What’s Happening

Small Business Cybersecurity Thinking

Ignorance is Bliss, or is It?

Smaller businesses are attractive targets to attackers because most small businesses rely on technology to perform day-to-day operations. Many businesses would not be able to thrive without the ability for customers to view their websites and make online transactions, or for employees to send an email to colleagues or customers around the globe. Small businesses must realize that the technology that allows you to grow and be profitable can also pose the greatest threat to your business if not properly managed. Without training your employees to identify and understand the risk of cyber-attacks, many businesses are sitting ducks for an attacker to simply harvest customer information. That’s what we call a low-risk, high-reward opportunity. The reputational damage caused by a cyber-attack could very well force your business to close its doors completely.

Where to Start

An understanding of information security and how a well-managed program operates significantly reduces the risk of data being lost or stolen due to a cyber-attack. In 2017, Manta conducted a poll of 1,420 small business owners and found that 87% felt they were at risk of experiencing a data breach. Additionally, only 17% noted that they had basic IT security controls in place. Basic security controls like antivirus and a firewall are critical to the health of the organization and its responsibility of protecting the customer information it possesses. Below are five (5) areas that any organization that utilizes the Internet NEEDS and is EXPECTED to have in place. If your business has not addressed these five (5) security control areas, stop what you’re doing and figure out how to protect your organization immediately.

  1. A business-class firewall: Home routers can be inexpensive and are great for simple tasks such as streaming online videos. Focus on investing in something that is made for businesses and allows you to change default settings.
  2. Anti-virus/anti-malware: You can choose either or both; just make sure you pay for the subscription and use its features.
  3. Email filtering: 93% of all data breaches begin with a phishing email. A single phishing email has the potential to cause significant damage to a business, and phishing is the most widely used attack; make sure you do everything you can to keep junk and phishing emails out of your environment.
  4. User access controls: Not limited to just strong and unique passwords; user access controls should be based on the principle of least privilege. Administrator accounts should never be used for regular duties. Reducing privileges for users drastically reduces the risk of an employee accidentally installing a malicious program onto their workstation.
  5. Patch management: It is paramount that systems are patched in a timely manner as soon as new patches are available. Be sure your third-party programs are included in your patch plan.

How to Improve (Don’t Be the Low Hanging Fruit)

IT security is not something you put in place and never touch or think about again. It is a continual process of improvement to stay one step ahead of the bad guys. Proactive security keeps businesses mindful of new threats and how you can protect yourself vs. reactive security where businesses are running to catch up with threats after they have happened. Now that some basic areas of security have been defined, businesses need to continue to grow their security posture for the future. Here are five (5) additional controls that businesses can implement to improve security:

  1. Vulnerability scanning: This is an excellent way for a business to understand and measure how successful the patch management program is or if there are additional vulnerable programs on the network.
  2. Password managers: These are a powerful tool that can be used to create extremely strong and unique passwords for all employees’ accounts. One master password is used to unlock a digital vault where passwords to websites can be securely stored and viewed. Password vaults can stop employees from using the same password for everything and worrying about remembering 200 different passwords (the number of unique websites that today’s consumer logs into on average).
  3. Ongoing security awareness training: Social engineering attacks are the most common way a network is compromised today. Continued education for employees about the dangers of phishing emails and how to identify them is critical. Additional training covering ransomware, customer identification, and other common social engineering attacks will dramatically reduce the risk of a successful cyber-attack.
  4. Phishing testing: Phishing assessments provide insight into how the business will fare during a simulated phishing attack. Testing provides employees a chance to see how authentic phishing emails can seem, and the results can be used to further increase employee education and awareness.
  5. Back up your information: Backups can also make or break a business. Ransomware, viruses, and hardware failures can cause everything that a business is storing digitally to be lost in an instant. A business should follow the 3-2-1 strategy, meaning at least three (3) total copies of your data are available, stored on two (2) different mediums (backup tape AND external hard drive, for example), and at least one (1) copy stored offsite.

