi network.
• Be suspicious of anyone who calls asking for personal details. Comcast won't call asking for your account number, and the IRS will never email you looking for your social security or bank information.
• Enable multi-factor authentication on any account that stores personal information. Multi-factor authentication requires more than one proof of identity (e.g. a secondary code, a fingerprint, etc.) in order to access an account.
• Use complex passwords, but the most critical step is to never reuse the same password for different accounts. If you do, you've essentially created a master key for your private data.
• Notify your IT support if you think you received (or worse, were tricked by) a phishing scam. Report every suspicious email.
• Identify every physical device where your sensitive data is stored and implement proper device or drive encryption.
Hacking is a profitable industry for cyber criminals. If you haven't been hit yet, it's only a matter of time before your defenses are tested.
We recommend all organizations consider working with information security specialists to assess risk across the organization and put up a strong defense. Each incident must be treated like the biggest threat to your company and clients out there. Because it is.
Jason Golden is chief information security officer at Mainstay Technologies, an information technology and cybersecurity firm that serves businesses throughout northern New England.