Internet Security at Work
Protect company, customer, and employee data online
Jorge Guerra
Curtis Partition

Small and midsize businesses are at risk

1/3 of businesses surveyed experienced fraud attempts online
Small and midsize businesses at risk online

Five steps to stronger cyber security
  1. Strengthen your computer’s defenses
  2. Avoid downloading malware
  3. Protect company data & financial assets
  4. Create strong passwords & keep them private
  5. Guard data & devices when you’re on the go

Strengthen your computer’s defenses
  • Keep the firewall on
  • Install legitimate antimalware software
  • Keep software up to date, automatically

Step 2: Don’t be tricked into downloading malware

Don’t be tricked into downloading malware
  • Think before you click
  • Confirm that the message is legitimate
  • Close pop-up messages carefully (Ctrl+F4)

Protect company data and financial assets
  • Handle sensitive data with special care
  • Beware of scams and fraud

Protect company data and financial assets: how to evade scams
  • Look for telltale signs
  • Think before you click
  • Keep sensitive information private

Create strong passwords. Keep them private.
  • Make passwords strong
  • Keep them private
  • Use unique passwords

Guard company data when you’re on the go
  • Connect securely
  • Confirm the connection
  • Encrypt confidential data
  • Save sensitive activities for trusted connections
  • Flash drives: watch out for unknowns

What to do if there are problems
  • Report abuse and other problems
  • Immediately report phishing
  • Immediately report missing devices or theft of company data
  • Change all passwords
  • Wipe mobile phones

More helpful information
Learn how
Get the latest: microsoft.com/security
Comments? Questions?

Your gateway to the latest information from Microsoft about how to work more securely on the Internet and better protect company, customer, and personal data: microsoft.com/security.
© 2012 Microsoft Corporation. All rights reserved.


