At PrimeRevenue, we’re invested in improving customers’ financial health, competitive standing, and supplier relationships. We see an annual transaction volume of more than $180 billion; and with great volume, comes great security responsibility. As we continue to add new partners to our diverse multi-funder family, we remain vigilant in our security practices to protect against cyber attacks.

We do this internally by employing multilayered security practices and requiring ongoing security training for all employees. Further, we communicate and educate on security with external audiences.

In this article, we look at the issue of cyber security, one of the most pressing problems organizations around the globe face.

Create a No-Phishing Zone

If you focus on just one thing, phishing prevention is a great place to start.

According to the 2017 Data Breach Investigations Report from Verizon Enterprise Solutions, 43 percent of the 828 confirmed security breaches that resulted in data disclosure came about through human interactions. Phishing and pretexting (pretending to be someone else, typically in an email) accounted for 98 percent of those data breaches.

While most of us think we’re too smart to fall for this old con, today’s hackers employ remarkably clever tricks to convince people to open malware-laced emails, click on harmful email links, or open malicious attachments that infect their computers with viruses that quickly spread throughout an enterprise.

According to the Verizon report, 95 percent of phishing attacks that resulted in a breach involved some type of malicious software being installed. The malware was used to open the backdoor to hacking attacks, install spyware, or capture keystrokes to steal credentials. Phishing also leads people to directly disclose passwords and other sensitive personal information, and even to give away money.

While the Verizon report found that only 7.3 percent of users fell for phish­ing attempts, about 15 percent of those who did took the bait more than once in the same year. Remember – it only takes one employee to fall for the bait one time. No one is immune to a clever phishing attack.

Many of the data thefts that made the news in recent years were started by a spear-phishing attack from someone who had carefully researched the intended victim before sending an email that included seemingly personal and credible information. Such emails are often sent from email addresses disguised to look like they came from trusted sources, even from people within the organization.

What you can do

  • Train employees to detect phishing. Keep the training interesting and provide regular updates, so that employees stay informed of the latest phishing tricks.
  • Employ email spam filters, web filters that block malicious websites, and virus detection software. Additionally, make sure virus software is set to update automatically on employees’ computers.
  • Empower employees to immediately report and route any suspicious emails, phone calls or messages to a dedicated IT person trained to take immediate action. Make it a guilt-free service to ensure that employees who accidentally click on a link feel comfortable reporting the mistake.
  • Perform external penetration (PEN) testing on corporate systems on an annual basis.
  • Enable two-factor authentication on VPN and corporate network access.
  • Only allow mobile devices to connect to your network through a virtual private network (VPN).
  • When employees are working off site, require that they connect through a VPN.
  • Instruct all employees to change their work and personal email passwords every 90 days or less. Furthermore, consider requiring employees to use a unique password to access your network and personal accounts. Remember – once hackers get a hold of an email address and password, they can use the “Forget your password?” link on countless websites to gain access. Moreover, if employees use the same password for work and other websites, a data breach elsewhere can deliver those user name and password combinations to hackers.

While these measures won’t guarantee protection against highly sophisticated and determined cyber criminals, they will help thwart the garden-variety hackers looking for an easy mark.

Chief Information and Security Officer

Published April 24, 2018