Last year, the CEO and CFO of a European public company fell victim to cyber fraud that ultimately cost them their jobs and the company 42 million euros. The attacker impersonated a senior board member and emailed the finance department requesting a money transfer from the company's account. The missteps of the CEO and CFO landed the company in hot water and in a situation no company expects to find itself. The unfortunate reality is that this type of executive-targeted attack, often referred to as whaling (a spear-phishing attack aimed at senior staff), is more common than one would expect, and it is just one of many ways cyber criminals inflict damage on businesses. From technology to personnel, chances are most businesses aren't doing all they can to protect themselves against malware and the social engineering that so often delivers it. Although no method is 100 percent foolproof, here are best practices every company should establish to lower its chances of becoming a victim.
Deploy Network Security
Let's start with the obvious. Firewalls, antivirus, anti-malware and anti-exploit technology work. Arming your systems with a firewall and antivirus software is a solid first line of defense that detects and blocks known malware before it infects a device. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) add a second layer at the network level: an IDS inspects traffic and raises an alert on suspicious patterns, while an IPS sits inline and can block the traffic outright. Keep in mind that signature-based products only recognize what they have seen before; anti-exploit tools, which block the techniques an exploit uses rather than a specific sample, and anomaly-based detection are what give you a chance against threats that have no signature yet.
A good practice is to use products from different vendors at different points. For example, use one scanning engine for email, a different one on desktops, and a third at the firewall or gateway. Different products rely on different signatures and detection algorithms, so malware that slips past one engine has a chance of being caught by the next before it reaches a device. The cost is more consoles to manage and more update schedules to track, so this only pays off if every layer is actually kept current.
Beware of Plugins
Advertisements that display while you browse the web can be more than an annoyance; they can pose a real security threat. One avenue for malware to reach your device is malicious advertising (malvertising) that abuses browser plug-ins such as Flash or Java, and such ads have appeared on well-known, trusted websites, because the ad network rather than the site decides what is shown. To protect your device, disable dangerous plug-ins entirely, or at least set them to click-to-play. This prevents Flash or Java content from running unless you specifically click on it.
Flash has been one of the primary avenues for malware infection, so consider removing it from your devices entirely. Estimates at the time were that only 15% of websites still used Flash, and for this very reason most modern websites use HTML5 and JavaScript instead. Adobe has since ended support for Flash Player altogether, so anything that still relies on it no longer receives security fixes at all.
Read Emails with Care
If you receive an email from a sender you don't recognize, or one that looks suspicious, it is usually best to delete it. If you do open it, don't click any links in it. The same goes for emails whose content sounds questionable. Criminals frequently blast out emails that appear to come from reliable sources such as your bank or a company you do business with. A slight misspelling in the sender's domain, a display name that doesn't match the actual address, or awkward phrasing should all signal that the email may not be legitimate.
Emails from someone you don't recognize should always be read with an eagle eye. If you receive a questionable email, never use the contact information inside it to follow up; any phone number or reply address it contains is under the attacker's control. Instead, call your bank or the organization in question using a number from its website or your account statement and ask about your account directly. The same rule applies to a transfer request that appears to come from an executive or board member: confirm it through a channel you already trust before any money moves.
Malware and trackers can also hide in other parts of an email, such as images. Simply loading a remote image tells the sender that your address is live and that you opened the message, and bugs in image rendering have been used to deliver exploits. Turn off automatic image loading in your mail client, so that if you don't recognize the sender or the content looks questionable, you can delete the message without giving embedded content a chance to run.
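The red flags described above (a lookalike sender domain, a display name that borrows a trusted brand, link text that shows one site while the href points to another, and remote tracking images) can be checked mechanically. The following is an added example, not code from the original article: it parses a constructed sample message with Python's standard `email` module and reports each finding. The trusted domain list and both sample messages are assumptions made for the example.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Domains the organization actually deals with (assumed list for this example).
TRUSTED_DOMAINS = {"examplebank.com", "example-corp.com"}

# Constructed sample: lookalike sender (digit 1 for letter l), mismatched link, tracking pixel.
RAW_MESSAGE = b"""From: "Example Bank Security" <alerts@examp1ebank.com>
To: finance@example-corp.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been locked. Please verify at
<a href="http://examp1ebank.com.verify-login.net/acct">https://www.examplebank.com/login</a>.</p>
<img src="http://track.verify-login.net/open.gif?id=1234" width="1" height="1">
</body></html>
"""

# Constructed benign message for comparison: real sender domain, no links, no images.
CLEAN_MESSAGE = b"""From: "Example Bank" <alerts@examplebank.com>
To: finance@example-corp.com
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Log in at the usual address to view your statement.
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IMG_RE = re.compile(r'<img\s+[^>]*src="(https?://[^"]+)"', re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two characters off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Crude approximation of the registrable domain: the last two labels of the host."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def check_sender(msg):
    findings = []
    name, addr = email.utils.parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return findings
    for trusted in TRUSTED_DOMAINS:
        d = edit_distance(domain, trusted)
        if 0 < d <= 2:
            findings.append(f"sender domain {domain!r} looks like {trusted!r} ({d} edit(s) away)")
        # Trusted brand in the display name but an untrusted address is a classic spoof.
        brand = trusted.split(".")[0].replace("-", "")
        if brand in name.lower().replace(" ", ""):
            findings.append(f"display name {name!r} claims {trusted!r} but address is {addr!r}")
    return findings


def check_links(html):
    findings = []
    for href, text in LINK_RE.findall(html):
        target = registered_domain(urlparse(href).hostname)
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown and registered_domain(shown.group(1)) != target:
            findings.append(f"link text shows {registered_domain(shown.group(1))!r} but points to {target!r}")
        if target not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain {target!r}")
    for src in IMG_RE.findall(html):
        findings.append(f"remote image {src!r} (loads only if images are auto-displayed)")
    return findings


def analyze(raw):
    """Return a list of human-readable red flags for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    return check_sender(msg) + check_links(content)


if __name__ == "__main__":
    for line in analyze(RAW_MESSAGE):
        print("FLAG:", line)
    print("clean message flags:", analyze(CLEAN_MESSAGE))
```

The registrable-domain helper is deliberately simple (it treats `co.uk`-style suffixes as a domain of their own); a production filter would use the public suffix list, and would also check SPF/DKIM results rather than the From header alone, since the From header is entirely attacker-controlled.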
Use Strong Passwords
Think about your password: does it include obvious personal information such as a birthday? Do you use the same password for different logins? If either of these common practices applies to you, you don't have a strong password. A strong password is at least eight characters, and longer is better, since each added character does more for its strength than swapping in another symbol; it mixes letters, numbers and symbols, and it avoids information that is easy to look up or guess, such as a birthday, a pet's name or a school. Just as important, use a different password for every login, so that a breach at one site does not force you to change, or silently expose, the same password everywhere else.
Realistically, remembering dozens of unrelated passwords full of symbols is no easy feat. Password managers solve this: they generate a unique random password for each login and store all of them in an encrypted vault unlocked by one strong master password (ideally with a second factor), so the only secret you have to remember is that one.
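To make the advice above concrete, here is an added example (not code from the original article) that generates passwords the way a password manager does, using Python's `secrets` module rather than `random`, compares the entropy of a short symbol-heavy password against a longer plain one, flags passwords built from personal facts, and finds reuse across a vault. The word list, the sample vault and the list of personal facts are constructed for the example.

```python
import math
import secrets
import string

# Full printable set a password manager would draw from: 94 characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Tiny constructed word list; real passphrase lists (e.g. Diceware) have 7776 words.
WORDS = ["copper", "lantern", "meadow", "orbit", "velvet", "harbor", "pixel", "thistle"]


def generate_password(length=16, alphabet=ALPHABET):
    """Uniformly random password from a CSPRNG. Rejects anything below the page's 8-char floor."""
    if length < 8:
        raise ValueError("minimum length is 8; 16 or more is recommended")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=WORDS, count=5):
    """Random multi-word passphrase; strength comes from list size and word count."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def contains_personal_info(password, facts):
    """Return the personal facts (birth year, pet, school...) that appear inside the password."""
    pw = password.lower()
    return [f for f in facts if len(f) >= 3 and f.lower() in pw]


def reused_passwords(vault):
    """Map each password used for more than one login to the logins sharing it."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Length beats symbols: 12 lowercase letters outscore 8 characters from all 94.
    print("8 chars, 94 symbols:", round(entropy_bits(8, 94), 1), "bits")
    print("12 chars, lowercase:", round(entropy_bits(12, 26), 1), "bits")
    print("5 Diceware words:   ", round(entropy_bits(5, 7776), 1), "bits")
    print("generated:", generate_password(), "|", generate_passphrase())
    print("personal info:", contains_personal_info("Fluffy1984!", ["fluffy", "1984", "lincoln"]))
    # Constructed vault showing the reuse the text warns about.
    vault = {"bank": "Tr0ub4dor&3", "email": "Tr0ub4dor&3", "payroll": "x9!Qm2#vLp8$Wz4r"}
    print("reused:", reused_passwords(vault))
```

The entropy figures assume the password is genuinely uniform over the alphabet, which is exactly why generation should be left to a CSPRNG or a password manager; anything a person composes by hand (a pet's name plus a year) has far less entropy than its length suggests.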
Educate Your Employees
Many people fall victim to malware through inexperience or because they act quickly without thinking. Had the CEO and CFO of that European company taken the time to question the whaler's request for money, they would have saved their jobs, the money and the embarrassment. You may think you would never be gullible enough to fall for such an email, but the lures are designed to be convincing, and some of the enticements really are too good to be true.
That's why it's important to educate employees about malware: the different types, what to look for and, of course, how to avoid it. It only takes one employee misstep for your business to be compromised, so keeping everyone current on the latest tricks is one of the best ways to protect against malware.
With attack methods changing constantly and so many malware variants in circulation, protecting yourself is more of a requirement now than it was in the past. Many of these steps take only a minimal amount of time for a very large benefit, so it's critical to take the time to protect your company.