Small businesses cannot afford to lag in information security. Every business must understand and implement basic information security needs to prevent the most basic and automated of attacks. Once addressed, a proactive approach to security will keep the business and its customer information secure and avoid being a low hanging fruit that is easy for an attacker to reach.

Written by: Eric Chase, Information Security Consultant, SBS Cybersecurity, LLC

Internet-Enabled Devices Holiday Traveling Guide

Know the risks

Your smart phone, tablet, or other device is a full-fledged computer. It is susceptible to risks inherent in online transactions. When shopping, banking, or sharing personal information online, take the same precautions with your smart phone or other device that you do with your personal computer — and then some. The mobile nature of these devices means that you should also take precautions for the physical security of your device (see Protecting Portable Devices: Physical Security for more information) and consider the way you are accessing the Internet.

[By clicking on the links in this message you will be leaving the Security State Bank of Fergus Falls’ Website.  We do not make representation as to the completeness or accuracy of the information provided at these websites.]

Do not use public Wi-Fi networks

Avoid using open Wi-Fi networks to conduct personal business, bank, or shop online. Open Wi-Fi networks at places such as airports, coffee shops, and other public locations present an opportunity for attackers to intercept sensitive information that you would provide to complete an online transaction.

If you simply must check your bank balance or make an online purchase while you are traveling, turn off your device’s Wi-Fi connection and use your mobile device’s cellular data Internet connection instead of making the transaction over an unsecure Wi-Fi network.

Turn off Bluetooth when not in use

Bluetooth-enabled accessories can be helpful, such as earpieces for hands-free talking and external keyboards for ease of typing. When these devices are not in use, turn off the Bluetooth setting on your phone. Cyber criminals have the capability to pair with your phone’s open Bluetooth connection when you are not using it and steal personal information.

Be cautious when charging

Avoid connecting your mobile device to any computer or charging station that you do not control, such as a charging station at an airport terminal or a shared computer at a library. Connecting a mobile device to a computer using a USB cable can allow software running on that computer to interact with the phone in ways that a user may not anticipate. As a result, a malicious computer could gain access to your sensitive data or install new software.

Don’t fall victim to phishing scams

If you are in the shopping mode, an email that appears to be from a legitimate retailer might be difficult to resist. If the deal looks too good to be true, or the link in the email or attachment to the text seems suspicious, do not click on it!

What to do if your accounts are compromised

If you notice that one of your online accounts has been hacked, call the bank, store, or credit card company that owns your account. Reporting fraud in a timely manner helps minimize the impact and lessens your personal liability. You should also change your account passwords for any online services associated with your mobile device using a different computer that you control. If you are the victim of identity theft, additional information is available from https://www.idtheft.gov/.

For even more information about keeping your devices safe, read Cybersecurity for Electronic Devices.


Author

US-CERT Publications

Building a Digital Defense Against ID Theft


Welcome to the Oregon FBI’s Tech Tuesday segment. This week, building a digital defense against ID theft.

Fraudsters have been trying to steal your identity and personally identifiable information—or PII—for many years. But the growing number of data breaches at retailers, financial institutions, and credit agencies means that you are more at risk than ever.

Once a criminal organization gets a hold of your name, Social Security number, date of birth, health insurance info, and more—it will likely sell every bit of it on the dark web. Once that happens, the buyer can open credit card or bank accounts, apply for loans, or commit any number of crimes in your name.