Editor's Notes

  1. SLIDE 1 TALKING POINTS Today we’re going to spend about half an hour outlining how you can work more securely on the Internet and help protect our company’s information (including customer data) and financial assets against online fraud and other cyber crimes. You’ve heard the tales of how companies and organizations were damaged and in some cases even destroyed by cyber criminals. Here are a few true stories: A thief stole a company laptop, and the company lost a decade of irreplaceable research and intellectual property worth millions. A newly-hired executive received email from what looked like his company’s travel agency, where he was asked to click a link to confirm the accuracy of his personal details. This took him to an official-looking site where he found his personal data. There, he was asked to download software that would link his Outlook email account to the travel agency’s booking system. In so doing, he downloaded malicious software that spread through his new company. Hackers broke into the computers of a retail chain through an unsecured wireless network and stole the financial information of all its customers, which cost the company millions in lost business and was ruinous to its reputation. Most often, damage to big corporations dominates the news, but cyber crooks target small and midsized businesses, too. [click]
  2. SLIDE 3 TALKING POINTS Cyber criminals assume that smaller business owners are more focused on building their companies than worrying about cyber crime. They know that smaller businesses have fewer resources than large companies to defend themselves, and also assume that they don’t have the necessary expertise to take preventive steps. Why target a big corporation with sophisticated tools and extensive resources to combat cyber crime, when it’s easier to infiltrate the tens of thousands of small businesses? [click]
  3. SLIDE 4 TALKING POINTS Data backs this up. For example, the Aite (pronounced eye-tay) Group, which provides research for the financial services industry, asked controllers at 110 small and midsized businesses in June 2011 about attempted online fraud. Researchers found that one third of those businesses surveyed had experienced online fraud attempts. Criminals are indiscriminate in targeting smaller organizations, and the crimes seem to pay. For example, a small town in upstate New York lost $139,000, and a Catholic diocese forfeited over half a million dollars, both to thieves who stole employee credentials to initiate transfers from their bank accounts. Fortunately, preventive steps to help defend our company’s assets don’t require us to be experts or spend a lot of money. It’s really a matter of educating ourselves about Internet risks and then developing practical habits that strengthen our security when we’re online. So, for the next 30 minutes or so, let’s get the details. [click] NOTE TO SPEAKER You’ll find the Aite Group research in this 2012 white paper, “Know Your Enemy: Successful Strategies in Online Fraud Mitigation”: http://info.threatmetrix.com/Aite-Online-Fraud-Mitigation-2012.html.
  4. SLIDE 5 TALKING POINTS We’ll talk about these five steps you can take: Help secure your computer by strengthening its defenses. Be cautious so you don’t inadvertently download malicious software that could damage computers or be used to steal information. Help protect sensitive company information and financial assets from theft. Create strong, unique passwords and don’t share them with others. Guard data and devices (phones, flash drives, laptops, tablets, etc.) when you work away from the office. These practical measures don’t take much technical expertise—just smart habits regularly practiced and a good dose of common sense. So let’s look at the first step—beefing up your computer’s defenses. [click]
  5. SLIDE 7 TALKING POINTS So, to strengthen your computer’s defenses, never turn off your computer’s firewall. Turning it off—even for a minute—increases risk. A firewall creates a barrier between your computer and the Internet, a kind of security checkpoint that both information and software must pass through before they can enter or leave your computer. [click] Second, to defend against malware: Install antispyware and antivirus software from a trusted source. Our IT staff will tell you what to install. This software helps protect your computer by scanning downloaded files and attachments for the latest threats, and detecting and removing thousands of specific viruses before they have a chance to do any damage. Also, never download anything in response to a warning from a program you didn’t install or don’t recognize—especially if it claims to protect your computer or offers to remove viruses. Same for any pop-up message that advertises security software. These are likely to be fake, and do exactly the opposite of what they advertise. [click] And third, cyber criminals are inventive in their efforts to exploit vulnerabilities in software. Many software companies provide updates, so regularly install them for all software. This means updating antivirus and antispyware programs, your browser like Windows Internet Explorer, operating systems (like Windows), and word processing and other programs (including games). Everything. The safest and easiest way to stay current is to subscribe to automatic updates whenever they’re offered. For example, to automatically update all Microsoft software, go to update.microsoft.com, or if you use Windows, open Control Panel and use Programs and Features. It’s also a good idea to UNinstall any software that you don’t use. Check with our system administrator to find out how to do this. Now let’s talk about how to guard against the tricks criminals use to get you to download malware—starting with a story. 
