“Never invite a vampire into your home, you silly boy. It renders you powerless!”
Kudos if you recognized this line from “The Lost Boys.” You might be asking what a quote from a 1987 vampire movie has to do with cyber-security...
Your practice’s greatest vulnerability is the way your staff uses their computers and the tasks they choose to perform on them. In the I.T. world, tactics aimed at exploiting these human errors are referred to as social engineering, which includes phishing, pharming, and spear phishing. These “vampire” viruses are designed to intrigue, attract, entice, and even scare employees into extending an “invitation” through actions like clicks, visits, and shares. If an invitation is extended, the virus is welcomed into your practice, rendering the vast majority of your network security tools (settings, anti-virus, and firewalls) powerless.
A trained, cyber-cautious staff is your best defense against these vampires. Training should include the creation and review of an Acceptable Software Policy, as well as an Acceptable Use Policy.
Your Acceptable Software Policy is simply a documented list of software that you, as the business owner, have approved to be on your network. This list should be specific and include any software needed to perform office duties/tasks, practice management software, imaging software, etc. Items that should be excluded from this list include games, file sharing applications, toolbars, and coupon printers; any such software should be removed from every computer on your network.
You can search the Internet for example Acceptable Use Policies to get you started. Here are a few specific items to include:
- Do not check personal email at work (with practice property)
- Do not visit social media sites at work (with practice property)
- Do not log in to personal online banking accounts at work (with practice property)
Be extremely cautious of links and attachments in emails, sensationalized posts or offers in your social media feeds, and phone calls from “companies” wanting remote access to clean up a virus or speed up your computer.
When in doubt, defer to your chosen I.T. partner. “Sure, let me get a return phone number from you and I’ll pass it along to our I.T. people. They will give you a call and provide the access you need.” More than likely, you’ll hear a short pause followed by a click!
Nathan Colt, CISSP, HCISPP
This article was published in the Fall 2015 ISDA Newsletter