Cybersecurity for SMEs: What employees should know
Employees are the first line of defense and key to any enterprise’s cybersecurity. We have therefore gathered some important tips that SME employees can practice and bear in mind in the workplace, whether working from home or in the office. Here are four (4) reminders for employees:
Cybersecurity for SMEs: Remember to fight the phish
Phishing scams in Singapore have increased considerably this year, with more than 190 incidents registered between January 2020 and August 2020. This is a far cry from the seven cases reported in the same period in 2019, with damages totaling $304,000 this year as compared to losses that amounted to $4,000 in the same period in 2019.
In the newest trend of phishing scams, scammers were alleged to have impersonated organizations that the victims know or trust, such as banks, government agencies, trade unions, or companies, including Singpost, StarHub, Netflix, Paypal, and DHL. Victims would receive e-mails or SMS messages from these ‘companies’ with fraudulent offers or promises to deceive users into clicking on a URL link.
These fraudulent offers or claims include unpaid parcel delivery, service or subscription interruptions, refunds, or incentives. Another type of phishing fraud uses phony advertising campaigns and bank-sponsored prize draws. In this variant, victims either get messages purportedly sent by local banks over WhatsApp, or come across bogus bank adverts on Facebook inviting them to enter lucky draws or special promotions for a chance to win enticing rewards. Here too, victims are duped into clicking on a URL link.
After clicking on the URL link hidden in the e-mails, text messages, or bogus adverts, victims are led to a false bank website, where they are prompted to enter their internet banking credentials, credit or debit card information, and One-Time Password (OTP). Victims would find they had been duped when unauthorized transactions were made from their bank accounts and credit or debit cards. Scammers may also periodically tweak such sites to target clients from various banks and payment service providers.
Cybersecurity for SMEs is crucial: without a strong safeguard against threat actors, an attack could disrupt business operations and tarnish the organization’s name. To fight the phish, here are the four (4) necessary steps to avoid becoming a victim:
a. Never click on URL links contained in unsolicited e-mails or text messages;
b. Always verify the authenticity of information via the official website or other sources;
c. Never disclose your personal or internet banking information or OTP to anyone; and
d. Report any fraudulent credit or debit card charges to your bank immediately and cancel your card.
How a DPO can help against phishing scams
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Every organization’s DPO should be able to curb instances of phishing scams, as the DPO is the officer responsible for maintaining the organization’s cybersecurity posture.
For instance, at Privacy Ninja, we randomly conduct simulated email phishing for clients to see whether there are any vulnerabilities that a bad actor could exploit, and to patch them so that the client does not become a victim of such a scam.
DPOs complement organizations’ efforts in battling scams by ensuring that, when a cyberattack occurs, a protocol for dealing with it has already been established and can be employed to protect clients’ personal data. DPOs play a crucial role when an organization is hit with phishing attacks, as they ensure safeguards are in place to combat them when they happen.
Cybersecurity for SMEs: Set strong, secure, and random passwords
Cybersecurity for SMEs relies heavily on employees, because employees have easy access to the inner workings of the organization. This is also why bad actors target them: employees are the easiest way for attackers to get the most out of their illegal activity.
Passwords protect your computer and personal information against illegal access. Your computer will be more secure against hackers and malware if your password is strong. You should use strong passwords for all of your computer’s accounts.
With this in mind, here are some helpful recommendations for building strong passwords and safeguarding your personal information.
- Create a separate password for each critical account (i.e. e-mail and online banking). Use a unique password for each account.
- Your password should contain at least eight characters. Lowercase and uppercase letters, numerals, and symbols should all be included in the password. If a long password is properly constructed, it will provide more protection than a short password.
- When creating your password, avoid using personal information such as your name, age, date of birth, child’s name, pet’s name, or favorite color/song.
- Avoid keyboard combinations that are consecutive (i.e. qwerty or asdfg).
- Check your surroundings to ensure no one is observing while you input your password. If someone is, ask them nicely to look away.
- Never divulge your password to a third party.
- Change your passwords on a frequent basis and avoid using the same password repeatedly.
- Never scribble your passwords on a sticky note and conceal them beneath your workstation or phone. Someone will discover it.
- When your Internet browser requests permission to remember your passwords, always select “never.”
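The checkable recommendations in the list above (length, character mix, keyboard runs, personal information, reuse across accounts) can be enforced at password-set time. The following is an added example, not code from the original article; the function names, the four-key run length and the sample inputs are assumptions made for illustration.

```python
import re

# Keyboard rows used to spot consecutive-key runs such as "qwerty" or "asdfg".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

def has_keyboard_run(password, run_len=4):
    """True if the password contains run_len adjacent keys from one row,
    typed left-to-right or right-to-left (run_len=4 is an assumed threshold)."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run_len + 1):
                if seq[i:i + run_len] in lowered:
                    return True
    return False

def check_password(password, personal_terms=(), other_passwords=()):
    """Return the list of recommendations from the article that the password violates."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    classes = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "numeral": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"no {name}")
    if has_keyboard_run(password):
        problems.append("contains a consecutive keyboard run")
    lowered = password.lower()
    # Personal terms (name, pet's name, birth year, ...) are supplied by the caller;
    # very short terms are skipped to avoid flagging accidental matches.
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        problems.append("contains personal information")
    if password in other_passwords:
        problems.append("already used for another account")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("Qwerty123!", "rex2015", "Mv7#tLq9$zRb"):
        print(sample, "->", check_password(sample, personal_terms=("Rex", "2015")))
```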
Cybersecurity for SMEs: Safeguard your device and protect your digital presence
Cybersecurity for SMEs begins with employees and their mobile devices. Since phones are now central to almost every transaction we carry out online, it is essential to have a set of guidelines for keeping cyber-attackers away. Here are seven (7) tips to follow to maintain healthy cybersecurity hygiene:
- Install and run applications only from official app stores.
- Enable Anti-Malware Protection!
- Keep your apps and operating systems (OS) up to date on a regular basis.
- Avoid “rooting” or “jailbreaking” your smartphone.
- Make use of reputable USB charging stations.
- Avoid using public/untrusted WiFi networks.
- Avoid clicking on links in unknown e-mails.
Cybersecurity for SMEs: Know when to raise the cyber alarm
Real-time identification and remediation can be the difference between a security incident and the loss of protected data, which can have catastrophic financial consequences. Real-time detection also helps organizations avoid public embarrassment, client defection, and the other negative consequences of a publicized breach. Here are the six (6) warning indicators of an ongoing data breach on your company’s network, and how you can respond quickly to emerging issues:
1. Critical File Changes
Hackers may edit, change, remove, or replace vital system files once within an organization’s network to avoid discovery. Verizon claims most data breaches are resolved in “minutes” or less. A data breach might go undiscovered for a long time unless organizations actively monitor vital system files for modifications.
2. Unusually Slow Internet or Devices
The organization’s security policy and end-user education initiatives should cover abrupt slowdowns in devices or the company network. Malware, viruses, or questionable outbound traffic might cause this. Users should never assume that IT isn’t interested in reports of slow equipment.
3. Obvious Device Tampering
If an employee notices that their device is running after it was shut off, they should notify security leadership immediately. This could be a symptom of physical or remote meddling.
Employees should be taught not to use tampered devices, and not even to sign in on them. Pop-up notifications, bogus antivirus warnings, and suspicious browser toolbars are all symptoms of device hacking. To avoid credential theft or other difficulties, employees should not handle devices they suspect have been tampered with until IT has inspected them.
4. Locked User Accounts
The inability to log into accounts using valid credentials may indicate that a cybercriminal has compromised the account and locked the user out. In the event of a locked account, IT teams must investigate account access and password changes, especially if the employees believe legitimate credentials were provided correctly. Multi-factor authentication can help lower the danger of unwanted access using genuine user credentials.
5. Unusual Outbound Traffic
Unusual outbound traffic is among “the most telling symptoms that something is awry,” according to IT Business Edge. Criminals using the organization’s applications to communicate externally can cause heavy traffic. It can also mean that data is being transferred out. Regularly monitoring traffic patterns can help discover suspicious activity fast.
6. Abnormal Administrative User Activity
Compromise of a privileged employee account is a serious symptom of a data breach. PCI requirements mandate regular auditing of logs, including administrator user activity. A high volume of database transactions or rapid permission changes can indicate an external or internal threat.
The best organizations treat all employees, including super users, with suspicion. If you’re dealing with an internal threat, make sure your technical tools, such as file integrity monitoring software, prevent users from changing logs to hide their trails.
Companies must know their networks and have the tools, rules, and procedures to regularly monitor their assets to respond to incidents. This should include both human factors (teaching staff to report unusual device activity) and technology barriers (file integrity monitoring software, for example).