Mark Pribish

Employees Continue to be the Weak Link in Cybersecurity

By Mark Pribish
Vice President and ID Theft Practice Leader

I recently read two articles with a focus on training employees to become more aware of cyber security and helping employees understand that they have a responsibility to protect company information, just as the employer has responsibility in protecting the employee.

The first article, titled "Despite advancements, training and fears of breaches, employees still practice bad cyber hygiene," states that "despite the majority of consumers being afraid of having their personal data compromised by a breach, employees are still continuing to engage in risky behavior."

In fact, a recent OpenVPN Technologies survey of full-time employees, conducted to help identify cybersecurity habits and gaps in information security, found that 25 percent of employees reuse the same password for everything. In addition, the report found that 23 percent admit to frequently clicking on links before verifying they lead to the website they intended to visit.

The lesson learned from this survey is that "despite advancements in cybersecurity training, researchers found employees are by and large creating passwords they can easily remember, resulting in weak security that hackers can bypass with brute force attacks."

This also means that employers need to improve how they communicate to employees to help improve cyber habits that support a holistic information security and awareness program.

The second article, titled "It's your employees, stupid! How to fix your cyber security weakest link," reports that raising employees' awareness of cyber security and their role in being alert to potential scams such as phishing emails can help mitigate the cyber risk for any size business.

For years I have written and spoken publicly about the need for small business owners, senior executives and board members of larger businesses to have a heightened awareness in cybersecurity and data-breach risk management as employee and customer information, along with intellectual property, are targets for identity thieves and cyber criminals.

Heightened awareness means, for example, employees are more likely to question the authenticity of an email that could conceal a phishing scam.

I have also written and spoken on how poor communication, the lack of leadership and lack of board oversight can be barriers to effective employee education on information security governance and data breach incident response.

The best security technology in the world will not help an organization unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources. This will involve putting practices and policies in place that promote cyber security and training employees to be able to identify and avoid risks.

Also, the goal of an awareness program is not merely to educate employees on potential security threats and what they can do to prevent them. A larger goal should be to change the culture of an organization to focus on the importance of security and get buy-in from end users to serve as an added layer of defense against security threats.

Finally, negligent and malicious insiders are considered the biggest security risks to any size organization. Small business owners and senior executives should be equally concerned about the threat within, along with external threats such as cyber criminals.


To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters at the Merchants Identity Theft Educational Website at www.idtheftedu.com.


A New Kind of Phone Scam: Neighbor Spoofing

By Better Business Bureau of Western PA. May 11, 2018.

Are you experiencing an increase in the number of local calls to your home and/or cell phone? You're not alone. This phenomenon is called "neighbor spoofing" and it's the latest caller ID spoof strategy being used by phone scam artists in an attempt to get people to answer the phone.

For phone scams to be successful, scammers need people to pick up the phone so they can initiate the conversation. Neighbor spoofing uses a spoof caller ID to trick a person into thinking somebody local, possibly even someone they know, is calling. According to experts, this may interest someone just enough to answer their phone.

Con artists and robocallers use technology to modify what phone numbers appear on caller ID, impersonating phone numbers from neighbors, friends and local businesses to try to get you to answer the call. In many instances, it is a random number with the same area code and first three digits as your own phone number. In other cases, the number displays as coming from a local business or person with whom you've previously communicated.

Answering one of these caller ID spoofed calls will indicate to the robocaller that you have an active phone line. Active phone lines are valuable to phone scammers and will often put you on what is referred to as a "sucker list," potentially opening your phone line up to more scam calls.

Here are a few BBB tips to help identify and handle "neighbor spoofing" phone calls:

  • Avoid answering calls from phone numbers you don't recognize, even if they appear to be local. If it's important, the caller will leave a message.
  • If your own phone number is used in a caller ID spoof call, you may receive calls and messages from people asking why you called them in the first place. This can lead to a lot of confusion between the two parties, but knowing your own number can be used by scammers may help explain the situation.
  • Be aware that phone numbers of local businesses, including doctor's offices and/or insurance agents, may appear to be calling you. If you're not certain whether the call is legitimate or a spoof, hang up and dial the known phone number for the contact to verify the communication, especially if personal and/or financial information is being requested.
  • There are call-blocking apps that may help decrease the number of spam calls, including those using a spoof caller ID. Your phone carrier may also provide a similar service or offer advice.
  • Make sure your phone number is on the National Do Not Call Registry. Though it is unlikely to prevent most phone scam calls, it will help to reduce calls received from legitimate telemarketers, which can be helpful in screening fraudulent calls.

For more information on nuisance calls, contact the Federal Trade Commission (FTC) and report phone scam calls to BBB Scam Tracker.

If you have been the victim of identity theft, go to identitytheft.gov for a personalized recovery plan from the Federal Trade Commission.

Courtesy of the Better Business Bureau - for more information visit: http://www.bbb.org/phoenix/news-events/.

To learn more about scams, go to BBB Scam Tips (bbb.org/scamtips). To report a scam, go to BBB Scam Tracker (bbb.org/scamtracker).

If you believe your identity has been stolen, call 866.SMART68 today!