In particular, I’m going to talk about phishing scams, since I recently had to handle a situation where a firm fell victim to a scam and then had to quickly react to the resulting problems. Data security takes many other forms, but even with the best security software, people training is key. If your administrative assistant keeps her password on a sticky note, you are vulnerable. If you’re not required to regularly change your password, you are vulnerable. If you’re using the same password for everything, you are vulnerable.
Phishing emails are becoming increasingly sophisticated. These are emails that appear to come from someone you trust, asking you to do something: click on a link, open a file, or simply respond with some details. Phishing emails copy a person’s email signature and sometimes can even come from their actual account (if it has been compromised).
To some extent, you have to trust your gut – does the email seem normal? Were you expecting to hear from this person? Is their signature right, or is the picture missing? Is this the sort of thing they would normally ask you to do? Does the language sound like them, or are they normally more chatty? If you’re unsure, don’t open the file or click the link; contact the individual by another means and ask.
If your office falls victim to a phishing scam, the first action item is to secure your system. Your IT person should be able to do this quickly, forcing everyone out of the system and making them change their passwords to limit future breaches. Your IT person may also recommend additional security procedures, as necessary, to prevent future attempts.
Sadly, once a phishing email has left your server, you cannot claw it back. You want to notify anyone who received an email from your address that it was a phishing attempt and that they should not open any attachments or click any links. Remember, as you’re sending out a large email, to protect client confidentiality! Using an email service designed to send mass communications, such as MailChimp or Constant Contact (among many others), might be wise. Even with the notice, however, prepare your staff to expect phone calls asking about the email or alerting you to the problems.