How to Protect Your Business
Technology can be a great way to engage current and future customers, gain competitive advantage and stay efficient. As a small or medium sized business, sometimes the security resources needed to keep your customers and your business safe online can be limited.
There are several basic security measures and a number of resources readily available that can help you safeguard your customers’ information and keep your business secure. Below are some common security practices and resources for mitigating your security risk and reducing the likelihood of fraud.
- Start with security
  - Don’t collect personal information you don’t need
  - Hold on to information only as long as you have a legitimate business need
  - Don’t use personal information when it’s not necessary
- Control access to data sensibly
  - Restrict access to sensitive data
  - Limit administrative access
- Require secure passwords and authentication
  - Insist on complex and unique passwords
  - Store passwords securely
  - Guard against brute force attacks
  - Protect against authentication bypass
- Store sensitive personal information securely and protect it during transmission
  - Keep sensitive information secure throughout its lifecycle
  - Use industry-tested and accepted methods
  - Ensure proper configuration
- Segment your network and monitor who’s trying to get in and out
  - Segment your network
  - Monitor activity on your network
- Secure remote access to your network
  - Ensure endpoint security
  - Put sensible access limits in place
- Apply sound security practices when developing new products
  - Train your engineers in secure coding
  - Follow platform guidelines for security
  - Verify that privacy and security features work
  - Test for common vulnerabilities
- Make sure your service providers implement reasonable security measures
  - Put it in writing
  - Verify compliance
- Put procedures in place to keep your security current and address vulnerabilities that may arise
  - Update and patch third-party software
  - Heed credible security warnings and move quickly to fix them
- Secure paper, physical media, and devices
  - Securely store sensitive files
  - Protect devices that process personal information
  - Keep safety standards in place when data is en route
  - Dispose of sensitive data securely
Don’t Fall Victim to Business Email Compromise (BEC) Attempts
What is Business Email Compromise?
Business email compromise (BEC) is an emerging fraud trend affecting businesses globally, and it has nearly doubled wire fraud in recent years. BEC is a type of payment fraud in which a legitimate business email account is compromised or spoofed for the purpose of conducting an unauthorized wire transfer. Once an account is compromised, the attackers use the compromised or spoofed account to send wire transfer instructions.
How does it happen?
The scam usually begins with actors phishing an executive and gaining access to their email or emailing employees from a look-alike account that’s one or two letters off. A request for a wire transfer is then sent to another employee within the company, tricking them into initiating the transaction.
Unlike traditional phishing scams, these are targeted communications, not mass emails. These social engineers take the time to understand the company and the victim(s) using publicly available materials or information gleaned from other social engineering scams.
As a reminder, when you receive an email requesting a significant transaction:
- Look at the email address – It may appear correct at first glance, but closer inspection may uncover an extra or substituted letter, and hovering over the display name may reveal an address you don’t recognize.
- Don’t take any action without verbally confirming the request with the sender – Email addresses are easily spoofed. Verify funds transfer requests via a separate communication channel, such as a telephone call to a number you already have on file, not one supplied in the email.
Suggestions for Protection
- Be mindful of posting certain information to social media and company websites, such as job duties/descriptions, hierarchical (reporting-line) information, and out-of-office details.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Know the sender – if it doesn’t sound like your colleague or client, it may not be; is this request out of the ordinary or does the grammar seem unusual?
- Beware of sudden changes in business practices. For example, if a contact suddenly asks you to use their personal e-mail address when previous official correspondence has been on a company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
- If a message looks suspicious, do NOT open it, click on its links, or open its attachments. These often carry malware that can give the attackers access to your computer.
- Verify all significant transactions verbally.
Information Security Sources & Resources
- Federal Trade Commission – Start with Security: A Guide for Business
- Federal Bureau of Investigation – Business E-Mail Compromise: An Emerging Global Threat
- Fraud Advisory for Businesses – Corporate Account Take Over
- Department of Homeland Security – Stop. Think. Connect. Campaign
- Federal Trade Commission – Protecting Personal Information: A Guide for Business