Blog Written by Kayla Blaedow, Application Specialist at First Call Computer Solutions
Cybercriminals are only interested in large corporations. WRONG. This misconception comes from media and news outlets feeding us data breach information of larger corporations such as Marriott, Facebook, and Adobe. The truth is if your business has a computer with access to important information, and can be used to access the internet, then your business is at risk. No matter the size of your business, industry, or state — I’m looking at you, Montana, your business NEEDS security!
The number of basic cybersecurity mistakes employees and business owners make continues to grow and grow each day, regardless of the industry they are in! Even with endless data breach horror stories, many organizations still have a “be it as it may” attitude about their cybersecurity.
Look, I get it, cybersecurity isn’t exactly a sexy topic, but that does not change the fact that 60% of small businesses that suffer a data breach NEVER recover! Cybercriminals have discovered that small to medium-sized businesses, of any industry, are the easiest targets due to a lack of enforcement and understanding of the recommended cybersecurity policies that have been established by the U.S. Department of Commerce.
To help advocate for the irrefutable need for organizations to have cybersecurity policies, I have put together a list of the top 3 cybersecurity mistakes that I am still seeing made on a regular basis.
1. Hooked by Phishing Emails
Every day, business owners and employees are bombarded with tons of different emails. Personally, I receive multiple emails per day, from my clients, vendors, colleagues, news outlets, and even people that I have never met!
I get it, with all those emails constantly coming in, it becomes easy to get in the zone, and start clicking away at all your emails and the emails’ contents.
If you find yourself clicking through your emails faster than an Osprey diving for a fish, I beg of you to please STOP!
Phishing emails are malicious emails that are disguised to be from someone you know and trust. Sometimes these emails will contain links or attachments that will be used to sabotage your system, once clicked. Other times, the emails will be used to try to trick you into giving out valuable information, such as passwords and banking information. Cybercriminals are clever at copying signature lines and logos to make these emails appear to be safe — at least at first glance.
I have seen many different real-life examples of these malicious emails. A common one that I have seen recently is an email that appears to come from the CEO or other executive of your company. The email has a sense of urgency to it and will request things like electronic gift cards or checks to be sent to them immediately.
If you receive an email like this, STOP and look at the sender’s address. Is it an email address that you know and trust? Are there any spelling errors in the email address? If you are suspicious of the email address, then do not respond to that email—it is probably a phishing attempt. If you are still questioning the validity of the email, pick up your phone and call the sender using a phone number that you already have on file. Be careful not to trust the phone numbers that are listed in the email that you are questioning!
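The sender check described above can also be automated at the mailbox. The following is an added example, not part of the original post: it flags a message whose From domain is a near-misspelling of your own, whose display name matches an executive while the address is outside your domain, and whose text carries the urgent gift-card style request. The domain, executive name, word list and sample message are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"   # assumption: your organization's real mail domain
EXECUTIVES = {"dana smith"}      # assumption: names an attacker might impersonate
URGENT_WORDS = ("gift card", "urgent", "immediately", "wire transfer")

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_sender(raw_email):
    """Return a list of warning flags for one raw email message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # An exact-domain From header can still be forged; this only automates
    # the "look at the sender's address" step.
    if domain == TRUSTED_DOMAIN:
        return []
    flags = []
    if edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    if name.lower() in EXECUTIVES:
        flags.append("executive-name-from-outside-domain")
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if any(word in text for word in URGENT_WORDS):
        flags.append("urgent-payment-request")
    return flags

# Constructed sample: note the digit "1" in place of the letter "l".
SAMPLE = """From: Dana Smith <dana.smith@examp1e.com>
To: staff@example.com
Subject: Quick favor

I need five gift cards sent to me immediately.
"""

if __name__ == "__main__":
    print(review_sender(SAMPLE))
```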
2. WEAK Passwords
I know that we IT people have been whining about the use of weak passwords for a while now, but they really are the Achilles heel of your network and I STILL see them daily! Cybercriminals can use tricky methods, such as brute force attacks, where they test hundreds of different frequently used passwords on your accounts until they find the one that works—YIKES!
It is not always obvious to people that their passwords are weak. Here are a few examples of what makes a weak password: the name of your business, a loved one, or a pet; a nickname; or your phone number. Even if you add some number combination or special characters, hackers can and will generally figure them out.
A First Call Best Practice is to use password phrases rather than simply words. Something like “1Lov3Sp@gh3tt1” is far more difficult to guess than “Mittens123.” An even better idea is to use a password generator, such as Myki’s, that will provide you with a random string of letters, numbers, and special characters. These passwords are virtually impossible to hack and will provide you with a strong cybersecurity posture.
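To show why adding numbers or special characters to a name does not help, here is an added example (not from the original post, and not how Myki or any other product works): a check that strips common character swaps and trailing digits before looking for personal details, plus a random generator built on Python's secrets module. The function names, the swap table and the sample personal details are constructed assumptions.

```python
import re
import secrets
import string

# Common character swaps people use to "strengthen" a word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def weak_reasons(password, personal_terms, phone_numbers=()):
    """Return the reasons a password is guessable from personal details."""
    reasons = []
    # Undo the swaps, then keep letters only, so "M1tt3ns!2024"
    # is compared as "mittensioa", which still contains "mittens".
    letters = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    for term in personal_terms:
        key = re.sub(r"[^a-z]", "", term.lower())
        if len(key) >= 3 and key in letters:
            reasons.append(f"contains personal term '{term}'")
    digits = re.sub(r"\D", "", password)
    for phone in phone_numbers:
        phone_digits = re.sub(r"\D", "", phone)
        # The last seven digits are enough to identify a phone number.
        if len(phone_digits) >= 7 and phone_digits[-7:] in digits:
            reasons.append("contains a phone number")
    return reasons

def generate_password(length=20):
    """Random letters, digits and special characters from a secure source."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed sample details for one user.
TERMS = ["Mittens", "First Call"]
PHONES = ["(406) 555-0123"]

if __name__ == "__main__":
    for candidate in ("Mittens123", "M1tt3ns!2024", "F1rstC@ll#99",
                      "5550123!", "1Lov3Sp@gh3tt1"):
        print(candidate, weak_reasons(candidate, TERMS, PHONES))
    print(generate_password())
```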
One last thing. Please, please, please STOP saving your passwords in a word document or *gulp* a sticky note!
I get that it becomes impossible to remember all the different complex passwords that you use for your user accounts. Especially since you certainly should not be using the same password for more than one account!
First Call strongly recommends finding a secure password manager app to help you store and remember all your different complex passwords. With the help of a password manager, like Myki or LastPass, you will only actually need to remember one password, the password to the app, allowing you to make your accounts as safe as possible!
3. Keeping Unnecessary Web Accounts
In an effort to reduce the risk of our Advanced Security clients experiencing data breaches, one of my daily responsibilities as an Application Specialist is to scan the dark web for our clients’ credentials. For those of you who do not know what the dark web is, it is basically an online black market that is hidden from the typical internet browsers like Google, Edge, Firefox, and Safari. As I conduct my daily scans, it has become quite common for me to find individuals’ credentials that have been exposed through data breaches from various free sites such as Evite, covve, and verifications.io.
The reality is it is not uncommon for staff to use their work email addresses to sign up for useful free web accounts to conduct their work. For example, back in my sales and marketing days, I created numerous accounts for different free sales lead generators, photo editors, label makers, and electronic invitations. One thing that I did not know back then, and that I am glad that I know now, is that those free sites often do not have the resources to properly secure their accounts! That means that those are usually the companies that experience data breaches the most.
I want to be clear here. I am not saying that you should not sign up for a free web account if it will help you do your work more effectively. Sign up away with strong and unique passwords!
BUT, when you find that you no longer need that evite.com account, DELETE IT!
Remembering to delete these old accounts will help you reduce the chances of your email address and other personal information being sold on the dark web, and will help keep your organization’s data and network safe.
If you find yourself or anyone else in your organization committing any one of these common cybersecurity mistakes, please take the time to stop and adjust your cybersecurity posture. A great way to make sure that everyone in your organization is on the same page is to establish, train, and implement a cybersecurity policy. Additionally, to help reduce your organization’s chances of becoming the next victim of a data breach, it is a great idea to partner yourselves with an IT provider that can offer advanced IT security.