5 Business Security Tips to Protect Your Workplace
In the digital age we find ourselves in, security is more important than ever before. Keeping customer and employee personal information, sensitive business information and assets out of the hands of would-be attackers requires cooperation from every person in a business. All it takes is one person dismissing a suspicious situation as harmless for an attacker to gain access.
For many, the very word “hacker” calls to mind a mysterious figure in a hoodie sitting in a dark room and typing furiously on a keyboard. It seems to be all about password cracking and creating backdoors into systems. Either they’re too good to be stopped or a good enough firewall will keep them out, right? However, while there are some brute-force ways to attack a system, the reality is that most hackers operate more like con artists and scammers, assembling scraps of information from discarded documents and gaining the trust of unsuspecting employees.
This approach to beating security is known as social engineering and it is one of the most insidious weapons in an attacker’s arsenal. It takes advantage of the fact that people tend to let their guard down when everything seems normal and safe. Even the most level-headed and reasonable person can be fooled by social engineering if they don’t have reason to believe the behaviour is suspicious. We at DigitalJTI have compiled a list of 5 security tips that you can use to identify suspicious behaviour so you can help keep your workplace and your personal information safe from attack.
#1 Do Not Leave Sensitive Information Where Others Can Find It
This one seems deceptively straightforward, but it can take a lot of awareness and discipline to keep information from slipping into the wrong hands. Desks and garbage bins seem like they’d be safe from intrusion, but they’re favorite places for attackers to gather information. You should be careful to file and dispose of documents, even informal ones, properly.
Beyond the obvious, you should pay special attention to business information such as names and personal information of employees and customers, internal phone numbers, dates and times of meetings and other internal events and anything else that’s not publicly available. This sort of information can help an attacker gain access to the system or provide a lead to where they can get that access. If you’re uncertain, it’s better to treat the information as sensitive.
Documents should be carefully organized and stored to prevent unwanted access. Sticky notes with reset passwords or a business card with a colleague’s personal email should be carefully tucked away in a secure place if still needed or destroyed if not. If left on a cluttered desk, even for a few minutes, they can be easily viewed by someone walking by or quickly searching your desk. Sensitive documents should be filed away somewhere that can’t be accessed quickly and easily by someone looking. If they must be stored on the desk surface, keep them organized and stored in a way that they can’t be easily identified at a glance. The more time it would take for a would-be attacker to find something, the less likely they will be to take the risk of being caught. A clean and organized desk goes a long way towards this and allows you to quickly recognize if something sensitive goes missing so you can report it.
Documents containing information that is sensitive to you or the business and that are no longer needed shouldn’t simply be discarded in the trash. Hackers have been known to dig through garbage bins and dumpsters to find sensitive and useful information. Sensitive documents should be shredded or thoroughly torn up to ensure they cannot be read by anyone who retrieves them. A general policy of shredding all discarded documents would be even better to ensure nothing slips through.
#2 Do Not Put Sensitive Information Online
This is another one that appears simple on the surface. Anything that gets put online can have a traceable record and can be potentially accessed by anyone from anywhere. This can be as simple as sending the password to access the online store in an email to a coworker or posting on Facebook to complain about a meeting you must attend this weekend.
A savvy hacker can potentially breach a less-secured system or monitor wireless signals to steal data as it is transferred. You should be especially careful of anything posted publicly or used in a public place such as a coffee shop. Some hackers use tools known as packet sniffers to capture traffic such as email as it crosses a network; if that traffic is not properly encrypted, they can read it.
Even basic information that seems harmless can be used by attackers. Good social engineers can piece together shreds of information from multiple people. A Facebook post with a couple of employee names here, a Tweet about a meeting there, and an attacker can build up the information necessary to launch their intrusion attempt. If it’s information the business doesn’t actively make public, it’s best to avoid putting it in a public place just to be safe.
#3 Be Wary of Unknown People Even If They Seem Like They Belong
Social engineers are good at pretending they belong and coming across like they know you. You likely believe that you’ll immediately recognize a would-be intruder as suspicious, but it’s not as straightforward as we tend to think.
Consider this: have you ever had someone come up to you who knows you by name and is friendly, but you don’t remember them? Maybe they were introduced by a mutual friend or they met you at an office event. Likely you didn’t want to admit you didn’t remember them and chose to be friendly back. Chances are they were who they said they were, but this is exactly the kind of situation where social engineers shine. This is also where the information from tips #1 and #2 can be useful to attackers. They can make their presence in the company seem more authentic if they can show they know your name and face (which they got from a document in the dumpster) and can recount a funny story from the recent office Christmas party (which they saw you post about on Facebook). If you don’t remember them and they can’t prove their identity, don’t trust them with access to the office or documents.
A common trick for social engineers is to act like someone official who just needs their password reset or access to an area to do their job. They make you feel sympathetic to put you off guard; they’re in a hurry, their boss is breathing down their neck, and they were so flustered they forgot their password, couldn’t you just help them out? Even if they seem like they belong and you feel like you should give them a break, don’t help them if you don’t recognize them and can’t confirm they should have access. Instead, find someone who can confirm their identity and access such as an administrator or the IT department to help them out.
#4 Do Not Interact with Suspicious Messages
Another common tactic for would-be hackers is trying to get information electronically, especially via email or social media. This is known as phishing and can be as insidious as the methods mentioned in tip #3. We’ve all probably seen obvious phishing attempts: poorly worded messages requesting banking info or password resets. It can be easy to conclude that phishing messages are easy to identify, but this is not always the case. Some attackers use carefully crafted emails that look nearly identical to official emails sent by a company.
Another risk from messages is malware: dangerous software meant to harm or steal from your computer, such as viruses. A message may contain an official-looking link or attachment, such as what appears to be a Word document from your department head. Clicking on such an attachment or link can give the malware a chance to install itself on your computer where it can damage the system or even copy files and data to send back to the hacker.
If you receive any emails or social media messages that appear official but request sensitive or personal information, or have attachments or links, take a moment to confirm the email is from a trusted source. Look for small mistakes in any images, logos, or titles, and confirm that the sender name and email address are correct. Mistakes and misspellings, especially in the sender name or address, can indicate a phishing message. If you’re uncertain, contact your IT department for advice.
#5 Beware of Suspicious Devices
Our last tip for today covers a couple of seemingly harmless devices hackers can use to trick people. If you find a lost USB thumb drive, do not use it. It may seem like someone forgot it on a table or dropped it on the floor. You might think you should plug it into a computer to see if you can identify who it belongs to so you can return it. However, while most thumb drives are simply storage devices for files, a hacker can set one up to automatically access your system when plugged in, stealing data from your computer or creating backdoor access for the attacker. Then they just have to leave it somewhere where it looks like it was forgotten. If you find a thumb drive or similar device, instead ask around to see if you can find who lost it or turn it over to your IT department to deal with.
Another device some hackers use, sometimes called a pineapple, looks like a regular Wi-Fi router. However, it can capture any data sent through it by the computers that connect to it. Such networks are often given plausible-sounding names. If you notice that a new open Wi-Fi network has appeared near your workplace, or the coffee shop you’re taking your lunch break in has a second Wi-Fi network with the same or a similar name, do not connect to it.
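As an added example (not from the original post), the function below turns the warning signs in this tip into a check over a wireless scan: a known network name broadcast by a different access point, a name that resembles one you already use, and an open network that was not there before. The baseline of trusted networks, the BSSIDs and the scan results are constructed values assumed for the example.

```python
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Network:
    """One entry from a wireless scan; 'open' is True when no password is required."""
    ssid: str
    bssid: str
    open: bool

def _canonical(ssid: str) -> str:
    """Lower-case and drop spaces/punctuation so 'Cafe-WiFi' and 'cafe wifi' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())

def flag_networks(scan: list[Network], baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (bssid, reason) pairs for scan entries showing the warning signs in the tip.

    baseline maps each SSID you legitimately use to the BSSID of its real access point."""
    known = {_canonical(s): (s, b.lower()) for s, b in baseline.items()}
    flagged = []
    for net in scan:
        c = _canonical(net.ssid)
        twin = known.get(c)
        if twin and net.bssid.lower() == twin[1]:
            continue  # the genuine access point from the baseline
        if twin:
            # Same name, different radio: a second network imitating one you trust.
            flagged.append((net.bssid, f"'{net.ssid}' is not served by the known AP {twin[1]}"))
        elif c and any(k in c or c in k for k in known):
            # Name contains or is contained in a known name, e.g. 'Cafe WiFi Free'.
            flagged.append((net.bssid, f"'{net.ssid}' resembles a network you already use"))
        elif net.open:
            # A new open network that was not in the baseline at all.
            flagged.append((net.bssid, f"'{net.ssid}' is a new open network"))
    return flagged

# Constructed sample data: one trusted office network, one trusted cafe network,
# and a scan containing the genuine APs plus three suspicious entries.
BASELINE = {"Example-Corp": "aa:bb:cc:00:00:01", "Cafe WiFi": "11:22:33:44:55:66"}
SCAN = [
    Network("Example-Corp", "AA:BB:CC:00:00:01", open=False),
    Network("Example-Corp", "de:ad:be:ef:00:01", open=True),
    Network("Cafe WiFi", "11:22:33:44:55:66", open=False),
    Network("Cafe WiFi Free", "de:ad:be:ef:00:02", open=True),
    Network("Neighbour5G", "66:77:88:99:aa:bb", open=False),
    Network("Free Public WiFi", "de:ad:be:ef:00:03", open=True),
]

if __name__ == "__main__":
    for bssid, reason in flag_networks(SCAN, BASELINE):
        print(bssid, reason)
```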
Attackers have a wide range of subtle techniques for getting access to sensitive information, but they can be stopped if we all remain aware and vigilant. You should always be careful with how you manage sensitive documents and information and destroy them properly when they’re no longer needed. You should be careful of people and messages that can’t be identified, even if they seem legitimate. You should be careful of unfamiliar digital devices even if they appear innocuous. Security starts with the individual, and so long as we’re all alert and careful we can keep our businesses safe.