The internet has brought the whole world to our fingertips, and businesses that can best leverage the competitive advantages of the internet have quickly risen to the top.
Businesses aren’t the only ones adapting however – crime has also gone digital, and your information is a prime target. Access to the private data of businesses is very valuable, as is the ability to disrupt regular operations and hold a company to ransom.
When it comes to keeping your business safe from digital crime, information security is your first line of defense. Information security, or infosec, is the practice of protecting your business by preventing unauthorised or illegal access to your data.
The first step to strong information security is awareness. By being aware of the threats your business may face online, and by following a few simple infosec steps, you can drastically reduce the probability of your business being compromised.
Why Information Security is Important
Information security is vitally important to keep your business and your data secure from threats in the digital world. If you use the internet for banking, payroll, sharing company documents, operations or planning, good information security practices allow you to operate your business without risking unauthorised access to those activities.
This is the crux of information security – maintaining a balanced protection of the confidentiality, integrity and availability of data without hampering organisational productivity.
Weak (or absent) information security practices are the easiest way for your business to get hacked, and this can be extremely costly. In 2021 a major US fuel pipeline operator paid a ransom of roughly $4.4 million to a criminal group after a ransomware attack shut down its operations.
Even if the attack does not affect normal operations, a data breach can still be very costly if the private data of your customers is exposed. Fines or lawsuits under data privacy laws can add up to hundreds of millions of dollars for not taking adequate steps to protect your customers.
Phishing and Social Engineering
When we think of crime on the internet we always start with Hacking. Hacking is the generic term for gaining unauthorised access to a digital system, but it’s not at all like the movies!
Rather than using highly advanced technology to run sophisticated code, most intrusions start by simply tricking a person into handing over their information or access willingly.
This type of attack is known as social engineering – the use of deception to manipulate individuals into divulging confidential information or taking an action that benefits the attacker – and its most common form is phishing.
Phishing relies on tapping into the routine operations of your business and how employees respond to specific situations. By being aware of how hackers can exploit these operations and situations, you can better defend against their attacks.
Phishing is by far the most common approach: the attacker pretends to be someone else via email, phone or text message in order to get you to divulge sensitive information (such as a password) or to let them into a system.
Hackers are always changing their specific tactics, but there are some common warning signs of phishing attacks to watch out for. For phishing emails, these include:
- The sender's email address is misspelt or does not match the organisation it claims to come from (look closely for look-alike domains such as a digit in place of a letter)
- HTML attachments, or links whose visible text does not match where they really go (hover over a link to see its actual destination before clicking)
- No personalised information about you (emails that address you as “Dear Customer…”)
Fear is also a very common tactic for hackers, and they will often try to scare you into following their requests by mimicking account deactivation emails, warnings from officials like police or tax officers, or even threaten firing by pretending to be your boss.
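The warning signs listed above can be checked mechanically as well as by eye. The following is an added example, not code from the original article: a small Python triage script that parses a raw email and flags a look-alike sender domain, HTML attachments, links whose visible text points somewhere other than their real destination, a generic greeting, and urgency or threat wording. The trusted-domain list and the sample message are constructed for the example and are not real organisations or real mail.

```python
"""Heuristic phishing-email triage (added example, not from the original page).

Flags the warning signs discussed above in a raw RFC 5322 message:
  * sender domain that is a near-miss of a domain we trust
  * HTML attachments
  * links whose visible text names a different host than the real href
  * a generic greeting ("Dear Customer")
  * urgency / threat wording
"""
import difflib
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumption: domains this (hypothetical) business legitimately receives mail from.
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "valued customer")
URGENCY_WORDS = ("suspended", "deactivat", "immediately", "within 24 hours",
                 "legal action", "final warning", "police", "tax office")

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_LIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def sender_domain(msg):
    """Domain part of the From header, lower-cased ('' if absent)."""
    match = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return match.group(1).lower() if match else ""


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` closely resembles without being it, else None."""
    if domain in trusted:
        return None
    best, score = None, 0.0
    for t in trusted:
        r = difflib.SequenceMatcher(None, domain, t).ratio()
        if r > score:
            best, score = t, r
    return best if score >= 0.8 else None


def mismatched_links(html):
    """(visible text, real href) pairs where the text names a host other than the href's."""
    bad = []
    for href, text in HREF_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if not URL_LIKE_RE.fullmatch(shown):
            continue  # link text is plain words, nothing to compare
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(shown if "://" in shown else "http://" + shown).hostname or "").lower()
        if shown_host != real_host:
            bad.append((shown, href))
    return bad


def triage(raw):
    """Return a list of human-readable warning signs found in a raw email."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    dom = sender_domain(msg)
    near = lookalike_of(dom)
    if near:
        findings.append(f"sender domain {dom!r} looks like {near!r} but is not it")

    body_html, body_text = "", ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            if ctype == "text/html" or name.lower().endswith((".htm", ".html")):
                findings.append(f"HTML attachment {name!r}")
        elif ctype == "text/html":
            body_html += part.get_content()
        elif ctype == "text/plain":
            body_text += part.get_content()

    for shown, href in mismatched_links(body_html):
        findings.append(f"link text {shown!r} points to {href!r}")

    low = (re.sub(r"<[^>]+>", " ", body_html) + " " + body_text).lower()
    if any(g in low for g in GENERIC_GREETINGS):
        findings.append("generic greeting, not personalised")
    hits = [w for w in URGENCY_WORDS if w in low]
    if hits:
        findings.append(f"urgency/threat wording: {', '.join(hits)}")
    return findings


# Constructed sample message for the example (not a real phishing email).
SAMPLE = """\
From: Security Team <alerts@examp1ebank.com>
To: you@example.com
Subject: Your account will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify it now:
<a href="http://login.examp1ebank.com/verify">https://www.examplebank.com/login</a></p>
--B1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="invoice.html"

<html><body>open me</body></html>
--B1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("WARNING:", finding)
```

Heuristics like these only catch the clumsy cases; a well-crafted phish from a compromised legitimate mailbox will pass every check here, which is why the habit of verifying unexpected requests out of band matters more than any filter.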
While phishing attacks over email are very common, any channel can be used by attackers. You can avoid phishing over email, phone, social media – even macros in Word and Excel documents – by following a few simple steps:
- Don’t click on links or open attachments unless you are expecting them (and only from known contacts)
- If there’s a link in the email (for example to your bank), don’t click it. Instead, open a new browser window and type the address yourself or use a bookmark you saved earlier. Avoid finding the site through a search engine, since sponsored search results have themselves been used to direct people to fake login pages.
While phishing happens primarily in the digital space, there are a few other common social engineering attacks to keep watch for that happen in the real world. Keep watch for the following around your place of business:
Tailgating is trying to gain physical access to an area by following someone else – literally walking through the door they opened.
This can also be achieved by pretending to be a courier carrying heavy boxes, or by wearing a uniform (a cleaner, a technician) so that an employee will hold the door open.
“Waterholding” is where an attacker frequents the same physical places as your staff, such as restaurants or bars the team goes to, in order to overhear conversations or learn details about the business (work patterns, names of employees, or even what uniforms they wear).
This information then lets them pose more convincingly as another employee or a business partner in their later attempts.
The same reconnaissance happens online: attackers join the public groups, forums and social media pages of their target businesses to collect the same details. (In infosec the term “watering hole attack” usually refers to something more technical – compromising a website the target’s staff are known to visit so that it serves malware – but the low-tech version described here is just as effective for gathering information.)
Baiting is the social-engineering cousin of bribery – dangling something the victim wants (a gift, a prize, a “found” USB stick) to get them to hand over information or take a particular action.
The main difference between baiting and bribery is that the person being bribed knows a trade is happening, whereas a person being baited may have no idea they have been the victim of an attack at all.
An example of this may be receiving an email from a fancy restaurant or nightclub offering free meals – just click the link below to claim now! When you click the link, however, you also download malware onto your computer, giving the attacker remote access to your machine and potentially exposing the entire network.
Once a hacker has access, they can install and run malware – malicious software designed specifically to cause damage or disrupt a computer, server, client or network.
Malware can take on many forms, and you may already be aware of some of these types:
- Bots / zombies
Protecting your computer and your network from malware is fairly straightforward, and there are several steps you can take to improve your security.
- Install antivirus software and keep it up to date
- Don’t open attachments from unknown sources
- Keep applications and OS up to date
- Turn off Office macros and don’t bypass security warnings
While these measures are a strong start to keeping your computer safe from malware, the best protection is to avoid malware altogether. By utilising safe browsing techniques, you can greatly reduce your chances of being exposed to malware.
Learn to use incognito and private tabs
If you are using a modern browser, you are probably familiar with incognito or private tabs. These keep less on your computer: they do not share cookies or logins with your normal tabs, and when you close the private window the browser discards the history, cookies and logins from that session. That is useful on a shared or borrowed machine.
Be clear about what they do not do, though. Private mode does not hide your traffic from the network, the website or your employer, and it offers no protection against malware or a phishing page. All private tabs open in the same private session do share cookies and logins with each other, so when you use one for something like banking, close the whole private window when you are done rather than leaving it open.
Check for HTTP vs HTTPS
HTTP (or hypertext transfer protocol) is how the web transmits pages. HTTPS is the same protocol carried over an encrypted TLS connection; it has existed since the 1990s, but only in the last few years has it become the default for most sites.
A site using HTTPS shows a padlock icon in the browser’s address bar. It means the connection between your browser and that site is encrypted, so someone on the network (for example on public wifi) cannot read or tamper with the data in transit. It says nothing about who runs the site.
However, attackers can obtain HTTPS certificates for their own sites just as easily as anyone else, so the padlock is not a guarantee of safety – only that you are talking privately to whoever owns that address. You should still check for it, and also check that the address itself is the one you expect; when in doubt, back out.
Remember that this padlock icon is only used on websites – it has no meaning at all in emails or on social media. If you see a padlock icon in an email or social media post, it could be a phishing attempt.
Be careful on social media
Social media can also be used to run phishing attacks or launch malware. Be careful in what you share online (especially as it relates to your business), as hackers can use this information to pose as employees or find email addresses to target.
Online identities on social media are easy to fabricate, so don’t trust messages or posts from people who you don’t know, and don’t communicate business matters over non-corporate channels.
Conclusion – Protecting Your Information
Information security practices are a great first step in protecting yourself and your business online. It can be daunting to learn about phishing and malware attacks, but being aware of these threats is the best way to avoid falling victim to them.
Be proactive about your information security and don’t be afraid to ask for assistance! Report suspicious activity to your IT team or reach out to cyber security experts and keep your business – and yourself – safe online.