I’ve been talking a lot about the importance of cyber security because it is one of the biggest threats to operating a business today. The bigger your business gets, the more valuable the information that can be stolen is. To make my point, I’m going to discuss the criminal cases of two hackers and the civil cases of five others who used a phishing scheme to hack into the Securities and Exchange Commission (SEC for short; for those who don’t know, every company traded on the United States stock market must file reports with the SEC before passing the information on to the public) and used that undisclosed information to illegally profit $4.1 million through insider trading between May and October of 2016. It is over two years later, and they have only just reached the point where cases are being filed against the participants.
Can you imagine something like this hanging over your business for years? I know I can’t, so I’m going to talk about this and make some recommendations as to what could have been done differently and what you can preemptively do to help protect your company from experiencing the problems that come with successful phishing attempts.
How did the SEC get hacked?
Using phishing techniques, the hackers were able to get data collection software on the SEC servers and get information from EDGAR, the SEC’s database of corporate filings, before it was released to the public. This information was then transferred to a server in Lithuania where the information was either used to make trades or sold to others to utilize.
What could have been done differently?
There are three things that could have been done differently to prevent this:
- Don’t be a hacker.
- Don’t get caught.
- Just kidding, here’s the real list:
- The SEC could have disabled email hyperlinks at the group level, rendering phishing almost completely useless. It would also mean valid hyperlinks require a copy-and-paste to open. Probably a good idea when you hold the entire record of transactions and business information for publicly traded companies in the U.S.
- The employees could have hovered over the link and seen it was phishing.
- Block access to non-public files from outside of SEC buildings. This would mean the hackers would have had to remotely view a computer inside the building, manually open files, read them to understand the information, work out whether it was beneficial, and take notes. This would have made the attempt much riskier and more time consuming.
This is great and everything, but…
What can I do to protect my business from phishing attacks?
Phishing attacks are basically a hacker’s attempt to gain entry into networks where they don’t belong by relying on someone being careless. The tips I’m going to give you here are partly behavioral and partly technical. I’m also going to break them up into things to do and things not to do.
- Train your employees on how to spot phishing.
- Hover over links to catch phishing links.
- Have a plan in place to deal with phishing and other cyber security risks.
- Consult with a managed service provider, like Maryland Computer Service, on the best ways to secure your network from phishing attacks.
- DON’T Multi-task: studies show that people who do more than one thing at a time make more errors and take longer than those who do one thing at a time.
- DON’T Check e-mails before your morning coffee. If you are like me, you aren’t fully awake first thing in the morning and you might click on the wrong thing in your groggy state.
- DON’T ignore the risks of cybersecurity because you think your business is not big enough to be worth hacking. Big businesses with revenue in the billions also spend millions on cybersecurity, making us small business owners the low-hanging fruit.
- Update your systems regularly.
- Backup your system regularly.
- Use Webroot or other endpoint protection software.
- Use DNS filtering software to prevent access to known threats.
- Consider blocking hyperlinks in email.
- DON’T leave your system unprotected.
- DON’T utilize software whose manufacturer support has expired.
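The "hover over links" tip above checks one thing: whether the address a link really goes to matches the address the reader sees. The script below, an added example that is not code from the original post or from Maryland Computer Service, does that check across a whole HTML message so it can run on mail before anyone hovers. The sample message, the hostnames and the IP address in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one deceptive link, one neutral, one honest.
SAMPLE_EMAIL = """<p>Your EDGAR filing needs attention.</p>
<a href="http://198.51.100.23/login">https://www.sec.gov/edgar</a><br>
<a href="https://secure-sec.example/reset">Reset your password</a><br>
<a href="https://www.sec.gov/edgar/search">https://www.sec.gov/edgar/search</a>"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(text):
    """Hostname (minus a leading www.) of a URL or bare domain, else None."""
    host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
    if not re.fullmatch(r"[a-z0-9.-]+\.[a-z0-9-]+", host):
        return None          # plain words such as "Reset your password"
    return host[4:] if host.startswith("www.") else host

def suspicious_links(html):
    """Return (href, shown_text, reason) for links a hover would have exposed."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, shown in parser.links:
        real, seen = _host(href), _host(shown)
        if real is None:
            continue             # mailto:, relative links and the like
        if seen is not None and seen != real:
            findings.append((href, shown, "visible URL differs from real destination"))
        elif re.fullmatch(r"\d+(\.\d+){3}", real):
            findings.append((href, shown, "destination is a bare IP address"))
    return findings

if __name__ == "__main__":
    for href, shown, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: shows '{shown}' but goes to {href}")
```

A link whose text is just words ("Reset your password") cannot be judged by this comparison alone, which is exactly why the post's advice to hover is still needed for those.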
Utilizing these tips can help you avoid or minimize the impacts of cyber security attacks like phishing. While the successful phishing mission conducted against the SEC created illegal gains for the people involved, $4.1 million is barely a blip in the daily trade of the stock market. If cyber attacks impact one of our businesses to that degree, we could be starting over.
Make sure your company and employees understand the importance of being cautious when using emails. If you need help training your organization on proper cybersecurity, implementing better hardware and software, or maintaining your current systems, Maryland Computer Service will help you find the solutions that work for your business and budget. You can learn more about our services at http://marylandcomputerservice.com/it-support or contact us to learn more about what we can do to help protect your business from the risks that come with utilizing all the technology that makes our lives easier, more productive, and more fulfilling.