Cyber-security is always at the forefront of the minds of IT Managers and departments, but not always for staff. To keep your company safe from a security incident, it’s in everyone’s best interest to know a bit about what you should watch out for and who could be a threat.


Who is attacking?

A threat actor, also called a malicious actor, is an entity that is partially or wholly responsible for an incident that impacts – or has the potential to impact – an organisation’s security. In threat intelligence, actors are generally categorised as external, internal or partner.

Today threats are increasing as attacks become more sophisticated and easier to execute, and threat actors are diverse, with many different motivations.

What do the attackers want?

There are a number of different threat actors out there, including insiders, hacktivists, organised crime and nation states. Their motivations and gains vary:

  • Financial – systems and data are worth money
  • Industrial – competitors want an advantage
  • Military – cyber warfare between nations
  • Ideological – hacktivist threat actors
  • Political – for example North Korea vs Sony
  • Prestige – the honour and title

Attacks are happening right now and are on the rise. The latest spate of phishing emails doesn’t simply try to lure you to a fake site to enter your credentials; the emails themselves carry malware. As soon as you click on a link in a phishing email, your computer, and possibly the entire network you are on, is infected. Many of the current malware attacks carry ransomware, which locks down your computer until a ransom is paid. You can read more about the latest malware phishing attacks in this blog post: Phishing emails carrying malware are on the rise.


Security Basics for Staff

What can staff do on a day to day basis to keep their credentials safe and to protect company data?

Be Vigilant – look out for people, emails, websites or activities that look out of place; keep your eyes open and learn what to look for.

Be Diligent – use the correct systems and follow corporate policy; protect all your corporate and personal data; practice password safety.

Report your suspicions – know who to tell and how; there is no need to be certain, you can let the experts decide.


Phishing

“The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers online.”

How to spot a phish

Phishing emails often use emotions like greed (they offer a financial reward), urgency (email gives a strict deadline for response), curiosity (the promise of something exciting or forbidden) or fear (they threaten negative consequences or punishment).

They usually use a generic greeting such as ‘hello friend’; they contain suspicious-looking links; the sender address doesn’t seem quite right; and the grammar or spelling might not be up to scratch.

Always beware of attachments, links and login pages – phishing emails often contain more than one of these.
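The indicators above can be turned into a simple, explainable scorer. The following is an added example, not code from the original post: it parses a raw email with Python's standard `email` module and checks for the signs listed in this section (emotional lures, a generic greeting, a Reply-To domain that differs from the From domain, link text that names a different site than the real href, links to credential pages, and attachments). The keyword lists and both sample messages are constructed for illustration.

```python
"""Heuristic phishing indicator checks over constructed sample emails (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed indicator vocabulary; real mail filters use far larger lists.
LURE_WORDS = {
    "urgency": ["urgent", "immediately", "within 24 hours", "will be suspended"],
    "reward": ["prize", "refund", "you have won", "bonus"],
    "fear": ["legal action", "unauthorised", "locked", "penalty"],
}
GENERIC_GREETINGS = ["dear customer", "dear user", "hello friend", "dear account holder"]
CREDENTIAL_PATHS = ["login", "signin", "verify", "password"]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' domain; enough for comparing hosts here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(address):
    """Registered domain of an e-mail address, or '' if it has none."""
    return registered_domain(address.rsplit("@", 1)[1]) if "@" in address else ""


def normalise(text):
    return re.sub(r"\s+", " ", text).strip().lower()


def phish_indicators(raw):
    """Return the sorted list of indicator names found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    found = []
    plain, html, attachments = "", "", []
    for part in msg.walk():                      # gather bodies and attachment names
        if part.get_filename():
            attachments.append(part.get_filename())
            continue
        payload = part.get_payload(decode=True)
        if payload is None:                      # multipart containers carry no payload
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/plain":
            plain += text
        elif part.get_content_type() == "text/html":
            html += text
    body = normalise(plain + " " + re.sub(r"<[^>]+>", " ", html))
    text = normalise(msg.get("Subject", "")) + " " + body

    for kind, words in LURE_WORDS.items():       # emotional lures (greed, urgency, fear)
        if any(w in text for w in words):
            found.append("lure:" + kind)
    if any(g in body[:80] for g in GENERIC_GREETINGS):
        found.append("generic_greeting")
    if attachments:
        found.append("attachment")

    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and from_domain and reply_domain != from_domain:
        found.append("reply_to_mismatch")        # replies would go somewhere else

    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", visible.lower())
        if shown and registered_domain(shown.group(0)) != registered_domain(href_host):
            found.append("link_text_mismatch")   # visible text names a different site
        if any(p in urlparse(href).path.lower() for p in CREDENTIAL_PATHS) \
                and registered_domain(href_host) != from_domain:
            found.append("credential_page_offsite")
    return sorted(set(found))


def phish_score(raw):
    """Number of distinct indicators found; anything above two is worth reporting."""
    return len(phish_indicators(raw))


# Constructed sample messages (not real mail).
PHISH = """\
From: PayBank Support <alerts@paybank.example>
Reply-To: PayBank Support <support@quickreply.example>
To: staff@company.example
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify it now.</p>
<p><a href="http://paybank-secure.example/login">https://www.paybank.example/login</a></p>
</body></html>
"""
LEGIT = """\
From: Alice Jones <alice.jones@company.example>
To: Bob Smith <bob.smith@company.example>
Subject: Minutes from Tuesday
Content-Type: text/plain; charset="utf-8"

Hi Bob,

The minutes are on the intranet wiki under Projects/Q3. Shout if I missed anything.

Alice
"""

if __name__ == "__main__":
    for name, sample in [("PHISH", PHISH), ("LEGIT", LEGIT)]:
        print(name, phish_score(sample), phish_indicators(sample))
```

The score is deliberately a count of independent signs rather than a single verdict, which matches the advice above: staff do not need to be certain, they only need enough signs to report it and let the experts decide.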


Password safety

Don'ts: avoid dictionary words, avoid sequential numbers such as 123456, and avoid personal information (names, birthdays, children, pets, sporting teams).

Do's: use phrases instead of single words, use different passwords for different purposes, and never use your corporate password on public websites.

To read in-depth information about passwords and how they are cracked, see our blog post How can I create an unbreakable password.
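The don'ts and do's above can be enforced mechanically. The following is an added example, not code from the original post: it flags dictionary words, sequential digit runs and personal information in a candidate password, and generates a random passphrase in the spirit of the "use phrases" advice. COMMON_WORDS, PASSPHRASE_WORDS and SAMPLE_PROFILE are small constructed lists for illustration; a real deployment would use a full dictionary, a breached-password set and a large passphrase word list.

```python
"""Password hygiene checks following the don'ts and do's above (added example)."""
import math
import re
import secrets

# Constructed lists; real checks use far larger dictionaries and word lists.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "football", "letmein", "qwerty"}
PASSPHRASE_WORDS = ["copper", "lantern", "orbit", "velvet", "harbour", "meadow", "tundra", "falcon",
                    "quartz", "ember", "saddle", "willow", "granite", "piston", "marble", "cobalt"]
MIN_LENGTH = 12


def has_sequential_digits(pw, run=4):
    """True if any digit run contains `run` consecutive ascending or descending digits."""
    for digits in re.findall(r"\d+", pw):
        for i in range(len(digits) - run + 1):
            steps = [int(digits[j + 1]) - int(digits[j]) for j in range(i, i + run - 1)]
            if all(s == 1 for s in steps) or all(s == -1 for s in steps):
                return True
    return False


def uses_dictionary_word(pw):
    """True if a common word of five or more letters is embedded in the password's letters."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    return any(w in letters for w in COMMON_WORDS if len(w) >= 5)


def personal_info_hits(pw, profile):
    """Labels from `profile` (name, pet, birthday, team ...) whose tokens appear in the password."""
    low = pw.lower()
    return [label for label, value in profile.items()
            if any(tok in low for tok in re.findall(r"[a-z0-9]{3,}", value.lower()))]


def password_issues(pw, profile=None):
    """Return the list of policy problems with `pw`; an empty list means it passes."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append("too_short")
    if uses_dictionary_word(pw):
        issues.append("dictionary_word")
    if has_sequential_digits(pw):
        issues.append("sequential_digits")
    issues.extend("personal:" + label for label in personal_info_hits(pw, profile or {}))
    return issues


def make_passphrase(n_words=4, words=PASSPHRASE_WORDS):
    """Pick `n_words` random words with the CSPRNG (the 'use phrases' advice)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of n_words drawn uniformly from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


# Constructed profile for the personal-information check (hypothetical person).
SAMPLE_PROFILE = {"name": "Chris Taylor", "pet": "Fluffy", "birthday": "14/06/1985", "team": "Tigers"}

if __name__ == "__main__":
    for candidate in ["Fluffy1985", "Summer123456!", "Welcome2Tigers99", make_passphrase()]:
        print(f"{candidate!r}: {password_issues(candidate, SAMPLE_PROFILE) or 'OK'}")
    print(f"4 words from a 7776-word list: {passphrase_entropy_bits(4, 7776):.1f} bits")
```

The entropy helper shows why phrases beat words: four words chosen at random from a 7776-word list give about 51.7 bits, which no single dictionary word with a number bolted on can match. The 16-word list in the block is only there to keep the example self-contained; the strength comes from the size of the list you actually use.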


Social Media best practices

People have become complacent about their use of social media. It’s important to keep social media accounts separate from your work life. Best practices include:

  • Use unique passwords for each of your social media accounts.
  • Always remember that when you post something it’s very hard to delete it permanently from everywhere.
  • Companies and recruiters use social media to review employees and candidates.
  • Posting sensitive company information on social media may breach policy or simply be a bad idea.
  • Always think before you post.

Tips for businesses

  • Employees should attend information security training on an annual basis
  • Background checks for employees and consultants
  • Prevent access to removable media such as USB storage devices
  • Undertake a cyber-security risk assessment


Our award-winning security team runs Information Security Awareness Training, call 1300 865 865. 
