When it comes to Internet security, smaller companies can be at a disadvantage. Unlike enterprises that may have complex and expensive layers of security that protect them from outside infiltration, smaller companies probably use some kind of inexpensive antivirus protection software, not understanding it will only protect them from about 40 percent of threats. That's according to Joel Smith, cofounder and CTO of email and web security company AppRiver, who says a slew of affordable options exist for keeping a company's machines from "getting owned" due to the dumb things employees might be doing while at work. Here are the dangerous activities he says you need to watch for.
1. Opening attachments and links supposedly sent from financial institutions or the government.
Spam filtering technology has evolved to the point where a lot of bad guys don't even waste their time with it anymore and resolve instead to simply infect machines and harvest the data they store. They do it by posing to be a legitimate entity--such as the IRS--and sending an email message claiming that there's a problem such as a refund which can be fixed by installing attached software. "The take away from that is, don't click on the attachment," he says. "Financial institutions and the government will not send you an email and say, 'Here's something in the attachment that we need you to take a look at it." And don't follow links sent to you via email, as well. Instead, go directly to an institution's website by typing its address yourself into your browser's address bar.
2. Downloading free stuff.
Whether it's free videos, songs or apps, if it's not offered from a legitimate source such as the iTunes store or Google Play, people are taking a huge risk by saving this kind of content on their machines. When they do, they could unintentionally be installing a remote-access tool an outsider could use to capture a week's worth of keystrokes that could be extracted. Think about the wealth of data that migrates through an employee's fingers and keyboard onto the computer or Internet--everything from passwords, financial or customer data, credit card and social security numbers. "It ends up being the everyday employee, someone in the accounting department who is versed in accounting but not in the ways that computers can be compromised," he says.
3. Giving a mother's maiden name or other personal information to an unknown entity.
It's one thing when you're creating an Amazon account, but quite another when you're signing up for some new or unknown service. Why? Criminals are using targeted automation to go after certain kinds of people--say, teachers who work in a certain city. Malefactors build SEO websites and send massive email blasts that appeal to these people when really they only want their logon credentials. "When you're signing up for different services and they're asking for things for mother's maiden name, first pet's name, that kind of stuff, have a system in your head to create unique names based on that vendor," he says. "Either that, or use some sort of password manager." In case you don't know what he's talking about, check out LastPass, which will create and remember unique passwords for any website you use.
4. Giving information to another employee in a different location.
Is there a chance your employee could unwittingly give away too much information to someone posing as another employee? Is there a way to verify this person is who he says he is? "Employees want to be helpful," he says. "The conversation can quickly end up where they're divulging information that they don't need to about a particular customer."
5. Sending a credit card number or other sensitive information via unencrypted email.
Once a message is within the central email system it can be seen by administrators or anyone who has access to it on a network provider level. The system makes 30-day backups of messages, which are eventually rolled into older systems that might keep backups around for years. "So your email can live on and have a hundred copies that last forever," he says. "Eventually, somebody's going to come along, find those backups, grab them and then have all that information." Instead, use a cloud service that lets you encrypt a particular message with one click. Not only will it protect sensitive information, it will show you who received an email and what they did with it, such as printing or forwarding to another person.
6. Traveling with a business card as a luggage tag.
It seems like a sophisticated thing to do--conveying to fellow travelers that you're a professional business person. But think about the kinds of things you could learn about a person if you had her full name, what she does for a living and where she works. A Google and social media search alone could turn up a wealth of information. How easy would it be for a bad guy to craft a tailored email that looked as if he actually had some connection to a traveler so as to get her to respond and give up personal information? "Being a little more anonymous when you travel is probably a good idea," he says.
As for how to know if your security may have been compromised, Smith says to look for clues such as a computer that's suddenly running much slower than usual, a web browser that keeps redirecting a user to different sites or a business password that's getting locked out--an indication someone might be trying to guess it. "This is where cloud security services can come into play and they can monitor network traffic and detect and alert you to anything malicious," he says.