In light of a number of hacking incidents targeting retailers, and the increasing prevalence of cybercrime within the jewelry industry, the Jewelers’ Security Alliance has issued the following basic tips for jewelers wishing to increase their cybersecurity:
- Have properly configured firewalls, and antivirus and antimalware software on every system. Keep them, and the operating systems and applications they protect, up to date.
- Don’t permit employees to download software without permission or to introduce personal memory sticks into a company system.
- Use strong passwords, and a different one for each account, for email and every other program. A password manager makes this practical, and multi-factor authentication should be turned on wherever it is offered.
- To avoid phishing (emails crafted to get you to open an attachment or click a link that installs malware on your system), don't open or click on unknown or suspicious emails. Even a familiar sender name can be spoofed, so check the actual address, not just the displayed name. Look for addresses with slight changes from the real one: in some cases crooks add an extra letter, or they change the extension to .net, .org, or some other ending.
- When evaluating suspicious emails, look for unfamiliar foreign domains, misspellings, and other anomalies.
- Jewelers are sometimes targets of social engineering, in which crooks impersonate a known vendor or customer (often using details gleaned from social media) and trick employees into giving out information about company personnel, customers, ordering and shipping procedures, or payment methods. They then use this information to make fraudulent transactions.
To avoid becoming a target for social engineering, be careful about the information you provide to the public by email, website, social media, or phone. When someone calls and you don't recognize their voice, confirm their identity. If a transaction is involved, call the person back on a number you already have on file, not one supplied in the email or call, to make sure there hasn't been an impersonation. And never give out the tracking number of a FedEx or other merchandise shipment; a crook can use it to have the shipment redirected.
- Avoid visiting questionable and risky sites, such as those on the so-called “dark web.”
- Don’t download questionable apps from obscure or unknown companies.
- Have a written cybersecurity policy which employees must read and sign.
- Have regular staff meetings and periodic reviews of cyber protocols for the firm.
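The look-alike-address checks in the phishing tips above (an extra letter, a swapped .com/.net/.org extension, a familiar name shown over an unfamiliar address) can be automated as a first-pass filter on the From: header before a person ever sees the message. The following is an added Python example written for this page, not material from the Jewelers' Security Alliance; the trusted-domain list and the sample headers in it are constructed for illustration, and the single-label TLD handling is deliberately simple.

```python
"""First-pass check of an email From: header against a list of trusted domains.

Added example; not from the Jewelers' Security Alliance. The trusted domains
and sample headers are constructed for illustration.
"""
from email.utils import parseaddr

# Hypothetical vendors/customers this jeweler regularly corresponds with.
TRUSTED_DOMAINS = ("acmegems.com", "goldsupplyco.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes or substitutions
    needed to turn a into b. Catches 'acmegemss.com' or 'acmegms.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """'acmegems.com' -> ('acmegems', 'com'). Naive: the last label is treated
    as the extension, which is enough for the simple .com/.net/.org swaps."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def check_sender(from_header: str) -> tuple[str, str]:
    """Return (verdict, reason) for a From: header value.

    verdict is 'trusted', 'suspicious' or 'unknown'. 'unknown' means the
    domain is simply not on the list; it still deserves a human look."""
    display_name, address = parseaddr(from_header)
    _, at, domain = address.rpartition("@")
    domain = domain.lower()
    if not at or not domain:
        return "suspicious", "no parsable sender address"
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"{domain} is on the trusted list"

    name, tld = split_domain(domain)
    brand_words = display_name.lower().replace(" ", "")
    for trusted in TRUSTED_DOMAINS:
        t_name, t_tld = split_domain(trusted)
        # Same name, different extension: acmegems.net instead of acmegems.com
        if name == t_name and tld != t_tld:
            return "suspicious", f"{domain} uses .{tld} instead of .{t_tld}"
        # One letter added, dropped or changed anywhere in the domain
        if edit_distance(domain, trusted) <= 1:
            return "suspicious", f"{domain} is one character away from {trusted}"
        # Trusted brand in the display name, but the address is elsewhere
        if t_name in brand_words:
            return "suspicious", f"display name mentions {t_name} but address is @{domain}"
    return "unknown", f"{domain} is not on the trusted list"


if __name__ == "__main__":
    # Constructed sample headers, one per case the tips describe.
    samples = [
        "Acme Gems <sales@acmegems.com>",             # genuine
        "sales@acmegems.net",                         # extension swapped
        "sales@acmegemss.com",                        # extra letter
        "Acme Gems <acme.gems.billing@gmail.com>",    # familiar name, other address
        "news@somebigretailer.com",                   # simply unknown
    ]
    for header in samples:
        verdict, reason = check_sender(header)
        print(f"{verdict:10s} {header:45s} {reason}")
```

Run it as a script to see one line per sample; in practice the function would sit in a mail-filtering rule and route anything "suspicious" to a quarantine folder rather than the inbox.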