Thanksgiving is just around the corner in the U.S., and so are Black Friday and Cyber Monday, two of the busiest shopping days of the year. It's also a peak period for malware, phishing and spam. Since employees are increasingly using their own devices to access corporate resources (or simply using a work PC to sneak in a little shopping on Cyber Monday), it's a good idea to share some best practices with your users to help protect them and your network from threats.
"You could tell them no," says Bob Bunge, professor of Cyber Security in the College of Engineering and Information Sciences at DeVry University. "In some circumstances, that's absolutely what you should be telling them. Don't use the office network for retail. It's just a bad idea, period. It's a lousy, bad thing to do."
However, employees often don't perceive the security threat as acutely as IT managers do, so a few pointers on keeping safe are a good idea. After all, shopping sites are among the top malware-infected sites on the Web, according to Symantec.
Five Best Practices to Stay Safe Online
When it comes to dodging malware and phishing attacks, there are a few simple things you can watch for on shopping sites to help keep you safe:
- Look for an HTTPS and/or padlock in the address bar before submitting personal information on a website. This is a sign that the site is leveraging the SSL/TLS cryptographic protocol to secure your communications with the website in question. This helps protect against man-in-the-middle attacks that allow an attacker to intercept your communications with the site and inject new ones.
- Look for your browser address bar to light up green. This is an indication that the identity of the website you're visiting has been strictly validated with an Extended Validation Certificate. In other words, you really are at the website of the merchant you're trying to shop with rather than fake site created by a malicious attacker to fool you into sharing personal information.
- If an offer in an online ad or email sounds too good to be true, avoid it. These are often lures to infect you with malware or gather your personal information. "If it sounds scammy, it's probably scammy," Bunge says. "If I had to cut a large IT security training program into just a paragraph or so, probably the first thing I'd say is 'Don't click on that link!' The whole phishing industry nowadays is based on finding ever more creative ways to get you to click on some link.
- Use good passwords. Pay attention to the passwords for your email, social networking and online banking accounts. Don't use the same one for everything. "Add up the asset value of everything in the world you have attached to that password," Bunge says. "All your email, all your online storage, all your credit cards and bank accounts—that's an awful lot of asset attached to just one password." Symantec recommends you use passwords that are at least eight characters, a random mixture of upper and lower case characters (including numbers, punctuation and symbols) and are not found in the dictionary. Additionally, never use the same password twice and change your passwords every six months.
"My main advice to consumers is to get yourself simple, reliable routines," Bunge says. "Find three, four or five online merchants that you trust and stick to known commodities. If you do want to branch out and surf the general Internet and try some merchants you haven't work with before, do some research. Put the name of the merchant in a search engine and see how often "fraud" or "rip off" pop up.
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at email@example.com