By Teddie Linder, business manager, Netlink Inc.
Technology security is an ever-changing landscape, with new risks coming quickly and that are subtler. The three examples are from real situations that Netlink has helped clients with in the last six months. Our intention is that in sharing them, you will note the sophistication and follow our recommended precautions to keep your organization safe.
- Physical security risks: In 2016, an individual entered an apartment leasing office posing as a printer repair technician. The individual inserted a USB Flash Drive in several desktop computers. The office manager called our company and we investigated each computer, changing passwords, checking for malware and making sure each machine was secure. All the company’s sensitive data was stored on an offsite main server, which couldn’t be accessed by the USB Flash Drive).
- Phishing scams: A dental office received an email on mock HHS (Health and Human Services) Departmental letterhead signed by an OCR’s (Office of Civil Rights) Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates. The email prompted recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.
- Wireless network takeover attempt: An attempt to takeover a wireless network (the attempt created issues with accessing the network, which was how it was detected). If successful the hacker could have traced keystrokes and accessed passwords, which led to sensitive data (personal identification records, financial records).
Preventing cyber technology breaches like the ones above requires awareness and understanding that clicking on a link can be dangerous.
Make it a point to talk to staff members about technology security. Everyone should know whom to call in case of a problem and not to accept “help” from unknown individuals. Don’t assume that your staff knows about scams. It only takes a few minutes to remind them about e-mail and office security. Below are talking points for both your staff and your executive team on this important topic.
Staff members must be aware. If a technician appears to work on a computer or printer, make sure to ask for identification or to call the company represented to ensure that they really sent a tech to your office.
Be suspicious of the unexpected. Before clicking on links sent by e-mail, check what the e-mail address looks like. An “official” government e-mail sent from a gmail e-mail account? That should raise a red flag for managers and staff members alike. Don’t click on links sent from e-mail accounts that you don’t know or from senders that are unexpected. Validate ANY link in ANY unfamiliar email before clicking on it. Malicious links arrive in spam emails — many disguised as FedEx, UPS, or USPS shipping updates — every day. Make sure you hover over all links and look for legitimate IP addresses, not long strings of random characters, before clicking. If you weren’t expecting anything, don’t open the attachment. All it takes is one click by one employee in his or her personal email account while at work to compromise the data of your entire organization.
Finally, at the organizational level, it is a necessity to make sure your network, workstations and infrastructure is up to date for security. If you take donations, keep sensitive data on your network devices, your IT professional can also scan your network infrastructure for irregularities indicating potential breach risks. Have a trusted IT professional assess and baseline the security of your systems.