The security of corporate data is under double threat in our new, work-from-home environment
By Bill Zolis
If you’re like me, you probably still have a mental image of a “hacker” as a person sitting in front of a computer trying different tricks to break into your computer. And you may also think, well, I’m just an ordinary person, and I don’t have national security files on my laptop, or access codes to bank accounts in the Cayman Islands, so no one is going to bother with me.
Today’s hackers tend to be sophisticated information technology enterprises that use very large and very powerful computers, driven by artificial intelligence programs, to constantly scan and probe the Internet for any weaknesses, any cracks, any openings.
That’s a big problem for all of us when we’re using our personal devices. It’s an even bigger problem, says my friend Anthony Curcuroto of Miele Technology International, when people are using their work computers for their personal business.
“You don’t mix corporate and personal business,” he says. “There are people out there who exploit vulnerabilities, and when are we more vulnerable than during a pandemic, when everyone is working from home?”
The two biggest vulnerabilities, says Anthony, are e-mail and web browsing. Do either of those on your work computer – signed in to your work account and connected to your work server – and you might as well leave the front door open and all the lights on when everyone goes home for the long weekend.
How do the bad guys get in?
Say you get a spam e-mail that pretends to be from a major on-line retailer telling you that your package is ready for delivery. You know it’s probably a scam. But you open the e-mail anyway, and you click on the link, and it asks you for personal information. You say, “No way!” and close the page. Done, right?
First, at a bare minimum, you have confirmed your e-mail address. You, your company, and the structure of your e-mail address system are now on their radar. That address goes on a list – a list of millions of other e-mail addresses from other people who have opened spam – and that list gets sold again and again on the dark web – a sort of underworld Internet that bypasses security and ethics and legal standards. But you also clicked on a link in a spam e-mail and, even though you didn’t follow through, this still profiles you as more vulnerable. So the list you go on probably sells for a higher price, and opens you up to other scammers who will try different variations and different scams on you next time.
If you’re lucky.
If you’re not lucky, that link you clicked might have downloaded a small program onto your system. Malware, as it’s called. It means that they own your computer now and can connect to it any time they like. They can rummage through your files, your data, your contacts and all your e-mails at their leisure. And remember, this is not a kid in front of a laptop in a basement somewhere, it’s basically a supercomputer running AI that can identify and extract every last little bit of information that you’ve ever saved or sent or received in about two seconds flat.
Web browsing, says Anthony, is even scarier. It’s very easy to click on an address in your search results, browse the page and then maybe click on a link within the page. And here we go: you’ve just downloaded a malware program onto a corporate system.
That malware, whether it came in through a spam e-mail or through a random click on a sketchy website, can sit and wait and watch. It’s driven, remember, by a large computer somewhere running artificial intelligence that knows just what to look for. Log into something sensitive on your system and, yes, it’s tracking your keystrokes and it’s in.
At a minimum, they will extract your data and put it up for sale on the dark web. Customer lists, with all their profiles and contact information. Staff lists. Sensitive e-mails. Pricing information, accounting records… everything. And here’s another scary thing: you may never even know that it’s happened.
Or they can go for identity theft. Apply for a credit card in your name, with all your personal data. Empty a bank account. Or lock down your corporate system and demand – and usually get – a big ransom to give the system back.
The big thing that everyone has to learn, says Anthony, is that we have to completely separate personal business from work business. When you browse the web, or send and receive personal e-mails on a work machine, he says, you are “leaving the front door open.”
When you are using your work computer, he says, “It’s not our property. It’s not your data. Period. Get your own laptop, get your own phone.”
The three main things you can do, says Anthony, are as follows.
- Separate your personal business from your work. Don’t use the same devices. Don’t use your company e-mail address for any private business. Never click on a non-business link, for any reason, from your work computer.
- Be very careful when you give out any information, your e-mail address, your contact information, anything. If you fill in your contact information for any reason – a contest, a free coupon, a survey – you can be sure that that information will be sold and passed on to anyone who wants to buy that list.
- Monitor your e-mails – private and business – very carefully. Take those extra few seconds to read them carefully, and think before you click.
Yes, there are other things you – and your employer – can and should be doing. Installing and updating anti-virus software, using strong passwords and keeping them secure, never logging into public WiFi unless you have VPN – virtual private network – software, and so on.
But, says Anthony, the most important habit to get into is to think twice and “Don’t push any buttons!”
I really appreciate comments, ideas, suggestions or just observations about the blog or any other topics in benefits management. I always look forward to hearing from readers. If there’s anything you want to share, please email me at email@example.com.
© Penmore Callery Group 2021. All rights reserved. All of the content herein is the sole property of the Penmore Callery Group, and may not be reproduced, transmitted, or stored in a retrieval system – in whole or in part – without the written permission of the Penmore Callery Group. Links to the originating article at www.callerygroup.com are permitted.