You as an average consumer can’t do much about the massive data breaches, but you can take some basic steps to protect your financial future:

  • Watch for phishing attempts—that’s phishing with a “ph”. In this case, a fraudster may send you an e-mail or contact you online. He tries to appear legitimate—perhaps using a logo from a recognized bank or a real-looking website. He offers you money back on a new bank account or a great interest rate on a credit card if you just supply him with all of your personal info.
  • Another concern is discarding credit card offers or mail with personal info on it in the trash or recycling. Make sure you shred such documents… or better yet, ask to quit receiving credit card and insurance offers altogether by going to www.optoutprescreen.com.
  • Watch your credit card and utility bills as well as bank statements for unusual transactions.
  • Enable security functions on your phone and computer—especially if you have passwords stored or apps that link to your financial institutions.
  • Be careful when using a public Wi-Fi system and consider using a virtual private network when you can.
  • Never respond to unsolicited requests for your personal info, whether online, by e-mail, by phone, or in person. If you have been victimized by an online scam or any other cyber fraud, be sure to report it to the FBI’s Internet Crime Complaint Center at www.ic3.gov or call your local FBI office.



Watch Out for The Cellphone Porting Scam

(Article posted on KimKomando – https://www.komando.com/happening-now/441606/watch-out-for-the-celphone-porting-scam)

The battle against cybercriminals is always evolving. That’s because when we catch on to their scams they change them up to find more victims.

Which is why we’re always having to come up with more secure ways of protecting our critical information. Can you imagine the damage that could be done if a hacker is able to get access to sensitive data on your smartphone?

Well, there’s a new scam dubbed “porting” or “port-out scam” going around that would do just that.

What is a porting scam?

The Better Business Bureau (BBB) is warning Americans about this fairly new scam making the rounds known as a porting or port-out scam.

(Note: Don’t confuse this with a SIM card swap scam, it’s not the same thing.)

It works like this. A fraudster finds out critical information about you such as your name, phone number, Social Security number, date of birth and more. Much of this information is obtainable on the Dark Web thanks to the massive Equifax data breach that we learned about last year.

Once the criminal has this information they call your mobile phone service provider pretending to be you, and tell them that you’re switching to another company but want to keep your phone number. Transferring your number from say Verizon to AT&T is a process called porting.

The porting process takes up to 24 hours to complete. During this time both phones will be functional. Meaning, any text messages that you receive on your phone will also be seen by the scammer on the phone your number is being transferred to.

This opens the door for all kinds of problems. If you have two-factor authentication set up on your bank accounts, or any online sites for that matter, the scammer will try to get the code needed to log into your account. From there, you could become a victim of identity theft and even have money stolen from your bank accounts.

Now, don’t let this turn you against two-factor authentication. It’s an important security feature that you should be using whenever possible.

The problem isn’t two-factor, it’s the criminals trying to rip you off. There are ways to prevent falling victim to these types of scams, keep reading for suggestions.

How to protect your gadget?

Porting scams are relatively new, which is why the BBB is warning people about them. Here are some of its suggestions to protect against porting scams:

  • Inquire with your wireless provider about port-out authorization – Every major wireless carrier has some sort of additional security for accounts or for port-out authorization that customers can set up, like a unique PIN or an added verification question, which will make it more difficult for someone to port out your phone number. Contact your mobile provider and speak to them specifically about porting and/or port-out security on your account.
  • Watch out for unexpected “Emergency Calls Only” status – Call your mobile phone company if your phone suddenly switches to “Emergency Call Service Only” or something similar. That’s what happens when your phone number has been transferred to another phone.
  • Be vigilant about communications you receive – Watch out for phishing attempts, alert messages from financial institutions, and texts in response to two-factor authorization requests. (PssT! Take the phishing IQ test at “KimKomando” to see if you can spot a fake email: https://www.komando.com/tips/361345/can-you-spot-a-fake-email-take-our-phishing-iq-test)
  • If you’ve fallen victim to one of these scams, alert your mobile provider and financial institutions, and take the standard steps to combat identity theft. You should also help warn others by filing a report on BBB (https://www.bbb.org/scamtracker/us).


 

Lost or Stolen ATM/Debit Cards

If your ATM/Debit Card is lost or stolen, contact us immediately during regular business hours at (888) 736-5400.

After hours or weekends, please call (800) 383-8000 to receive assistance.