Phishing, whaling and spear phishing are attempts by hackers to steal sensitive and personal information to gain access to your business or personal accounts. Because phishing accounts for 90% of data breaches, Sam Card, Cards Technology founder and CEO, discusses what you can do to protect yourself and your business from these hacking attempts.
Q: What are phishing attacks and how can they impact the security of your business data?
Sam Card: Phishing attacks are social engineering attempts designed to steal user data like passwords and user names. Firewalls and antivirus software typically are successful at stopping hackers from getting into your network, so hackers have come up with an easier way to get this information – phishing emails. The emails are disguised to look like they are from a trustworthy source so users can be tricked into giving out sensitive information such as passwords and even credit card numbers.
Once hackers have this information, they can impersonate you, which is where the main security impact is. Acting as you, the hackers send out emails to your contacts asking for more information to access even more online accounts. You might not know for months that you’ve been hacked, as hackers often sit tight for a period of time after stealing credentials before exploiting your stolen information.
Q: Are Office 365 users targeted by attackers?
Sam Card: It’s not that Office 365 users are being targeted per se. Because the use of Office 365 is so widespread, hackers disguise their phishing attempts to look like they are coming from SharePoint, Teams or Outlook, for example. Since most people recognize messages and notifications coming from Office 365, they are more likely to trust and act upon them.
Q: What type of data could a hacker gain access to if they obtain your credentials?
Sam Card: When a hacker has access to your email account, for example, they can figure out a lot – where you do your banking, where your company stores its files, what your Facebook account is. With this information, hackers can easily get access to more private information like names and addresses of your customers and other data about your business that is commonly used to aid in identity theft schemes.
Q: What steps can your business take to prevent these types of attacks?
Sam Card: One of the best defenses is to have proper data governance policies in place. Part of this system is a data loss prevention and retention policy to identify where data should be stored and how long it should be retained (or not). Policies can be set up to prohibit users from saving information in the wrong location or accessing data they aren’t permitted to access. More importantly, data governance policies can trigger alerts if specified types of data are used inappropriately or shared outside of your company.
Cybersecurity awareness training is the other essential piece to protecting your business information, as human error is currently the weakest link in cybersecurity. Employees must be trained to recognize phishing attempts and then be tested regularly to continually train them on how to deal with them. Even after awareness training, people typically still click on phishing emails because they can look very convincing. Business leaders should make sure employees feel safe and understand that they must report it to the IT department if they click on a phishing email. If no report is made, the hacker has a much-improved chance of not being caught and realizing high levels of success with their attack.
Gordon Moore said it in 1965 and it still holds true – technology increases at an exponential rate. If you’re trying to keep your business up with technology, it may be a good idea to take it slowly. Cards Technology CEO Sam Card shares some best practices when you’re considering adopting new software for your business.
Q: What advice do you have for business owners who want to adopt new technology?
Sam Card: Stay away from the latest and greatest applications. They’re usually fraught with problems – bugs, compatibility issues – and they’re expensive to fix. They have unknown, unexpected behaviors. Wait until they’ve been tested for a while.
Also, be sure to involve your IT support early in the process. It can be very problematic to make an executive decision about technology without talking to your IT team. When IT is involved from the start, they can make sure the new applications are compatible with your systems before you make a substantial investment of time and money.
Take your time. Not rushing will make implementation a whole lot smoother.
Q: How does a business owner encourage staff to use new technology, especially those staff members who are hesitant to adopt?
Sam Card: To get staff on board, whether they’re not tech savvy or don’t want to change, takes support from the top. They have to see their manager or upper management using the new technology. Upper management has to use the new software themselves to show the value. When implementing new technology, make a plan to ensure the correct priorities are set and everyone is aware of what the change is and why it’s taking place. Share the business reasons for the new technology and how the new tool will be of value to the organization as a whole.
It’s a good practice to implement new software with a pilot program. Have a small number of people start with it and try it out for about a month. This way, any issues can be worked out before the entire company switches over. The pilot participants can help the others when the software is rolled out to everyone. Also, the software vendor and your IT support partner can troubleshoot any problems on a small scale during the pilot program.
Some people fear change of any kind, so if you can make them comfortable with change, transitions are much smoother. Assure your staff that even if they were the go-to person for the software being phased out, they are still valuable. It takes time to trust new software. Even if your old software had to be updated every month and it always went sideways causing downtime, its behavior is still “comfortable” to users. Once the new software behaves as expected repetitively over time, people will trust it.