Recently, I had a chance to talk with staffing industry thought leaders Rob Mann and Lauren B. Jones on You Own the Experience Podcast, and we dove into one of my favorite topics: which security practices can keep staffing companies safe. We had a little fun at the beginning of the episode before digging into the cybersecurity best practices your staffing firm needs to keep in mind. You can listen to the episode at the following link or read the highlights of our conversation below:
Why Security Is Hard
Rob: We’re here to talk about security as it pertains to the industry we know and love: the staffing industry. Dave gets called in to do lots of consulting for implementation and any part of the business going through the digital transformation process.
We were chatting at Bullhorn Engage 2023 and he said, “Do you know what would be really good for people? A good 20-minute episode on five key things you can do to improve your security.”
Security is hard. There is a lot of human engineering to it. Hackers can take advantage of not only the owners but everyone in the organization who gives them access to things that they shouldn’t. So, Dave is here to help us out.
Dave: What you just said. Security is hard. It is. It’s constantly trying to anticipate holes that exist within a network or environment before there is actually a problem. Not only that, you need to respond to those holes before they cause issues. It’s a very difficult thing to anticipate what a problem will be before it actually happens.
Rob: They only need to be right once but as an organization, you need to be right every time.
Dave: Right.
Lauren: It feels like so much pressure. It feels like fraud is on the rise and hacking is on the rise. It feels so tense out there right now from a security perspective. How do you help calm people?
Rob: Yeah, give us the tips.
Dave: Really, the calming comes from being prepared. In Florida, you’re going to get hit with a hurricane; it’s inevitable. So, if you prepare for that hurricane, the aftermath is a lot easier to deal with. Security is the same thing. If you know something is going to happen, be prepared. Do whatever you can to have your environment ready for that potential breach so, if and when it does happen, you’re prepared to come back from it, combat it, and do what you need to do.
Zero-Day Exploits
Dave: For those who don’t know, a zero-day exploit happens when hackers target vulnerabilities in software or solutions before a vendor is aware of it and able to address it. At a high level, there’s a time when it’s out there in the wild and people can exploit it before the patch is available and deployed to everyone.
This happened with the government yesterday, this whole MOVEit exploit situation, where the vendor didn’t update their software and the government was breached with the zero-day exploit. Now, to the credit to the company, they did release a patch, but people were slow to deploy as people are sometimes.
Everyone suffers from this threat. WordPress, Microsoft, and every other platform in existence can deal with zero days. The worst part is when those patches get released, it’s time when the hackers say, “Okay, why did they release the patch? Can we exploit this before everybody fixes their environment?”
Zero days are dangerous in that respect and that’s why security is hard. We have to anticipate if this patch comes out, how quickly can we deploy a fix to make sure everyone is safe?
Lauren: Is there public information that these hackers can use? We talked to a cybersecurity expert last year and he was all about daily security hygiene. This proper planning, this zero-day exploit idea, it’s one of those things where you need to concentrate on it every day. Where are some of the weaknesses?
When I was hacked a couple years ago, they were shopping for smaller firms that had just become corporations. They are shopping from the Secretary of State database where incorporations are made public. Is there a place where hackers are looking for weaknesses or certain size firms?
Dave: Everyone’s a target and has all their data out there. Everything’s on LinkedIn and social media. Let’s say you do a job posting and say, “Hey, I’m looking for someone with these particular skills.” That’s enough. They are looking for someone who is inquiring and can emulate your business on another platform, have the same company name, and redirect all the information. Done, right? That’s all it takes.
If you’re incorporated in State A, they can incorporate in State Y knowing that you’re not going to find out about them for a period of time. Cyber criminals will send all their information to their own destinations and banks will let them open accounts because it’s all digital and no one is checking anything. It’s super simple. It can be a larger corporation or a small corporation.
Sometimes large corporations are even easier because they don’t capture the fraud. All this stuff goes on, happening for months at a time, and they shut down only after hackers have taken all the information and money they could have got from the scam. So, there’s no one place.
Identity theft protection services like LifeLock are good to have in case something does happen but they’re not the answer. From a personal standpoint, lock your credit, but that’s another story.
Email Phishing
Dave: Email phishing. Everyone is getting this right now. The first thing is that most people can’t identify a phishing scam and separate that from real interactions, and I can show you the support tickets to prove it. If we look at the reports over a month from our clients, about 25% of support tickets are asking, “Hey, is this real?” They can’t identify whether it is phishing or not. That number dwindles as time goes on, but the fact is that everybody gets phishing emails.
When you look at Office 365, they show that almost 25% of the emails inbound get past their filters and show up in your inbox. That’s how good phishing emails are. One of every nine of my emails is a phishing attack. Trying to identify them is difficult, but there are some tips to figure out a phishing email versus a real one.
First and foremost, when you get those emails from Microsoft saying “Hey, your password has expired” or “Hey, your quota is up,” usually it’s phishing. Most IT departments are good about handling those types of emails. Don’t worry about that as much, but if you’re not sure, ask.
With that said, here are things to look for:
- Look at the body of the email – If the body seems suspicious, if it has words misspelled or is in broken English, chances are that it’s a phishing email.
