Optiv Security shared a list of a dozen tips for implementing secure business practices during the 2016 holiday season. Security experts developed these recommendations to help security and IT teams better prepare their companies and employees to address the increase in cyber threats that occur during this time of year.
1. Limit temporary worker privileges
Many organizations employ temporary workers during the holidays to address increased demand for their products or services, and backfill employees on vacation. Criminal organizations know this and seek to take advantage of the potential “insider threat,” specifically that temporary workers may be less familiar with corporate policies and practices. Organizations should limit temporary employees’ access to corporate systems based on those individuals’ needs to do their jobs. Therefore, if a criminal successfully social engineers a temporary worker in order to carry out an attack on the organization, the fraudster’s access to sensitive company data will be kept to a minimum.
2. Remember holiday season is phishing season
Research has proven phishing messages, emails designed to extract information from recipients for fraudulent purposes, and other spam activity increase exponentially during the holidays. Alert employees to expect harvesting attacks using fake shopping portals and fake shipping entities. Educate employees on how to spot the difference between legitimate messages and phishing emails as well as how they can report those scams.
3. Brush up on physical security practices
Offices and homes see an increase in the delivery of valuable packages this time of year, which offers more opportunities for theft. When receiving or sending expensive gifts, remind employees to make accommodations to safely pick up the packages. They should also remember to lock file cabinets containing sensitive documents, keep track of tablets and laptops, and be careful when working in public spaces such as coffee shops where prying eyes may seek to compromise valuable information.
4. Promote safe payment methods
It’s important for all employees to understand the safest payment methods to use when buying goods and services for personal as well as company-related purposes (such as client gifts or holiday parties). Whether it’s using chip readers when available, generating virtual credit card numbers or using third-party payment applications, educate individuals on safer ways to pay. If paying by mobile device, individuals should use contactless payment technology and integrated payment solutions, and install the official application directly from the credit card issuer. Also, be sure finance and accounting departments closely monitor corporate credit card accounts for potential fraudulent activity, and encourage employees to check their personal statements.
5. Verify and deploy regular data backups
Ransomware continues to ravage businesses by holding data hostage for funds, sometimes going as far as destroying critical data altogether. Regularly back up data to help mitigate the impact of a ransomware attack. Also, periodically verify the ability to recover data from backups.
6. Implement strong safeguards relating to large wire transfers
Businesses have lost billions in wire transfer fraud. An example of one common scheme includes emails that appear to be from a CEO to the CFO asking for large sums of money to be transferred immediately for a “secret deal.” Without proper procedures in place, companies may fall victim to this type of fraud. Organizations need to establish a protocol where two or more executives are required to approve any wire transfer over a designated amount—under any circumstances.
7. Check point-of-sale (POS) terminals and cash register computers daily
Organizations that handle cash and credit card transactions must make sure to regularly monitor and check POS terminals and registers for signs of fraud. POS fraud can come in many forms, including realistic-looking credit card skimmers and USB devices. Employees should be suspicious of people they don’t know claiming to be from corporate IT or security teams, as well as strangers poking around equipment.
8. Encourage use of official apps
Employees will be hard-pressed to avoid online shopping this time of year. Encourage them to use a merchant’s official application, as they are usually more secure than third-party shopping applications. Official applications are safer than browser shopping due to extra security measures merchants take to protect their apps and sensitive customer data. Individuals should make sure they are using the merchant’s official app, as real-looking imposters can expose individuals and organizations to fraud.
9. Watch for Internet-connected devices
This year, research shows an increase in cyber threats as a result of the growth of the Internet of Things (IoT). Companies and their employees should take steps to better secure all Internet-connected devices by following standard security guidelines, including regular software updates and deploying strong passwords. Also, individuals should update often overlooked devices such as video game consoles and smart televisions to reduce the chance of them being compromised.
10. Keep third-party applications up-to-date
Organizations use many third-party applications and programs to conduct business. With so many, it can be difficult to keep patches up-to-date, but help is usually available. Many patch managers, programs that automatically update third-party applications, can keep all critical programs current and thus, more secure.
11. Beware of holiday burnout
IT and security workforces can feel extra pressure during the end-of-year crunch. When our mind is elsewhere, it is easy to let our guard down and make a critical error. Just because someone is willing to work a 12-hour shift to help out, doesn’t mean it’s a good idea. Make sure employees get the breaks they need, and have adequate staff on hand to closely monitor for potential security issues and quickly remediate them.
12. Do not recycle passwords
Passwords are the first line of defense against cyber threats. With many people browsing online retailers and signing up for new accounts this time of year, remind employees to use proper password procedures. Recommend that they should never use the same password from their email or bank accounts, in particular. It is common for usernames to be an email address. So when individuals use their email addresses as their passwords, an attacker could easily test this and gain full access to other accounts.