The Complete Guide to Secure Online Behavior

Some high tech crime can be thwarted by following some low-tech best practices. It all starts at employee workstations, which can hold a treasure trove of loot for people who want to steal your organization’s secrets.

Keep a Clean Desk

It makes complete sense and sounds so simple, but keeping a clean desk is often overlooked when talking about data security. It’s also the perfect place to start the discussion with employees.

Employees that keep a cluttered desk tend to leave USB drives and smartphones out in the open. They also often forget to physically secure their laptops so someone can’t simply walk off with them.

A messy desk also makes it more difficult to realize something is missing such as a folder with hard copy print-outs of customer lists. In addition to increasing the likelihood of something being removed, a cluttered desk means that the discovery of any theft will likely be delayed— perhaps by days or even weeks if the employee is out of the office. Such delays make it more difficult to determine who the perpetrator is and where the stolen material might have been taken.

Encouraging employees to maintain a neat desk pays off in two ways. In addition to making digital and paper assets more secure, employees with clean desks are more apt to be productive because they can quickly—and safely—access the tools and resources they need to do their jobs.

Phishing is defined as a fraudulent attempt to obtain sensitive information by disguising oneself as a trustworthy entity. In order to trick people, hackers impersonate a wide variety of people and institutions, including coworkers, IT staff, email system administrators, banks, the IRS and police.

In especially dangerous “spear phishing” attacks, the scam can be personally directed. The hacker uses information about their target to increase the apparent credibility of their request for more sensitive information.

Just as keeping a clean desk makes it harder for thieves to walk away with documents, following best practices for email cybersecurity can lessen the risk of falling victim to phishing attacks.

Email Security Best Practices: Ways to Block Phishing Attacks

Employees should always be suspicious of potential phishing attacks, especially if they don’t know the sender. Here are five best practices to follow.

1. Don’t reveal personal or financial information in an email or click on any links in suspicious emails.
2. Check the security of websites. This is a key precaution to take before sending sensitive information over the Internet. <http> indicates the site has not applied any security measures while <https> means it has. Sites that do not serve a legitimate business purpose are more likely to contain harmful links.
3. Pay attention to website URLs and domains. Not all emails or email links seem like phishing attacks, so employees may be lured into a false sense of security. Many malicious websites fool end users by mimicking legitimate websites. One way to sniff this out is to look at the URL to see if it looks legit. Be aware of subtle variations in spellings or domains (such as .net instead of .com).
4. Verify suspicious email requests. While there might be a human-sounding first and last name associated with the address, verify that the email fits the company nomenclature. For example, Fred Smith’s email is f.smith@bankofstates.com, not Fred Smith at vhsfjn0fjs08f3k@gmail.com. When in doubt, contact the company they’re believed to be from directly rather than responding to the suspicious email address. It’s best to contact the company using information provided on an account statement—NOT the information provided in a new email. If an email asking for sensitive information comes “from” a coworker, first verify with the coworker that it’s a legitimate request.
5. Keep a clean machine. Utilizing the latest operating system, software, and Web browser as well as antivirus and malware protection are the best defenses against viruses, malware and other online threats. A managed IT service provider can help with this.

Consider Conducting a Phishing Test on Your Employees

It’s better to learn to fight phishing attacks in a controlled environment than when actual data is on the line, which is why many employers today conduct phishing tests on their own employees. Think of them as training exercises similar to fire drills and active shooter scenarios.

To conduct a phishing test, follow these guidelines:

• Notify employees so they know to expect a phishing email in a specific time period. Even though they will have been warned, many will still likely fail the test.
• Make the test phishing emails as convincing as possible. Consider hiring an outside organization to conduct the test.
• Share anonymized results. Don’t shame specific employees who failed. The point is for employees to learn, not for them to feel embarrassed.
• Consider having a regular schedule of phishing tests to see how your employees are improving, and to make sure new employees learn vigilance.

If your employees are using passwords like “password,” the name of your organization, or “qwerty,” it’s about as useful as having no password at all.

Hackers are sure to try lists of most common passwords when trying to gain access, and these passwords are easy to guess or look up.

Types of Low Security Passwords to Avoid

The following common passwords were collected from Troy Hunt’s database of global cyber breaches, as reported by Forbes.

