
NATIONAL CYBER SECURITY AWARENESS MONTH


Academic year: 2021


Tip 1: Security is everyone’s responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the “human firewall.”

Tip 2: Avoiding scams. Be suspicious of unsolicited phone calls, visits, or email messages and do not provide personal information or information about your organization or yourself. If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.

Creating a Culture of Cybersecurity

Tip 3: Protecting yourself from phishing. Protecting yourself involves knowledge and technology. Never open emails from unknown senders. Read the email carefully and be mindful of grammatical errors and misspelled words. Don’t click on the links in the email. Verify the legitimacy of emails by using your browser to go directly to the company website.

Make sure your software technology is updated regularly.

If you think you've received a phishing scam, delete the email message. Do not click any links in the message.


Tip 4: Protecting yourself from Ransomware. Ransomware roams through the internet. Secure your data by backing up your information on an external or cloud drive.

Invest in security tools. Have security software installed and, most importantly, up-to-date with a current subscription. Remember, with the thousands of new malware variants running every day, having a set of old virus definitions is almost as bad as having no protection.

Make sure all the software on your system is up-to-date. This includes the operating system, the browser and all of the plug-ins that a modern browser typically uses. One of the most common infection vectors is a malicious exploit that leverages a software vulnerability. Keeping software up to date helps minimize the likelihood that your system has an exposed vulnerability on it.

Back up data and scan systems regularly. While ransomware can slip past defenses, it's important to back up your information so that you can retrieve it in a worst case scenario. Scan networks, systems and devices for malware frequently to stop data breaches as soon as they start.

Tip 5: Business Email Compromise (BEC). BEC is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. Legitimate business e-mail accounts are compromised through social engineering or computer intrusion techniques and then used to conduct unauthorized transfers of funds. To avoid becoming a victim:

• Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, if the legitimate domain is abc_company.com, a rule would flag fraudulent e-mail from abc-company.com.

• Register all company domains that are slightly different than the actual company domain.

• Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.

• Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.

• Know the habits of your customers, including the details of, reasons behind, and amount of payments.

• Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
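One way to implement the lookalike-domain rule from the first item above, as an added example that is not part of the original tip sheet: it classifies a From: header against the company domain used in the tip. The sample headers, the digit-substitution table and the distance threshold are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Legitimate domain taken from the tip's own example.
COMPANY_DOMAINS = {"abc_company.com"}
# Assumed list of digit-for-letter swaps; extend it for your environment.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain: str) -> str:
    """Drop separators and undo common digit swaps so variants collapse together."""
    return re.sub(r"[-_.]", "", domain.lower()).translate(CONFUSABLE)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, max_distance: int = 1) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in COMPANY_DOMAINS:
        return "internal"
    if domain:
        for legit in COMPANY_DOMAINS:
            # Distance 0 means only separators or digit swaps differ.
            if edit_distance(skeleton(domain), skeleton(legit)) <= max_distance:
                return "lookalike"
    return "external"

# Constructed sample headers, not taken from real mail.
SAMPLE_HEADERS = [
    "Accounts Payable <ap@abc_company.com>",
    "Accounts Payable <ap@abc-company.com>",
    "Billing <billing@abc_c0mpany.com>",
    "Newsletter <news@example.org>",
]

def flag_lookalikes(headers):
    """Return the headers a mail filter should hold for review."""
    return [h for h in headers if classify_sender(h) == "lookalike"]

if __name__ == "__main__":
    for header in flag_lookalikes(SAMPLE_HEADERS):
        print("FLAG:", header)
```

A threshold of 1 keeps false positives low; short company domains may still need an allow-list of known partner domains.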

Tip 6: Destructive Malware. Destructive Malware presents a threat to an organization’s daily operations and business continuity; it impacts confidentiality, integrity and availability of data; and can threaten an organization’s ability to recover from an attack. Follow five tips to combat cyber-attacks:

1. Back up data and scan systems regularly. While malware can slip past defenses, it's important to back up your information so that you can retrieve it in a worst case scenario. Scan networks, systems and devices for malware frequently to stop data breaches as soon as they start.

2. Don't open suspicious emails. Malware is easily downloaded through malicious links in emails.

3. Protect credentials with strong passwords. Although passwords seem unrelated to security, they are the first line of defense for companies. Require employees to create strong passwords that are a combination of lower and uppercase letters, numbers and special characters to prevent hackers from simply guessing the correct one.

4. Ensure third-party providers are protected. One of the ways companies are most vulnerable to cyber-attacks is through an insecure third-party service provider. Cybercriminals can steal credentials from these third parties to gain access to the company and information they are targeting.

5. Update software and patches. Software and tech companies often issue software updates and patches to fix security flaws that cybercriminals can exploit.

Tip 7: Third Party Breaches. Eliminate third party risks by leveraging your contract and regulatory requirements. Key areas of concern include:


Managing your vendors. Perform regular due diligence of your third party service providers (TSP) as well as their outsourced vendors.

Verifying their controls. Validate that the controls being used by the TSP are in line with your written contract meeting your requirements.

Business resumption and contingency planning. Certify that the service provider is adhering to the agreed upon contingency plan that outlines the required operating procedures in the event of business disruption.

Right to audit. Enforce the right of the institution and its regulatory agencies to obtain the results of the audits in a timely manner. Vendor managers should closely monitor the financial and technical condition and the competitiveness of their vendors.

Connected Communities: Staying Protected While Always Connected

Tip 8: Limit the amount of personal information you post. Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your friend posts information about you, make sure the information is something that you are comfortable sharing with strangers.

Tip 9: Take advantage of privacy and security settings. Use site settings to limit the information you share with the general public online.

Tip 10: Only access the Internet over a secure network. Maintain the same vigilance you would on your computer with your mobile device.

Tip 11: Be suspicious of unknown links or requests sent through email or text message. Do not click on unknown links or answer strange questions sent to your mobile device, regardless of who the sender appears to be.

Tip 12: Downloading Apps. Download only trusted applications and data from reputable sources or marketplaces.


Your Evolving Digital Life

Tip 13: Being smart about using your devices. Don't use your mobile device to store important and sensitive personal information, bank account numbers or other information that personally identifies you.

Tip 14: Lock your smart devices. Use the screen lock feature on your mobile device. Many mobile phones now provide security options to customize your devices so that your information remains secure.

Tip 15: Personal Identification Number (PIN). When selecting a PIN for your debit card or smart device, never use important numbers associated with anniversaries, birth dates, social security numbers and the like. Select something easy to remember but not commonly known.

Tip 16: Protect your personal computer. Keep operational and security software up-to-date. Combined, these patches close vulnerabilities on your computer and protect you from cyber-criminals.

Tip 17: Practice good cyber-hygiene. Remember to select unique and strong passwords for all online accounts. Make sure your password is 8 or more characters in length and combines letters, numbers and symbols.

Building the Next Generation of Cyber Professionals

Tip 18: Organizing operational security awareness. Your institution's security awareness program should be conducted as a growing and on-going process, so that training and knowledge are not just delivered as an annual activity but are used to maintain a high level of security awareness on a daily basis. Ensure your security "experts" are well known in your organization. Have them send out security alerts and training exercises. Make the training clear, crucial and compelling.

Tip 19: Communicate your expectations on the first day of employment. Clearly state the mission of your cyber-security program, the risks institutions are exposed to, how employees are part of the solution and where employees can report suspicious activity. Lead by example. Enforce your cyber-security policies when violations are made.

Tip 20: Expand your security perimeter. By educating your customers and employees, you expand your security perimeter. What are some ways to increase education?

Tip of the day. Post a tip of the day that provides a daily security message.

Risk Questionnaire. During Treasury Management visits with commercial customers, go over a brief questionnaire that reveals if they are at risk of financial loss due to cyber threats.

Commercial Service Security Newsletter. Educate your commercial customers about the specific cyber-threats that face small businesses today. Your proactive measure just may save your customer from a devastating cyber-event and earn you a loyal customer for life.

Interactive Training. Many firms share interactive security quizzes with their customers on their website; it’s fun and educational.

Tip 21: Do not give out information about fellow employees, remote network access, organizational practices, or strategies to people you do not know. Avoid being the victim of a social engineer. If a person you don’t know calls, sends an email or text, or visits you in person and asks for confidential information about your organization, do not supply any data until the person’s identity has been verified.

Tip 22: Use your computer with the assumption that everyone can see what you’re doing. You might be audited for acceptable use of equipment. Most of us are familiar with the idea that cookies help identify us to advertisers and website owners when we visit websites. However, your computer type, model, operating system, and even what version of Web browser you are using are also known to every site that you visit. This combined data results in another method to identify you and the types of information you access. Only visit websites for which you have a legitimate need when doing work for your organization.
