We’re at the end of October already (can you believe it?) and most people have been busy with their little witches and ghosts, and “goblin’” up those Kit Kats! While this month is typically known for spooks and ghouls, since it’s also deemed Cyber Security Awareness Month we felt that we should remind you of the many other reasons to be scared.
Over the past year, we’ve seen local small businesses get hacked. It’s happening more than ever. Businesses from our area have had sensitive data stolen that includes medical diagnoses, Social Security Numbers, and more! The businesses that have always said, “we’re too small, no one would ever attack us,” were the very ones to get breached. Being small doesn’t matter anymore… it makes you more of a target because hackers realize that small businesses probably don’t spend enough money on cyber security and, as such, are easily hacked.
Think of it from a hacker’s perspective: if I want to break into the local major hospital network, how would I do it? Would I attack them directly? Probably not, because they’re large and most likely spend lots of money on security. It would be difficult to break through their defenses. Hackers go for the low-hanging fruit. A hacker would rather attack some small physician’s practice in Podunk, PA who has privileges at the major hospital (and whose company’s network is probably connected in some way to the major hospital’s network for patient data transfer), because the probability is high that getting into the physician’s network would allow them to pivot, undetected, into the major hospital’s network.
This is exactly how Target was hacked years ago: a small heating and A/C company was hacked and when they connected their computers to Target’s network the attackers had full access.
The bottom line is you’re not safe anymore just because you’re small. So, what can you do?
Those of you who work for organizations that deal with various forms of sensitive data (healthcare, government, financial, etc.) are probably already aware of the various safeguards you can put in place because those safeguards are mandated by law. Let’s talk about some of the things that you, individually, can do at the office or at home to keep yourself (and your company/clients/patients) safe.
1) Use passphrases. The key to good passwords is their length. They don’t have to be ridiculously complex, just long. Also, be sure people who know you personally wouldn’t be able to guess the passphrase. Using something like “My house is the color dog!” is perfect because its length means a computer can’t reasonably crack it and people wouldn’t be able to guess it because it doesn’t make sense.
2) Use different passwords for EVERY site. The fastest way to ensure your life is destroyed is to use the same password everywhere, so if someone breaks into your email they can also get to your checking account, Amazon, mortgage, etc.
3) Change your passwords on a regular basis (~90 days). Most of the time when you get hacked you won’t even know it, so it’s possible for a hacker to have access to your bank account for months. Changing your passwords regularly means you’re limiting the time an intruder can access your accounts if you were to be hacked.
4) Enable 2-factor authentication everywhere. Most websites now offer 2-factor authentication, where you can’t sign into your account until you enter the secret code that was texted to your phone. If the site offers it, app-based 2-factor authentication, using an app such as Google Authenticator or Duo, is better. In any case, enabling this feature means that even if an attacker figures out your password they still need physical access to your phone to get the secret code. This makes it one step harder for them.
5) Don’t click links in emails… ever! Phishing has been around for a long time and the tactics are getting better every day. It’s sometimes extremely difficult to distinguish between legitimate emails and phishing emails. For that reason, don’t click links. Copy/paste the URL from the email into your web browser so you can see exactly where it’s taking you.
6) Don’t put sensitive data on unsecured computers (such as your personal computer). This includes anything from medical records to tax returns to work documents with people’s addresses/phone numbers/birthdays/etc. Personal computers are often less secure than company computers and are easy targets for hackers. For some organizations it’s even illegal to do that!
7) Don’t log in to your computer using an account with administrative privileges. How does most malicious software work? By installing viruses and such on your computer. That can’t happen if you’re not logged into your computer with an administrative account. Sure, this means that when you need to install something you’ll have to log out of your normal account and temporarily log in with an admin account (which takes all of 30 seconds), but the benefits HIGHLY outweigh the costs.
8) Don’t use CDs/USB sticks/etc. from unknown sources. Removable media is a highly used method of transferring malicious software. In many cases, simply plugging in the device can hack your machine without your knowledge.
9) Pay for antivirus/antimalware/antispyware software. The free software isn’t as good at detecting malicious activity as the reputable brands that cost money. Usually this is less than $100/year, so in the grand scheme of things it’s not so bad.
10) Don’t use websites that aren’t secured using the HTTPS protocol. Be sure that any website that requires login or asks for personal information is secure. You can tell by either seeing https:// in the address bar or, if that’s hidden, seeing the padlock image.
Most articles like this often promote safe computing for adults, but what about children? It’s an unfortunate situation that many parents today are giving their young children unrestricted access to technology. We’ve all seen in the news how awful this can be (e.g., Momo), so what can we do to protect our children online?
1) Parental controls. Most devices have them. Ensure that your children cannot install anything or access any applications other than the ones you specify. This includes any applications that have web browsing functionality, because that means unrestricted access to the entire internet.
2) Pick the allowed applications carefully. The YouTube for kids app still allows children to view explicit videos that somehow make their way into the video list. Other apps add full web browsing functionality or the ability to purchase add-ons, which can run up your credit card bill. Parents need to scrutinize each and every app they allow their children to use to ensure it only does what they think it does.
3) Don’t allow your children on the public Internet (at least not unsupervised). This includes having Facebook accounts, WhatsApp accounts, etc. The minds of children are not mature enough to understand when they are being taken advantage of and they don’t realize when they have put themselves in danger.
4) Don’t give them cell phones. It’s really unnecessary. But if you do, ensure that the parental controls are as strict as possible. Remember, cell phones are computers and can do everything computers can. Your children will find a way around lax security controls to access whatever they want.
Going online in 2019 is like walking to the middle of a bull-fighting arena wearing all red. No one is safe. Everyone is a target. Even if you have never used a computer in your life, you most likely have a bank account, and your bank is connected to the internet, and hackers can attack your bank. I can list many examples just like this to prove that you’re not safe even when you think you are. So, take this opportunity during Cyber Security Awareness Month to tighten your defenses and keep yourself, your company, and your family safe from the spooks and ghouls of the online underworld.