Recently, we were reviewing security concerns in a company meeting and discussing how we should inform our clients to protect them. Generally, leadership is aware of security threats and scams, but all it takes is one employee to mistakenly divulge information and that becomes THE entry point to your company.
For instance, last week a client of ours had a security problem that stemmed from a fake Microsoft employee calling an internal employee and claiming that their Windows system had reported an error. The employee believed the person was legit and gave them their login credentials. The crook then logged into their system and installed some remote control software, all to “diagnose and fix” the problem. The employee became concerned when she was asked for credit card information to pay for the fake technical support. That is when she realized that this “support” person was probably not legitimate and asked for help.
Quite frankly, you can’t really blame the employee, who was acting reasonably, was probably nervous that they might be to blame for the error, and did not want to alert their boss. It was smart that they recognized a red flag and reported it immediately. The point is, competent employees can be taken advantage of too.
Luckily, in this particular case, we were able to quickly attach, change credentials, and remove the bad software, but not all companies and people are so fortunate.
It reminds me of an instance a while back when an extremely secure company was breached by someone who left a few USB memory sticks around the company’s parking lot and building. Innocently, a few employees found them and plugged them into their work computers, probably thinking it would just be a nice new memory stick to utilize, but it was loaded with spyware. This allowed the spyware to be installed on several systems, and access to their company was opened for theft.
To help protect your company, please let your staff know:
• Never give login credentials (user names, passwords, access codes) to people you do not know.
• Large companies like Microsoft do not make unsolicited calls to end users.
• When there are technical problems, you are only allowed to go to your approved support people.
All it takes is one domino to fall to bring down the whole chain.
A little prevention here is a lot cheaper than recovering from a breach.