3 Security Issues Impacting Retailers Today
By Bill DeLisi, GOFBA, Inc.
National Cybersecurity Awareness Month is now in its 17th year. With the unprecedented amount of remote working and a massive increase in data breaches due to the COVID-19 pandemic, cybersecurity awareness has never been more important.
In March alone, email scams related to COVID-19 surged by 667%, and a recent report shows that employees are three times more likely to click on a phishing email than they were pre-COVID. Needless to say, many company leaders now see cybersecurity as a major risk to their organization.
While many large retailers, with the help of robust IT departments that can prevent cybersecurity attacks, have been able to weather the storm, many small businesses lack the proper resources to limit cyberattack entry points. A smaller retailer’s vulnerability to security risks means these businesses must be ready for the inevitable security breach.
In honor of Cybersecurity Awareness Month, here are three COVID-19 driven security threats for small business, along with tips for mitigating the risks:
Malware Attacks
Malware attacks come through either email or websites and they are designed to infect computers and networks. Sometimes these intrusions are “scareware,” which are crafted to trick users into thinking they are downloading legitimate software. It’s important to caution your employees to never download unapproved software, such as PDF viewers from an unknown source, or other similar programs. The COVID-19 pandemic provides hackers with new entry points, such as hiding malware links on live maps of the outbreak.
There are ways to mitigate malware attacks, including the use of firewalls and anti-malware solutions that must be set to automatic updates for greatest protection. Another way to manage malware is for staff to use a secure search engine that limits malware and stops users from reaching inappropriate and dangerous sites that serve as malware entry points.
Your employees should examine URLs and use sites that have padlocks next to the URL, which shows that the information is encrypted. These URLs will start with “HTTPS” instead of “HTTP.”
Phishing Schemes
As its name implies, hackers run phishing schemes the same way an angler throws a hook into a lake: they are trying to get someone to bite. In this case, the “bait” is an email from a hacker designed to look like a message from a bank or from the Social Security Administration. There are often clues when scrutinizing these emails: the design may look amateurish, the language may sound unprofessional, or the sender’s URL may be off by a letter.
Additionally, recipients should hover over any links in their emails (without clicking them) to see if the URLs or sender’s email address match the actual company/organization the email is referring to or representing. This is because the links in phishing emails have executable cookies, which will allow the hacker to get into the network, giving them access to data and other valuable information. These groups can then steal personal and/or company information and even take over their websites and hold them for ransom, which will severely disrupt the company’s ability to operate.
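As an added example that is not part of the original article, the following Python script applies the checks described in the two paragraphs above to a constructed sample message: it extracts every link, flags links that are not HTTPS, compares each link’s host and the sender’s domain with the organization the email claims to come from, and catches domains that are “off by a letter” or that hide the real domain behind a familiar-looking prefix. The domain examplebank.com, the sender address and the links are all made-up placeholders, and the registrable-domain helper is a simplification (it takes the last two labels and ignores the Public Suffix List).

```python
"""Flag suspicious sender domains and links in an email body (defensive check)."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample message: a placeholder "bank" and deliberately suspicious links.
CLAIMED_DOMAIN = "examplebank.com"          # the organization the email claims to be from
SENDER = "alerts@examp1ebank.com"           # digit '1' in place of the letter 'l'
BODY = """Your account is locked. Verify now at https://examplebank.com/login
(link: http://examplebank.com.verify-login.example/reset)
Or visit https://www.examplebank.com/help for assistance."""

URL_RE = re.compile(r"""https?://[^\s<>()"']+""")


def extract_urls(text: str) -> List[str]:
    """Return every http(s) URL found in the text, in order of appearance."""
    return URL_RE.findall(text)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'www.examplebank.com' -> 'examplebank.com'.
    Assumption: a real checker would use the Public Suffix List for 'co.uk'-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot domains that are 'off by a letter'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_sender(sender: str, claimed: str) -> List[str]:
    """Reasons the sender's domain should not be trusted to belong to `claimed`."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == claimed:
        return []
    if edit_distance(domain, claimed) <= 2:
        return ["sender domain is a lookalike of claimed domain"]
    return ["sender domain does not match claimed domain"]


def analyze_url(url: str, claimed: str) -> List[str]:
    """Reasons a link is suspicious: no HTTPS, wrong host, lookalike or prefix trick."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append("not HTTPS")
    if registrable_domain(host) != claimed:
        if host.startswith(claimed + "."):
            # e.g. examplebank.com.verify-login.example: the real site is the last part
            reasons.append("claimed domain used as a subdomain of another site")
        elif edit_distance(registrable_domain(host), claimed) <= 2:
            reasons.append("lookalike of claimed domain")
        else:
            reasons.append("host is not the claimed domain")
    return reasons


def analyze_email(sender: str, body: str, claimed: str) -> Dict[str, object]:
    """Combine the sender and per-link findings into one report."""
    return {
        "sender": analyze_sender(sender, claimed),
        "urls": {url: analyze_url(url, claimed) for url in extract_urls(body)},
    }


def is_suspicious(report: Dict[str, object]) -> bool:
    """True when the sender or any link produced at least one finding."""
    return bool(report["sender"]) or any(report["urls"].values())


if __name__ == "__main__":
    report = analyze_email(SENDER, BODY, CLAIMED_DOMAIN)
    print("sender:", report["sender"] or "ok")
    for url, reasons in report["urls"].items():
        print(url, "->", ", ".join(reasons) or "ok")
    print("suspicious:", is_suspicious(report))
```

The check deliberately treats the registrable domain, not the full hostname, as the thing to compare: a link whose host merely begins with the familiar domain still points at whatever site owns the last two labels, which is the trick the “off by a letter” and long-subdomain lures rely on.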
Employees should broaden their understanding about what types of emails they are likely to receive during and after the pandemic, and how to decide if they are fake or “phishing.” For example, the CDC will not contact people directly with a “cure” or other “breakthrough.” Deleting these types of emails as a matter of habit is the best way to reduce phishing.
Managing BYOD
BYOD, or “Bring Your Own Device,” is a workplace trend that requires consistent management. With social distancing rules in place throughout the country, working from home is now the rule instead of the exception. When employees use their phones or laptops for both work and personal use, they often engage in riskier behaviors in terms of accessibility and cybersecurity. Employers should develop strong BYOD plans that set a range of parameters, such as where BYOD data is stored and how much data access is allowed through personal devices.
Will employees use their personal laptops and save data to on-site servers or the cloud? Are these laptops already infected? Will phones be partitioned so that work-related apps are separated from personal apps? Companies need to balance employees’ privacy with protecting the company. Make sure every phone and laptop is free from infections. Talk with staff about the need to restrict certain activities.
An alternative to BYOD is to provide company phones and laptops to all staff. This may be difficult due to a limited budget, but it does provide your company with much broader control over content and activities.
A compromise is to allow BYOD but to have IT implement mobile device management software that enables automatic security updates, control over some settings, and virus alerts.
Key Takeaway
For smaller retailers to protect their data, transparency with your employees is vital. As the owner of your business, you should discuss BYOD and any policies with your staff to be sure everyone is on the same page regarding control, privacy, and security. This openness should extend to all potential security threats, so employees can understand how their actions impact the fortunes of the company and their jobs.
About the Author
Bill DeLisi is one of the world’s most authoritative experts on cybersecurity. He is currently the Chief Executive Officer, Chief Technology Officer, and a founding member of the Board of Directors for GOFBA, Inc. DeLisi has more than 30 years of experience in the computer industry, including holding the position of Chief Technology Officer at several companies. He has worked closely with Microsoft Gold Certified Partners, helping pioneer “cloud” computing and creating security infrastructures that are still in use today. DeLisi is responsible for the development of proprietary technology that serves as the backbone of GOFBA’s platform and has over 30 certifications with Microsoft, Cisco, Apple, and others, which includes the coveted Systems Engineer with Advanced Security certification, as well as expert status in Cloud Design and Implementation.