In yesterday’s Advisor, we provided training background and tips to help your employees use the Internet securely. Today, we hear from a legal expert on what malware is, how hackers use it, and what employees can do to avoid it.
Saul Glazer, a partner with Axley Brynelson, LLP, explains that malware is used to:
- Disrupt computer operations,
- Gather sensitive information, or
- Gain access to private computer systems.
Malware may be intended to steal information or spy on computer users for an extended period of time without their knowledge. It may be designed to cause harm or extort payment. It can take the form of executable code, scripts, active content, or other software. Malware is often disguised as or embedded in nonmalicious files.
The majority of active malware threats are worms or Trojan horses, not viruses. Malware can infect computers in a number of ways, including employees opening e-mails from unknown sources, connecting infected USB drives, or going to unsafe or unapproved websites.
How Hackers Work
Hackers share information through a series of hidden networks often called the Darknet. They use incredibly sophisticated fast-looping programs to guess passwords, generating millions of passwords in a matter of seconds. Hackers’ ability to freely share information has greatly increased their effectiveness and made it much more difficult for IT personnel to keep up with and respond to the latest viruses and hacking strategies. There are substantial financial incentives for hackers to steal personal data such as credit card information. Additionally, a growing number of hackers are motivated by political reasons and engage in cyberterrorism.
Think you have no time to train? Think again. BLR’s 7-Minute Safety Trainer helps you fulfill key OSHA-required training tasks in as little as 7 minutes. Try it at no cost and see!
Fight Back with Employee Training
Keeping your servers safe from attack requires constant vigilance. No matter the size of your company, you need competent IT personnel who are properly trained and engaged in continuing education. For small companies, it may be more effective to outsource IT functions. Many employers are turning to clouds to leverage the efficiency of hosting companies that manage servers. Ensure that you do your due diligence when choosing a cloud-hosting or third-party IT company. If you use a third-party IT vendor, make sure there is open communication so that if an employee leaves the vendor, you can change your passwords.
Train all employees to use strong passwords. It’s particularly critical to educate employees on which kinds of passwords they should NOT use (See the “Do NOTs” in the list below). As a general rule of thumb, each additional character in a password expands the strength of that password exponentially.
There are a variety of mnemonic tricks employees can use to create strong passwords. For example, translating a sentence into a word, using numbers, and incorporating uppercase and lowercase letters are simple ways to create a strong password. Employees should use unique passwords for work-related systems, and they should NOT reuse those passwords for non-work-related reasons.
Train employees to follow these tips for choosing passwords:
- Use a password that has at least 10 characters. Incorporate at least one number, one uppercase letter, one lowercase letter, and a special symbol.
- Do NOT use the same password for multiple important accounts.
- Do NOT use the names of family members, friends, or pets in passwords.
- Do NOT use postal codes, house numbers, phone numbers, birth dates, ID card numbers, or Social Security numbers in passwords.
- Do NOT use any words found in the dictionary in passwords.
- Do NOT simply add a character like “!” to the end of an existing password.
Effective 7-minute sessions provide comprehensive safety training at an average cost of $1 a day. Get the details.
For sensitive documents, consider using encryption programs. Confidential information may be safer if it is put on servers that are not accessible via the Internet. Take serious measures to protect your servers, desktops, laptops, tablets, and smart phones from theft. Make sure that any device that leaves your facilities (e.g., laptops or mobile devices) has a secure password and data encryption, if possible. If a hacker obtains possession of a server or laptop, it is nearly certain that he will be able to mine the data on the device. Audit your computer equipment and software, and take out-of-date devices offline. For example, outdated operating systems are easily hacked because patches to counteract new viruses have not been developed.