Small business or large, studies show that all companies are at risk of attack by hackers. Government agencies including the FBI have suggested using a separate computer for all transactions involving money or sensitive information, but from a business view, that isn’t scalable or practical. So we’re gonna spill the beans for you. We’re not claiming to bullet-proof your enterprise, but a few minor tweaks may deflect attack, because – as we’ve seen – the lowest hanging fruit is usually what gets picked off. Let’s raise up your proverbial tree and get that fruit out of reach, shall we?
- Beware the man (or woman) behind the curtain. Spear phishers are looking for quality, and they’ll do their research well. Often, though, they won’t go for the high-profile target directly; they’ll go to someone who pushes the buttons for that person – an executive assistant, general counsel, staff attorney. Those people are more likely to be phished than, say, the CEO or CFO. They need to be super vigilant about the links they click on and the sites they log in to, in a sense expecting that someone will try to dupe them. And that is why they should follow the next tip.
- Look for non-obvious clues. Anyone can duplicate a logo or make a look-alike login page. But a vast number of attacks come from non-English-speaking countries. If an ‘official’ communication uses rotten grammar and is overly casual, be suspicious. Hover over links and read the entire link target before clicking – is the format what it should be? Trust your gut. If something seems odd, don’t click. And just like dad always told you, if it seems too good to be true, it probably is.
- Be cautious of downloads. Certain people – like lawyers – deal with downloads all day. PDFs and other documents are sent back and forth, passed around, read and re-read. Are you aware that a PDF can contain a malicious payload that compromises your computer? Don’t download PDFs thinking they’re just harmless documents. Note the sender (or host), and make certain it’s something you requested or critically need. And if you’re unsure, confirm the sender’s credentials before downloading.
- Use unique email addresses if you can, only giving out your ‘real’ email address to people you trust. It’s easy if you have your own domain – for example firstname.lastname@example.org or email@example.com. If you don’t have your own domain, you can at least set up a public email address and a private email address. The public one would be the one you use on websites that require opt-ins, on forms for store loyalty programs, etc. And you would know that anyone can gain access to that account.
- Don’t click on anything in an email. If you think about it, you hardly ever receive something vitally important in an email that requires a click. There’s the occasional “click to verify your account” message, but let’s be honest – you expect those, they come right on time, and you were told in advance when and where it would come. So if you didn’t ask for it, don’t click on it.
- You know those patches for software? Ever wonder if they’re for real? Well, they are. Use them. They’re there to protect you, so let them.
- Avoid P2P – peer-to-peer – download applications. BitTorrent, Rapidshare, you know what I’m talking about. If you want to do it at home, go for it. But there’s no place for it on an enterprise computing network. Those things are rife with malware.
- Switch your company and your home router’s DNS resolver to use OpenDNS. Do it right now, I’ll wait. There’s no reason to use the default DNS provided by your Internet service provider. OpenDNS has a gigantic cache that will speed up your queries and a free Website filtering service that might interest some companies. Even if you don’t want the filtering, its robust and secure DNS infrastructure can shield you from well-known attacks at the DNS level.
- “Bob” saying so doesn’t make it so. We’ve all had that experience where ‘Bob’ says that if we download that patch or install the new version or upgrade the antivirus software, application xyz will fail to work and the entire business will crash. Are you really going to let ‘Bob’ put your entire network at risk? If the mission-critical application needs to be tweaked for upgrades, tweak it. And silence Bob – your enterprise security is more important than Bob’s personal opinion. Sorry, Bob.
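The “hover over links and read the entire link target” advice above can be automated for the people who can’t be expected to do it by hand on every message. The script below is an added example (not from the original post or the CIO article it credits): it pulls the anchors out of a constructed sample HTML e-mail body and flags the three things a careful hoverer would spot – a bare IP address as the target, visible text that names one site while the real target is another, and a host that embeds the trusted domain name but is actually registered somewhere else. The trusted domain, the sample body and the two-label domain rule are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample HTML e-mail body for the demo (not a real message).
SAMPLE_HTML = """
<p>Please <a href="https://login.example-bank.com.evil.test/verify">verify your account</a>.</p>
<p>Or go to <a href="http://203.0.113.7/login">https://www.example-bank.com/login</a></p>
<p>Our site: <a href="https://www.example-bank.com/">www.example-bank.com</a></p>
"""

# Crude anchor extractor; enough for a plain mail body, not a general HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Visible link text that itself looks like a URL or a domain name.
DOMAINISH = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def host_of(value):
    """Hostname of a URL, or of bare text such as 'www.example.com'."""
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()


def registrable_domain(host):
    """Last two labels (assumption); a real tool would consult the public suffix list."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def check_links(html, trusted_domain):
    """Return [(href, [reasons])] for links that fail the 'hover and read the link' check."""
    flagged = []
    for href, raw_text in ANCHOR.findall(html):
        host = host_of(href)
        text = re.sub(r"<[^>]+>", "", raw_text).strip()  # drop inline tags in the anchor text
        reasons = []
        if IPV4.fullmatch(host):
            reasons.append("target is a bare IP address")
        if DOMAINISH.fullmatch(text) and registrable_domain(host_of(text)) != registrable_domain(host):
            reasons.append("visible text names a different site than the real target")
        if trusted_domain in host and registrable_domain(host) != trusted_domain:
            reasons.append("host embeds the trusted name but is registered elsewhere")
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_HTML, "example-bank.com"):
        print(href, "->", "; ".join(reasons))
```

Only the first two links in the sample are flagged; the third, where the text and the target both resolve to the trusted domain, passes.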
We have to thank CIO magazine for the tips here – many of them came from their informative article on enterprise security. And to conclude, if you have influence over your business’ security procedures, make sure you have policies in place to inform your people about what’s acceptable and what’s not. It doesn’t take militant enforcement – your people want their computers to be safe. They just need to know how.