Your employees can be your best defense
Remember the days when IT departments took full responsibility for cybersecurity? Back then, we worked at centralized facilities using company-owned computers and hard-wired phones, and IT had strict control over gateways, firewalls and networks.
That’s just no longer the case. With the dramatic transformation of the workplace in our post-COVID world, we’ve revolutionized the ways we protect data when employees work from home, use their own devices and interact with others outside the organization via email, messaging and a variety of apps.
But, according to a 2022 report from Stanford University, Understand the Mistakes that Compromise Your Company’s Cybersecurity, 88% of data breaches are caused by employee error—simple things like accidentally sending an email to the wrong recipient or clicking on a link in a phishing email or smishing message.
It’s clear that employees are becoming the biggest vulnerability in secure infrastructures. But they also can be your best defense—so it pays to keep your teams informed about good cybersecurity practices.
October 2024 marks the 21st Cybersecurity Awareness Month. As the team in charge of tech compliance at Velera, we’re taking this opportunity to focus on what financial institutions can do to safeguard members’ data on the front line. Here are some ways your employees can do their part to strengthen your defense against the ever-present threat of cyberattacks.
Build Your Defense: Use Strong, Unique Passwords
Strong passwords are critical to protecting data. According to the 2022 Verizon Data Breach Investigations Report, 81% of confirmed data breaches were related to stolen, weak or reused passwords. And once an attacker gets in with one of those passwords, you could face data loss, identity theft, extortion, system takeovers and financial loss.
Once a hacker has your credentials, they have tools that can, in an instant, search dozens of sites to see if you’ve used that same username and password—and if you have, then sites such as work accounts, personal banking accounts, online shopping, streaming services and more are now open and available to them. Once in, they can use your personally identifiable information (PII), including your financial data, to impersonate you just about anywhere.
Social media sites add the risk of reputational harm, as well as the ability to launch spear phishing campaigns against your contacts. Successful spear-phishing has the potential to introduce malware, which then can spread the attack exponentially. If that hack is linked to your financial institution, it could also do significant reputational damage.
- To create a strong password, make it long (at least eight characters, but strive for 12 or more), random and unique, and include all four character types: uppercase, lowercase, numbers and symbols. Password managers make it easy to generate strong, unique passwords—and will prevent you from using easy-to-guess personal information in your passwords, such as the name or birthdate of a partner, child or pet. For more tips on creating strong passwords, check out this article from the Cybersecurity & Infrastructure Security Agency (CISA).
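The checks in the tip above can be written down as code. The following is an added example (not from the original article or from Velera) that generates a random password containing all four character classes with Python's `secrets` module and checks a candidate password against the same rules, including a caller-supplied list of personal terms (names, birth years) that should never appear in it. The rule thresholds and the symbol set are assumptions chosen for this example.

```python
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"  # assumed symbol set; adjust to the site's allowed characters

MIN_LENGTH = 8      # hard floor from the article
TARGET_LENGTH = 12  # recommended minimum from the article


def check_password(password, personal_terms=()):
    """Return a list of problems with `password`; an empty list means it passes every rule.

    personal_terms: strings such as a partner's, child's or pet's name or a birth year
    that must not appear anywhere in the password (matched case-insensitively).
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < TARGET_LENGTH:
        findings.append(f"shorter than the {TARGET_LENGTH}-character target")

    classes = {
        "uppercase": any(c in UPPER for c in password),
        "lowercase": any(c in LOWER for c in password),
        "digit": any(c in DIGITS for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }
    for name, present in classes.items():
        if not present:
            findings.append(f"no {name} characters")

    lowered = password.lower()
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in lowered:
            findings.append(f"contains personal term {term!r}")
    return findings


def generate_password(length=16):
    """Generate a random password of `length` characters guaranteed to contain all four classes."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    rng = secrets.SystemRandom()  # CSPRNG-backed shuffle
    # One character from each class so the class rule always holds ...
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
    # ... then fill the rest from the full alphabet and shuffle so positions are unpredictable.
    alphabet = UPPER + LOWER + DIGITS + SYMBOLS
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    print(check_password("Summer2024"))
    print(check_password("Rex-Fluffy-1985!x", personal_terms=["Fluffy", "1985"]))
    pw = generate_password(16)
    print(pw, check_password(pw))
```

Note that a password manager does exactly this generation step for you; the checker is useful mainly for reviewing passwords that people still create by hand.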
Don’t Get Hooked! Spot the Signs of Phishing and Smishing
Phishing is a social engineering tactic used by attackers to trick you into giving up information such as passwords or credit card numbers by pretending to be a legitimate company. It’s often formal in tone, with an urgent call to action, and usually includes a link or attachment. But there are often telltale signs that the email is not what it seems, and if a message looks suspicious, it’s probably phishing. Here are some signs to look for:
- Email addresses that do not match the supposed sender
- Lookalike domains, such as micros0ft.com instead of Microsoft.com (hover over the link to see where it really leads before clicking)
- Generic greetings like “Dear Sir/Madam”
- Urgent or emotionally appealing language or claims that your account is compromised
- Requests to send personal or financial information
- Poor writing and misspellings
- Suspicious attachments from unknown senders—anything you’re not expecting
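Most of the signs in the list above can be checked mechanically, which is how mail filters and security-awareness tools apply them. The following is an added example (not code from the original article or from Velera) that screens a message for sender/display-name mismatch, a differing Reply-To domain, digit-for-letter lookalike domains (the micros0ft.com pattern), generic greetings, urgent language, requests for personal data and risky attachment types. The trusted-domain list, the keyword lists and both sample messages are constructed for this example; it does not attempt to judge spelling quality.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: domains this organisation treats as legitimate senders.
TRUSTED_DOMAINS = {"microsoft.com", "velera.com"}

# Digit-for-letter swaps commonly seen in lookalike domains (e.g. micros0ft.com).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".exe", ".scr", ".bat", ".js", ".vbs"}
GENERIC_GREETINGS = ("dear sir/madam", "dear sir", "dear madam", "dear customer",
                     "dear user", "dear account holder")
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|"
    r"account (has been|is|was) (compromised|suspended|locked|limited)|verify your account)\b",
    re.I)
INFO_REQUEST = re.compile(
    r"\b(password|credit card|card number|social security|ssn|account number|pin)\b", re.I)


def domain_of(address_or_url):
    """Lower-cased host part of an e-mail address or URL ('' if none)."""
    s = address_or_url.strip().lower()
    if "@" in s:
        return s.rsplit("@", 1)[1]
    return urlparse(s if "://" in s else "http://" + s).hostname or ""


def lookalike_of(domain):
    """Trusted domain that `domain` imitates once digit swaps are undone, else None."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return None
    normalized = d.replace("rn", "m").translate(_HOMOGLYPHS)  # 'rn' reads as 'm' in many fonts
    return normalized if normalized in TRUSTED_DOMAINS else None


def screen_message(msg):
    """Return the phishing indicators found in `msg`.

    msg is a dict with keys from_name, from_addr, reply_to, body, links, attachments.
    """
    flags = []
    from_dom = domain_of(msg["from_addr"])

    # Sign 1: display name claims a trusted brand but the address comes from elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in msg.get("from_name", "").lower() and from_dom != trusted:
            flags.append(f"display name claims {brand} but address is @{from_dom}")
    reply_dom = domain_of(msg.get("reply_to") or msg["from_addr"])
    if reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Sign 2: lookalike domains in the sender address or any link (deduplicated).
    candidates = dict.fromkeys([from_dom] + [domain_of(u) for u in msg.get("links", [])])
    for candidate in candidates:
        target = lookalike_of(candidate)
        if target:
            flags.append(f"{candidate} imitates {target}")

    body = msg.get("body", "")
    if any(body.lower().lstrip().startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic greeting")                        # Sign 3
    if URGENCY.search(body):
        flags.append("urgent or threatening language")          # Sign 4
    if INFO_REQUEST.search(body):
        flags.append("asks for personal or financial information")  # Sign 5

    # Sign 7: compressed or executable attachments.
    for name in msg.get("attachments", []):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"risky attachment type {ext} ({name})")
    return flags


# Constructed sample messages (not real mail).
SAMPLE_PHISH = {
    "from_name": "Microsoft Support",
    "from_addr": "security@micros0ft.com",
    "reply_to": "helpdesk@mail-verify.example",
    "body": "Dear Sir/Madam,\n\nYour account has been compromised. "
            "Verify your password within 24 hours at the link below.",
    "links": ["http://micros0ft.com/verify"],
    "attachments": ["invoice.zip"],
}
SAMPLE_LEGIT = {
    "from_name": "Jane Doe",
    "from_addr": "jane.doe@velera.com",
    "reply_to": "",
    "body": "Hi Sam, attaching the Q3 slides we discussed.",
    "links": [],
    "attachments": ["q3-slides.pdf"],
}

if __name__ == "__main__":
    for flag in screen_message(SAMPLE_PHISH):
        print("-", flag)
    print("legit message flags:", screen_message(SAMPLE_LEGIT))
```

Each flag on its own is only a hint (plenty of real mail is urgent or carries a .zip), which is why the article tells you to verify through a known contact channel rather than act on the message itself.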
Smishing is the SMS version of phishing, attempting to attack through your messaging app. As with email phishing, a smishing attacker uses misleading text messages to trick victims into sharing valuable information, installing malware or sending money. One common smish attempt entices you to click a link, claiming “your package has arrived at the warehouse and could not be delivered.” We’re also seeing a rise in smishing texts that impersonate a member of your organization’s senior leadership team as a way to convince you to either transfer money, buy gift cards or give up sensitive information.
- If you suspect a phish or smish, don’t engage with any number, link or attachment you’re not expecting; be especially wary of .zip or other compressed or executable file types. Verify the legitimacy of emails or texts by contacting the company or person directly: go to the company’s website to find their contact information, then call the individual at a known number and confirm whether they sent the message. Never provide sensitive personal information (like usernames and passwords) over email or text. And always report phishing or smishing attempts immediately so that your cybersecurity team can block the sender and begin their investigation.
Another Line of Defense: Multi-factor Authentication
Multi-factor authentication (MFA) makes it hard for an attacker to gain access to your accounts, even if they know your username and password. MFA requires you to prove your identity via two or more different authentication factors. For example, to access a secure account, it’s common to provide a username (often an email address, which is not difficult for an attacker to guess) and a password (harder to guess, but password-cracking software makes it easier, especially if passwords are not complex). With MFA, you may then also input an additional PIN, use biometrics (a thumbprint or facial recognition), answer a security question like “What is the name of the high school you attended?” or enter a one-time passcode sent to your device.
You should enable MFA whenever possible on work accounts, as well as banking accounts and anywhere else you provide personal information such as credit card/debit card numbers, bank account numbers, social security number, driver’s license number, passport number, etc.
Still, you can’t guarantee security from fraud. Even with MFA enabled, you may receive a one-time passcode prompt via email or text when you aren’t currently logging into one of your accounts. This could be an indication that you’re being hacked—and you should assume your credentials (username and password) have been stolen.
If this happens, do not click any links in the prompt and go directly to the legitimate site or location and change your password. If it’s a work-related account, report it immediately to your cybersecurity team. If it’s a personal account, report it to that institution.
- To avoid falling victim to MFA bypass attacks, strengthen your MFA. For example, whenever possible, use biometrics to access applications. Use an authenticator app such as Microsoft Authenticator, which provides a time-based token and requires you to log into the app before it shows you the one-time passcode. Also, if you have to choose between receiving a one-time passcode via SMS or email, choose SMS sent to the phone number you have on file.
See this National Cybersecurity Alliance page for more tips and information on MFA. As for how to enable MFA, the Cybersecurity and Infrastructure Security Agency offers tips here.
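The "time-based token" an authenticator app shows is a TOTP code (RFC 6238), computed from a shared secret and the current 30-second interval. The following is an added example (not code from the original article, Velera or Microsoft Authenticator) that implements that computation with the standard library and a server-side verifier that accepts one step of clock drift either way and refuses to accept a code for a time step it has already accepted, so a captured code cannot simply be replayed. The key used in the demonstration is the published RFC 4226 test key, not a real secret.

```python
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the current `step`-second interval."""
    t = int(time.time()) if at is None else at
    return hotp(key, t // step, digits)


class TotpVerifier:
    """Server side of TOTP.

    Accepts the code for the current interval or `window` intervals either side (clock drift),
    and never accepts a code for an interval at or before the last one that was accepted.
    """

    def __init__(self, key, step=30, digits=6, window=1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1  # would be persisted per user in a real service

    def verify(self, code, at=None):
        t = int(time.time()) if at is None else at
        current = t // self.step
        for offset in range(-self.window, self.window + 1):
            candidate = current + offset
            if candidate <= self.last_accepted_step:
                continue  # already used (or older than one that was used): reject replays
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


# RFC 4226 Appendix D test key (ASCII "12345678901234567890"); a real secret is random and per user.
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print("code at t=59:", totp(RFC_TEST_KEY, at=59))
    v = TotpVerifier(RFC_TEST_KEY)
    print("first use accepted:", v.verify(totp(RFC_TEST_KEY, at=59), at=59))
    print("replay accepted:", v.verify(totp(RFC_TEST_KEY, at=59), at=61))
```

The replay check is the part that matters for the scenario in the text: a code an attacker obtained by phishing is only good for one interval and, once the legitimate user or the attacker has used it, for nothing at all.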
Cybersecurity is everyone’s business. Today, everyone in an organization must take personal responsibility for security and network safety. Staying aware and vigilant is our best defense!
As Velera’s VP of Technology Compliance & Identity Services, Lori Lucas oversees a team of 35 employees who implement and execute technology risk management, compliance, and business process improvement strategies to protect the company’s IT assets and sensitive information. Her team works closely with Velera’s marketing and corporate communications teams to alert employees of cyber threats, raise awareness and engage them in the fight against cybercrime. Lori joined Velera in 2012, after working for several financial services companies in the field of cybersecurity and IT compliance as well as for Ernst & Young as a technology risk consultant.