Security Awareness for Maine Businesses – The Highlights
I recently had the pleasure of speaking with Jeremy Clough, Vice President and Information Security Officer at Gorham Savings Bank, and Randy Porter, IT Director at Alexander & Schmidt, at a free MTUG online webinar. The webinar focused on ‘Security Awareness for Maine Businesses’ and how small- to medium-sized businesses can learn about security training and tips. In case you missed this informative webinar, I’ve given you the highlights here.
During the presentation, Jeremy Clough shared his experience in maintaining the information security of Gorham Savings Bank. He explained a few of the major cybercrime methods that are popular among hackers. Phishing relies on a person receiving an email or text from a source they believe to be trustworthy, so they click on the link or attachment and malware is downloaded onto their computer. In a Watering Hole Attack, hackers infect a legitimate website, so all someone has to do is visit that already-infected site and their computer will be attacked.
Randy Porter spoke about the three ways an organization can increase security awareness and create a basic Security Program. The first step is creating Policy Awareness. Randy suggested that sending security updates, providing security information to new hires, and adding articles to the company’s newsletter are all ways to increase policy awareness. The second step is providing Access Control Awareness. Simple things like reminding employees to change their password every few months are extremely important to avoiding intrusions. It is also important that employees only receive access to the sites that are necessary for their particular role. And finally, Vulnerability Management Awareness is very important.
My portion of the presentation was focused on social engineering. Before an organization can create a secure environment, it is important to understand the basic security facts. Almost all security issues begin with human error. Computers don’t make mistakes, people do.
Since email hacking is prevalent for many businesses, I concentrated my portion of the presentation on how to know when an email you receive could be malicious.
Here are a few red flags about email hacking:
- The ‘Reply-To’ and ‘From’ Fields: If you suspect an email is malicious, pay attention to the addresses in the ‘Reply-To’ and ‘From’ fields. If an address looks fake, doesn’t match the other, or you don’t recognize it, the email was most likely sent by a hacker.
- Subject in All Caps: A subject line written entirely in capital letters can be a sign that the email is malicious. Caps are used to grab someone’s attention, and that urgency is often a red flag.
- Bad Grammar: If you receive an email that uses poor grammar, that could be a sign of a phishing attack. Pay attention to this and ask your IT department or management if you suspect foul play.
- Deviation from the Norm: If you read an internal email and the look and feel of the message isn’t usual, report it right away. People often include a signature or use their nickname in their email, and if this is missing it could be a sign of hacking.
- Wire Money: Anytime you read 'wire money' in the subject or body of an email, report it to your IT department or management immediately -- it is a scam.
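The three red flags above that a machine can check (a ‘Reply-To’ address that does not match ‘From’, an all-caps subject, and the phrase 'wire money') are easy to turn into a mail-gateway or help-desk triage rule. The following is an added example, not code from the webinar or from any of the speakers; the sample message is constructed, and treating a differing Reply-To domain as the mismatch signal is this example's interpretation of the first red flag.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not a real email) that trips all three checks.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: accounts@example-payments.net
Subject: URGENT: WIRE MONEY TODAY
Content-Type: text/plain

Please wire money to the attached account before noon.
"""

# Constructed benign message for comparison: consistent addresses, normal subject.
BENIGN = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@example.com>
Subject: Minutes from Tuesday's meeting
Content-Type: text/plain

Attached are the minutes; let me know if I missed anything.
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_flags(raw_message):
    """Return the list of red flags a raw RFC 822 message trips (empty if none)."""
    msg = email.message_from_string(raw_message)
    flags = []
    # Red flag 1: Reply-To points at a different domain than From.
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to domain differs from from domain")
    # Red flag 2: every letter in the subject is upper case.
    subject = msg.get("Subject", "")
    letters = [c for c in subject if c.isalpha()]
    if letters and all(c.isupper() for c in letters):
        flags.append("subject in all caps")
    # Red flag 3: 'wire money' anywhere in subject or plain-text body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if "wire money" in (subject + " " + body).lower():
        flags.append("'wire money' in subject or body")
    return flags
```

In practice a gateway would route any message with a non-empty flag list to quarantine or to a reviewer rather than to the user's inbox.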
Those are just a few things to consider among many more. It is often hard for a smaller company to have the resources necessary to achieve the goals and implement the required controls. If you feel as though your organization is not where it needs to be in order to protect your organization and data, then it’s time for a conversation.