It’s easy to avoid the weakest passwords, but it’s hard to consistently come up and remember good passwords. Passwords should ideally be strong (a long un-guessable string of letters, numbers, and symbols). They should also be unique: not used as the passwords for other websites. Keeping track of a long list of strong, unique passwords is a formidable task, which is why using a password manager is a top tip for strengthening password security. A password manager also saves the time and stress that usually goes into creating and remembering multiple passwords. A password manager can make rebounding from a breach easier with a single reset of multiple passwords with their strong password generators.

A Word About Usernames

While securing usernames isn’t as important as keeping passwords private, usernames are one of the pieces of information hackers need to get access, so it’s worthwhile to avoid commonly guessed account names like “admin” and “user1.”

Have your employees been "pwned?" The importance of not repeating passwords...

The prevalence of large data breaches means that millions of passwords are out in public or are available for sale on the dark web. When people repeat passwords, they let hackers who already have a key to one account access all the other accounts that share the password.

While it may be a helpful memory trick, using simple variations of passwords, like changing “OpenSeasame” in one account to “Open3easame” isn’t a safe alternative to using unique passwords for every account. It’s too easy for hackers to try out different variations of a password once they have a related one.

Have your employees check their email address on haveibeenpwned.com to see which of their accounts are already compromised by existing data breaches. They should prioritize changing their passwords on compromised sites and any sites that share a password with the breached site.

Like it or not, private employee mobile devices in the workplace are a given today. For years, corporate IT departments resisted the idea of bring your own device (BYOD) policies specifically because of the security risks that come with putting sensitive proprietary information onto devices that the organization doesn’t own.

But BYOD appears to be the way of the future because it’s just an easier and less expensive way for companies to keep pace with the constant innovations in the consumer electronics market. Plus, employees report they’re more productive using their own phones, laptops and tablets compared to using company-issued ones.

Protecting important data in a BYOD world means being aware of security challenges that come from employee-owned devices, and educating your employees.

Security Challenges From BYOD Mobile Devices

• Devices leave the office every day and can be lost, misplaced or stolen. Devices should have a way to be remotely wiped, so sensitive data can be destroyed before it falls into the wrong hands.
• Mobile malware: hackers are now turning their attention to mobile devices andexecuting successful breaches. This malware can infect company infrastructure when BYOD phones are connected to the company network.
• Unsecure third-party apps: if breached, they can serve as a gateway to other apps on a device and the device operating system, where security controls can be manipulated.
• It’s especially easy for employees to accidentally send sensitive information to an unauthorized party when they’re using their BYOD phones outside of work hours - especially if they’re tired, intoxicated or distracted. Personal phones also make it easier for employees to maliciously steal sensitive information.

Because employee phones are effectively part of a business’s network once they connected, employers today share responsibility for keeping their employees’ devices secure.

What Employees Should Do to Secure Their Mobile Devices

• Set a PIN or passcode: This is the first line of defense—if someone wants to access the device, they first need to break the code. Some device manufacturers also provide the option to automatically wipe the device after a few unsuccessful attempts at the passcode or PIN. So even if a phone is stolen, information cannot be accessed.
• Avoid using public WiFi. While unsecured WiFi networks can be convenient, they offer too many opportunities for hackers to steal information. Important work information should never be transmitted over unsecured WiFi networks.
• Enable remote locate tools like Apple’s Find my iPhone so lost or stolen devices can be recovered.
• Keep devices clean: Phones are mini-computers, and just like “big” computers, they need to be periodically scanned for malware.

What Employees Should Do to Secure Their Mobile Devices

A Mobile Device Management platform is a kind of middle ground between a company phone and a purely private BYOP phone. An MDM platform is a software that lets businesses’ manage aspects of employee devices.

MDM features include the ability to:

• Make users use passcodes to access devices.
• Remotely wipe devices that are lost or stolen.
• Isolate corporate apps from personal apps so that personal apps remain private and corporate apps don’t leave the company when the employee leaves.
• Prevent users from using corporate apps they aren’t authorized to use.

Some of the most devious attempts to steal information, identities, and access to devices occur within the internet browser window.

Employees can best defend themselves by familiarizing themselves with the most common techniques. Two especially common browser-based techniques are malvertising and social media scams.