- Look at the email address – Don’t look at the name, but the email address it says it came from. For example, if your CEO sent you an email asking for credit card information or a gift card and they need your help. Hopefully the context is enough for you to realize it’s phishing, but beyond that, when it’s from your CEO but BobSmith@gmail.com, it’s probably not your CEO from that email address.
- Hover over links – Put your mouse over a link that says reset your password and instead of going to Amazon.com, it’s going to Amoz0n.com, chances are it’s a phishing email.
- Check for attachments – If there’s an attachment and you don’t know why and it doesn’t make sense, don’t open it. Ignore it. It’s not there.
The fact is you should be cautious. That’s the piece to understand. If you’re not sure, err on the side of caution. Don’t open it and don’t click on it. Delete it. Chances are that if it’s that critical, they’ll email you or give you a call. In fact, if it was that urgent for you to reset your banking password, they would have called you or texted you.
Attachments
Dave: Don’t open things you don’t know. It’s as simple as that. As recruiters, you are dealing with attachments nonstop. DOCX, XLS, PPTX—those are formats that are usable and modern Microsoft formats. If someone sends you a DOC file, which is the format you’d see for old resumes, don’t open it, or ask them to send it in a different format. Those files can have macros and different data within them that can be problematic. Just don’t open Word documents or Excel documents from anyone you don’t know.
I promise you. That one resume that has the DOC extension? It’s not the one you want.
Rob: Always look at the email address it’s coming from.
Lauren: Yeah, I think you should just always take a stance of constant cautiousness.
Dave: Listen, there are tools. Most IT departments have tools in place to prevent you from getting things that are bad. Microsoft has an attachment engine where they scan it, put it in a virtual environment, and run it to see what happens. If they see something malicious happening, they will deny the ability to get that attachment.
Rob: I got a phishing email as we’ve been sitting here.
Dave: See! And I didn’t send it. This wasn’t a setup. Nonetheless, that’s the way a lot of departments handle emails before you get them, but it’s not foolproof. Something could be buried in a PDF. You don’t recognize it. If you’re getting an invoice from your gardener from six months ago saying, “Hey, you owe me money,” respond with, “I don’t owe you money. What’s going on here?” Just be aware.
Encryption
Dave: At a high level, what is encryption? It’s taking data and making data unreadable without keys to unlock that information. Let’s break it down a little bit. These are going to be some big numbers. 128-bit encryption has 2^128 possible key combinations. That means if somebody encrypts something with 128-bit encryption, it will have the following number of possibilities to unlock it.
They say 128-bit encryption is too weak. Now, we’re at 256-bit encryption. That’s not twice as hard. Ransomware is taking your data and encrypting it so you can’t get it back.
When you say, “Why can’t I click this to undo it? Why can’t I type in a password I remember for a platform? Am I still unable to get it open again?” Because encryption is very difficult and the number of combinations to try to get back at it is impossibly high.
Ransomware
Ransomware is continuing to grow and grow and the payments that people are asking for are growing and growing. Bitcoin becomes a negative because it is anonymous money. These guys, whoever they are, can say, “Hey, make a payment to this coin wallet” and it’s very difficult to find them.
Also, you’ve heard of software as a service, you’ve heard of platforms as a service, and now, there is ransomware as a service. This is not an exaggeration. You can go to the dark web, spend a couple hundred bucks, hire someone to attack a company, and you will split the earnings. This is the world we’re living in now.
What You Can Do to Protect Your Business
Lauren: What are some of the products that can make us feel a little bit safe? I’m a high-anxiety type of gal and this fills my tummy full of butterflies. What can I do?
Dave: So, this comes back to what we said at the beginning. We know the hurricane is going to hit Florida. You have to be prepared for when the security risk hits your firm. What do we do?
Number one is to back up everything critical. If your data and systems are backed up somewhere else and ransomware hits a machine or your network, your data is safe and you can get it back without having to pay that ransom. Unfortunately, one of the things that hackers are doing lately is not only encrypting that data but stealing it and threatening to release it to the public. That’s a whole other animal that I’m not going to get into, but that’s something to be aware of. Back up Office 365 and internal data, locally and in the cloud. If one gets compromised, chances are the other data is still okay.
Other tools? You had mentioned Proofpoint (they’re great), Mimecast, and even the built-in Microsoft security measures. It’s not overly expensive on your license. It’s just a click. It starts doing that scanning immediately. Get that stuff turned on because email is going to be the vector of entry.
One thing I tell people is that encryption, anti-virus, and all these different tools are great, but at the end of the day, if someone can compromise your computer and email to see what you’re looking at, it’s over. That’s all they need to do. You can encrypt everything up the wazoo while it’s being sent, but if they can see what’s being sent, it’s irrelevant.
Some of our clients are outside of the staffing industry, they’re in New York real estate, and they’ve had man-in-the-middle attacks. Our clients weren’t even the ones who were compromised. That means the following:
- I send an email to Rob, who has a compromised email.
- My email is intercepted by that bad actor who compromised his account.
- They take that message, transform it, and change routing information for wiring money.
- They send the adjusted message to Rob, who wires money to the hacker’s address.
- Rob sends an email response to the title agency, which the hackers intercept, and change the response slightly so no one is the wiser.
That’s why when you’re dealing with large sums of money, get on the phone and talk to somebody. And don’t let them call you, you call them. There have been situations where bad actors have called them before businesses can reach customers first.