Insider Threats

“Insider threat” is a term for people inside your organization (or home) who mess things up, whether on purpose or by accident: because they are angry and have a momentary lapse in judgement; because they are malicious and really want to do you and your business harm; or because they are well intentioned but somehow negligent or ignorant of good practice.


It is the last one I want to talk about. These months have been particularly intense for everyone. For those fortunate enough to continue working from home, isolation and distractions lead to carelessness and mistakes. Phishing campaigns, bad links, and phone scams work because the people behind them know we are not all at our best right now.

Here are some reminders for you and your employees - or housemates - to remain vigilant.

MOVE

Get up. Move away from your computer. Are you noticing you are spending WAY more time in front of the computer these days? I know I am. Take breaks throughout the day and move your body to avoid attention fatigue.

Follow the 20x20x20 Rule:
Every 20 minutes
Look at something 20 feet away
For 20 seconds

CLICK CAREFULLY

Be extra vigilant about clicking on links and downloading documents. If it looks suspicious, assume that it is. If you get an email attachment from someone you weren’t expecting, pick up the phone and call them to confirm they really sent it.

My kids sometimes tease me that I send them an email, then call them to tell them I sent them an email. Well, tease away, kids. It’s a habit we should probably get into, especially when sending PDF attachments to each other.

GET FREQUENT REALITY CHECKS

Being solitary has adverse effects on decision making. Small business teams rely on trust and close working relationships. If someone interprets an email message the wrong way, or a seemingly benign decision makes teammates feel left out, it pays to clear up misunderstandings quickly.

Take time to talk to each other. Check in with others on the team; if you have an instinct that someone is feeling out of sorts, pick up the phone and call them. Talk through it and correct any misunderstandings sooner rather than later.

Conversely, if you are feeling out of sorts, avoid passive aggressive remarks and keep your professional act together. Go back up to the first tip and move away from your computer. Take a walk, get something to eat, meditate or pray. Then go back and re-read what set you off in the first place. You’ll probably see it in a different light.

ALLOW YOURSELF SOME PARANOIA

If you get an unusual request via voice mail or text message from someone you think you know or trust, confirm by calling them back. I know from personal experience it feels awkward to call someone on the phone to verify their communications. I usually start by saying, “I’m probably being paranoid, but…”.

Well, be paranoid. Attackers are skilled at mimicking trusted entities like banks, government agencies, and insurance companies. For a good example of how elaborate these schemes are, check out the Exploiting our Distractions episode of the Hacking Humans podcast, starting at about the 09:30 point. https://thecyberwire.com/podcasts/hacking-humans/97/transcript


WHO YOU GONNA CALL?

Keep a paper copy of emergency work numbers handy while you are at home. If you or someone on your team experiences a breach, or loses power/Internet service, those numbers are no use inside the computer.

Make a list of key contacts for everyone to print and post offline. If your business is small enough that everyone is key, but people use personal devices, ask if they are OK with sharing their personal phone numbers for everyone’s convenience.

Be sure to include numbers for your support services - tech support, vendors, banks, credit card companies. If something does go wrong and you need to unplug, you’ll need those numbers.

I hope that helps. Stay safe out there!

Rachel Yang

Web designer, user experience professional, just to start…

http://www.atlenas.com