1 25 Table of Contents 27 32

Pub. 1 2019 Issue 6

do not patch critical systems or secure them correctly. To prevent problems or detect them early, test critical systems. • Vishing: This is similar to Phishing, but the victim provides sensitive information over the phone. • CEO fraud: This can occur through email, a text or over the phone. Someone impersonates the CEO to get someone else to do what the impersonator wants. There are many ways in which these attacks can occur. Someone might impersonate a new employee to gain physical access or leave a USB key with the words “Payroll Figures” on the ground. All you would have to do is wait for a curious employee to insert the USB key into a system, and the bad guy is in. All of these attack vectors take into account some form of social engineer- ing. The bad guys are taking note of human nature and exploiting that to their advantage. To be effective, we have to do the same thing. NEXT STEPS You can take some basic steps to protect your company: 1. Make sure your systems are on a patch schedule so that security fixes are installed as soon as possible. The fixes should be done, at most, within days. 2. Make a local backup of all of your critical systems, but then use the cloud to move those backups off-site. Also, perform periodic test restores from your backups to make sure they work in the event of a disaster. Write a plan about what to do and then test it. 3. Implement industry-standard firewalls and security policies. Test your firewalls, and make sure they are fully patched as well. 4. Make sure that your security cameras, Voice Over IP Phones, or any Internet of Things devices are separate from your internal networks. 5. Make sure your passwords are longer than 12 characters and do not allow people to reuse them. The best way to accomplish this is to use a Password Manager like LastPass. Also, do not force a password change more than twice a year, if at all. Passwords should only be changed if there is a need. 6. Most important is to focus on the education and training of your staff. There are many security training com- panies out there. My company, National Software Systems, partners with a com- pany called KnowBe4. We provide security awareness training as a service in the cloud. We can help you in testing your users initially to see how many fall for the attack, train all your users, schedule regular weekly phishing tests, and evaluate the results. You will be surprised at how many users initially fall for the attack, but as they are trained over time, they will become bet- ter stewards of information security. As the old saying goes, “Your weakest link is the link between the chair and the keyboard.” John Bouley is President of 2MB Corp., dba National Software Systems. NSS helps organizations of all kinds stay safe online and guides clients on anything related to technology. John can be reached at 603-626-1115 or via email to jabouley@nationalsoftwaresystems.com D R I V E 24

RkJQdWJsaXNoZXIy OTM0Njg2