Malvertising

• What is it?
  It’s a portmanteau of malware and advertising. It’s malicious code hidden in an advertisement that then spreads to wherever the advertisement is sold.
• What does it look like?
  Malvertising is no nefarious, because users don’t have to actively navigate to seedier parts of the internet to encounter it. It comes to them, sometimes in ads on ordinarily trustworthy sites. According to anti-malware software company Malwarebytes, some of the most famous malvertising ads have appeared on websites including Spotify, the New York Times magazine, Yahoo.com, and the Zedo and Google DoubleClick advertising network.
• What can employees do about it?
  Malvertising is especially hard to avoid because it doesn’t always rely on users making an active decision to click in order to do damage. In “drive-by download” malvertising attacks, hackers don’t need users to click the ad. The malware can do its work when the user loads the page with the ad embedded. Nonetheless, many malvertisements require a user click, so be especially suspicious of ads promoting surveys, antivirus software, or get rich quick schemes.

Keeping browsers and operating systems up-to-date can also help minimize vulnerabilities.

Social Media Scams

• What are they?
  Most social media scams are confidence schemes that rely on the trust that comes from seeing a message from a social media "friend." Sometimes the scheme involves an actual friend who's been duped into spreading a malicious scam through his social network. Sometimes it's a hijacked account or cloned account masquerading as a friend.
• What do they look like?
  There's a new variations launched every day, but here are some of the most common categories, as described by anti-virus company Avast.
  • Data-mining quizzes and surveys: That survey that asks your mother's maiden name in order to tell you what "Friends" character you are isn't purely about "fun."" The data that employees volunteer in these quizzes can be used against them, and against the company.
  • Clickbait: Some stories with sensational headlines are just designed to get users to click and boost a websites traffic numbers. But sometimes the links are more nefarious and link to a fake social media log-in site, in hopes that users will "log-in" again and divulge their passwords.
  • Friend "emergencies:" Once hackers hijack or clone a social media account, one of the easiest ways they can monetize their investment is by sending messages requesting money from the account owner's friends. The classic message is that they're stuck in a foreign nation and need money to get home.
• What can employees do about them?
  Similar to avoiding email scams, the key is not clicking links without thinking, and not assuming that people are who they say there online.

Today’s BYOP world puts a heavy weight on employees and on IT departments.

But they don’t have to be alone. Managed service providers (which include us at Meridian Imaging Solutions) can help supplement the work of IT departments.

Security services that MSPs can provide include:

• Providing security assessments to identify weaknesses.
• Keeping employee devices updated with the latest antivirus and anti-malware software.
• Deploying mobile device management platforms.
• Offering secure network hosting.
• Applying updates to operating systems and applications when new versions and fixes become available.
• Providing on-site support in response to security threats.

What Employees Should Do to Secure Their Mobile Devices

Any managed service provider should provide protection against malware and viruses.

It’s worth taking a moment to understand the difference between malware and viruses, because there’s so much confusion in this area.

Technically, viruses are a type of malicious code that’s capable of replicating itself to do damage to computers of data. Meanwhile, malware is an umbrella term that applies to all malicious code, including viruses.

But there’s a distinction when it comes to protection programs. Antivirus software traditionally focuses on legacy malware like Trojans, viruses and worms, all of which continue to be threats. Anti-malware software, meanwhile, focuses on new and emerging threats. That’s why we recommend both anti-malware and antivirus protection. We provide - and recommend - malware protection through Malwarebytes, and virus protection from Webroot.

There’s a common but misguided attitude in many organizations that cybersecurity is the job of the professions in the IT department and that others don’t need to worry about it. This attitude is often found in back office departments like accounting and legal departments. It’s a dangerous attitude because these employees often have access to sensitive information, and their reluctance to learn about cybersecurity threats make them especially vulnerable.

There’s an equally dangerous attitude that’s common among more tech savvy employees: that “low-tech” social engineering attacks like phishing only work on gullible people who don’t understand technology. This attitude is equally dangerous because it underestimates the sophistication of these attacks and how easy it is to fall for a well-crafted message that appears to come from a trusted person.

The guidelines suggested in this book will likely change as hackers develop new tactics. But one guideline that won’t change in the foreseeable future is that cybersecurity is everyone’s job today.