As Cyber Liability awareness month comes to a close, AIM recaps it’s top ten tips to avoid Cyber liability.
#1 - USE STRONG PASSWORDS. The National Institute for Standards and Technology (“NIST”) guidelines suggest that we use passwords with an eight character minimum and special characters ($#%@!). Make sure to restrict sequential and repetitive characters, restrict context specific passwords (e.g., the name of the site), and restrict commonly used passwords (e.g., “P@ssw0rd”). Change passwords often. The new NIST Guidelines for secure passwords can be found here: https://pages.nist.gov/800-63-3/sp800-63b.html #2 - PATCH TO PROTECT. Make sure to run timely updates to your security software, browser and operating systems. Software updates patch security flaws to keep hackers out of your systems. Proactive patch management eliminates vulnerabilities that can expose your firm to cyber attacks. Don’t ignore those pop-ups telling you it is time to update your software! #3 - NO “PHISHING”. Cyber criminals use phishing attacks to access passwords, credit cards, or other sensitive information. Phishing emails and text messages try to trick you into clicking on a link or opening an attachment. They may
say they’ve noticed some suspicious activity or log-in attemptsclaim there’s a problem with your account or your payment informationsay you must confirm some personal informationinclude a fake invoicewant you to click on a link to make a paymentsay you’re eligible to register for a government refundoffer a coupon for free stuff
Even if it looks legit, check the IP address, confirm the actual sender, and don’t click links unless you are sure. Don’t take the bait! #4 - DOUBLE YOUR LOGIN PROTECTION BY USING MULTI-FACTOR AUTHENTICATION (MFA). Ensure that the only person who has access to your account is you. MFA strengthens access security by requiring two methods (or factors) to verify your identity. Use it for email, VPN, banking, social media, and any other service that requires logging in. Enable MFA by using a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring. #5 – DON’T CLICK AND TELL. Limit the information you post on social media. Don’t post random personal details that allow criminals to target you. Keep Social Security numbers, account numbers, and passwords private. Don’t share specific information about yourself, such as your full name, address, birthday, and vacation plans. Disable location services that allow others to see where you are at any given time. #6 – PROTECT WHEN YOU CONNECT. Before you connect to any public wireless hotspot – like at an airport, hotel, or café – confirm the name of the network and exact login procedures to ensure that the network is legitimate. Avoid sensitive activities (e.g., accessing client information, banking) that require passwords or credit cards, while using an unsecured public access point. If possible, use your personal hotspot – it is safer than public Wi-Fi. Only use sites that begin with “https://” when online shopping or banking. #7 – AVOID THE BUSINESS EMAIL COMPROMISE. In a typical Business Email Compromise (BEC) fraud, the scammer poses as a reliable source who sends an email from a spoofed or hacked account to an accountant or chief financial officer (CFO), asking them to wire money, buy gift cards or send personal information, often for a plausible reason. If money is sent, it goes into an account controlled by the con artist. Never send money in response to an email. Beware of last-minute email changes to wiring instructions. Do not provide account details in response to an email. If in doubt, call a trusted number for the person who supposedly sent the email and ask if it is legitimate. #8 – KEEP TABS ON YOUR APPS. Most connected devices – including appliances and toys - are supported by a mobile application. Your device could be filled with suspicious apps running in the background or using default permissions you never realized you approved. These apps gather your personal information without your knowledge, putting your identity and privacy at risk. Check your app permissions and use the “rule of least privilege” to delete what you don’t need or no longer use. Decline privilege requests that don’t make sense. Only download apps from trusted vendors and sources. #9 – HAVE A CONTINGENCY PLAN. 44% of small businesses report being victims of a cyber attack. Yet, almost 60 percent of U.S. small and medium-sized businesses do not have a contingency plan that outlines procedures for responding to and reporting data breach losses. Establish security practices and policies to protect your organization’s sensitive information and its employees, patrons, and stakeholders. Then, establish a continuity plan to ensure that business functions can continue in the event of an emergency. Find templates for continuity plans at http://www.fema.gov/planning-templates. #10 – PRACTICE GOOD CYBER HYGIENE. What is cyber hygiene? It is a routine that implements practices and steps that computer/device users can take to maintain system health and improve online security. Good cyber hygiene requires everyone in your organization to participate – security protocols created by your IT department will only work if every employee implements them. Here are a few ways your organization can practice good cyber hygiene: 1. Keep an inventory of your firm’s hardware and software. 2. Develop a process for software installation by end users. That may mean limiting installation of trusted software or prohibiting and blocking all installation without prior approval from IT. 3. Educate users on practicing good cyber behavior, including password management, identifying potential phishing efforts, and which devices to connect to the network. 4. Identify vulnerable apps that aren’t in use and disable them. 5. Consistently back up data and keep multiple copies. Consider using a secure cloud solution in addition to on premise backup. 6. Look to industry-accepted secure configurations and standards like NIST and CIS Benchmark for guidance on password length, encryption, port access, and multifactor authentication. 7. Run updates and patch all applications right away–regularly. Unpatched systems are one of the biggest risk factors in attacks. 8. Use complex passwords and change them frequently. 9. Limit the number of users with administrative privileges. 10. Upgrade aging systems and infrastructure.