What you can do to minimise security threats
Hackers and cyber criminals can take down servers, prevent business deals, increase costs, destroy data, or even sell it to the highest bidder.
The threats to business from cyber-security flaws cost the global economy around $445bn a year, according to McAfee.
Anyone watching the Mr Robot series - the sci-fi drama following hackers infiltrating a global corporation - will have noticed it was made possible by access to lower-level employees' data, such as an infected CD, or access through their social media accounts.
This is not the preserve of Hollywood: employees are being used as revolving doors into secure servers.
You may remember the hacker who broke into John Brennan’s AOL account – Mr Brennan being the Director of the CIA. After a reverse look-up of his phone number, the hacker contacted his provider, Verizon, pretending to be another Verizon employee.
The employee was fooled into revealing aspects of Mr Brennan’s personal information that allowed them to request account access from AOL. It did not help that the CIA Director had forwarded himself work emails with highly sensitive information.
Phil Huggins, vice-president of security science at global digital risk and investigations firm Stroz Friedberg, told Computer Weekly that “just being connected to the internet makes any company interesting to cyber criminals”.
Your computer's processing power is also up for rent – Stroz Friedberg investigators have found criminals using companies’ super-computers for illegal activities, without the knowledge of the business.
Now some cyber criminals are turning their attention to financial institutions and key banking staff, with a view to stealing their identities to work in banking systems and steal cash.
Your IT department is likely to be extremely well versed in the necessary precautions, but there are steps that an individual can take to reduce these risks and ensure data integrity.
Your starting point as a responsible CA Student Member must always be to understand and follow your own firm’s security protocol: remember that you will have signed up to follow this and it is likely to be a disciplinary matter if you do not abide by the terms.
If you haven’t looked at it for some time, this could be a timely reminder. As a general rule, if you are ever unsure you should always seek clarification from your IT team.
Here are some useful key points which are likely to be covered in your firm’s IT policy in more depth, and which are always good practice:
- Be cautious of phone calls purporting to be high-level employees you have never spoken to before; if they request information such as account numbers, passwords, codes, etc, suggest that you will get that information and call them back. Speak to IT or your manager about concerns.
- If you don’t know the email sender, or the name of someone you know is being linked to a different email address, be extremely careful to avoid clicking any links or replying with sensitive information.
- As a general rule, sensitive information should be encrypted and not sent through mail servers that can be easily hacked.
- It might be tempting to take work home with you, but be sure to use a work computer with a VPN connection; do not email yourself the work.
- Be on guard when using external USBs or CDs; they may be infected with malware, viruses or Trojans, and simply running them could be fatal for systems. If in doubt, ask IT to test them. IT may also have an in-house policy on external storage devices.
- Security problems can start at home, so think about how you work on your computer and mobile – are there any risks? Is your security software up-to-date? Have you secured your accounts with two-step verification, where possible?
- Keep an Rkill shortcut on your home computer desktop – this handy little app will, in most cases, force malicious processes to stop running for long enough to find and remove them with security software.
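The second point above (a name you know turning up on an address you don't) can be checked mechanically. The following is an added example, not code from the article or from ICAS: it assumes a constructed address book and flags a familiar display name on an unfamiliar address, a familiar address under someone else's name, an entirely unknown sender, and (going a step beyond the text) a domain that is one character off a known one.

```python
from email.utils import parseaddr

# Constructed sample address book (not from the article): normalised display
# name -> addresses that person has actually written from before.
KNOWN_CONTACTS = {
    "jane smith": {"jane.smith@example.com"},
    "it helpdesk": {"helpdesk@example.com"},
}
def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # Skip one character from the longer string (or from both on a substitution).
        i += len(a) >= len(b)
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) <= 1

def check_sender(from_header, contacts=KNOWN_CONTACTS):
    """Return a list of warnings for one From: header value ([] means it looks normal)."""
    name, addr = parseaddr(from_header)
    addr, key = addr.lower(), " ".join(name.lower().split())
    if "@" not in addr:
        return ["unparseable or missing sender address"]
    known = contacts.get(key)
    if known and addr in known:
        return []                                   # familiar name, usual address
    by_addr = {a: n for n, addrs in contacts.items() for a in addrs}
    warnings = []
    if known:
        # The pattern the article warns about: a name you know on an address you don't.
        warnings.append("%r normally writes from %s, not %s" % (name, ", ".join(sorted(known)), addr))
        domain = addr.rsplit("@", 1)[1]
        for k in known:
            kd = k.rsplit("@", 1)[1]
            if domain != kd and within_one_edit(domain, kd):
                warnings.append("domain %s is a lookalike of %s" % (domain, kd))
    elif addr in by_addr:
        warnings.append("address %s belongs to %r, not %r" % (addr, by_addr[addr], name))
    else:
        warnings.append("unknown sender %r <%s>" % (name, addr))
    return warnings
```

Run `check_sender('"Jane Smith" <jane.smith@examp1e.com>')` to see both the unfamiliar-address and lookalike-domain warnings; a clean result only means the sender matches your records, not that the mail is safe.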
Quick guides on spotting vishing or phishing techniques
- How to recognise phishing email messages, links, or phone calls
- Dealing with fraudulent "phishing"
- How to tackle fraud ‘vishing’ calls