Neohapsis, a security and risk management consulting company specializing in mobile and cloud security services, noted that there are some tactics employers can adopt to mitigate the exposure that all of that e-commerce creates.
For one, companies should remind employees to use HTTPS, so that all data between them and the site is encrypted and cannot be eavesdropped on, and so that the site they’re visiting is in fact the one they intended to visit.
Also, IT departments should take the time to install the latest updates. While Microsoft does an excellent job of patching vulnerabilities when they arise, many users don’t install the patches, opening themselves and the network up to attacks from those who have reverse engineered the updates to exploit the vulnerabilities they fix. Departments should also install Apple updates and patches for web browsers, Java and Adobe products.
Also, “consider deploying blacklist filters on your outbound web traffic to stop anyone accessing any sites known to be malicious,” added Neohapsis, in an email. “Depending on web browser choice and configuration, this may already be in place.”
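The outbound blocklist filter described above, as an added example that is not Neohapsis’ code or any product’s: a small Python check that normalizes the host in each outbound request and blocks it if the host is a listed domain or a subdomain of one. The blocklist entries and the proxy log lines are constructed for illustration; a real deployment would load the list from a threat-intelligence feed.

```python
"""Added example: outbound web-traffic blocklist check over constructed proxy log lines."""
from urllib.parse import urlsplit

# Constructed blocklist: domains treated as known-malicious for this example only.
BLOCKLIST = {
    "malicious.example",
    "phish-login.example.net",
}


def normalize_host(url: str) -> str:
    """Extract the lowercase hostname from a URL, dropping scheme, port,
    credentials, path and any trailing dot."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def is_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """True if the URL's host is a listed domain or a subdomain of one.
    Matching on label boundaries avoids false hits such as
    'notmalicious.example' matching 'malicious.example'."""
    host = normalize_host(url)
    if not host:
        return False
    labels = host.split(".")
    # Walk up the hierarchy: a.b.malicious.example -> b.malicious.example -> malicious.example
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


# Constructed outbound proxy log: timestamp, client IP, method, URL
PROXY_LOG = """\
2013-11-29T09:12:01Z 10.0.0.12 GET https://shop.example.com/cart
2013-11-29T09:12:05Z 10.0.0.12 GET http://cdn.malicious.example/track.js
2013-11-29T09:13:40Z 10.0.0.7 GET https://PHISH-LOGIN.example.net:8443/verify?acct=1
2013-11-29T09:14:02Z 10.0.0.9 GET https://notmalicious.example/
"""


def filter_log(log_text: str):
    """Split proxy log lines into (allowed, blocked) lists of URLs."""
    allowed, blocked = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, _method, url = line.split(maxsplit=3)
        (blocked if is_blocked(url) else allowed).append(url)
    return allowed, blocked


if __name__ == "__main__":
    allowed_urls, blocked_urls = filter_log(PROXY_LOG)
    for u in blocked_urls:
        print("BLOCK", u)
    for u in allowed_urls:
        print("ALLOW", u)
```

The check is deliberately on whole DNS labels rather than substrings: uppercase hosts and non-standard ports are normalized away, a subdomain of a listed domain is still caught, and an unrelated domain that merely contains a listed name as a suffix string is not.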
It added that companies should make sure the sentries are awake. “In addition to keeping your systems patched and updated, ensure that any anomaly monitoring systems are watched closely around the holidays,” the company warned. “Unfortunately, criminals don’t take a holiday, which means security can’t take one either.”
To that end, employees should heed the old mantra “If it’s too good to be true, it probably is”; it has never been more applicable than to today’s common phishing schemes. “While most users know by now to not trust a pop-up that reads ‘You’ve won an iPad – click here!’, modern phishing techniques are much more subtle, and much more dangerous,” Neohapsis cautioned. “Let employees know it’s okay to mistrust emails and links. If something seems phishy, it probably is. Remind them that services like Paypal and online banks will never ask for personal information over email, chat, or any avenue besides their main website.”
Also, if the department manages mobile devices that hold sensitive company data, whether bring-your-own-device (BYOD) or company-owned, and there are enough IT resources to handle the load, consider temporarily routing their traffic through your security systems.
As always, IT departments should try to keep personal web traffic outside the business walls by reminding employees of any established policies around personal internet use in the workplace. IT should also encourage them to use their own mobile devices to browse personal websites.