Increased risk of cyberattacks
To reduce the chance of becoming a victim of a cyberattack, the following four guidelines are essential:
- Never, ever share your password with anyone, not even internal IT
- The password on your work account must be unique
- Protect your user accounts with extra security, such as one-time codes by SMS or an authenticator app on your phone (Microsoft or Google Authenticator)
- Be extra careful if a document is shared with you from anywhere other than internal file shares or your own company’s file storage service.
Your password must be private. Do not share it with anyone. Not the police, your bank, Microsoft support or internal IT. If anyone asks you to share your password it is extremely likely that it is an attacker who is trying to impersonate someone you trust. This also applies to phone calls.
Web pages get hacked and passwords get stolen. As your username is usually your email address, it is extremely important that a stolen password does not match your work account. If you have used your work password as a password anywhere else, please change the password on your work account immediately.
Enable multi-factor authentication (MFA) on all your user accounts, everywhere. Using additional authentication, such as SMS, authentication apps, or code generators, makes it harder for attackers to steal your identity. Account types that should always be protected by MFA include any e-mail account, work or private, Microsoft accounts, Google accounts, Apple IDs, Facebook accounts, PayPal accounts, web shop accounts, and to be honest, any other account you may have that can be accessed through the Internet.
A computer virus may be hidden in what looks like a normal document. An attacker will try to trick you into opening it by sending you an e-mail, possibly from the account of someone you would trust. Any document that is shared with you from a location you do not already know and trust is suspicious, no matter who sent it to you. If it is “urgent” it is doubly suspicious. If you wait, chances are that your anti-virus solution will be updated and block a real virus.
As a final piece of advice, if you are in doubt, contact the sender – but not by e-mail! Use a voice call! If an attacker has stolen your contact’s password, it will be the attacker who answers your e-mail, not the person you know and trust. A voice call or text message will usually be enough to find out whether the sender is legit.
Hugo Klemmestad is CISO in ECIT. He has over 20 years of experience in IT and security, and advises business leaders and top management on digital threats, risk management and cybersecurity. Hugo is passionate about fighting digital crime through collaboration and sharing knowledge across sectors and industries.