Ask Donna

Unit Chief Donna Gregory works for the Internet Crime Complaint Center (IC3), part of the FBI’s Cyber Division. We asked her for advice on ways to help prevent some of the most common threats.

Q: Donna, we found that just 13% of companies have four of the most basic security hygiene practices in place. What fundamental things do you think every company should make sure they are doing?

A: It’s important to patch the operating system, software and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through the use of a UEM, EMM or MDM tool and their patch management capabilities.

Additionally, mobile threat detection (MTD) solutions can offer anti-virus and anti-malware protection. Make sure that applications are set to automatically update and that scans are conducted regularly.

And it might be a cliché,  but passwords, passwords, passwords. Despite all the evidence, many companies are still failing to ensure that all employees are setting strong passwords and keeping them secure. This makes life much easier for cybercriminals. Passwords should never be reused for more than one system and two-factor authentication should be enforced wherever possible.

But no matter how good your defenses are, there’s always a risk of a compromise. Implementing physical and logical separation of networks and data for different organizational units can help limit the potential damage.Companies should implement least-privilege access for file, directory and network-share permissions.
 

Q: How can companies reduce the impact of their devices being misplaced, lost or stolen?

A: Missing devices are a fact of life.But every company should be using whole-disk encryption and PIN security codes on all of their devices. This means that even if it’s stolen, the data on it will hopefully be rendered worthless to the attacker.

Q: Ransomware  remains one of the most prevalent threats. What can companies do to protect themselves?
 

A: If you are infected, backups may be the best way to recover yourcritical data. But just installing a backup solution isn’t enough. Companies should ensure that backups are not connected to the computers and networks they are backing up—for example, physically store them offline.It’s also crucial to verify backups. A real-life emergency, when you need to restore data, is a bad time to find out that there’s a problem.

Since end users are targeted, it’s important that employees be made aware of the threat of ransomware and how it is delivered, and be trained on information security principles and techniques.

We’d also recommend implementing policies or other controls to prevent the execution of programs in locations commonly used by ransomware, such as temporary folders used by browsers and compression/ decompression programs.

Q: Phishing has been around for years, but attackers’ techniques are getting much more sophisticated—especially when it comes to fraud, like business email compromise. How can companies keep their employees informed and vigilant?
 

A: Training is obviously crucial. Teach your employees to  check that an email address matches who it’s meant to be coming from, especially when using a mobile or handheld device. They also should check that the URL is associated with the business it claims to be from, and watch out for hyperlinks that contain misspellings of the actual domain name. And as a rule, they should  never supply login credentials or personally identifiable information (PII) in response to any emails.

There are also systems you can put in place to make it easier for your employees. For example, make sure the settings on their devices allow full email extensions and URLs to be viewed. And implement secondary channels or two-factor authentication to verify requests for changes in account information.

One simple thing you can do is configure your mail system to flag emails from outside your domain—many companies add a prefix, like [E], to the subject line. This makes it obvious when that email from the Managing Director is really from somebody masquerading as a colleague.

Q: Malware is another classic threat that’s getting increasingly sophisticated and harder to spot. How can organizations stay one step ahead of attackers?
 

A: I’ve already said to install and maintain anti-malware software. But companies should also disable macro scripts from Office files transmitted via email. And they should consider using Office Viewer software to open Microsoft Office files sent via email. The functionality of these  is limited—for example, macros don’t work, compared to the full versions.

When it comes to avoiding malware- infected apps, it’s true that sticking  to official app stores isn’t guaranteed to keep you safe, but it can  greatly improve your odds. So we recommend restricting which apps users can  install on their mobile devices and prohibiting those not from an official  or company store.

Q: Do you have any other advice to offer readers?
 

A: Every organization should have a response plan in place and make sure that employees know  how to report anything suspicious. This should be as easy to do as possible—employees are more likely to flag something if all they have to do is email security@yourcompany. com than if they have to log into an intranet, find a page and then fill out  a form. Especially if they are using a mobile device.

And, forgive the self-promotion, but if there is a compromise, we’d encourage organizations to file a complaint at www.ic3.gov (or bec.ic3.gov for BEC victims) as soon as possible.