Hackers are always looking for new and cool ways to get money from you/your company, which is why cybersecurity is a never-ending task. While we should all have a solid security program in place, there are specific things we should be doing to better protect ourselves from email attacks or scams.
Security Awareness
Make sure everyone who works in your company (including outside contractors/vendors) is aware of the risks and is always on the lookout for something that can hurt the company. This includes continual reminders that people shouldn’t click on links, open attachments, or respond to requests unless they are 100% sure it’s valid. Phishing and Business and Vendor Email Compromise (BEC and VEC) attacks are the most common attacks right now. We recommend providing training and phishing simulations regularly to keep everyone on their toes.
As you’ve probably seen at this point, it’s also super common for those attacks to come from people you know. Attackers use the accounts of people they’ve already compromised to go after everyone that person has a relationship with. We’ve even seen attacks come from contacts in LinkedIn messages…
Protect your accounts
Create strong, unique passwords for each account and store them in a solid password manager like 1Password; note: LastPass is not solid. Make sure you have 2FA enabled on all of your accounts; especially your most treasured ones like email, anything financial and otherwise critical to your business. When you’re done w/ an account be sure to log out of it, don’t just close the tab/window. If possible, set a timeout in your apps to make sure people don’t stay logged in forever; we recommend 12 hours.
Email security
To see if you have DMARC set up properly for your domain you can plug your name into the DMARC check tools on this website and see what it says.
“No DMARC record found” means you haven’t started this work and are most vulnerable.
“none” means you’ve started monitoring but are not protected yet,
“quarantine” is good and you’re 90% protected, and
“reject” is the most secure and final destination for DMARC.
Here are examples of what you might see if you plug your company name into the DMARC check tool…
Controls
Set thresholds for spending and make sure all purchases/spends over X amount are approved by you (or someone who knows) either in person or over the phone with voice confirmation first. We’d suggest $500 as that threshold as it’s common for hackers to pretend to be you and trick employees into buying gift cards for that amount but you should set it to whatever you’re comfortable with losing.
Team
Have people on your team who know what to do if/when something bad happens to limit the exposure and make sure everything is buttoned back up after an incident. You can’t 100% prevent attacks, but you can make sure you have the proper resources available to help if/when it happens. No company is too small to suffer from an attack. Attackers will go after any business (or person) to gain financially. Having the proper resources on your team to help protect against attacks and respond if they do happen is paramount.
We hope you find these cybersecurity tips helpful in protecting your business. Stay safe and vigilant in the ever-evolving landscape of online threats.
If you’d like to chat about how we can help your organization, please schedule a call or visit our website at geekgirltech.com.
