This final video in our three-part Cyber Hygiene series is the most important. It covers the three key areas to keep your organization’s data safe.
What can you do to keep your organization safe?
One of the biggest risks to your organization’s cybersecurity is people. The figure most often quoted is that around 95% of successful cyber-attacks involve human error. As you saw in the first video, one accidental click can take down a whole organization, and in extreme cases the organization never recovers and goes out of business.
So, what can we do about it? More specifically, what do we need you to do to keep your organization safe?
There are three key areas where your actions can have a huge impact. They are:
- Software updates
- Passwords
- Awareness of social engineering
Software updates
If you’re in the middle of something on your computer and a software update pop-up appears, it can be very annoying. The temptation is to hit “remind me later”, and it’s all too easy to keep doing that because you’re busy.
However, an update usually exists because a security flaw has been found and fixed. Once the fix is public, attackers know exactly what the flaw is and scan for machines that haven’t applied it yet, so every day you delay is a day your computer is a known, easy target, with potentially enormous repercussions for the organization.
If that sounds farfetched, consider the figure often quoted in breach surveys: around 80% of companies that suffered a data breach could have prevented it by installing the relevant updates when they were released.
Updates are essential. Sometimes they may feel like a nuisance, but they’re there to keep your computer and organization safe. So next time you’re tempted to snooze or delay an update, don’t. Save your work, run the updates, and find something else to do while you wait.
Or better still, get us to do the updates for you.
Passwords
People can be very careless when it comes to passwords.
Let’s say your password is ‘password1’. How long would it take a password cracker to get into your account? About 0.19 milliseconds, and not because the cracker had to work through every combination: ‘password1’ sits near the top of every list of leaked passwords, so it’s among the first guesses tried. And it isn’t even the most commonly used password. That would be ‘123456’, with ‘123456789’ in second place. They’re an absolute gift to hackers.
Using pet names, children’s names, or birthdays is not much better. ‘Fluffy1’, for example, takes a little longer, but a dictionary word with a digit tacked on is one of the first patterns a cracking tool tries, so it still falls in well under a second. Don’t use any personal information that links to you as a password, not least because much of it can be found on your social media.
Don’t ever give your password to anyone. That includes your IT support team; a genuine support team never needs it. It can be tempting to jot down usernames and passwords on sticky notes and stick them to your monitor or inside your desk drawer. That makes it far too easy for anyone who walks past your desk to access your account.
Use a unique password for each account you have. If hackers get hold of one password, the first thing they will do is try the same username and password on every other site they can think of (the technique is called credential stuffing), so one leaked password becomes a leak of every account that shares it.
What makes a good password?
Let’s look at the key components of a good password. They are:
- The longer your password, the better. Aim for at least 16 characters
- A password should be random. You can create an easy-to-remember 16-character passphrase from a random collection of common words, for example: “yellowdogballoon”. Pick the words at random (a generator or dice, not words that mean something to you), and the more words the better, because a cracker that guesses you’ve used common words will try combinations of whole words rather than individual letters. Or use a random password generator
- A password should include additional complexity. Include upper- and lower-case letters, numbers, and special characters. The ideal password should contain at least three of these four types; for example: Yellow!DoG?BALLOON
Now you have a long, random password that includes upper-case and lower-case letters, and special characters. And even though it’s random, it’s memorable.
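To put numbers on “longer”, “random” and “complex”, here is an added worked example (not part of the video) that estimates how many guesses each kind of password costs an attacker. It assumes a constructed attacker model: ten billion guesses per second, a tiny stand-in for a leaked-password list, an English dictionary of 170,000 words for the “word plus digits” rule, and a 7,776-word list for passphrases. The point it adds to the text is that a passphrase’s strength comes from the number of words, not the character count, once the attacker guesses you used common words.

```python
import math

# Assumed attacker model for the arithmetic (not a figure from the video): an offline attack
# on a leaked password hash at ten billion guesses per second.
GUESSES_PER_SECOND = 1e10

# Constructed stand-in for a leaked-password list, ordered by popularity; real lists hold
# hundreds of millions of entries.
COMMON_PASSWORDS = ["123456", "123456789", "qwerty", "password", "password1", "111111"]

# Constructed stand-in for the dictionary a cracking tool loads, and its assumed real size.
DICTIONARY_WORDS = {"fluffy", "password", "yellow", "dog", "balloon"}
DICTIONARY_SIZE = 170_000

# Word-list size for passphrases (6^5, as in Diceware); assumed to be known to the attacker.
WORDLIST_SIZE = 7776


def charset_size(password):
    """Smallest alphabet covering every character class the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 32  # printable ASCII punctuation
    return size


def brute_force_bits(password):
    """Entropy if the attacker must try every string of this length over this alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def word_plus_digits_bits(password):
    """Cracker rule 'dictionary word, optional capital, digits appended'; None if it doesn't apply."""
    stem = password.rstrip("0123456789")
    if stem.lower() in DICTIONARY_WORDS:
        return math.log2(DICTIONARY_SIZE * 2 * 10 ** (len(password) - len(stem)))
    return None


def wordlist_bits(n_words, wordlist_size=WORDLIST_SIZE):
    """Entropy of an n-word passphrase once the attacker guesses whole words from the list."""
    return n_words * math.log2(wordlist_size)


def attacker_bits(password, n_words=None):
    """Entropy under the cheapest strategy available to the attacker."""
    if password in COMMON_PASSWORDS:
        return math.log2(COMMON_PASSWORDS.index(password) + 1)  # cost = rank in the list
    candidates = [brute_force_bits(password)]
    rule = word_plus_digits_bits(password)
    if rule is not None:
        candidates.append(rule)
    if n_words:
        candidates.append(wordlist_bits(n_words))
    return min(candidates)


def seconds_to_crack(bits, rate=GUESSES_PER_SECOND):
    """Worst case for the attacker: the whole space; on average it takes half this."""
    return 2 ** bits / rate


def human(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    samples = [("password1", None), ("Fluffy1", None), ("yellowdogballoon", 3),
               ("yellowdogballoonriverquietmoss", 6)]
    for pw, words in samples:
        bits = attacker_bits(pw, words)
        print(f"{pw:32} {bits:6.1f} bits  {human(seconds_to_crack(bits))}")
```

Run it and “yellowdogballoon” (three words, about 39 bits) falls in under a minute once the attacker assumes whole-word guesses, whereas six random words from the same list (about 78 bits) take hundreds of thousands of years at the same rate. Mixed case and punctuation, as in Yellow!DoG?BALLOON, push the attacker back toward character-by-character guessing, which is why the video adds complexity on top of length and randomness.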
Additional ‘best practice’ steps
These additional steps may be outside of your control, but it’s important for you to be aware of them.
The first is multi-factor authentication, or MFA. This is where a system requires two or more pieces of evidence when you log in: something you know (your password) plus something you have, such as your phone. You’re likely to have used this yourself; for example, when you’ve logged into your bank and been texted an access code, or had to generate it on a separate device. A code generated by an authenticator app or a hardware key is stronger than a texted one, because text messages can be intercepted or redirected.
The exciting thing about MFA is that it stops your password from being the sole gatekeeper to your account. A hacker who has your password still needs the second piece of evidence, such as the code that’s been generated, to get in. One caveat: a convincing fake login page can ask you for the code as well as the password and use both straight away, so MFA reduces the damage a phishing email can do but doesn’t remove the need for the checks later in this video.
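As an added example (not from the video or its authors), here is the arithmetic behind “generate it on a separate device”: the time-based one-time password that authenticator apps compute (RFC 6238, built on the HOTP algorithm of RFC 4226), together with a login that insists on both factors. The shared secret is the test-vector key from the RFCs, the user record and salt are constructed for the demo, and the expected codes are the RFCs’ published values.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the shared key from the RFC 4226/6238 test vectors, NOT a real one.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds each code is valid for, the usual setting
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic truncation'."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=TIME_STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to the current time window (phone and server
    share the secret, so both can compute the same code without talking to each other)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, window=1):
    """Accept the current window and `window` windows either side to tolerate clock drift.
    Constant-time comparison so response timing does not leak how many digits matched."""
    counter = unix_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, c), submitted)
        for c in range(counter - window, counter + window + 1)
    )


# Constructed user record. The password is stored as a salted PBKDF2 hash, never in clear.
_SALT = b"constructed-demo-salt"
USER = {
    "name": "alice",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Yellow!DoG?BALLOON", _SALT, 100_000),
    "totp_secret": DEMO_SECRET,
}


def login(username, password, code, unix_time):
    """Both factors must pass: a stolen password on its own is not enough."""
    if username != USER["name"]:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000), USER["pw_hash"]
    )
    return pw_ok and verify_totp(USER["totp_secret"], code, unix_time)


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("code your phone would show right now:", code)
    print("password + correct code:", login("alice", "Yellow!DoG?BALLOON", code, now))
    print("password + guessed code:", login("alice", "Yellow!DoG?BALLOON", "000000", now))
```

The code changes every 30 seconds and is derived from a secret that never leaves the phone and the server, which is why a password copied from a sticky note is useless without it. The same property shows the limit noted above: a phishing page that collects the current code and replays it within the window still gets in, so the second factor protects against a stolen password, not against typing both factors into the wrong site.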
The next very useful tool is a password manager. This is a secure application that stores your passwords and generates long random passwords for you, so you only have to remember one master password (make that one long and unique, and protect it with MFA if the manager supports it). A browser-integrated manager also only fills in a password on the exact website it was saved for, so if a phishing page on a look-alike domain asks for your password, the manager won’t offer it, which is a useful warning in itself.
If your organization isn’t using these technologies but you feel they could help, speak to your line manager.
Awareness of social engineering
This is where hackers pretend to be someone you trust, or someone in authority, to get hold of information they can use, from personal details to your password. They might email or telephone you, message you, or even stop you in the street.
Here’s an example of social engineering from Jimmy Kimmel Live: https://www.youtube.com/watch?v=opRMrEfAIiI
Interviewer: Talking about cyber security today and how safe people’s passwords are, what is one of your online passwords currently?
Lady: It is my dog’s name and the year I graduated from high school.
Interviewer: What kind of dog do you have?
Lady: I have a 12 year old papillon.
Interviewer: And what’s his name?
Lady: Jameson.
Interviewer: And where’d you go to school?
Lady: I went to school back in Greensburg, Pennsylvania.
Interviewer: What school?
Lady: Hempfield Area Senior High School.
Interviewer: When did you graduate?
Lady: In 2009.
Interviewer: Oh great.
That was for a TV show, but isn’t it striking how easily the interviewer got everything needed to reconstruct that password, just by asking friendly questions?
Social engineering comes in many forms. I want to focus on phishing now, as it’s one of the most common types of cybercrime. Phishing is where a hacker uses an email (or a text, or a call) to trick you into visiting a fake website, handing over your credentials, or downloading malware.
Six basic checks
Here are six basic checks you should do with any form of communication you receive. You need to look at:
- The sender’s address
- Discrepancies in the writing format
- Spelling and grammar issues
- Link destination
- Unexpected attachments
- Look and feel
Let’s take a closer look.
The sender’s address
Always make sure the email address is legitimate, and look at the actual address, not just the display name: an email can show the name “Amazon Customer Service” while the address underneath is something else entirely. Amateur hackers send emails from Gmail or Hotmail accounts and hope you don’t notice. More sophisticated hackers register a domain that closely mimics the real one, like amazonnprime.com rather than amazon.com, or one a single typo away from it, and count on you not reading it character by character.
Double-check the email address before opening, clicking links, or responding.
Discrepancies in the writing format
If the attack is coming from overseas, you may notice small differences in writing conventions, like a date written as 4th April 2021 rather than April 4, 2021 (if the latter is how your organization writes it). On its own this is weak evidence, since genuine colleagues and suppliers abroad write dates differently too, but in a message that claims to come from a local sender it’s a red flag.
Spelling and grammar issues
You might find an occasional typo in any email, but if you receive one riddled with grammar and spelling mistakes, consider the source. It’s likely a hacker – especially if the email supposedly comes from a major organization.
Link destination
Before you click on any link in an email, hover over it; the destination URL should pop up in the corner of your screen (on a phone, press and hold the link instead). The visible text of a link can say anything, so look at the domain name in the destination, not the text, and, just as with the sender’s address, make sure it’s the legitimate domain before clicking.
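To make the sender-address and link-destination checks concrete, here is an added example (not from the video) that runs both over a constructed phishing email and a constructed genuine one, using only Python’s standard library. The trusted-domain list, the free-webmail list and both messages are assumptions for the demo; registered_domain is a deliberate simplification (last two labels of the hostname) that real code should replace with a Public Suffix List lookup.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation deals with; in practice this comes
# from your own records, never from the message being checked.
TRUSTED_DOMAINS = ["amazon.com", "example-bank.com"]
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typo domains (amaz0n.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of a hostname. Simplification (assumption): real code should use the
    Public Suffix List so that amazon.co.uk is not reduced to co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def is_lookalike(host, trusted):
    """True when host impersonates trusted: a near-typo of it, or the brand name buried in some
    other registered domain (amazonnprime.com, amazon-security.net). Genuine subdomains of the
    trusted domain are not look-alikes."""
    host = host.lower()
    if registered_domain(host) == trusted:
        return False
    brand = trusted.split(".")[0]
    return levenshtein(registered_domain(host), trusted) <= 2 or brand in host


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header):
    """The address that matters is the one in angle brackets, not the display name."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if domain in FREEMAIL_DOMAINS:
        findings.append(f"sender uses free webmail domain {domain}")
    for trusted in TRUSTED_DOMAINS:
        if is_lookalike(domain, trusted):
            findings.append(f"sender domain {domain} is a look-alike of {trusted}")
        elif trusted.split(".")[0] in name.lower() and registered_domain(domain) != trusted:
            findings.append(f"display name {name!r} claims {trusted} but address is {addr}")
    return findings


def check_links(html_body):
    """The 'hover over it' check: compare where a link says it goes with where it really goes."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        dest = (urlparse(href).hostname or "").lower()
        if not dest:
            continue
        if "." in text and " " not in text:  # link text that itself looks like a URL
            shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
            if shown and registered_domain(shown) != registered_domain(dest):
                findings.append(f"link text shows {shown} but goes to {dest}")
        for trusted in TRUSTED_DOMAINS:
            if is_lookalike(dest, trusted):
                findings.append(f"link goes to {dest}, a look-alike of {trusted}")
    return findings


def analyse(raw_message):
    """Run both checks over one RFC 5322 message; returns a list of human-readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = check_sender(str(msg["From"]))
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        findings += check_links(body.get_content())
    return findings


# Constructed sample messages for the demo; no real mail was used.
SAMPLE_PHISH = """From: "Amazon Prime" <billing@amazonnprime.com>
To: you@example.org
Subject: Payment failed - action required
Content-Type: text/html

<p>Update your card now: <a href="http://amazonnprime.com/login">https://www.amazon.com/account</a></p>
"""

SAMPLE_LEGIT = """From: "Amazon" <no-reply@amazon.com>
To: you@example.org
Subject: Your order has shipped
Content-Type: text/html

<p><a href="https://www.amazon.com/orders">View your order</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(raw) or ["no findings"])
```

The two checks catch different tricks: is_lookalike flags a domain that merely contains the brand (amazonnprime.com) or is a typo away from it (amaz0n.com), while the link check flags an anchor whose visible text is a genuine-looking URL but whose href points somewhere else, which is exactly what hovering reveals. Neither check proves a message is safe; a clean result only means these particular tricks weren’t used.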
Attachments
Don’t open any attachment you didn’t expect to receive, whether it’s a zip file, PDF, Office document, or anything else. Hackers want you to launch attachments so they can run code on your computer, as we saw in the first video. If you were expecting a file from that person, confirm with them by another route before opening it.
Look and feel
Hackers try their best to mimic the look and feel of a business in their emails, including replicating logos. Often they get very close, but they won’t be perfect. If something feels off, it probably is.
Three more red flags
Hackers are getting smarter so, as well as doing your six basic checks, look out for these three red flags:
Urgency
If you’re ever put under pressure to action something immediately, question whether it’s a legitimate request. Urgency is designed to stop you doing the checks above. Pick up the phone and check, using a number you already have rather than one given in the message.
Emotional triggers
If a request plays on your emotions, you’re less likely to question it and so more likely to make a mistake. Whether it’s fear of a fine, joy at a new job offer, or sadness because something you hold dear is under threat, emotion is a huge action trigger. Pause and think before you react.
Unexpected money
If you’re being offered money you weren’t expecting, question the source. It’s more than likely a scam.
What to do when you’re not sure if something is genuine
Phishing attacks aren’t just limited to emails. They can come in voice calls and texts as well. In fact, any form of communication can be vulnerable.
If you’re not sure about the authenticity of something you receive, remember these three simple steps:
Stop – don’t click or react to the communication you’re not sure about.
Think – make yourself a drink, or chat to a colleague to see what they think.
Check – pick up the phone and verify the message is real, using a number you already have or one you’ve looked up yourself.
Don’t rely on the information that you’ve been provided. Always use your own resources, such as Google, to find legitimate contact information.
What if, despite your best efforts, you fall victim to a scam?
First up, don’t panic. We understand the power of that initial rush of adrenalin, but take a deep breath. Panic solves nothing.
Next, take whatever mitigating action you can. For example:
Did you give away a password? Change it immediately. If you’ve used the same password on another system or platform, change it there, too.
Did you download an unknown file? Disconnect your computer from the network straight away (unplug the network cable or turn off Wi-Fi) and turn it off. This could stop the infection from spreading to other machines.
Finally, get in touch with us and explain what happened. We can check for any spread of the infection, disinfect the system, and look to see if anyone might still have access to your data.
We’ve covered a lot of ground in these videos.
Our goal is not to scare you, but to give you the ability to protect your organization and its data.
If something does go wrong, never try to cover it up – it can potentially make things many times worse. Honesty is always the best policy.
Remember, we’re here to help you. If you have any questions or concerns, or just want to learn more cyber security best practice, get in touch.