With 1,293 data breaches compromising 174 million records, 2017 saw more security attacks than any prior year – 45 percent more than 2016 alone. 2018 broke that record. And the numbers for 2019 are growing. FEMA, Facebook, FedEx, universities, school districts, medical facilities and insurance giants have all been victims, and an attempt on any of us could be next. But here’s the good news: you can control the outcome.
Information security isn’t simply a one-and-done matter. You need a consistent, ongoing defense as well as a strong offense to prevent and preempt an attack. Here are a few of my recommendations to use when building and reinforcing your security fortress.
- Multi-factor authentication
You’ve probably used multi-factor authentication or MFA when logging into a banking or credit card online system. You should put one to work for your business. MFA requires “multiple touches” via additional information outside of passwords – such as a one-time token, a fingerprint, a signature – to complete the login process. The use of “something you have” used in combination with “something you know” or “something that is a piece of your unique identity” helps secure access by verifying and authenticating that the person attempting to gain access is the person who should be accessing it.
- Strong passwords
Strong passwords are lengthy (12-16 characters), complex (using alpha and numeric characters and symbols), and less likely to be guessed by illegitimate users. Avoid short and obvious phrases or common words that can be figured out by computer hackers. When a computer scientist at Cambridge University analyzed 70 million passwords from Yahoo users, he found that 10 percent could be identified using an algorithm and only 1,000 of the most common words in the dictionary. Use complex passwords, especially those that cannot be pronounced.
- Security awareness training
One of your best defenses is your employees. But you are only as strong as your weakest link! When did you last take time to train everyone in your organization – technical and business – on the latest malicious activities, fraud and unauthorized access schemes? Training helps prevent security incidents by keeping users on the lookout and cautious about opening e-mails or clicking on links during events such as these:
• Phishing is a social engineering attack that uses spoofing. An attacker sets up a spoof website, link or e-mail that is fake but looks real to trick a person into giving up important or private information. An attacker may, for example, send an e-mail that looks like a banking alert containing links and asking the user to log in and check a banking account. When the user does this, banking profile login information is shared with the attacker. According to the APWG “Phishing Activity Trends Report” for first quarter 2018, the number of unique phishing websites grew 45 percent in the first three months of the year.
• There’s also vshing (voice or VoIP phishing), SMiShing (SMS phishing), and lots of others that let the bad guys get the goods from the ill-informed.
• Before a spear phishing attack, the attacker has gathered information about the target to use to entice the victim. For example, if an attacker finds out a person is a fan of a certain sports team. They might send an e-mail saying, “You’ve won free tickets to the next game of (insert favorite team here)! All you have to do is download your tickets right now, right here by clicking this link.” The click downloads a file that can end up taking over the victim’s machine and life.
• Whaling is a specific type of phishing that targets specific individuals – the “big guys:” leaders, executives, and upper management – asking for things such as money transfers through their organizations. Think of the “Friend Stranded Abroad” hoax, but from your CEO. It might be tough to leave her stranded when you know she’s on the road.
Now, let’s talk for a minute about ransomware. “Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid,” explains the Cybersecurity and Infrastructure Security Agency (CISA), the official website of the Department of Homeland Security. The agency reports that ransomware attacks are escalating worldwide.
How can you be proactive against a ransomware attack typically spread through phishing e-mails or infected websites? The CISA and I recommend these best practices:
• Restrict users’ permissions to install and run software applications and apply the principle of “least privilege” to all systems and services.
• Use application whitelisting to allow only approved programs to run on a network.
• Enable strong sp-am filters to prevent phishing e-mails from reaching the end users and authenticate inbound e-mail to prevent e-mail spoofing.
• Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching end users.
• Configure firewalls to block access to known malicious IP addresses.
• Keep all software applications up to date with the latest vendor patches.
• Back up data regularly and verify backups on thumb drives or external hard drives.
• Keep your anti-virus or anti-malware programs set to automatically update and scan your PCs and systems.
• Use a VPN service and duo- or multi-factor authentication.
How should you respond to a ransomware attack?
• Disconnect your computer, laptop and all other devices from your network.
• Shut off all wireless or Bluetooth connections.
• Call a cybersecurity professional.
• DO NOT respond to the ransomware attacker.
How else can you advise your employees to act in order to help ensure the safety of your organization?
When using e-mail:
Most sites that require logins ask for your e-mail address for notifications and password recovery. A hacker that gains access to your e-mail can quickly determine what bank you use, what credit card you carry, and which other online accounts you log into. The hacker can then go to these sites and request a password reset. The new password comes to your e-mail address. And you know the rest.
So even if your bank password is different than your e-mail password (and it should be), make sure you use a secure password for your email. Also:
1. If you do not know who an email is from, do not open it.
2. If an e-mail is from someone you do know but is using language or sent at a time of day or night that is out of character for that sender, do not open it.
3. Do not click on any link or hyperlink unless it is from a known, trusted person and you are expecting it.
4. Do not open any attachment unless you’re certain you know who it’s from.
During social media activity:
1. Be mindful of what you share! Everything you post can be seen by anyone, and the spear phishers collect data on the people they target.
2. Check your privacy settings. Ensure you’re comfortable with the information you’re letting be distributed.
3. Secure each account with strong passwords. Use complex passwords, not something people can guess about you.
4. Employ duo- or multi-factor authentication when it’s available to prevent unauthorized access to your accounts.
5. Do not accept unknown connections or friend requests. These can distribute spam and malicious links to your accounts.
When browsing the internet:
When on a mobile phone:
You need a password on your mobile phone. A simple four-digit number doesn’t count. For most of us, our cell phones are integral parts of our lives. We use them to make calls, access social media sites, get news, and even log into our bank accounts. Your phone should be better protected better than your laptop or computer as you have a much higher risk of losing it. Secure your devices with biometric password options (fingerprint and facial recognition) if they are available.
The bottom line:
In all things security related, more than hackers, more than phishers, scammers, or Nigerian princes, complacency is, by far, your biggest enemy. Be proactive. Operate under the tried and true adage, “The best defense is a good offense,” or as it’s stated in the Wing Chun style of Kung Fu: “The hand which strikes also blocks.”
In this article, some identity theft statistics are from the Identity Theft Resource Center (ITRC) and data breach information for 2018 and 2019 from IdentityForce.com.