[click] NOTE TO SPEAKER Consider introducing this slide with an overview of the security measures your company takes to help protect computers, laptops, mobile phones, and other devices against viruses, spyware, and other threats to network security and sensitive data. If you don’t have an IT specialist or team to advise on installing security software or removing software you no longer use, here’s some help: For installing antivirus or antispyware software, there is a pointer on the tip card to a Microsoft site that can help. When you distribute the tip card, you can point this out to your audience. To uninstall unused software if you use Windows, you can remove it using Programs and Features in Control Panel.
  6. SLIDE 8 TALKING POINTS Here’s an email message that crooks sent to thousands of top U.S. executives. It appeared to be an official subpoena from the U.S. District Court in San Diego. Each message included executive-specific information (name, etc.) and directed him or her to appear before a grand jury. The message urged the recipient to use an embedded link to open the subpoena. However, anyone who clicked the link unwittingly installed software that secretly captured passwords, user names, account numbers, and other company data that the executive typed, and sent it to a criminal’s computer. The malware also enabled the criminals to control the infected computer remotely, wreaking further havoc. Security researchers believed that at least several thousand executives took the bait and compromised their computers. So if you had been one of these executives, what could you have done to protect your computer and your company? [click]
  7. SLIDE 9 TALKING POINTS When you receive email, instant, or text messages, or messages on social networks like Facebook, LinkedIn, and Twitter: be cautious. [click] Stop and think before you click links, open photos, songs, or other attachments in a message from someone you don't know. Be wary of "free" games, apps, and the like, which are notorious for including malware in the download. Even be suspicious of links and attachments from someone within your company, especially if it’s something unexpected, like ilovepinkponies.pdf from your boss. Or, just because the email message says it’s a LinkedIn update, doesn’t mean it is. You never know if a criminal has hacked into a coworker’s account, or that his or her computer has been infected with a virus that is automatically sending spam. [click] Confirm. If you think it’s suspicious, don’t click anything or use phone numbers or email addresses in the message. Instead, use a different device and another account to confirm with the sender that the message is legitimate. Or do some research. For example, the executives in our example might have paused to consider whether their companies were involved in litigation that could result in a subpoena from this court. [click] Close. Avoid clicking Agree, OK, or I accept in banner ads, in unexpected pop-up messages or warnings, on websites that seem suspicious to you, or in offers to remove spyware or viruses. These also could trigger the download of malware. [click] Instead close the window. To do this, press Ctrl and F4 on your keyboard. And the advice, “If you see something, say something,” applies here. If you do see a message that seems suspicious or problematic, report it to the system administrator who can take action including warning others what to do if they see the same thing. Now, let’s go to Step 3 and see how you can further protect sensitive business data and our company’s financial assets. [click]
  8. SLIDE 11 TALKING POINTS Avoid putting confidential information in email unless it’s encrypted. (Encryption enhances data security by scrambling the contents so that it can be read only by someone who has the right key to unscramble it.) Also, avoid putting sensitive information in instant or text messages, as these are not typically secure. This includes account numbers, passwords, intellectual property, customer data, and so on. [click] Beware of scams—the most dangerous are the ones that appear to be legitimate. Small and midsized businesses are as much a target of scams as individuals. Scams directed to them can include links that advertise false products, hoaxes that claim you’ve received a refund from the IRS or a package from the post office that your company never ordered, charges for unauthorized advertising or office supplies, or urgent requests to update account information. All scams are designed to collect information the scammer can use to steal company data or money—or both. [click]
  9. SLIDE 12 TALKING POINTS Like the phishing scam in our story, criminals design their messages to be very convincing. Learn to scan for telltale signs like these: Messages that imitate organizations you trust—a supplier or your company bank, your payroll company, a government agency like the IRS, post office, or the one we saw from the U.S. District Court. Requests to reveal sensitive data like account or logon info, to click a link to a fraudulent webpage, or to call a toll-free number that could go to a counterfeit call center. Attempts to alarm you. “A virus has corrupted our database. Please re-confirm your information NOW to avoid account closure.” Or, “Confirm your password to continue using our payroll service.” When we’re alarmed, we may put our suspicions aside. As spammers get more sophisticated, they’re increasingly avoiding misspellings and grammatical errors. But still keep an eye out for these tactics that are used to break through phishing filters. [click] If you’re ever in doubt about the legitimacy of a message, consult a website such as www.snopes.com that identifies known scams. [click] The pointers we learned in Step 2, to avoid downloading malware, apply equally here to help evade scams. Think twice before you click a link or open an attachment. [click] Keep sensitive information private. Never give information like a user name or password in response to a phone call, or an email message or other online request (even from a coworker). Instead, confirm that the message is legitimate using a different device or another account. If it’s from a company you do business with, use the phone number or email address you know to contact them, not one in the message. To visit the site, type the web address yourself instead of clicking the link in the message, or use your own bookmark or favorite. Your next defense is using strong passwords and PINs to guard your accounts and devices. [click]
