According to published reports, cyberattacks in the U.S. jumped 57% in 2022 — and 38% globally — compared to 2021, as smaller, more agile hacker and ransomware gangs drove much of the activity. Many attacks targeted smaller businesses, which underlines why they stand to benefit from Cyber Security training. Just as a good cyber defense uses a layered approach, a robust Cyber Security training program designed by an experienced outsourced IT support partner will address issues in a multifaceted manner, recognizing that employees are on the front lines.
Phishing Attacks Can Reel in Business Users
Phishing — a form of social engineering in which attackers trick users into revealing sensitive information or installing malware such as ransomware — is the leading infection vector, so an effective Cyber Security training program will begin by guarding against phishing and other social engineering attacks. The core of such a program centers on three words: “Do. Not. Click.” The goal is to get employees to resist the temptation to open an attached file or follow a hyperlink unless a) they were expecting it and b) its authenticity has been verified. More than 90 percent of attacks are reported to begin with a phishing email, so even if a message appears to come from a trusted source, the user should verify it with the source before opening the attachment. That is as easy as phoning the sender on a number the user already has, or writing to an address already in the company's records, and asking whether they really sent the message and attachment. The one firm rule is that the phone number or address must not be taken from the suspicious email itself: the attacker controls everything in that message, including any “call us at” number and the Reply-To address.
Professional services firms in New Orleans and elsewhere have been reeled in by these kinds of schemes. For instance, a phishing email that appears to come from a trusted financial institution may ask for account information to resolve an alleged problem. The email may use familiar logos and names that make it appear legitimate. But if the unsuspecting user supplies the requested information, their accounts will be compromised.
Phishing awareness training teaches users to recognize common signs of a scam. These can include items such as spoofed hyperlinks or a suspicious sender address. The training will also inform users how to avoid falling victim to an attack, while periodic phishing simulations — or realistic-looking phishing emails sent to employees to gauge their awareness of attacks and what to do when they receive a phishing email — can reinforce the training.
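The tells listed above (a spoofed hyperlink, a suspicious sender address) can also be checked mechanically, which is how mail gateways and phishing-simulation tooling score a message. The script below is an added example and is not part of the original article or of any eMazzanti product: it parses a raw email and reports the classic indicators, namely a sender domain that imitates a known brand, a Reply-To that goes somewhere other than the sender, link text that shows one host while the link points at another, raw-IP and punycode link hosts. The trusted-domain list, the brand words and both sample messages are constructed for illustration.

```python
"""Flag common phishing indicators in a raw RFC 5322 message (added example)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the firm genuinely corresponds with, and the brand words
# that attackers bolt a lookalike prefix or suffix onto.
TRUSTED_DOMAINS = {"firstbank.example", "onedrive.example"}
BRAND_WORDS = {"firstbank", "onedrive"}

# Constructed sample: several tells at once (lookalike sender, foreign Reply-To,
# link text that does not match the real target, raw IP address as link host).
SAMPLE_EML = """\
From: "First Bank Alerts" <alerts@firstbank-secure-login.example>
Reply-To: recover@mailbox-collect.example
To: jane@smallfirm.example
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>We found a problem with your account. Please sign in at
<a href="http://198.51.100.7/login">https://www.firstbank.example/login</a>
within 24 hours or it will be suspended.</p></body></html>
"""

# Constructed sample of a legitimate notice from the same bank, for contrast.
CLEAN_EML = """\
From: "First Bank" <alerts@firstbank.example>
To: jane@smallfirm.example
Subject: Your March statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.firstbank.example/">www.firstbank.example</a>.</p></body></html>
"""


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower()


def _host(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def _lookalike(host):
    """A host that borrows a brand word but is not (under) the brand's real domain."""
    return not _trusted(host) and any(b in host for b in BRAND_WORDS)


def phishing_indicators(raw):
    """Return a list of (indicator, detail) tuples; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = _domain(msg["from"].addresses[0].addr_spec) if msg["from"] else ""
    if _lookalike(from_dom):
        findings.append(("lookalike-sender", from_dom))
    if msg["reply-to"]:
        reply_dom = _domain(msg["reply-to"].addresses[0].addr_spec)
        if reply_dom != from_dom:
            findings.append(("reply-to-mismatch", reply_dom))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _Links()
        parser.feed(body.get_content())
        for href, text in parser.links:
            host = _host(href)
            # Visible text that looks like a URL but resolves to a different host.
            if "." in text and " " not in text and _host(text) != host:
                findings.append(("link-text-mismatch", f"{text} -> {href}"))
            if host.replace(".", "").isdigit():
                findings.append(("raw-ip-link", host))
            if any(label.startswith("xn--") for label in host.split(".")):
                findings.append(("punycode-link", host))
            if _lookalike(host):
                findings.append(("lookalike-link", host))
    return findings


if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_EML):
        print(f"{code:20} {detail}")
```

Run against the constructed sample the script reports four indicators; against the clean notice it reports none. None of these checks proves a message is malicious on its own (legitimate newsletters use Reply-To and tracking links), so a gateway scores them, while training teaches the user to treat any one of them as a reason to verify out of band before clicking.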
Safely sharing and storing information should also be addressed by educating employees about data protection essentials. With the rise of remote work, for example, employees are using email more often and are using cloud services regularly, including storing and sharing files with such services as Microsoft OneDrive or Dropbox.
But many users do not understand the risks that accompany the convenience of cloud computing, so training programs should address compliance concerns that accompany the transfer and storage of sensitive information. For example, to remain HIPAA compliant, employees in healthcare organizations must use strong encryption when transferring protected health information.
Password Protections
Passwords are another critical area. Best practices call for user-generated passwords of at least eight characters (longer is better), avoiding sequential runs such as “abc” or “123” and repeated characters such as “aaa”, and users should never reuse a password across sites, because a breach at one site then unlocks the others. To avoid memorizing a distinct password for every site, a password manager, a software application that stores and manages online credentials and can generate long random passwords, may be used, as long as it keeps the stored passwords encrypted. The password manager is unlocked with a single memorized passphrase, which should be long, should use unusual spelling, capitalization, and characters so that it is hard to guess or crack, and should never be reused anywhere else.
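As an added example (not from the article), the checks below turn the password rules above into code of the kind a password manager or sign-up form runs: minimum length, no repeated or sequential runs, no reuse of a password already stored for another site, plus one check the text does not mention but practitioners rely on, screening against a list of commonly breached passwords, since “password” satisfies every length and character rule and is still useless. The deny list and the vault contents are constructed for illustration.

```python
"""Password policy checks and manager-style generation (added example)."""
import secrets
import string

# Constructed stand-in for a breached-password list; a real check uses a large
# list or a k-anonymity lookup service, not five entries.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome1"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_repeated_run(pw, n=3):
    """True if any n consecutive characters are identical, e.g. 'aaa'."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def has_sequential_run(pw, n=3):
    """True if any n consecutive characters step by exactly +1 or -1, e.g. 'abc', '321'."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def password_issues(pw, site=None, vault=None):
    """Return the rules a candidate password breaks; an empty list means acceptable.

    vault maps site -> stored password, so reuse can be detected; the entry for
    `site` itself is ignored so that updating a site's own password is allowed.
    """
    issues = []
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    if has_repeated_run(pw):
        issues.append("contains a repeated run (e.g. 'aaa')")
    if has_sequential_run(pw):
        issues.append("contains a sequential run (e.g. 'abc' or '321')")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("appears on a breached-password list")
    if vault:
        reused = sorted(s for s, v in vault.items() if v == pw and s != site)
        if reused:
            issues.append("reused from " + ", ".join(reused))
    return issues


def generate_password(length=16):
    """Random password as a manager would generate it, rejected and redrawn if it
    happens to trip one of the checks above (rare, but cheap to guard against)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_issues(pw):
            return pw


if __name__ == "__main__":
    vault = {"bank.example": "Tr0ub4dor&3", "mail.example": "correct-horse-battery"}
    for candidate in ("Tr0ub4dor&3", "abc12345", "Password", "aaa1"):
        print(candidate, "->", password_issues(candidate, site="payroll.example", vault=vault))
    print("generated:", generate_password(20))
```

Note that these rules only reject obviously weak choices; they cannot make a human-chosen password strong, which is why the second half of the advice (let the manager generate and remember site passwords, and spend the human effort on one long master passphrase) matters more than the character rules.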
Another issue is the rise in work-from-anywhere activity, which means employees are increasingly using cell phones, tablets, and other mobile devices for business. Besides securing these devices with strong passwords or PINs, employees should avoid risky practices such as using public Wi-Fi without a VPN. To further strengthen security, users and organizations should implement multi-factor authentication (MFA), a login process in which users must present something in addition to a password. Not every second step is equal: a “secret question” is just another thing the user knows, so it adds little beyond the password, and a code sent by email is only as strong as the email account it lands in. A time-based one-time code from an authenticator app, a push approval, a fingerprint scan, or a hardware security key is a genuinely separate factor and should be preferred.
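To show what the authenticator-app code actually is, the following is an added example (not from the article) implementing the HOTP and TOTP algorithms from RFC 4226 and RFC 6238 with Python's standard library: the app and the server share a secret at enrolment, both derive the same six-digit code from the current 30-second time step, and the server accepts a small window of steps to tolerate clock drift while refusing to accept any step it has already accepted, so a code captured by a phishing page cannot be replayed. The secret used is the RFC 6238 test-vector secret, so the values can be checked against the standard; the issuer and account names are placeholders.

```python
"""HOTP / TOTP one-time codes per RFC 4226 and RFC 6238 (added example)."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30

# The ASCII secret from the RFC 6238 test vectors; a real deployment generates
# a fresh random secret per user at enrolment (e.g. secrets.token_bytes(20)).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an authenticator app scans (as a QR code) at enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits=6&period={STEP_SECONDS}")


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_step: int = -1, drift_steps: int = 1):
    """Server-side check. Returns the accepted time step, or None.

    Accepts the current step plus or minus drift_steps for clock skew, compares
    in constant time, and refuses any step at or before the last accepted one so
    that a code intercepted by a phishing page cannot be replayed in the window.
    The caller must persist the returned step per user.
    """
    current = unix_time // STEP_SECONDS
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


if __name__ == "__main__":
    import time
    print(provisioning_uri(RFC_TEST_SECRET, "jane@smallfirm.example", "SmallFirm"))
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("code now:", code, "accepted step:", verify_totp(RFC_TEST_SECRET, code, now))
```

Two details matter in practice: the shared secret is the whole security of the scheme, so it is stored encrypted on the server and never shown again after enrolment; and the replay guard (`last_accepted_step`) is what distinguishes a correct implementation from one that merely computes the right digits.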
Finally, organizations should develop comprehensive policies for mobile device use and ensure they are communicated to employees, while security training should cover items in the policy. Such training may include instructions on configuring security controls on devices, standards for remote access, and how to report device loss or theft. Partnering with an experienced Cyber Security consultant can ensure an organization gets enterprise-level security training customized to the company’s specific needs.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken, N.J., providing IT consulting services for businesses ranging from home offices to multinational corporations.