This blog was written by an independent guest blogger.
It is that time of year again when we start planning resolutions for the coming year. A good start is putting cybersecurity at the top of the list, whether you are a business or an individual. According to a University of Maryland study, hackers attack every 39 seconds, on average 2,244 times a day. It may be even higher now that more of us are working remotely because of COVID-19 and the attack surface has greatly expanded in both size and vulnerability. Clearly, with the plethora of breaches, spam, and ransomware we already experienced in 2020, we need to be better prepared in 2021.
What are a couple of cybersecurity hygiene upgrades that will improve outcomes in 2021?
Poor passwords have always been viewed as low-hanging fruit for hackers and the easiest way into the crown jewels of data. Yet many still use common passwords such as 123456 or password, or birthdays, which pose little barrier to the bad guys accessing your accounts. In fact, a UK National Cyber Security Centre 2019 survey analysis discovered that 23.2 million victim accounts from all parts of the world used 123456 as a password. Another 7.8 million data breach victims chose 12345678 as a password. More than 3.5 million people globally picked the word "password" to protect access to their sensitive information.
Now that we have all become creatures of social media, hackers can use social engineering tactics, exploring your social media accounts, which often highlight pet names (quite often used as passwords; I admit I have been guilty of that too) or other identifiable items that may give clues to passwords and interests. What is particularly alarming is that there are also programs that mine public social sites and marketing information to “guess” passwords.
Actions: the remedies for the bad habit of using easy-to-crack passwords are simple. Do not use default passwords on your devices, and when you do create passwords, make them complicated. Consider making them long, or using phrases with letters, numbers and characters. Also, do not use the same password for multiple accounts; make it difficult for hackers to get in with one try. Make their challenge harder still by using multifactor or biometric authentication, such as a fingerprint, facial recognition, or a text message to verify it is you when you sign in. And if you want to make things less stressful on your memory (we all forget our passwords), consider using a security token and/or a password manager. The bottom line is that secure passwords are a basic step to stronger cyber hygiene.
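The following is an added example, not code from this post or its author, showing how the advice above can be turned into a password-policy check that an application or a password manager could apply: it rejects the common passwords the post cites, enforces a length floor, flags words the user has published (pet names, birth years), and detects reuse across accounts. The minimum length, the entropy floor, the deny-list contents and the `password_hash` reuse fingerprint are assumptions chosen for illustration.

```python
# Added example: a password-policy check that enforces the advice above.
# This is not code from the post; the thresholds and the deny-list are
# assumptions chosen for illustration.
import hashlib
import math
import re
from typing import FrozenSet, Iterable, List

# Constructed deny-list seeded with the three passwords the post cites plus a
# few obvious variants. A real deployment would use a large breached-password set.
COMMON_PASSWORDS = {"123456", "12345678", "password", "password1", "qwerty", "123456789"}

MIN_LENGTH = 14        # assumption: long passphrases are the goal
MIN_ENTROPY_BITS = 60  # assumption: rough strength floor


def estimate_entropy_bits(pw: str) -> float:
    """Rough entropy estimate: length times log2 of the character pool used."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(pool) if pool else 0.0


def password_hash(pw: str) -> str:
    """Fingerprint used only to detect reuse across accounts (not a storage hash)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw: str, personal_terms: Iterable[str] = (),
                   used_hashes: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes.

    personal_terms: words the user has made public (pet names, birth year, ...)
    used_hashes:    fingerprints of passwords already used on other accounts
    """
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if pw.isdigit():
        problems.append("digits only")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains publicly known term '{term}'")
    if password_hash(pw) in used_hashes:
        problems.append("reused from another account")
    if estimate_entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


if __name__ == "__main__":
    # Constructed candidates: one of the post's examples, a pet-name password, a passphrase.
    for candidate in ("123456", "FluffyTheDog2021!!", "Maple Syrup Hides Nine Owls!"):
        print(candidate, "->", check_password(candidate, personal_terms=["Fluffy"]) or "OK")
```

The entropy estimate is deliberately crude (it assumes every character is drawn independently from the pool), which is why the deny-list and the personal-term check sit beside it: a long password built from a pet name scores well on entropy but still fails the policy.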
Phishing is the tool of choice for many hackers. It is commonly defined as a technique hackers use to exfiltrate your valuable data or to spread malware. Anyone can be fooled by a targeted phish, especially when it appears to come as a personal email from someone higher up the work chain, or from a bank, organization or website you frequent. Usually the phishing malware arrives via email attachments, but it can also be web-based. According to an analysis by Webroot, 46,000 new phishing sites are created every day and 1.385 million new, unique phishing sites are created each month. At a more granular level, the firm Wandera says that a new phishing site launches every 20 seconds.
Advances in technology have made it easier for hackers to phish. They can use readily available digital graphics, social engineering data, and a vast array of phishing tools, some automated by machine learning. Phishing is often accompanied by ransomware, and one hacker tactic is to target leadership at companies or organizations (spear-phishing), because executives usually have better access to valuable data and make ready targets because of a lack of training.
Actions: No one is invulnerable to a crafty phish, but steps can be taken to lessen the chances and costs of a breach. For one thing, do not open any attachment you do not recognize, and even if you think you know it, double-check and verify the sender. Beware of visually appealing pop-ups on your computer too. Cybercriminals are sophisticated and creative. An easy rule to follow is to automatically discard any communication asking you for personal information. Chances are you are not the recipient of long-lost funds found in an obscure bank account, nor did you randomly win a contest. If something seems too good to be true, it probably is.
Some other important advice is to make sure you back up your valuable data, preferably on another device segmented from the PC or phone that could be targeted. If you are a small business or an individual, it is not a bad idea to invest in anti-phishing software; it adds another barrier. I also recommend regularly monitoring your social and credit accounts for any anomalies. And if you are with a larger company, consider getting anti-phishing training. Companies often use gamification to enhance employees' cybersecurity awareness (and it can make learning fun).
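As an added example (not code from this post or its author), here is how the "verify the sender, distrust unknown attachments, discard requests for personal information" advice above can be encoded as a small triage check a mail filter or a careful reader could run over a raw message. The sender directory, the lookalike domains in the constructed sample, the risky-extension list and the keyword list are all assumptions for illustration.

```python
# Added example: header, attachment and body checks that flag a suspected
# phish. Not code from the post; the directory, domains and keyword list are
# constructed assumptions.
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}  # constructed directory
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta")
INFO_REQUEST_WORDS = ("password", "social security", "account number", "verify your account")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw: str) -> List[str]:
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The display name matches someone in our directory but the address does not.
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        findings.append(f"display name '{name}' used with {addr}, directory has {expected}")

    # 2. Replies are steered to a domain other than the one the mail claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(addr):
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(addr)}")

    # 3. Attachments with executable extensions, including double extensions like .pdf.exe.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment '{filename}'")

    # 4. The body asks for personal information.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    for phrase in INFO_REQUEST_WORDS:
        if phrase in body:
            findings.append(f"body asks for '{phrase}'")
            break
    return findings


def build_sample() -> str:
    """Constructed message exhibiting every indicator at once; not a real email."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane.doe@lookalike-domain.test>"
    m["Reply-To"] = "billing@another-domain.test"
    m["To"] = "employee@example.com"
    m["Subject"] = "Urgent: verify your account"
    m.set_content("Please verify your account by replying with your password.")
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    return m.as_string()


BENIGN_SAMPLE = (  # constructed: the same colleague writing from the directory address
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: employee@example.com\n"
    "Subject: Lunch\n\n"
    "See you at noon.\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", build_sample()), ("benign", BENIGN_SAMPLE)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

None of these four checks is conclusive on its own (a legitimate mailing service may set a different Reply-To, and HR really does send forms), which is why the function returns the full list rather than a verdict: the more indicators stack up, the more the "double-check and verify the sender" step is warranted before anything is opened or answered.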
These are just two basic cyber hygiene actions that anyone can take to make their digital identities more secure. Certainly, there are many other steps that should be instituted for a layered and more holistic zero trust defense. For example, you can regularly apply security patches, install firewalls, secure your routers and Wi-Fi, and use virtual private networks (VPNs).
For better protection, also consider adding antivirus and intrusion detection software to your devices. Another means of protection to consider is storing your data in the cloud, where it can also be agile and encrypted. For many of these security implementations and applications, I suggest using professionals in the field who can determine gaps and requirements through risk management vulnerability assessments. There are also some excellent managed service providers who can take on and coordinate your cybersecurity needs.
Next year, please be aware of the benefits of using strong passwords and of how to avoid the phish in the cyber threat landscape. Hopefully these two steps alone will make 2021 a safer year.