  10. SLIDE 15 TALKING POINTS In addition to password strength, how else can you use passwords to help protect data? [click] Don’t disclose passwords or PINs to anyone. Many account takeovers occur because the owner shared the password. Don’t store them on your phone, or in a file or on a post-it on your computer. It’s okay to store them on a sheet of paper hidden away from your desk. Don’t let anyone trick you into revealing them. [click] Don’t use the same password (or even simple variations) for different accounts. Use a unique password or PIN for each account or device (including your computer and mobile phone) containing personal or business data. Otherwise, if one is stolen or inadequately protected by the site, all the accounts it protects are at risk. [click] And last, you’ll want to take a few extra precautions when you travel for work. [click]
  11. SLIDE 17 TALKING POINTS When you use a public Wi-Fi network, choose the most secure connection—even if it means paying for it. Ask about it before you connect. Some wireless networks offer a network key or certificate that encrypts data as it travels between your laptop and the router. Look for a password-protected connection, ideally one that is unique for your use. [click] Know where you’re connecting. Confirm the exact spelling of the network you’re connecting to. Beware of clever (slightly misspelled) fakes. For example, in HLTONHOTEL.SNET there’s no “I” in Hilton. [click] Encrypt all confidential data on smartphones, laptops, flash drives, and other portable devices in case they’re lost or stolen. There are many programs that can encrypt data, such as Microsoft BitLocker Drive Encryption, which is included with certain versions of Windows. (Our IT staff can help you do this.) Note, however, that encryption only slows access to data; it may not stop a very determined hacker from going after really valuable data. [click] Never make sensitive transactions at a wireless hot spot. Never do payroll, or pay invoices, bank, or do other financial business, or download or update software on any device over a public Wi-Fi network. The security is unreliable. Remember, too, that email is not secure, so avoid using it to send sensitive information. [click] Use flash drives so they don’t compromise your computer or network security. Flash drives can so easily be used to infect computers and company networks with malicious software that the U.S. military banned their use back in 2008! If you do use them, minimize the risk: Don’t put any unknown flash (or USB) drive into your computer. It could have been corrupted after being inserted in an infected computer. On your flash drive, don’t open files that you don’t recognize or that you don’t remember putting there—in case they harbor malware. That’s it! We’ve covered the main points. Let’s recap.
[click] NOTE TO SPEAKER This is a good point at which to pass out the tip card, Internet Security at Work, and point out the main steps on the card as you go through the next five slides. For more information about Microsoft BitLocker Drive Encryption, visit: windows.microsoft.com/en-US/windows7/products/features/bitlocker.
  12. SLIDE 23 TALKING POINTS Report abuse to the service when you use email, a social network, or other services—scams, obscene material, aggressive behavior and the like. [click] As quickly as you find them, report any misrepresentation of your organization—for example, a phishing scam that pretends to be from your company—to your system administrator and to the Anti-Phishing Working Group (APWG). The APWG can broadcast notice about them to help prevent potential victims from visiting the site while the APWG works to take down the site. [click] Theft or loss of sensitive company data. If customer or other confidential company data has been compromised because of theft or loss of a laptop, smartphone, or other device, or if there’s been a breach of network security: Report it immediately to IT or security personnel, if your organization has them, and to the bank, when appropriate. Change all passwords used to log on to the device. Contact the service provider for help wiping the data from smartphones and other devices. [click] NOTE TO SPEAKER Ask your audience to follow along with these points on the back of the tip card. That way, they’ll know what links to use. If your company has policies in place to address these problems and they run counter to the ones presented on this slide, you may want to replace this slide with one of your own that summarizes company policies about what employees should do if they run into problems like these. On the other hand, if your company does not have cyber security policies in place, the National Cyber Security Alliance offers an approach to creating a cyber security plan. Look for the link on the back of the tip card.
  13. SLIDE 24 TALKING POINTS To learn how to create strong passwords and work more securely, let’s review the links on the back of the tip card. Get the latest information from the Microsoft Safety & Security Center (microsoft.com/security) about how to work more securely on the Internet and better protect company, customer, and personal data. Any comments or questions? [click] NOTE TO SPEAKER Round out your presentation with a question-and-answer session if you feel comfortable answering questions about online security. If you don’t feel comfortable, but questions come up, solicit answers from the audience. If you run a business without IT support, you can also point out these two references. Microsoft can help you defend company computers: microsoft.com/security/pypc.aspx. If your computer is unusually slow, crashes frequently, or shows other signs of unusual behavior, it might have been damaged by malicious software like a virus or spyware. Microsoft can help you address this: aka.ms/Troubleshooting_101.
  14. SLIDE 25 TALKING POINTS Thanks for your time and for your questions and comments.