Do these 4 things for a cyber-safe summer holiday break this year
It’s been a year like no other and it’s time for a break. While 2021 likely chalked up more cyber attacks and sophisticated breaches than any other past year, there’s no reason why you can’t shut down with peace of mind. To do so, though, you should recognise that cyber crime is a 24-7, year-round industry and periods when organisations have skeleton crews can create opportunity for exploits, writes Jason Whyte, general manager of Trustwave.
In that spirit, here are four tips to consider when you clock out:
- Do your out-of-office messages mindfully. Increasingly, cyber attackers exploit granular information to penetrate an organisation’s security. We are consistently seeing phishing attempts that convincingly deploy the executive and commercial details in such a way as to convince members of the team to take action whether that action involves resetting a password or affecting money transfer. By all means, use an out-of-office message but be mindful of what it contains. Attackers probe organisations’ public facing information for weakness and that information usually includes your email address. All it takes is your name on LinkedIn and some rudimentary knowledge of your organisation’s email naming convention (e.g. [email protected]) and they can email you. And if your out-of-office settings contain more than a brief message indicating that you are on leave and will respond when you get back then remove your signature block and don’t indicate your date of return for extra security. Each extra detail is ammunition for a potential attacker, so supply the bare minimum of information to maintain business continuity.
- Be an anti-social media butterfly. Keep a low social media profile. Similar to point one, look at it from a cyber attacker’s point of view. Persistent attackers are a little like mountain climbers looking for any toehold and grip as they advance in their attempt to breach your organisation. Social media can contain rich biographical information that goes beyond your day-to-day movements and can serve as a way for them to socially engineer their way into your organisation. Social engineering is one of the most common ways attackers gain access to organisations by playing off people’s natural instinct to help and solve problems for other people. A social engineer will seek a weak human link like an employee tasked to mind the shop while others with more authority are away, and then use their ignorance and some targeted “inside-sounding” information to win access or some action from this employee. Social media challenges go beyond this too, since we now have plenty of examples of sophisticated attackers, including state-based actors, using LinkedIn and WhatsApp to drive phishing clicks which can open a gateway to an organisation’s system.
- Embrace process when it comes to delegation. Many business functions will naturally continue in your absence, and the most important consideration is that those processes are anticipated and planned in advance. For example, in a procurement system, you can delegate your authority. Never leave your delegate in the lurch, make sure there are authority and delegation in place prior to your departure, and if possible, do this in an automated system. Many systems today have the ability to nominate your delegate. Do it this way because this will avoid creating unusual ad hoc processes that could open up a window for business email compromise. A business email compromise attack is a situation – often during an accounts receivable process – where an outside actor swaps in their payment information for legitimate payment instructions. And while you’re thinking about the delegation process, you probably also want to consider who’s minding the security store. If half of your IT team are on leave, is there backup like a MSSP (manage security service provider), and, more important, an established escalation process in the event of a cyber issue?
- Protect your passwords. Easily guessed and easily stolen passwords continue to be a challenge. Are you worried about forgetting complicated passwords? Consider using a password manager which can securely store all your passwords in one place instead of on sticky notes. And use multi-factor authentication wherever you can. By adding an independent device to the password confirmation process, you increase the difficulty for an attacker by an order of magnitude.
Hopefully the above will let you go on that well-deserved leave with a little more peace of mind. Incremental changes in your behaviour and processes can have outsized gains for the security of your organisation. Like physical security, cyber security can be a game of inches: make the house a little harder to break into and the actor is often likely to give up and move on to softer targets.
Jason Whyte has worked in information security for more than 25 years and is general manager for Pacific at Trustwave.