How To Keep Control Of Your Data, And Avoid Becoming A Cybercrime Victim
by Earl Foote – CEO/Founder | Nexus IT Consultants
2020 was a banner year for cybercriminals. The number of phishing emails and social engineering scams that use the COVID-19 pandemic as a topic represents the single largest thematic series of cybercrime attacks ever.
From credential phishing and malicious attachments to business email compromise and fake landing pages, the coronavirus has been a veritable gold rush for cybercriminals. That’s in addition to the many unrelated cybercrime attacks that took place, including when the US Government and numerous corporations around the world were hit by a devastating supply chain attack.
The bottom line is that cybercrime is more prevalent, destructive, and expensive than ever. If you want to take the power back from hackers, you have to take action.
Be Smart With Your Passwords
This is a basic part of safe computing. Have you considered how strong your passwords are?
- Length and Complexity. Keep in mind that the easier it is for you to remember a password, the easier it’ll be for a hacker to figure it out. That’s why short and simple passwords are so common – users worry about forgetting them, so they make them too easy to remember, which presents an easy target for hackers.
- Numbers, Case, and Symbols. Another factor in a password’s complexity is whether it mixes numbers, upper- and lower-case letters, and symbols. While it may be easier to remember a password that’s all lower-case letters, it’s important to mix in numbers, capitals, and symbols in order to increase the complexity.
- Personal Information. Many users assume that information specific to them will be more secure — the thinking, for example, is that your birthday is one of 365 possible options in a calendar year, not to mention your birth year itself. The same methodology applies to your pet’s name, your mother’s maiden name, etc. However, given the ubiquity of social media, it’s not difficult for hackers to research a target through Facebook, LinkedIn, and other sites to determine when they were born, information about their family, personal interests, etc.
- Pattern and Sequences. Like the other common mistakes, many people use patterns as passwords in order to better remember them, but again, that makes the password really easy to guess. “abc123”, or the first row of letters on the keyboard, “qwerty”, etc., are extremely easy for hackers to guess.
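The four pitfalls above can be turned into an automated check before a password is accepted. The following is an added example, not code from the article or from Nexus IT Consultants; the personal terms and birth date it matches against are supplied by the caller (here, constructed sample values), and the sequence check generalizes "abc123" and "qwerty" to any three-character run along a keyboard row, the alphabet, or the digit row, forwards or backwards.

```python
import re
from datetime import date

# Sequences the article calls out as easy to guess: keyboard rows, digits, alphabet.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "abcdefghijklmnopqrstuvwxyz"]
SEQUENCES = ROWS + [r[::-1] for r in ROWS]   # reversed runs count too

def has_sequence(lower, length=3):
    """True if any run of `length` adjacent characters lies on a keyboard row or the alphabet."""
    return any(lower[i:i + length] in seq
               for i in range(len(lower) - length + 1) for seq in SEQUENCES)

def password_weaknesses(password, personal_terms=(), birth_date=None, min_len=12):
    """Return the weaknesses found; an empty list means the password passes every check.

    personal_terms: things an attacker could read off social media (pet name, maiden
    name, etc.); birth_date: a datetime.date or None. Both are supplied by the caller.
    """
    issues = []
    lower = password.lower()
    # Length and complexity.
    if len(password) < min_len:
        issues.append("too short")
    # Numbers, case and symbols: require at least three of the four classes.
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, password)) < 3:
        issues.append("missing character classes")
    # Personal information: names and dates an attacker can research.
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lower:
            issues.append(f"contains personal term '{term}'")
    if birth_date is not None:
        digits = re.sub(r"\D", "", password)
        forms = {birth_date.strftime(f) for f in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y")}
        if any(f in digits for f in forms):
            issues.append("contains birth date")
    # Patterns and sequences: abc123, qwerty, and runs of the same character.
    if has_sequence(lower):
        issues.append("keyboard or alphabet sequence")
    if re.search(r"(.)\1{2,}", password):
        issues.append("repeated character run")
    return issues

if __name__ == "__main__":
    # Constructed sample inputs: a pet name and a birth date the caller already knows.
    for pw in ("qwerty123", "Fluffy0704!!", "Correct-Horse7Battery"):
        print(pw, "->", password_weaknesses(pw, ("Fluffy",), date(1990, 7, 4)) or "OK")
```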
Use A Firewall
Your firewall is your first line of defense for keeping your information safe.
A firewall is a particular type of solution that maintains the security of your network. It blocks unauthorized users from gaining access to your data. Firewalls are deployed via hardware, software, or a combination of the two.
A firewall inspects and filters incoming and outgoing data in the following ways:
- With Packet Filtering that filters incoming and outgoing data and accepts or rejects it depending on your predefined rules.
- Via an Application Gateway that applies security to specific applications, such as Telnet (a protocol for accessing remote computers and terminals over the Internet or another TCP/IP network) and FTP (File Transfer Protocol) servers.
- By using a Circuit-Level Gateway that verifies a connection, such as a Transmission Control Protocol (TCP) session, when it is established, and then relays the small pieces of data, called packets, that flow through it.
- With Proxy Servers: Proxy servers mask your true network address and capture every message that enters or leaves your network.
Manage Account Lifecycles And Access
This is one of the more basic steps on the list, but no less important. It can’t really be automated or outsourced to any technological aids; it’s just about doing the work. You need to have a carefully implemented process to track the lifecycle of accounts on your network.
- Follow a careful system for how accounts are created for new members, how their security is maintained and verified through their life, and how they are removed when no longer needed.
- Implement secure configuration settings (complex passwords, multi-factor authentication, etc.) for all accounts.
- Implement controls for login and use, such as lockouts after too many unsuccessful logins, alerts on unsuccessful logins, and automatic log-off after a period of inactivity.
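The three login controls in the last item (lockout after repeated failures, an alert on every failed login, and automatic log-off of idle sessions) can be replayed against an authentication log to see what each would have done. This is an added example, not code from the article or from any particular product; the log format, the thresholds and the user names are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
MAX_FAILURES = 3                      # lock the account after this many failures...
FAILURE_WINDOW = timedelta(minutes=15)  # ...within this window
LOCKOUT = timedelta(minutes=30)       # how long the account stays locked
IDLE_TIMEOUT = timedelta(minutes=10)  # automatic log-off after this much inactivity
# Constructed sample log: "<ISO timestamp> <user> <FAIL|OK|ACTIVITY>", in time order.
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice OK
2024-03-01T09:01:00 bob FAIL
2024-03-01T09:02:00 bob FAIL
2024-03-01T09:05:00 alice ACTIVITY
2024-03-01T09:05:30 bob FAIL
2024-03-01T09:06:00 bob OK
2024-03-01T09:30:00 alice ACTIVITY
2024-03-01T09:40:00 bob OK
"""

def replay(log_text):
    # Replay the log and return what each control would have done.
    out = {"alerts": [], "lockouts": [], "denied": [], "idle_logoffs": []}
    failures = defaultdict(deque)       # recent failure timestamps per user
    locked_until, last_seen = {}, {}    # active lockouts; last activity of logged-in users
    for line in log_text.splitlines():
        stamp, user, event = line.split()
        ts = datetime.fromisoformat(stamp)
        if event == "FAIL":
            out["alerts"].append((user, ts))         # unsuccessful login alert
            q = failures[user]
            q.append(ts)
            while ts - q[0] > FAILURE_WINDOW:        # forget failures outside the window
                q.popleft()
            if len(q) >= MAX_FAILURES and user not in locked_until:
                locked_until[user] = ts + LOCKOUT
                out["lockouts"].append((user, ts))
        elif event == "OK":
            if user in locked_until and ts < locked_until[user]:
                out["denied"].append((user, ts))     # right password, but still locked
            else:
                locked_until.pop(user, None)
                failures[user].clear()
                last_seen[user] = ts                 # session starts
        elif event == "ACTIVITY" and user in last_seen:
            if ts - last_seen[user] > IDLE_TIMEOUT:  # session expired while idle
                out["idle_logoffs"].append((user, ts))
                del last_seen[user]                  # user must log in again
            else:
                last_seen[user] = ts
    return out
```

Running `replay(SAMPLE_LOG)` shows bob locked out on his third failure and refused at 09:06 even with the right password, and alice's idle session expired at 09:30.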
Have Your Patches And Updates Managed
Did you know that one of the most common ways cybercriminals get into a network is through loopholes in popular software? Much of the software you rely on to get work done every day could have flaws, or vulnerabilities, that attackers exploit and that leave you open to security breaches.
To address this, developers regularly release software patches and updates to fix those flaws and protect users. This is why keeping your applications and systems up to date is a key part of safe computing.
Back Up Your Data
Do you have a data backup policy in place?
If you have a data backup solution, then it doesn’t matter if your data has been encrypted by ransomware. You can simply restore it from your backup.
A physical, air-gapped backup solution will truly eliminate all risks and will ensure total protection against both malicious cyberattacks and rogue administrators or other insider threats.
We recommend the Granite Cloud Isolated Tier solution by Perpetual Storage Inc. which is not a software-based solution. Your critical corporate data will be placed into a physically offsite and offline storage, safe and secure, deep in a maximum-security granite mountain vault.
Making this affordable investment into a comprehensive backup data recovery solution enables you to restore your data at a moment’s notice when necessary. Be sure to:
- Back up data on a regular basis (at least daily).
- Validate your backups to verify that they maintain their integrity.
- Secure your backups and keep them independent from the networks and computers they are backing up.
- Make sure your backup is kept in a physically air-gapped state.
Delegate And Be Resourceful With Your Team
Appoint a reliable staff member to liaise with your IT team and make sure that your employees and volunteers strictly adhere to your cybersecurity plan.
Along with your IT professionals, this person will be your point of contact for making sure you adhere to IT security compliance regulations and standards, so you can stay in good standing with governments and donors.
It’s essential that you determine exactly what data or security breach regulations could affect you. You need to know how to respond to data loss. All employees and contractors should be educated on how to report any loss or theft of data, and who to report to.
Data loss can expose you to costly state and federal regulations and litigation. You must be able to launch a rapid and coordinated response to a data breach to protect your reputation.
Your plan should include input from all departments that could be affected by a cybersecurity incident. This is a critical component of emergency preparedness and resilience. It should also include instructions for reacting to destructive malware. Additionally, departments should be prepared to isolate their networks to protect them if necessary.
Make Your Staff A Cybersecurity Asset
Your staff can have a significant effect on your cybersecurity – either they know enough to keep your assets secure, or they don’t, and thus present a serious threat to your security.
So, which is it? Do your employees and volunteers have the knowledge they need to spot cybercrime scams, avoid common pitfalls and keep your data secure?
Security awareness training helps your employees and volunteers know how to recognize and avoid being victimized by phishing emails and scam websites.
They learn how to handle security incidents when they occur. If your employees and volunteers are informed about what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.
Roll Out A Security Policy
Every organization should set a security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should include such things as:
- Not opening attachments or clicking on links from an unknown source.
- Not using USB drives on office computers.
- A Password Management Policy (no reusing passwords, no Post-it Notes on screens as password reminders, etc.).
- Required security training for all employees.
- A review of policies on Wi-Fi access. Include contractors and partners as part of this if they need wireless access when onsite.
Have An Incident Response Plan In Place
When you suspect an attack has taken place, you need to act quickly. Contrary to popular belief, some businesses take weeks or even months to realize they’ve been penetrated. If you suspect something has occurred, do the following:
- Make sure all your software is up to date.
- Scan your systems for virus or malware infections.
- Disconnect devices from the Internet and perform a factory reset – ideally, your data will all be backed up elsewhere.
- File a report with the local police and make sure there is a record of the incident.
Don’t Forget About Mobile Devices
A mobile device management (MDM) policy dictates how your employees can use their personal devices for work purposes, which security apps should be installed, and what best practices need to be followed.
An effective MDM policy should also instill safe and secure practices in employees who use personal devices for business purposes.
Only Visit Secure Websites
There’s an easy way to tell whether your connection to a website is secure: only use web pages with URLs that begin with “https”. If that “s” is missing, your traffic to the site is not encrypted, and the site is not secure.
Be Careful Who You Meet Online
Cybercriminals have been known to make fake social media accounts online in order to get to know their targets, develop relationships with them, and then steal their information. Don’t be fooled – be skeptical of anyone you know only through a digital medium, and never reveal valuable or sensitive information to them.
Watch What You Click
Fake URLs are a popular tool for cybercriminals. Always hover your mouse over a link in an email, or on an unfamiliar website, before clicking it. That lets you see where it actually leads. While the link text may look harmless, the actual URL may show otherwise, so always look first, and click only when the real destination is what you expect.
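The hover check above compares the address a link shows with the address it really goes to. The following is an added example, not code from the article, that performs the same comparison over an HTML email body: it parses every anchor, flags links whose visible text names one domain while the href goes to another, and also flags plain-http targets. The sample email, its hostnames and the two-label domain approximation are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def base_domain(host):
    # Approximation: last two labels (example.com); suffixes like co.uk need a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html):
    """Return (shown_text, real_href, reason) for links a careful hover would reject."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)          # does the visible text name a host?
        if shown and base_domain(shown.group(1)) != base_domain(real_host):
            flagged.append((text, href, f"shows {shown.group(1).lower()} but goes to {real_host}"))
        elif not href.lower().startswith("https://"):
            flagged.append((text, href, "not https"))
    return flagged

# Constructed sample: the first link's visible text is not where it really goes.
SAMPLE_EMAIL = """<p>Your account is locked. Reset it at
<a href="http://secure-login.example.net/reset">https://www.bank.example.com/reset</a>
or read <a href="https://www.bank.example.com/help">our help page</a>
or <a href="http://example.org/faq">example.org</a>.</p>"""
```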
Be Careful About What You Download
One of the primary ways that cybercriminals take advantage of users is to trick them into downloading malware. That’s why you need to train yourself to act cautiously to avoid downloading malware.
It’s a matter of thinking before you click something — never download a file, whether online or as an attachment from an email if you’re unsure of the source. It’s always better to check with the sender to confirm, prior to downloading or opening a suspect file.
Be Careful With Public Wi-Fi
Safe computing means being careful about who and what you trust. It’s important to use discretion when determining whether a free Wi-Fi hotspot is really worth the risk.
Keep these tips in mind when considering the risks of unsecured Wi-Fi:
- Avoid accessing sensitive info when using public Wi-Fi, such as online banking, shopping, etc.
- Set your smartphone up with a Virtual Private Network (VPN) that encrypts your traffic to keep it safe from hackers.
- Configure your smartphone so that it doesn’t automatically connect to open Wi-Fi hotspots.
- Keep your Bluetooth function turned off unless you’re specifically using it with another device.
- Invest in a larger data plan so that you don’t have to rely on public Wi-Fi.
Test And Assess Your Cybersecurity
Determine how your data is handled and protected. Also, define who has access to your data and under what circumstances. Create a list of the employees, volunteers, donors, or contractors who have access to specific data, under what circumstances, and how those access privileges will be managed and tracked.
You must know precisely what data you have, where it’s kept, and who has rights to access it.
Don’t Make It Easy For Cybercriminals
The point of all this is that you can’t afford to overlook your cybersecurity. Depending on the current state of your digital defenses, improving your security may not be all that complicated or expensive.
As that old saying goes, “An ounce of prevention is worth a pound of cure”. Do what you need to do to “prevent” now, so you don’t have to pay for the “cure” later. To start, that means understanding the threats you currently face.