Online shopping at work putting businesses at risk


Many people do their online shopping and ordering at work – with unintended consequences for the business. Some employees do it because it’s easier, while others think it’s safer, believing that big companies have the security to make online shopping at work safer than doing it at home or on their phone.

What employees don’t know is that they could be compromising their employer’s security, especially if their employer is an SME. Small businesses are often more vulnerable, having less sophisticated cyber security systems than their counterparts from the big end of town.

Many employees subscribe to and log in to a range of websites using their work email. Some of these sites, and their customers’ emails and logins, have been hacked. Compromised email addresses and passwords are the result of data breaches at LinkedIn, Yahoo, Adobe Systems, eBay, Uber and most recently Twitter and Under Armour.

Just last year, the Australian government said 12.5 million Australian email addresses have been published online*. That was just on a single identified server. These emails often find their way to marketplaces on the “Dark Web”.

Recently, I caught up with one of the leading threat intelligence companies in the US. They showed us through some Dark Web monitoring that showed compromised email addresses and passwords available for sale. What we saw was striking. Emails that had been compromised were for sale alongside the password in use at the time.

With an email address and password, cyber criminals may be able to quickly work out how to gain access to your business network. At the very least, they are well equipped to launch phishing and/or social engineering campaigns against you, which may result in significant cost to your business. These cyber criminals can:

  • launch a fraud scam on your unsuspecting staff to pay funds into a fraudulent account,
  • use ransomware to lock your network down and extort funds from you to regain access, or
  • steal your client data and put it up for sale on the Dark Web.

It is hard to stop people using their work email for subscriptions and online shopping, but there are steps organisations can take to protect themselves. SME owners and managers need to ensure their employees:

  • Practice good password hygiene, such as using different types of characters.
  • Change their passwords regularly.
  • Change them to something very different from the previous one.
  • Do not open email attachments they are uncertain about, such as those with spelling mistakes.
  • Check the full address of any shortened URL link an email wants them to click, which they can do without compromising security by hovering over it with the mouse or pasting it into a Google search.

Richard Smith, Co-founder and Director, Edmund Insurance

*www.staysmartonline.gov.au/alert-service/125-million-australian-email-accounts-leaked-online