January 15, 2019 – Tim Winterich - Training, cyber, malicious

The SAFE Approach to Cyber Threats in the Workplace

Anyone who goes online these days, which is just about everyone, should know some basic techniques for dealing with cyber threats in emails, text messages and web pages.  This article offers some non-technical tips for individuals to handle some of the most common cyber attacks that might land in their email inbox, pop up on web pages or appear in their texts.

In the very early days of the internet, your activity was relatively risk-free and most of us clicked through email and around the web with as much threat of danger as watching TV.  But these days your online activities require the attention and defensive posture that are more associated with driving a car.  

Cyber criminals are very effective at gaining the trust of unsuspecting users to lure them into their scams.  They use malicious emails, websites and instant messages to trick you into clicking on their links or downloading attachments that can wreak all kinds of havoc in your organization, including divulging passwords, banking information, or sensitive personal data.

Some of the more notorious, recent attacks at Target and Home Depot, for example, employed spear-phishing where the email bait included personal or company details to lure victims into clicking on dangerous links. And because upper level management has access to more secure and valuable data, they are prime targets for this type of attack.  The bad guys get more sophisticated each day, reading company blogs, researching employee posts on social media, and monitoring company news to develop newer types of attacks.

Then there is the relatively new threat for companies that employ BYOD (Bring Your Own Device) policies at the workplace where employees use their own mobile devices for work activities.  For example some malicious Apps on mobile devices will access the user's address book to expose their contacts to spear-phishing attacks by using personal information that makes the malicious email or message look like it originated with a friend or colleague.

In this wild-west world of cyber dangers, it only takes one employee in an organization to make the wrong click to compromise the entire company's data systems and the rest of the workforce's sensitive data.  And it is hard to see this changing anytime soon as the arms race between cyber criminals and the good guys continues to escalate. 

In general, I think the key skills for individuals to combat cyber dangers these days include: avoiding knee-jerk reactions, applying a critical eye to suspicious things that appear on your screen, sharing information about new threats, and making sure you protect yourself against future attacks.

We can encapsulate these skills in an approach known as SAFE to protect both yourself and your company from cyber threats.  SAFE stands for: STOP, ANALYZE, FIGHT, ELIMINATE

STOP: We should all be very cautious when clicking on links or downloading attachments in emails.  When we receive emails/attachments that look remotely suspicious, even if they appear to be from someone we know, we need to STOP before acting.  Knee-jerk reactions are very costly in the cyber world.  So please learn to slow down, avoid going on auto-pilot while clicking through your inbox, and do not quickly swallow the bait that the bad guys are busily planting all over the place.

ANALYZE: After you stop yourself from taking the bait of a suspicious email, link, attachment or web page, take the next step and ANALYZE what is in front of you.  For example, you can carefully hover your mouse over the email sender's name or over the suspicious link in the email body.  Usually this will give you clues about their veracity. You may be able to see that sender's address does not match up with the one you expect from a personal source.  Or a malicious link could appear very similar to a real live website that you trust, and the email body may even include a company's logo to make it look legit. However the dangerous link will be slightly misspelled; you can analyze it or read it backwards, from right to left to look for any inconsistencies in the URL address.  Also, be on the look out for sites that don't start with "https" or begin with an IP addresses.  Adopt the habit of analyzing, inspecting and rejecting anything that looks out of place in your inbox, on the web or on your mobile device.

FIGHT:  Most of us are not programmers who are employed to combat the cyber criminal world through the coding arms race.  But we can fight back in different ways to protect ourselves and our company.  For example, if you have any concerns about the validity of the person who sent an email or text message, simply take the added step of contacting that person by making a phone call or sending a separate email/text to confirm the authenticity of the message.  Just as important in this battle against cyber attacks is communicating with friends, co-workers, and your IT security professionals about new threats that you encounter or hear about from others.  Always report any threats you encounter and share information to help others counteract threats.

ELIMINATE:  Make sure you delete the dangerous email or text message after confirming that it is a real threat.  Then run a system scan with your anti-virus software to make sure your computer is not infected.  We can ELIMINATE future costs of threats through constant learning and training.  A good training practice for companies to fight against phishing emails, for example, is to conduct mock attacks to help people identify threats. Hands-on training is the best method for this and there are many companies offering mock phishing attacks through online exercises.  A few of the more popular companies in this area are Cofense, Wombat and PhishLine.  They create phishing campaigns to safely test and train employees to spot and deal with online attacks.  This training should be followed-up with quizzes, poll questions or games to reinforce vigilance and lessons learned.

Unfortunately the cyber crime world is here to stay for the foreseeable future, and new techniques and strategies for duping us are always in the works.  To save yourself, and your workplace, from the serious costs of time, energy and money resulting from these types of attacks it's best to adopt SAFE habits while working or playing online.