Cybersecurity Awareness Month may be behind us, but cybersecurity remains top-of-mind for leaders year-round. That’s why UDT CISO Mike Sanchez sat down with Corey LeBlanc, CTO and COO of Locality Bank, to discuss the increasingly chaotic world of cybersecurity in a webinar interview now available on YouTube, “Cybersecurity Chaos Q&A: Top Threats & Protection Tips for You and Your Business,” where they covered the importance of cybersecurity in business. 

In the hour-long discussion, the pair touched on multiple topics, such as increasingly common cybersecurity threats to today’s business information systems, election season-related cybersecurity challenges, and the actions of both domestic hackers and foreign state-sponsored bad actors on the current state of cyber resiliency. The conversation highlighted the heightened data security risks during this election period, a time when cyberthreats often escalate, targeting both individuals and organizations both private and gov. Let’s recap some of the cybersecurity awareness training and mitigation methods you might consider adding to your incident response and information security toolkit as you seek to keep your business’s data safe online and offline. 

1. Beware of BEC Attacks

Business Email Compromise (BEC) attacks are a form of social engineering and cybercrime where attackers gain access to a business email account and imitate the owner’s identity to defraud the company and its partners, customers, or employees. For example, cybercriminals might send a fraudulent email from the CEO’s account instructing the finance department to transfer funds to a seemingly legitimate but fraudulent account. 

Bad actors might also spoof a trusted email account for the same purpose. For example, your accounting department might receive an email that appears to be from a vendor with whom the company regularly does business. The email contains an unpaid invoice. However, it also states that the company payment information has changed and asks that the funds be sent to a new bank account. The problem, however, is that this email is not from the vendor and the funds are stolen as soon as they are transferred to the criminals’ fraudulent bank account. 

BEC attacks can lead to significant financial losses and damage to the company’s reputation. Be skeptical of any email that’s asking for payment to be made in a way that differs from previous transactions. The best thing to do in this situation is to call the vendor directly to verify the validity of the email. 

To protect yourself and your large, medium, or small business, remember to follow these traditional email security best practices: 

• Never open attachments or click on links from unknown senders. 
• Verify the sender’s email address before responding. 
• Use strong, unique passwords for email accounts as part of your password management policy. 
• Enable spam filters and regularly update them. 
• Educate employees about phishing scams and how to recognize them. 
• Immediately report any suspicious emails to your IT or security personnel. 

2. Separate Your Business & Personal Activity

It is safest from a business and data security perspective to do personal things on your personal devices and conduct business on your business devices. By “personal activities,” we mean things like checking personal email, scrolling through social media, making online purchases, etc. Mixing personal and business activities on the same device (whether it’s a laptop, desktop, or mobile device) can increase the risk of data breaches and malware infections. 

Personal devices may not have the same level of security controls as business devices, making them more vulnerable to attacks. Also, think about the consequences if you were to accidentally click a ransomware link in your personal email and it ended up infecting your business computer as well as possibly crippling operations for your company. This could be catastrophic, not only for your job but for the business itself. The best practice to avoid having this happen is to separate the two—business on your work devices, personal stuff on your own devices. 

3. Avoid QR Codes

QR Codes can be convenient, but they also pose security risks. Scanning a malicious QR code can lead to the download of malware or direct you to a phishing site designed to steal your personal information or login credentials. Always be cautious about scanning QR codes from unknown or untrusted sources. To combat the threat of fake QR codes, adopt a risk-first, zero-trust approach. This means treating all QR codes that you come across as potentially fraudulent until proven otherwise—and perhaps, freezing the use of QR codes altogether until alternative security solutions can be implemented. Here are some best practices:  

• Educate Leadership & Staff: Educate everyone at the company about the potential dangers of blindly trusting and scanning QR codes and provide tips on how to spot suspicious ones.  
• Use a Secure QR Code Scanner: QR code scanner apps (you can easily find a legit QR code reader on your provider’s app store) can give peace of mind through added security features. 
• Verify Before Scanning: If a QR code comes from an unknown source, don’t scan it. If it’s necessary to scan, verify the source first. Be wary of QR codes you find posted in public places. 
• When In Doubt, Don’t Scan: If you are unsure whether a QR code comes from a trusted source, the answer for what you should do is simple—just don’t scan it. 

4. When Using AI, Employ Security Best Practices

Artificial Intelligence (AI) is a powerful tool but using web-based AI platforms for company work, especially involving proprietary or confidential information, can be risky when it comes to data protection. These platforms may not have adequate security measures to protect sensitive data, potentially leading to data loss/theft or unauthorized access. You should never input sensitive information into a web-based AI. Instead, be sure to use a private, licensed version approved by your company. 

5. Use 2FA or MFA Whenever Possible

Single Sign-On (SSO) is no longer considered safe due to the increasing sophistication of cyberattacks. Implementing Two-Factor Authentication (2FA) and Multifactor Authentication (MFA) adds an extra layer of security, making it harder for bad actors to use your credentials if they become compromised. Be sure to encourage your end users to employ MFA or 2FA whenever it is made available. 

6. Be Wary of Public Wi-Fi

Using public Wi-Fi for private business can be risky because these networks are often unsecure, making it easier for cybercriminals to intercept your data. Hackers can exploit vulnerabilities to access sensitive information such as passwords, financial details, and personal communications. This can lead to identity theft, financial loss, and unauthorized access to your accounts. To protect yourself, it’s best to avoid conducting sensitive transactions on public Wi-Fi and use a secure, private connection instead. If you must use public Wi-Fi, consider using a virtual private network (VPN) to encrypt your data. 

7. Conduct Regular Penetration Testing

Regular penetration testing (also known as pen testing), which should be a part of any security awareness program, is crucial for identifying and addressing vulnerabilities in your systems before attackers can exploit them. Pen testing simulates real-world attacks to evaluate the effectiveness of your security measures and helps you stay ahead of potential threats. It also helps to identify instances of human error, such as failing to identify malicious links/phishing emails, so you can better train employees to withstand such attacks. 

8. Retire Accounts of “Stale Users”

Old user accounts are a security threat, especially if they belong to former employees who may have left on bad terms. For example, a disgruntled former employee with active login credentials could cause significant damage by accessing sensitive information or disrupting operations. Properly retiring these accounts ensures they cannot be misused by disgruntled former employees or hijacked by bad actors. 

9. Find a Trusted Cybersecurity Partner

Hiring a third-party security provider, such as UDT and its partner Locality Bank, can help you manage and enhance your cybersecurity posture in the modern digital world. A trusted partner brings expertise, advanced tools, and continuous monitoring to protect your organization from evolving threats. Contact us today to learn more about how UDT can support your company’s cybersecurity awareness program, data security training program, and other security initiatives to help make sure your business stays safe in this “Year of Cyber Chaos.” 

Disclaimer: The information provided in this content is for general educational purposes only and does not constitute professional advice. Locality Bank and UDT make no warranty, express or implied, nor assume any legal liability or any responsibility for the accuracy, correctness, completeness, or any actions taken based on the information provided. Always consult a qualified professional for specific guidance related to your situation.