Imagine you work in the HR department for a medium-sized startup. A few days before payday, you receive an email from an external consultant about updates to their bank details. Apart from asking you to invoice them to their new bank account, there’s really nothing suspicious about this email.
What would you do? Would you update the consultant’s bank details or double-check with them directly? It’s certainly a difficult choice, as at this point you’re only days away from payday, and you’re probably overworked.
If your first thought was updating the consultant payment details, you’re not alone! This is a common data incident, where scammers send emails that appear to come from legitimate team members (usually the email address looks almost exactly like the actual one) asking to be paid to a new bank account.
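The check below is an added example, not part of the original article or any monday.com tooling: it flags sender addresses that imitate a contact already on file and holds any message asking for a payment change. The contact list, the character map, the keyword list and the function names are all assumptions constructed for illustration.

```python
import unicodedata

# Constructed sample data: consultant addresses already on file (hypothetical).
KNOWN_CONTACTS = {"jane.doe@acme-consulting.example", "li.wei@brightpath.example"}
# Small illustrative map of look-alike characters (digits and Cyrillic a/e/o).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o"})
PAYMENT_TERMS = ("bank details", "bank account", "account number")

def skeleton(addr):
    """Fold an address to a canonical form so visual tricks collapse together."""
    s = unicodedata.normalize("NFKC", addr).lower().translate(CONFUSABLES)
    return s.replace("rn", "m")  # "rn" reads as "m" in many fonts

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(addr, known=KNOWN_CONTACTS, max_distance=2):
    """Return ("known" | "lookalike" | "unknown", matched contact or None)."""
    addr = addr.strip().lower()
    if addr in known:
        return ("known", addr)
    for contact in sorted(known):
        if edit_distance(skeleton(addr), skeleton(contact)) <= max_distance:
            return ("lookalike", contact)
    return ("unknown", None)

def triage(sender, body):
    """Decide what to do with a message before anyone edits payment records."""
    status, match = classify_sender(sender)
    if status == "lookalike":
        return f"block: imitates {match}"
    if any(term in body.lower() for term in PAYMENT_TERMS):
        # Even an exactly matching address can be a compromised mailbox.
        return "hold: confirm by phone using the number already on file"
    return "deliver"
```

A "known" result only means the address matches the one on file, which is why a bank-detail change is held for a direct check with the consultant either way.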
Data Incidents are common
Cybersecurity incidents happen every day. In a recent study, 87% of CFOs in APAC responded that they had more than three security incidents in the last year. Here are some recent stories:
Medibank: A Rookie Mistake
Medibank, the Australian private health insurer, fell victim to a cyber-attack in October 2022, which the company initially believed had not resulted in sensitive customer data being accessed. However, on November 7 2022, the company admitted that all their customers (9.7 million) were affected. Medibank stated that the attacker accessed personal information like names, dates of birth, addresses, and phone numbers as well as sensitive data like Medicare, passport numbers, health claims data, and health provider details. Despite the attacker’s threat to release private medical information if a ransom was not paid, Medibank refused to pay. The attack resulted in hundreds of Medibank customers' health claims being posted on the dark web, including claims related to drug use, termination of pregnancy, and the harmful use of alcohol. According to the health insurer, their systems were breached through the use of a Medibank username and password that were stolen from a third-party IT service provider.
Woolworths’ Not Very Good Deal
MyDeal, a subsidiary of Woolworths, confirmed that a compromised user credential was used to access data belonging to 2.2M customers, including names, email addresses, phone numbers, and delivery addresses. The company reassured customers that payment details, passwords, and driver's licenses were not stolen. Only email addresses were exposed for 1.2 million of the affected customers. Woolworths stated that its other customers, including those of Everyday Rewards, were not affected by the breach.
IT Team Warns of Email Scams Leading to Data Hijacking and Ransom Demands
The IT team has shared multiple incidents where clients have clicked on links in emails, which appeared harmless at first, but later turned out to be part of a scam. As a result, the scammers were able to hijack the clients' data and demand a ransom. Fortunately, the IT team was able to resolve the issue without paying the ransom. However, during the process, all the computers in the workspace were completely shut down and locked.
Optus, the worst data breach in Australia's history?
Last year, the Australian telecoms company, Optus, announced that around 10 million customers - equivalent to 40% of the population - were affected by a data breach. Some experts believe that this could be the most significant data breach ever experienced in Australia. The attack involved ransom threats, public tension, and questions over whether this constitutes a "hack" at all. The breach has also raised concerns about how Australia handles data and privacy. A ransom was demanded. After the incident was announced, an internet user posted data samples on an online forum and demanded a $1M AUD ransom in cryptocurrency from Optus. The person said that the company had one week to pay, or the remaining stolen data would be sold off in batches.
Avoid becoming part of the story with some simple hacks to protect your information using monday.com security features
Hack 1: Set Up Access Restrictions
The first step is to set up access restrictions. You can do this by assigning different levels of access to your team members. You can choose to give them read-only access or full access. It's important to only give access to those who need it. This will reduce the risk of data breaches and unauthorized access.
Here’s how to set up custom permissions:
1. Click on your profile picture in the bottom left corner of the screen.
2. Select "Administration" from the options that appear.
3. In the admin section, choose "Permissions" from the left-hand menu.
4. See a list of user types and features that can be enabled or disabled for each one.
5. Select the appropriate settings based on your preferences.
Here's how to set up account permissions:
1. Navigate to the "Account permissions" screen and choose the user type you want to apply the permissions to from the left side of the screen.
2. Select the permissions you want to allow for that user type or deselect the permissions you want to remove.
Keep in mind, this option is only available in the enterprise plan. Apart from multi-level permissions, this tier also includes enterprise-grade security and governance, advanced reporting and analytics, and tailored onboarding. Try Enterprise here.
Here are the most common monday.com permission types:
Item-viewing permissions (Our favourite!)
📌 See how to change account permissions in more detail.
Hack 2: Use Two-Factor Authentication
The second step is to use two-factor authentication. This is an extra layer of security that requires users to provide two forms of identification before accessing their accounts. It's a simple yet effective way to protect your client's data from hackers and cybercriminals.
Hack 3: Enable Audit Trails
By allowing audit trails on monday.com, you’ll be able to keep track of all the changes made to your client's data. You'll see who made the changes and when they were made. This will help you identify any unauthorized changes and take corrective action immediately.
Hack 4: Regularly Back Up Your Data
You can do this by exporting your data and storing it in a secure location. This will ensure that you have a copy of your client's data in case of any system failures or data breaches.
Hack 5: In case of panic, push the Panic Button
If your team's login information is at risk of being compromised, or you have detected suspicious activity on your account, monday.com has launched a Panic Button: a "Panic mode" feature to temporarily block an account.
When you select this option, no one, including account administrators, will be able to access the account until an admin requests assistance.
Data incidents and cybersecurity threats happen almost every day. Recent stories like Medibank's rookie mistake and Optus' terrible data breach show how easily anyone can be tricked into revealing sensitive information. Setting up access restrictions is one simple hack to protect your information, and only giving access to those who need it will reduce the risk of data breaches and unauthorized access.
monday.com Permissions can help you keep data secure for you and your clients. Get a free consultation today from Kick Consulting, a monday.com partner and expert to make sure your data is safe and sound!