Can you recognize a potentially disastrous breach of your computer system’s security when you see it? Let’s find out with two quick questions. First, consider this one: You receive a sternly worded email from the Better Business Bureau, saying a customer has filed a complaint against you that could result in a cancellation of your BBB rating if you don’t respond within seven days. The complaint, with an official-looking ID number, is attached. Do you click on the link?
Now the second scenario: An old friend (say, your college roommate) or a current business contact (maybe your favorite client) sends you an invitation to join his or her network on LinkedIn. You’d be delighted! But do you click on the link in the email?
If you answered “yes” to either of these questions, you need a crash course in cybersecurity — and your employees probably do, too. Either or both of the above-mentioned links could contain malware that gives criminals instant access to, and control over, your computer network, at which point “they can do anything they want with it,” said Stu Sjouwerman, founder and CEO of KnowBe4, a training firm with many clients in and around New York.
“Anything” includes, for example, stealing sensitive data like customers’ and employees’ credit-card numbers and Social Security numbers, or launching a worldwide barrage of malicious spam that looks like it came from your company. Gulp.
Cybercrime is on the rise. Mr. Sjouwerman is the author of Cyberheist, a computer security guide for small business. He points to a PricewaterhouseCoopers study released last month that says nearly one in four U.S. companies have been victimized in the past year alone. “Yet most small enterprises assume that cyberthieves won’t bother to come after them when there are so many bigger, more profitable organizations out there,” he said.
If only that were so. “The fact is, cybercriminals cast a wide net and will target any company, big or small, that doesn’t have appropriate safeguards in place,” he added. Another mistaken assumption, widespread among entrepreneurs, is that “keeping the company’s computer systems safe is the IT people’s job.”
Of course, techies do need to put the right firewalls, antivirus software and other security measures in place. But that alone isn’t enough. Most data breaches (about 70%, by some estimates) are the result of “social engineering,” a hacker term that refers to the practice of tricking people into clicking on links that come loaded with spyware, malware and assorted other kinds of trouble. “Your IT department can’t protect you if your employees allow cyberintruders to get in,” Mr. Sjouwerman said.
As a general rule, he advocates advising staffers not to click on any email link they didn’t specifically request. “Any email from anyone you don’t know, with a link or an attachment, should be deleted immediately,” he said. “When in doubt, delete.”
When he received the purported “complaint” from the Better Business Bureau recently, Mr. Sjouwerman smelled a rat and forwarded it to his IT staff. Sure enough, they dissected the link and found it contained a worm that could have wreaked havoc. As for the LinkedIn example above, Mr. Sjouwerman said, “Instead of clicking on the link in the email, delete it and go to the LinkedIn website. If it is a genuine invitation, it will show up there. If not, you’ve just saved yourself a whole lot of headaches.”
Curious about how skilled you are at foiling cybercrooks? You can take a free security test at www.knowbe4.com/phishing-security-test.
Have you ever been the victim of hackers or online scammers? Tell us at http://www.crainsnewyork.com/. Also: Are you an entrepreneur or nonprofit executive with a question about hiring, firing or motivating employees, or another workplace issue? Starting soon, Executive Inbox will have answers. Ask us at firstname.lastname@example.org. We’ll keep you anonymous if you wish.
Congrats KnowBe4 – you have a great story here!