Last year, the CEO and CFO of a European public company became victims of cyber fraud, which ultimately cost them their jobs and the company 42 million Euros. The attacker(s) pretended to be a senior board member and emailed the finance department, asking for a money transfer from the company’s account. The mistakes made by the CEO and CFO landed the company in a difficult situation that no business wants to face. Sadly, this kind of targeted cyber-attack on executives, often called whaling, is more common than many realize, and it’s just one way cyber criminals harm businesses. From technology to staff, most companies likely aren’t doing everything possible to protect themselves against malware. While there are no completely foolproof methods, here are some best practices every company should adopt to reduce their risk of becoming a malware victim.
Deploy Network Security
Let’s begin with the basics. Firewalls, antivirus software, anti-malware, and anti-exploit tools are effective. Using firewalls and antivirus programs is a solid first line of defense that can identify and stop known malware from getting onto your device. Anti-malware and anti-exploit tools like intrusion detection systems (IDS) and intrusion prevention systems (IPS) are more advanced solutions that can protect against attacks from unknown sources.
Best practice when using network security software is to use different brands at different points. For example, use one product's scan engine for email, a different one for desktops, and a different one at the firewall level. Different security products use different algorithms to identify and block threats, so if malware slips past one algorithm, another is in place to catch it before it can infect your device.
Beware of Plugins
Advertisements that display on websites while you are browsing the web can be more than an annoyance – they can actually pose a security threat. One avenue for malware to infect your device is through malware embedded in advertisements that rely on plug-ins such as Flash or Java, and such ads can live on the most well-known, trusted websites. To protect your device, disable dangerous plug-ins, or at least enable click-to-play for plug-ins. This prevents Flash or Java-based ads from running unless you specifically click on them.
Flash has been one of the primary avenues for malware to infect devices, so you may consider removing Flash entirely from your device. Estimates are that only 15% of websites still use Flash, and for this very reason, most modern websites now use HTML5 and JavaScript.
Read Emails with Care
If you receive an email from a sender you don't recognize or that appears suspicious, it's probably best to delete it. If you do open the email, it's recommended that you don't click any links in it. The same goes for any emails whose content sounds questionable. Many times, cyber criminals will blast out emails that appear to come from reliable sources such as banks or other companies you may use. However, there may be a slight misspelling or awkward phrasing that should signal the email may not be legitimate.
Emails sent from someone you don't recognize should always be read with an eagle eye. If you receive a questionable email, never use the contact information within the email to reach out. Instead, call your bank or the other potentially impersonated organization directly, using a number you already have, to inquire about your accounts.
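The "slight misspelling" warning sign above can also be checked mechanically. The following is an added example (not from the original article) that flags a From: header whose domain is a near miss of a domain the organisation trusts, or whose display name borrows a trusted brand while the actual domain is unrelated; the trusted-domain list and the sample headers are constructed.

```python
# Added example, not part of the original article. Classify the sender of an
# email as "trusted", "lookalike" (a near miss of a trusted domain, or a trusted
# brand name in the display name over an unrelated domain) or "unknown".
import re

# Constructed list of domains the organisation legitimately deals with.
TRUSTED_DOMAINS = {"examplebank.com", "payroll-provider.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header."""
    m = re.search(r"<?([^<>\s@]+)@([^<>\s]+)>?\s*$", from_header)
    return m.group(2).lower() if m else ""


def _norm(s: str) -> str:
    """Keep only letters and digits so 'Example Bank' matches 'examplebank'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    display = _norm(from_header.split("<")[0])   # display name, if any
    for t in trusted:
        brand = _norm(t.split(".")[0])             # e.g. "examplebank"
        if edit_distance(domain, t) <= max_dist or brand in display:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for hdr in ('"Example Bank" <alerts@examp1ebank.com>', 'bob@unrelated.org'):
        print(hdr, "->", classify_sender(hdr))
```

A "lookalike" verdict is a reason to verify through a known contact channel, exactly as the text advises, not proof of fraud on its own.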
Malware may be lurking elsewhere in emails, such as in images. Simply loading the image on screen could infect your device, or the image could carry a tracker. Best practice would be to turn off automatic image loading in your email application, so that if you don't recognize the sender or the content of the email seems questionable, you can immediately delete the email without giving image-embedded malware a chance to run.
Use Strong Passwords
Think about your password – does it include obvious personal information like a birthday? Do you use the same password for different logins? If either of these common practices applies to you, you don't have a strong password. Best practice would be to use a complex password, at least eight characters long, with a mix of letters, numbers and symbols. It should also avoid personal information that is easy to look up or find, such as a birthday, pet name, or childhood name. Another key aspect is using a different password for every login, so that a single compromised password does not expose, or force you to change, every account that shared it.
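As an added example (not from the original article), the checker below turns the rules just described into code: at least eight characters mixing letters, numbers and symbols, no easily looked-up personal details, and no reuse across logins. The personal details and the existing-password list are constructed inputs standing in for whatever a real deployment would supply.

```python
# Added example, not part of the original article. Evaluate a candidate password
# against the article's rules and report every violation found.
import string
from datetime import date


def personal_tokens(birthday: date, *names: str) -> set[str]:
    """Strings an attacker could look up: names plus common birthday spellings.
    Assumption: the caller supplies the user's names (own, pet, childhood)."""
    tokens = {n.lower() for n in names}
    for fmt in ("%Y", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%Y%m%d"):
        tokens.add(birthday.strftime(fmt))
    return tokens


def check_password(pw: str, personal: set[str], existing: dict[str, str]) -> list[str]:
    """Return the rule violations; an empty list means the password passes.
    `existing` maps login name -> password already in use (constructed input)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbols")
    low = pw.lower()
    # Substring match, skipping very short tokens that would match by accident.
    if any(tok in low for tok in personal if len(tok) >= 3):
        problems.append("contains personal information")
    reused = sorted(site for site, other in existing.items() if other == pw)
    if reused:
        problems.append("reused from " + ", ".join(reused))
    return problems


if __name__ == "__main__":
    # Constructed sample user: born 4 July 1985, named Alice, with a dog Rex.
    personal = personal_tokens(date(1985, 7, 4), "Alice", "Rex")
    existing = {"mail": "Rex-1985!!", "bank": "Tr0ub4dor&3"}
    for candidate in ("rex1985", "Tr0ub4dor&3", "correct-Horse7"):
        print(candidate, "->", check_password(candidate, personal, existing) or "ok")
```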
Realistically, remembering numerous rotating passwords that have no personal connection and are full of symbols is no easy feat. There are plenty of password management techniques and tools out there that can securely store encrypted passwords for your log-ins and devices to help ease the difficulty.
Educate Your Employees
The reason many people find themselves victims of malware is often security inexperience or the fact that they act too quickly without thinking. Had the CEO and CFO of that European company taken the time to question the whaler's request for money, they would have saved themselves their jobs, money and embarrassment. While you may think you'd never be gullible enough to fall for malware, some of the enticements in these emails can be very convincing.
That’s why it’s important to educate employees about malware – the different types, what to look for and of course, how to avoid it. It only takes one employee misstep for your business to be compromised, so keeping everyone in the know on the latest tips and tricks is one of the best ways to protect against malware.
With attackers' methods constantly changing and so many malware variants in circulation, protecting yourself is more of a requirement now than it was in the past. Many of these steps take only a minimal amount of time yet offer a very big benefit – so it's critical to take the time to protect your company.