Important Strategies to Stay Safe and Secure Online - A Creative Services, Inc. Compliance Corner Article
Resource Center
Compliance Corner
Important Strategies to Stay Safe and Secure Online
09.21.18
To Our Valued Customers:
It’s no secret that we live in a world where cyber-security and data protection issues pose a greater risk than ever before. Creative Services, Inc. (CSI) understands that all companies are potential targets for cyber-attacks, insider threats, or other security issues. Online phishing scams are becoming more sophisticated every day, with hackers impersonating individuals and companies so well that it’s easy to be fooled. Incidents of phishing and impersonation attacks are on the rise, and with that in mind, CSI wants to remind our clients of some important strategies that you can use to ensure that you don’t become a victim.
All emails are not created equal. Of course, you should always be on alert for a scam. However, you should pay extra attention to “high-risk” messages. Any email asking you to do the following should be considered high-risk:
- resetting a password;
- changing payment information; or
- providing personal data
Even if an email appears to be from someone you know, there are steps you should take if you receive a high-risk email:
1) NEVER REPLY
If you have a question or need to comment on a high-risk email, send a new message instead of replying. If the email you received is fake, and the hacker has spoofed (faked) the email address, they are counting on the fact that you will reply to the message. Simply clicking “new message” and typing in the email address of the recipient will defeat a significant portion of phishing attacks.
2) CHECK THE “FROM” ADDRESS CAREFULLY
A common approach hackers use is to register a look-alike domain. For example, our legitimate domain is creativeservices.com. A hacker might add or change one letter so upon first glance, it seems legitimate, however, when you look closely you see it is not. For example, changing the “a” to another “e” allows for accounting@creetiveservices.com. A’s and E’s look a lot alike when they are right next to each other. This is another example of why drafting a net-new message and not replying to an email as described above is always a good strategy.
3) AVOID CLICKING AND/OR VALIDATING LINKS
If you receive a high-risk email asking you for a call to action in some way, for example, “click here” to change a password or enter sensitive data, you are better served to closing the email, opening a web browser, going to the source’s website, login to your account and resetting your password. In general, you should avoid clicking links, but for those times when you can’t, it is recommended and easy enough to validate a link before clicking. To check the validity of a link, just hover your mouse over it without clicking. In MS Outlook (and most email software) a balloon will appear showing you where the link goes for the source. If it goes somewhere other than what it says, it is not a safe link to click.
For example, when you hover your mouse over the link:
Do you see how the link shows a site that’s not Creative Services, Inc.? Now you know it is a fake link! It’s that easy!
PRO TIP: If you are not using Outlook and are in a web browser, the link typically shows in the lower left corner of the browser when you hover over it.
4) BE SKEPTICAL – Banks, healthcare, and other financial institutions should never ask you for your password, account number, or other personal information by email. If that’s happening, pick up the phone and call the party in question. Approximately 90% of the cyber-losses that are a product of phishing could be avoided by calling to verify with the source that they do want you to change payment information or reset a password.
PRO TIP: If you decide to call, look the number up online or in your contacts. Do not use the number in the signature of the email you are questioning. Hackers are very slick and some of them will actually put their phone number in the email and will try and fool you if you call.
5) ALWAYS ENCRYPT SENSITIVE DATA – The world conducts business in email and we understand that. So, if you DO need to send sensitive information by email encrypt it and then CALL the recipient to provide the password. If you don’t know how to encrypt a document, you can visit our website at www.creativeservices.com/resource-center/safety-first for instructions. Additionally, your internal IT department may have a preferred method for sending encrypted emails in place. Please consult them first before sending sensitive information.
An ounce of prevention is worth a pound of cure, especially when it comes to password management. Below are some tips and recommendations to ensure that your password strategy is effective and does not have holes.
PASSWORD REQUIREMENTS
- Passwords should be at least 8 characters long, but 10-12 is much better. The longer it is, the harder it is to crack.
- Passwords should include at least one upper case character, one number, and a special character (#!$%@).
- Do not repeat old passwords. The goal is to improve security. Adding a digit to your old password defeats the point.
- Even if a system doesn’t require it, change your passwords at least every 90 days if you can.
PASSWORD MANAGEMENT
Hackers love habit. Avoid reusing passwords. For example, if you use your Facebook password for your corporate email account, and Facebook’s credential database is compromised, your email is at risk. Of course, remembering a million passwords isn’t practical. You will have to decide for yourself if you want to trust a password manager but consider identifying your highest risk accounts and ensuring they all have unique passwords. The next time there’s a high-profile loss of data online, you’ll be glad you did.
- DO NOT share your password with others.
- DO NOT jot your password down on a sticky note and put it on your monitor (or anywhere else for that matter.)
- DO NOT email yourself your password so you have a record of it.
- Passwords should exist only in your memory or a location/service that you feel is secure and should be closely guarded information.
These strategies will help you to stay safe and secure online. Please use all these tactics in your interactions with CSI as well. When it comes to security and the protection of your data, we recommend a “trust no-one” approach. Cyber security and personal protection can feel overwhelming at times, but CSI is here to help you if you have any questions or if you would like to be connected to someone that can help you evaluate your own security strategies. Please feel free to call us for assistance anytime at 800-227-0002.
We appreciate your trust and your business. Stay Safe!