10 Easy Actions To Improve Cybersecurity In Business and Life
Cyber threats are a persistent issue for businesses and individuals alike. At Kelser, we are always working with our clients to make their businesses more secure. October is Cybersecurity Awareness Month, so we've asked our in-house experts for some tips and insights you can use to better secure your business and home (especially now that the two have become more closely linked for so many of us).
Here are some simple actions you can take to improve your cybersecurity at work and at home.
1. Verify Before You Click
With the constant onslaught of email, it is important to pause for a moment when reading any email that asks you to do something. This becomes more important with the urgency of the request.
Any email that asks you to do something immediately, whether it is an unusual or normal request, should be suspect.
Verify that the email is legitimate by calling, texting, or instant messaging the person making the urgent request, using contact details you already have rather than any phone number or address given in the email; DO NOT reply to the email. Be vigilant and verify all email BEFORE you click on a link or open an attachment!
Check where the email came from by looking at the headers. In Outlook, with the email open in its own window, click “File” from the menu and then the “Properties” box. There is a box at the bottom called “Internet Headers.” Consider this the packaging that the urgent request came in.
A few simple things to check:
| Header | What to check |
| --- | --- |
| Received-SPF: pass | Added by the receiving mail server, not the sender. "pass" means the sending server is an authorized sender for the envelope-sender domain; SoftFail, Fail, Neutral or None mean it is not (or that the domain publishes no policy). SPF only vouches for the envelope sender, which can be a domain the attacker controls, so a pass on its own does not prove the From address is genuine. |
| Sender: <email address> | Present when mail is sent on behalf of someone else (mailing lists, delegates); should be who you think it is from. |
| From: <email address> | Should be who you think it is from and should match the sender. Look at the actual address in angle brackets, not just the display name, which the sender can set to anything. |
| Reply-To: <email address> | Where your reply actually goes; should match the From address. A Reply-To at a different domain is a common phishing tell. |
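To show what the header checks above look like when automated, here is an added Python example (not from the original article and not Kelser's code) that parses the raw headers of a message and flags the mismatches the table describes. It goes a little beyond the table: it also catches an address hidden inside the display name, and a Return-Path (envelope sender) whose domain differs from the From domain. The two messages, and every person, address, IP and domain in them, are constructed for this example.

```python
import re
import email
from email.utils import parseaddr

# Two constructed messages (invented people, addresses and domains).  The first
# is a look-alike-domain "urgent wire" request; the second is ordinary internal
# mail that should pass every check.  The text is what Outlook shows in the
# "Internet Headers" box, plus a one-line body.
SUSPICIOUS = """\
Received-SPF: softfail (mx.example.com: domain of bounce@mail-bulk.example.org does not designate 203.0.113.7 as permitted sender)
Return-Path: <bounce@mail-bulk.example.org>
Sender: bounce@mail-bulk.example.org
From: "Pat CEO <ceo@example.com>" <pat.ceo@example-com.biz>
Reply-To: pat.ceo@example-com.biz
To: finance@example.com
Subject: URGENT: wire transfer before 5pm

Please wire the amount on the attached invoice today.
"""

CLEAN = """\
Received-SPF: pass (mx.example.com: domain of ceo@example.com designates 198.51.100.9 as permitted sender)
Return-Path: <ceo@example.com>
From: Pat CEO <ceo@example.com>
To: finance@example.com
Subject: Q4 budget meeting

Can we move the budget review to Thursday?
"""

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")


def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_headers(raw_message):
    """Return a list of warnings about the sender-related headers of raw_message.

    The checks follow the article's table (Received-SPF, Sender, From,
    Reply-To) and add two that catch the same spoof from another angle: an
    address hidden inside the display name, and a Return-Path (envelope
    sender) whose domain differs from the From domain.  An empty list means
    nothing stood out; it does not prove the message is genuine.
    """
    msg = email.message_from_string(raw_message)
    warnings = []

    # Received-SPF is stamped by the *receiving* server.  "pass" means the
    # sending IP is authorised for the envelope-sender domain; softfail, fail,
    # neutral or none mean it is not (or that domain publishes no policy).
    spf = (msg.get("Received-SPF") or "").strip().lower()
    spf_result = spf.split(" ", 1)[0] if spf else "missing"
    if spf_result != "pass":
        warnings.append(f"Received-SPF is '{spf_result}', not 'pass'")

    # Look at the real address, not the display name the sender typed.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # A display name that itself contains an address: the reader sees
    # ceo@example.com, but replies go to the addr-spec in angle brackets.
    hidden = ADDR_RE.search(display_name)
    if hidden and hidden.group(0).lower() != from_addr.lower():
        warnings.append(
            f"display name shows {hidden.group(0)} but the address is {from_addr}")

    # For ordinary person-to-person mail, Sender and Reply-To (when present)
    # and the Return-Path should share the From domain.
    for name in ("Sender", "Reply-To", "Return-Path"):
        value = msg.get(name)
        if not value:
            continue
        _, addr = parseaddr(value)
        if _domain(addr) != from_dom:
            warnings.append(
                f"{name} domain '{_domain(addr)}' differs from From domain '{from_dom}'")

    return warnings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        findings = check_headers(raw)
        print(f"{label}: {len(findings)} warning(s)")
        for line in findings:
            print("  -", line)
```

The Outlook “Internet Headers” box contains exactly this raw text, so it can be pasted straight into `check_headers`. An empty result only means nothing obvious stood out: a phisher sending from a domain they registered themselves will pass SPF, which is why the phone call described above is still the real verification.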
Verifying an email takes only a moment; so does infecting your computer by clicking the wrong link. Email is still the most prevalent attack vector. Be vigilant!
2. Update Software
Keeping your devices patched and current is a must when it comes to security.
Your work devices may be centrally monitored and managed with updates pushed out to them. For personal devices like PCs running Windows, you can "Check for Updates" in system settings; there should generally be none outstanding. Phones, browsers, and home routers have their own update mechanisms and need the same attention.
3. Encrypt Data
Encryption can go a long way toward protecting your data even if it falls into the wrong hands.
In Excel and Word, use “Encrypt with Password” on any documents containing remotely sensitive data. Find it under File > Info > Protect Document. In current versions of Word and Excel, this robustly encrypts the contents of the document, with two caveats: the protection is only as strong as the password you choose, and the legacy Office 97-2003 formats (.doc, .xls) use a much weaker scheme, so save the file in the current .docx/.xlsx formats.
If available, encrypt any email that contains sensitive information. Check with your email administrator or provider on how to do this.
4. Secure Wi-Fi And Devices
Securing your home Wi-Fi is more important than ever when you are working remotely.
Use guest Wi-Fi access for visitors to keep them off the Wi-Fi network/SSID that has your PCs on it.
If you have IoT devices (security cameras, thermostats, security systems, video and music streamers) segregate the network they are on from where you connect your desktop or laptop.
If you receive text messages as part of MFA (multi factor authentication), make sure that your phone does not show contents of text messages on the home screen when it is locked.
The same is true for an MFA application: it should not show any MFA codes on the lock screen, and ideally it should require you to unlock the phone (PIN or biometric) before it displays them. If MFA codes are visible on the lock screen and someone steals your device, it is that much easier for them to access your most confidential accounts.
5. Beware of Phishing
If you receive an email from someone you don’t know or from someone you do know asking you something out of the ordinary, consider these five things to figure out if it is a phishing email:
- Ask Why: If anyone asks for your personal information over email, don’t hesitate to ask WHY. A legitimate email will never ask for personal information like your passwords or other personally identifiable information (PII).
- Think Before Opening: Always think twice before clicking any attachment or link in an email. Make sure it’s legit and came from someone you know or that you were expecting that email. That file or link could lead to something malicious.
- Verify Sender and Time: You should always verify a sender email address before replying. When dealing with work matters, a legitimate email should come from the organization’s email domain, not from a personal email address. Work emails also typically arrive during office hours, so an urgent request that lands in your inbox late at night or on a weekend deserves extra scrutiny.
- Don’t Act Out of Pressure: If an email comes in asking you to do something urgently or ASAP, don’t immediately reply due to that pressure. Reach out to the email sender or appropriate department by phone or in person for validation.
- Report Phishing: Report the email if it seems like a phishing attempt. How that is done will vary by application, organization, and other factors so make sure to check with your appropriate department so you’ll know how to report one if it makes it into your inbox.
6. Use Caution with Public Wi-Fi
Always use public Wi-Fi with caution.
Even if a Wi-Fi network requires a password that you must obtain, it doesn’t mean the network is secure. Potential attackers can leverage that public Wi-Fi in order to compromise your sensitive personal and professional information.
If you access public Wi-Fi, use a VPN solution in order to encrypt your traffic.
The VPN encrypts everything between your device and the VPN provider, so others on the same network cannot read or tamper with it. It does not make a malicious website safe, so the advice about phishing and checking the site you are on still applies.
7. Think Before You Install
Always take caution with browser extensions.
Though they may have the functionality you want, make sure to review their permissions, reviews, and the reputation of the developers.
If you no longer use a mobile app, take the time to delete your account and uninstall the app. Permissions and the security of apps can change between updates as features are added and vulnerabilities are uncovered. If you’re not keeping up with that app, that is all the more reason to jettison it.
8. Teach Children Safe Online Habits
Explain the risks of technology and how to be responsible online.
Reduce their risk by setting guidelines for and monitoring their use of the internet and other electronic media.
9. Protect When You Connect
If It’s Connected, It Must Be Protected: Always make sure your devices have anti-virus/anti-malware protection and that it is up-to-date. Consider adding other layers of security where possible.
Look for the lock: When browsing the internet, look for the lock symbol next to the web address. It indicates that your connection to the site is encrypted (HTTPS), not that the site itself is trustworthy; phishing sites routinely use HTTPS too, so check that the address is the one you expect as well (see example below).
If there isn’t a lock icon, or if your browser presents a certificate warning, think twice before you enter any personal or sensitive information on that web site. If you’re unsure whether a site is safe to use, consult your IT or appropriate department.
10. Use Complex Passwords
How secure is your password and how secure should it be?
If your password is changed every 90 days, you need a password that, on average, takes at least 91 days to crack. But how can you know how long your password would take to crack?
The following chart (from CloudNine) depicts how long it takes to crack a password of a given length and complexity. This one and others like it have been circulating on the internet for a long time.
While it provides a useful guideline, it makes many assumptions. For example, the time period shown is for an “average” password of the complexity and length listed. It also bases these figures purely on brute force cracking, with no smarter guessing strategy.
To put that in context, it shows that a 12-character, numbers only password would take one hour to crack. Who thinks “000000000001” will take the same amount of time as “654788139021”? Most attempts are likely to sequence the possible passwords in some manner so passwords at either end of the sequence may not take close to the average time to crack.
Hackers use dictionary lists which present multitudes of common words and phrases then combine them with rule sets that define common substitutions to generate many potential alternatives per wordlist entry.
For rule sets, think of things like replacing “a” with “@” or replacing “1” with “!”. These methods significantly shorten the time to crack passwords of a given complexity and length by accounting for the most common possibilities and ruling out the least common.
Today, hackers also mine public information about targeted users including readily available information such as birthdates, family member names, family member birthdates, and anniversaries. Add to this the current practice of mining social media for user interests, hobbies, language, and a veritable ocean of information becomes available to tailor any attack.
If your social platform footprint is extensive and you comment on classic movies, books, TV series, perhaps it wouldn’t take a hacker as long to crack your password as listed above just by character count. If you list your favorite movie as Gone With The Wind, a password of “FranklyMyDearIDontGiveADamn” may not take the over one quintillion years to crack.
Similarly, if you list your favorite book series as The Lord of the Rings and you have a password of, “On3R1ngT0Rul3Th3m@ll”, it may not take the over one quintillion years to crack but it still may take longer than 90 days. Or maybe not.
“The Prophecy of the North”, on the other hand, may suffice if you can reliably type it each time, but it is an example of a password (or passphrase) so long and complex that it may be impractical to use in practice.
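The following added Python example (not from the original article) shows how small a rule set needs to be before passwords like the ones discussed in this section fall to a dictionary attack, and how much a wordlist tailored from someone’s public profile matters. It models the attack offline against an unsalted SHA-256 hash, as an attacker would against a stolen hash; the two wordlists, the suffixes and the “harvested” profile details are constructed for this example, and the article’s own sample passwords are used as targets.

```python
import hashlib
import itertools

# Constructed wordlists.  GENERIC stands in for the top of a public breach
# list; TARGETED is what an attacker could assemble from one person's public
# posts (favourite film and book quotes, a pet's name, a birth year).  Every
# entry here is invented for this example.
GENERIC = ["password", "welcome", "summer", "dragon", "letmein", "football"]
TARGETED = ["OneRingToRuleThemAll", "FranklyMyDearIDontGiveADamn", "Biscuit", "1987"]

# The substitutions the article describes (a -> @, e -> 3, ...), kept
# case-sensitive so that a rule can turn "All" into "@ll" while leaving the
# capital "O" of "One" alone, exactly as in "On3R1ngT0Rul3Th3m@ll".
SUBS = [("a", "@"), ("A", "@"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "$"), ("S", "$")]
# Common appendages; the second year is a constructed "profile" detail.
SUFFIXES = ["", "1", "!", "123", "2021", "1987"]


def substitution_tables():
    """Every subset of SUBS applied together.

    This is what a leet rule file expands to (hashcat's sa@, se3, si1, so0,
    ss$ rules in all combinations): 2**7 = 128 translation tables.
    """
    for n in range(len(SUBS) + 1):
        for combo in itertools.combinations(SUBS, n):
            yield str.maketrans({old: new for old, new in combo})


def candidates(word):
    """Yield the guesses the rule set derives from one wordlist entry."""
    seen = set()
    for base in (word, word.lower(), word.upper(), word.capitalize()):
        for table in substitution_tables():
            mangled = base.translate(table)
            for suffix in SUFFIXES:
                guess = mangled + suffix
                if guess not in seen:          # duplicates waste hash computations
                    seen.add(guess)
                    yield guess


def sha256_hex(password):
    """Unsalted SHA-256, standing in for whatever hash the attacker stole."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash, wordlist):
    """Offline dictionary-plus-rules attack against one hash.

    Returns (plaintext, guesses) when a candidate matches, or (None, guesses)
    once the wordlist and rule set are exhausted.
    """
    guesses = 0
    for word in wordlist:
        for guess in candidates(word):
            guesses += 1
            if sha256_hex(guess) == target_hash:
                return guess, guesses
    return None, guesses


if __name__ == "__main__":
    targets = [
        ("P@ssw0rd123", GENERIC),               # leet + suffix on a top-list word
        ("On3R1ngT0Rul3Th3m@ll", GENERIC),      # the article's example, untargeted list
        ("On3R1ngT0Rul3Th3m@ll", TARGETED),     # same password, list built from the profile
        ("FranklyMyDearIDontGiveADamn", TARGETED),
        ("xK9#vQ2mLp!r", GENERIC + TARGETED),   # random, from a password manager
    ]
    for password, wordlist in targets:
        found, guesses = crack(sha256_hex(password), wordlist)
        status = "cracked" if found else "not found"
        print(f"{password:30} {status:>10} after {guesses:6d} guesses")
```

The point the numbers make: with only a generic list, “On3R1ngT0Rul3Th3m@ll” survives the whole run, but once the favourite-book quote is in the list it falls in a few hundred guesses, far from the quintillion years the chart suggests for its length. The random string survives both lists because no rule can derive it from a word, which is the case for a password manager.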
So, when making passwords keep in mind:
- If you change your password every 90 days, you need a password that can’t be cracked in fewer than 91 days
- Don’t use personal information that can be gathered about you when creating a password even if it meets the complexity and length requirements
- If this seems overwhelming, consider using a password manager to generate and store sufficiently complex passwords and passphrases for you
Find More Ways To Secure Your Business
We've outlined some ways you can help protect your personal data and your organization’s data from cyber criminals. Whether you use more complex passwords, beef up the security of your home Wi-Fi, or are just generally more aware of cybersecurity best practices, all of these steps add up to a more secure environment for your home and business.
If you’d like even more ways to improve the cybersecurity at your organization, check out 10 Simple Things You Can Do to Improve Your Company’s Cybersecurity Posture eBook.
"True cybersecurity is preparing for what's next, not what was last." Cybersecurity Expert Neil Rerup
Wishing you a cyber-safe day and a cyber-safer tomorrow.