Written by The Business Journal Staff
In 2016, we saw Hillary’s emails exposed on Wikileaks, the Democratic National Committee email leak, taxpayers affected when the Internal Revenue Service was hacked, the U.S. Department of Justice breach exposing 20,000 FBI employees, Verizon customer data exposed, San Francisco’s public railway system shut down, and most recently Yahoo’s billion-account hack. The theft of Protected Health Information continues to accelerate, with over 15 million patient records compromised in 2016. The FBI estimates that ransomware will be a $1-billion industry this year. Consumer identities are stolen hundreds of thousands of times per day and sold on the black market (the Dark Web) to the highest bidder. This disturbing trend continues to build with no signs of slowing down.
With crime organizations, drug cartels, and nation states driving these attacks, how do the average consumer and business owner make a stand? It begins with understanding the attacker’s motivation and opportunistic nature.
Imagine a densely populated neighborhood. All of the homes have highly sought-after valuables. When thieves come to steal, they indiscriminately check every home. If the door is locked, they move on. Why? Because they know, with certainty, that the majority of the homes have their doors unlocked with the windows open! The same principle applies to cyber theft. Hackers have little desire to kick down your door, so to speak. Why go to all the trouble when so many other potential victims have done little to prevent a breach in the first place? Hackers are opportunistic in nature. Understanding this is your best defense.
If you want to make a stand, if you want to push back, then take a moment and lock your door! By implementing the steps below, you will significantly reduce the likelihood of a cyber breach.
For the consumer
● Install anti-virus software on every computer you own! Sounds simple enough, but a lot of people still don’t do it.
● Keep your operating system (Windows, Mac) up-to-date. When your computer wants to perform those security updates, do not delay.
● Always use complex passwords. Using ‘password1’ or ‘123456’ doesn’t cut it. If remembering complex passwords is too difficult, we recommend using a sentence as your password. Example: “I always like to travel when on vacation!” This password would be cracked in approximately 30 quattuordecillion years. I think you will be safe.
● Never use the same password across multiple online accounts. While a nuisance, the fact is that hackers know that once they have obtained an initial password, it is likely used over and over for other sites such as banking, social media, computer logins, etc.
● Limit the amount of personal information you share online! When teaching awareness classes, we can often ‘reset’ a student’s online account by leveraging the personal information in their publicly available social media profiles. Too easy.
● Be so vigilant with email that you are perhaps flirting with paranoia. The overwhelming majority of breaches begin with targeting your email accounts. Never open an attachment unless you are absolutely positive of its contents. Never reveal personal information via email.
For the business owner
We recommend implementing all of the consumer tips as well as the list of precautions below. It has been estimated that nearly 85 percent of attacks can be prevented with the following measures:
● Regularly update and patch all operating systems and applications within your company. By not having a regular patch management schedule, you are giving hackers an edge.
● Whitelist applications on your network. You essentially only allow designated applications to run, while all other applications are implicitly denied. Depending on your company’s use of technology, this can be an involved strategy to institute.
● Restrict administrative privileges among your employees. If someone doesn’t need certain access to perform their job, remove it. You are not restricting their access because you do not trust them as an employee; you are restricting their access because hackers seek to compromise and steal your employees’ passwords. The less your employees have access to, the less damage can be done in the event of a breach.
● Segment your network! Too many times we see the ‘free lobby Wi-Fi’ on the same network as the accounting system, or other sensitive data. This is a very bad idea.
● If your organization has custom web applications, ensure your developer has instituted Input Validation. This helps to minimize malformed data sent by a hacker through your website or similar web applications.
● Consider enabling File Reputation. Some anti-virus software manufacturers have excellent file reputation services that stop untrusted code in its tracks.
● Check your firewall settings. A qualified and experienced engineer should ensure all settings have been properly configured and maintained.
● Backups! When was the last time you verified that your backups work? Are they stored offsite?
● Institute regular and intentional staff training sessions, and hold staff accountable. The fact is, your staff is the number one target for those seeking to breach your corporate network. Your staff needs to be prepared, and it’s your job to prepare them.
● Lastly, conduct an annual security review and vulnerability assessment. A seasoned cyber security professional will have the ability to test and validate your defenses against attacks.
To read more from Brian Horton, CEO of IT Strategy, Inc., follow our company page and subscribe to the ITSI Blog. IT Strategy, Inc. is a Fresno-based cyber security consulting firm.