Phishing and spear-phishing emails are an ever-present problem for businesses, and the criminals are only getting better at fooling people. Understanding and being able to spot phishing and spear-phishing emails is a vital part of employee training at Anderson Technologies. But reading about how to spot them and actually spotting them are different things.
Worse yet, the phishing websites those email links go to often appear legitimate, right down to having the secure lock icon in the browser. In their 2018 1st Quarter Report, the Anti-Phishing Working Group notes that “more than a third of phishing attacks [reported to them] were hosted on web sites that had HTTPS and SSL certificates.” They attribute this in part to the fact that consumers believe they can trust all HTTPS sites, or they at least recognize a site without encryption asking for personal or financial information is not secure.
It’s vital to know whether an email is legitimate business or a scam hoping to trap you, but how confident are you that you can tell? Take our quiz to see if you can tell the difference between a legitimate email and a fake one.
Hopefully you were an expert phisherman, but if not, it’s not too late to brush up on some basics.
- Know what you’ve ordered and who your vendors are. If you didn’t order anything from the person, don’t trust their emails.
- Always check the sender’s address before clicking on links or attachments, even if it looks like a company you trust.
- Read the email completely before clicking links. Poor grammar or obvious spelling/branding mistakes are key signs of phishing emails.
- If you’re unsure if an email is really from a company you trust, go to their website manually, not through a link provided in the email. If it’s real, you can look up the information through your account, and if not, you’ve just protected yourself.
- Don’t panic! Urgent calls for action to avoid loss of service or legal action are meant to upset you. Don’t let them. Read everything carefully and verify there’s a problem by using the service mentioned or calling the company using the number on their website, not in the email.
- If all else fails, Google it. These emails are widespread and a quick Google search will most likely bring up a hundred different people receiving the same fraudulent email.
If you’d like a refresher course on e-mail safety, contact Anderson Technologies to schedule an employee cyber security training seminar. Reach us by email at email@example.com or by phone at 314.394.3001.
The new year is here, and a useful resolution for every small business is training employees on how to stay safe online. Many small businesses rely on their employees’ common sense when it comes to password creation, email threats, and avoiding unsavory websites, but what exactly is common sense in cyber security terms? Someone untrained in cyber security techniques won’t have the same kind of common sense as someone steeped in the latest security threats and updates. That’s why formal cyber security training for employees should be an important part of every business.
Your small business can benefit from more in-depth cyber security training for your employees, and the best course of action would be to enlist the help of a local IT consulting company or your managed IT service provider. They are the experts and know what common mistakes can lead to trouble for your business and your bottom line. Regardless of who provides the training, there are a few key topics any instruction on common sense habits should include.
Passwords remain the most widespread form of identity verification on the internet, so how a user creates a secure password is important. For years, websites and apps demanded passwords of at least eight characters, capital and lowercase letters, at least one number, and a special character. Most people think they have a strong grasp of what makes a secure password. Unfortunately, they’d be wrong, thanks to new cyber security guidelines.
Last year the National Institute of Standards and Technology (NIST) released the Digital Identity Guidelines. This report states that the current method of password creation is making passwords more predictable because people “have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed.” When a site enforces the letter, number, symbol requirements, people tend to make predictable alterations to that easily-guessed password, or they end up writing down the password in order to remember it. Neither option makes the password very secure.
The new guidelines suggest that users be allowed to make longer, more memorable pass phrases that are not easily guessed. Memorability is more important than complexity. Randomized passwords are still the strongest option, but may lack memorability. A password manager such as LastPass or Dashlane could be the best solution, giving the user complex, randomly generated passwords without the need for memorization.
Emails are key to most phishing and spear phishing campaigns, so training your employees on this cyber security threat is crucial. Criminals hope to trick an unsuspecting user into clicking on a link or attachment that leads to or contains malicious content. Thankfully, common sense generally tells people not to click on a random link pasted into the body of an otherwise empty email, even if it comes from someone on their contact list. But, as with passwords, our understanding of common sense needs to be updated.
Spear phishing campaigns have become dangerously sophisticated, and knowing how to stay safe online means being skeptical of anything that feels a little off. Emails from companies about services you didn’t buy, unexpected closure of accounts, or missing information are all ways criminals lure you into clicking on a link in an email.
Teach your common sense to look beyond the layout and familiar logos. Spear phishing can often be identified by misspelled email addresses or country codes that don’t belong to the company. A user must be vigilant, as these changes are subtle and sometimes hidden by a name in place of an email address. Hover over the links or name to reveal the full address without clicking on it. Make sure to double check anything that doesn’t make sense.
Another way to ensure you’re not caught by a spear phishing attempt is to always go to a company’s website manually rather than from a link provided. Some criminals use links that send you to a fake mirror website to trick you into logging into your account. The criminal records your login information and then has access to the real account with you none the wiser. By choosing to go to your account from another tab or window without clicking the link, you can verify if something is actually wrong with the account without the risk of giving up your information.
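The two checks described above (who really sent the message, and where a link really goes) can also be automated. The following is an added example, not part of the original article: the trusted-domain list and the sample message are constructed, the function names are hypothetical, and it assumes a single-part HTML email.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains of vendors you really do business with.
KNOWN_DOMAINS = {"examplebank.com", "example-supplies.com"}

# Constructed sample message for illustration, not a real email.
SAMPLE = '''From: "Example Bank" <alerts@examplebank.com.co>
To: user@example.org
Subject: Account notice
Content-Type: text/html; charset="utf-8"

<p>Please review your account:
<a href="https://login.examp1ebank.com/verify">https://www.examplebank.com/login</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
'''


def classify_host(host):
    """Return 'known', 'lookalike:<trusted domain>' or 'unknown'."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
        return "known"
    for d in sorted(KNOWN_DOMAINS):
        # Trusted name with an extra country code or suffix appended.
        if host.startswith(d + ".") or f".{d}." in host:
            return f"lookalike:{d}"
        # Near-miss spelling: compare the same number of trailing labels.
        tail = ".".join(host.split(".")[-(d.count(".") + 1):])
        if SequenceMatcher(None, tail, d).ratio() >= 0.85:
            return f"lookalike:{d}"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return findings as (kind, address or host, verdict, what the reader sees)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    verdict = classify_host(addr.rpartition("@")[2])
    if verdict != "known":
        findings.append(("sender", addr, verdict, name))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        target = (urlsplit(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text, re.I)
        shown_host = shown.group(1).lower() if shown else None
        verdict = classify_host(target)
        # Flag untrusted targets and text that advertises a different host.
        if verdict != "known" or (shown_host and shown_host != target):
            findings.append(("link", target, verdict, shown_host))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

The hostname comparison is deliberately simple; a production filter would use the Public Suffix List to find the registrable domain and would also decode multipart and encoded bodies.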
Surfing the Web
Common sense for how to stay safe online starts with the business owner. Installing an enterprise-level firewall is the first and best defense against a cyber attack. These can often be configured to your business’s needs and block content you don’t want employees viewing on a company computer. Sites with disreputable content are prime targets for cyber criminals. Ensuring your employees never access unsafe sites will protect your company.
It’s also important to activate any “safe search” functions within your browser and on your anti-virus and anti-malware programs. These check any site you search for against a list of sites known to be compromised. Such sites can come up in any search without you realizing it. Criminals create websites meant to trick you into thinking they belong to a legitimate business and even hack into real sites. Safe search is another layer of common-sense IT protection.
These are just a few of the common sense procedures your employees should follow. For cyber security training and in-depth answers to common sense mistakes, turn to Anderson Technologies, a St. Louis IT consulting company that offers on-site training seminars for small businesses. Let our expert consultants teach you what to avoid to keep your business safe. Contact Anderson Technologies at firstname.lastname@example.org or call us at 314.394.3001.
St. Louis IT company Anderson Technologies is committed to educating its clients, as well as St. Louis at large, about cyber security and IT best practices. As part of that mission, it is offering free cyber security training workshops in which participants learn how to protect their computer systems from cyber attacks.
Small business owners have a lot on their plate. While it’s understandable that cyber security and other IT issues could fall through the cracks, there’s simply too much at stake to let that happen. Cyber crime targeting small businesses is on the rise everywhere, and St. Louis is no exception. By adhering to IT best practices, employees can mitigate their risk of being victimized by a cyber attack, including ransomware. In fact, it’s one of the smartest things they can do to help protect their business.
The team at Anderson Technologies strives to deliver clients the best managed IT services possible. It also wants to educate them. That’s why it recently unveiled a free Onsite Cyber Security Training program to provide educational workshops about IT best practices. The IT company offers the sessions free of charge and holds them at clients’ offices for their convenience.
Mark Anderson, principal of Anderson Technologies, understands audience members have varying degrees of tech proficiency, so he designs his talks to resonate with non-technical staff members as well as those with deeper domain knowledge. Topics covered include:
- Cyber crime and how it can impact you and your business
- The importance of a multi-layered security approach
- Creating reliable data backups and a strong disaster recovery plan
- Why you need a hardware firewall and business-grade anti-virus/anti-malware software
- Digital best practices all your employees should follow
Anderson also teaches participants how to recognize phishing emails and how to safely make company purchases online. After his presentation, questions from the audience are encouraged. He says the Q&A is one of the most valuable portions of the session.
The St. Louis cyber security and IT company ran its first free cyber security training seminar this April at Smile Station Dental, where Anderson fielded questions about password management and what to do if you think your computer has been infected with malware.
Even if a business has taken the proper precautions to protect its data from cyber attacks, an employee can unwittingly infect the network with malware by clicking a nefarious link or downloading a dangerous attachment. These scams have become tougher to spot as criminals get better at spoofing legitimacy. The increasing difficulty is what makes education even more crucial. By teaching its clients best practices and how to recognize red flags, Anderson Technologies believes it can help keep them safer online.
“Education is power,” says Anderson. “We want everyone to be as knowledgeable as possible, which is why we offer these workshops as a value-add for our clients, as well as to others in the St. Louis community. We believe educating users about cyber security best practices can save everyone trouble in the future and help limit the number of cyber attacks.”
As part of its mission to educate the St. Louis community about cyber security, the IT company has also produced an ebook, An Employee’s Guide to Preventing Business Cyber Crime. Educating every employee, at every level of the organization, is an often-overlooked step of cyber security. This guide is specifically designed for small businesses and emphasizes that every employee has a role to play when it comes to keeping a business safe from mounting cyber threats. The ebook is available to download for free.
Anderson Technologies is a St. Louis cyber security company committed to providing quality IT services to St. Louis and beyond. If you’re interested in setting up a free cyber security training session at your office, contact Anderson Technologies by sending an email to email@example.com or calling 314.394.3001.
When it comes to small business cyber security, you could be doing everything right, but it just takes one wrong click from a well-meaning employee to undo all your hard work. Here’s what to cover during business cyber security training for your team.
One of the most overlooked steps to small business cyber security is employee education. Cyber criminals are stepping up their game and increasingly targeting small businesses. Every employer must find the time to educate its team members about digital safety. The global cost of cyber crime is projected to reach more than $2 trillion by 2019. It’s worth taking the time to provide thorough cyber security training to your employees. While doing so, make sure to include the following topics.
- Spear Phishing Emails Are on the Rise
Spear phishing is a more sophisticated form of phishing in which criminals target a particular victim rather than a wide audience. These emails often appear to be sent by legitimate sources, such as a colleague or trusted vendor, and are designed to trick the recipient into providing personal information, like a credit card number or password.
Spear phishing emails targeting employees increased by 55 percent in 2015, according to research from Symantec. Warn your team to:
- Be skeptical every time they’re asked for personal information.
- Hover over links and email addresses to ensure target URL credibility.
- Refrain from downloading attachments unless they’ve verified the sender.
- Ask you or your outsourced IT services provider for help when in doubt.
- The Art of Password Management
Cyber criminals use software that helps them guess people’s passwords. Do not make their job easier. Teach your employees the importance of creating effective passwords. You can also consider implementing a password management tool for employees to use as an added security measure. Your cyber security training should include the following tips:
- Do not use the same password for everything.
- Do not use real words that can be found in the dictionary or obvious things like the name of your business.
- Use a combination of numbers, uppercase and lowercase letters, and symbols.
- Change passwords on a regular schedule.
- The Web Can Be a Dangerous Place—Get Out of Autopilot
It’s easy to be lured into a false sense of security as you browse the web. It’s so familiar, and you may have been using it without incident for work and personal purposes for some time.
Business owners must teach their employees that the internet can be a dangerous place. In fact, nearly 75 percent of legitimate websites have security vulnerabilities that could put users at risk. Business owners need to:
- Create guidelines for appropriate digital behavior. Seedy content breeds seedy behavior, so keep your employees off inappropriate sites at work.
- Teach employees that legitimate sites can have vulnerabilities.
- Install and maintain an enterprise-level firewall coupled with safeguards such as a subscription for content filtering and intrusion protection.
- Use anti-virus and anti-malware programs that include “safe search” features that help flag sites that have been compromised.
- Consider partnering with a managed IT services provider who can make sure your business implements these steps correctly.
These tips are just the beginning. Cyber security training for every employee, even administration and management, proves itself to be invaluable in the event of a potential threat. For more information on what your employees need to know about small business cyber security, including what to do when they click a link they shouldn’t have, check out An Employee’s Guide to Preventing Business Cyber Crime.
Anderson Technologies is a St. Louis IT consulting company that can help your small business educate its employees about effective cyber security practices. For more information on our cyber security training services, call 314.394.3001 today.
Make sure your new employees are productive from day one by checking all the boxes on this IT to-do list.
Finding and recruiting the right talent is one of the most challenging and crucial components of running a small business. Once you’ve welcomed new members to your team, it’s important that they can hit the ground running, not only because it’s good for productivity, but also because their onboarding experience is a reflection of your company.
Show new employees you are organized and committed to providing an environment that breeds great work by taking the following actions—and do it before they walk through the office door, not while they wait awkwardly for their workstations to be ready. These tips will also help you preserve your small business network security and ensure your recruits adhere to cyber security best practices.
Determine how every new hire’s job function affects IT needs
Hopefully, you had clear ideas of your new hires’ responsibilities before you made offers. Now consider how these duties affect IT requirements. The nature of their roles will help you assess the following:
- Should they use a PC or a Mac?
- What size monitor do they need?
- How much memory do they need?
- What software programs do they require?
- How mobile are they? Will they be traveling frequently and/or need the ability to work from home?
The answers to these questions will help you choose the right computer and hardware for the position. If you work with an outsourced IT services company, the experts there can do this for you. They can also make sure you do not overspend or throw money away on a low-quality machine.
Set up the computer
An outsourced IT services partner will set up the new computer with the particulars of the job function in mind. Whether you’re hiring a vendor or doing it yourself, consider how your office is wired, and be sure to get the computer on the network before the employee arrives. If he or she will primarily work from an office desk, use a hardline connection to the server room (rather than relying only on Wi-Fi) to minimize connectivity complications and reduce network security issues.
If your new hire will use an existing computer, make sure your IT partner migrates data from the previous user to the appropriate parties before creating a new user ID.
Connect to the printer
Set up and test the connection to the printer. If new employees will be handling confidential information, such as HR documents or company financial information, consider if they need a dedicated printer, rather than printing to a shared device.
Create an email address
Before creating new email accounts, make sure you or your outsourced IT services partner thinks about whether employees need to access email remotely; if so, be sure their configurations can securely accommodate this. Remember to tell new hires to change their passwords, and share password security best practices.
If appropriate, you or your IT partner can help your employees set up email on their mobile phones and walk them through remote access guidelines once they have started.
Determine permissions level
If you have a file server, determine which directories the employees need access to. Anderson Technologies recommends providing access to folders and files on a need-to-know basis and limiting administrator privileges to curb the ramifications of a potential cyber attack.
Set up relevant software applications
Install and create accounts for all necessary software programs. Be sure to track all software license keys in a central place so you’re prepared for a potential software audit. An outsourced IT services partner can do this for you and keep track of when software was purchased and when subscriptions need to be renewed.
Prepare for any necessary IT training
Create a user training plan so your employees feel comfortable with your technology, software, and approach to IT security. Provide education from the onset so they know exactly what to expect. If you’re working with an outsourced IT services provider, ask the provider what level of training it can provide to your staff.
Ask the new hire to review and sign your policies on confidentiality, email and web use, and business network security
Make it clear from the beginning that all employees are expected to abide by strict cyber security rules and best practices. This especially includes password security. Are social media sites or personal email prohibited during the work day? Now is the time to share any restrictions. Present them in writing, ideally as part of your new employee handbook.
Don’t have an existing employee guide to cyber security best practices? Anderson Technologies’ ebook, An Employee’s Guide to Preventing Cyber Crime, a comprehensive educational resource for small businesses, is coming soon. Check back in January!
Anderson Technologies is a St. Louis IT consulting company that provides outsourced IT services, including employee onboarding, IT security, cloud services, hardware and software acquisition, and more. Call Anderson Technologies at 314.394.3001 today for your IT needs.
UPDATE: New guidelines from the NIST released August 2017 changed the way we all should look at passwords. Read our blog post regarding updated password recommendations by clicking here.
Password security is a fundamental element of cyber security. Defending your business from cyber attacks is one of the most important safeguards needed to ensure your company’s ongoing success. In addition to protecting sensitive company information, private client data must also be secured. A recent article published in InfoWorld reported that the underground market for compromised servers may be much larger and more active than anticipated. The publication cites websites selling login information for over 170,000 hacked servers.
One way to safeguard your business is by adopting a clear password policy to increase security and provide a roadmap for avoiding common password mistakes. Here are six guidelines Anderson Technologies provides its clients to better guard against hackers and strengthen cyber security.
Six Guidelines for Increasing Password Security
- Include a mix of upper and lower case letters, numbers, and symbols
A good suggestion for creating an easy-to-remember yet secure password is to start with a favorite phrase or quote such as “Keep calm and carry on.” Take the first letter of each word in the phrase, interleave a numerical sequence such as 5-9, and add two random symbols to create a very complex password. A password resulting from our example above would be K5c6a7c8o9&%.
- Use a minimum of eight characters
The longer the password, the more secure it is. There are 12 characters in the example above. When using this formula, find phrases containing at least four words. This results in passwords of at least ten characters.
- Avoid using the same password for multiple websites or logins
It’s worth investing the extra effort to generate unique passwords for your important accounts. Doing so greatly reduces your exposure if a particular account is compromised.
- Change your passwords on a regular basis
This is another task commonly neglected. However, it is critical to keeping accounts secure.
- Do not allow web browsers (such as Chrome, Firefox, or Internet Explorer) to remember passwords
While many browsers offer this convenience for their users, it’s also an open door to the hacker who gains access to your computer.
- Implement a robust password management system
Having a good password management system will safeguard and organize your passwords. Many also help you generate strong passwords. For redundancy, ensure at least two people know the login credentials to the management system in case the principal user is unavailable.
Password Management Systems Provide Security and Peace of Mind
While all of the guidelines in this article help avoid common mistakes, consistent implementation is an ever-increasing challenge as the number of passwords we manage grows. This is where password management systems provide the most benefit.
Anderson Technologies offers guidance to clients for advanced password management systems that provide built-in security and peace of mind. Here are several major cyber security benefits of a password management system:
- Passwords are secured through encryption and two-factor authentication
- Passwords are safely stored and organized — no more forgotten passwords (or passwords written on scraps of paper) and the time lost to reset them
- Employees can focus on their work instead of password security
- Master passwords are designated to principals or other individuals who can access them in case of emergency
If you would like help ensuring your systems are protected and your passwords secure, please give Anderson Technologies’ cyber security experts a call at 314.394.3001.