Security is Everyone’s Job
“Never was anything great achieved without danger.” -Niccolo Machiavelli
As we begin National Cybersecurity Month, it's a great time to reflect on how we can all protect ourselves at work and home. Let’s look at some current risks and see what changes we can adopt to mitigate these risks.
Email - we need it, love it, live it, but it’s risky.
Phishing is still the number one risk for most of us. Whether it’s an automatic preview in our work email system, or a browser injection on Web mail, SPAM and phishing are both a security risk and an irksome annoyance.
Unfortunately, we are not winning the battle against email cybercriminals and overzealous marketers, despite almost ubiquitous deployment of spam filters. Here we are in 2015, and spam still represents >10% of our inboxes. The statistics on phishing are even worse. From 2014 to 2015, the number of phishing sites increased from about 25,000 to 33,500, according to Google.
Furthermore, malicious email is becoming more sophisticated by embedding macros in ordinary looking attachments. In our busy lives, it’s easy to accidentally click on an attachment or link with malicious content.
The following are some email checks to keep top of mind:
Stay in familiar territory
Make sure the to: and reply to: emails match, or are from a company you know. Email phishers will try to fool you with an email that looks like someone you know, when it isn’t.
Watch out for typosquatters
These are email domains that are just slightly different from the real company name. These are commonly used in Business Email Compromise campaigns, where fraudsters trick businesses and consumers into sending money to a bank outside the US, often China or Russia. This money is very difficult to recover because we don’t have the right legal relationships, and international banking laws don’t provide the same protection as US laws.
These transactions pose a big business risk. We’ve lost 1.2 billion dollars in recent years. Even worse, this type of fraud is on the rise, up by 270% according to the FBI results released just last month.
Personal email accounts are not safe from fraudsters
Personal email account breaches are difficult to detect because the fraudulent request comes from a real account. Hackers use the compromised account to steal money from relatives and friends. Particularly vulnerable are older parents and grandparents.
Don’t be a victim. Here are some safe computing practices that can help you avert email fraud:
Keep private information private
Never share your password. If someone genuinely needs access to your account (should never happen at work), change your password, then change it back when they are done.
Add variety to your login credentials
If you use a free email account, use a unique password for this account—not the one you use for social media, websites, and especially banking. Change your password frequently—at least once a quarter. It doesn’t need to be complicated, use your current password and add a special character for each quarter (see example below), or create your own that you can remember. Also, make your change date memorable, like the beginning of the quarter, or when you pay your mortgage.
- 1st quarter “!”
- 2nd quarter “?”
- 3rd quarter “&”
- 4th quarter “%”
This makes it more difficult for password crackers to guess your password, and if there is a password leak at another site, you haven’t handed over the keys to your email house as well.
Keep your system patched
Many of the security vulnerabilities exploited by hackers to compromise accounts are old and have been fixed by the vendors. If you are in a corporation, talk to IT about automatic updates. If you can’t patch because you are running an older application, ask IT about creating a VM (virtual machine) for you to run that old application. This helps you keep your system patched and up to date. At home, make sure your operating system, pdf reader (adobe.com), and browsers are set for automatic updates. Patching these three things will protect you from the majority of risks.
Educate your friends and relatives
Warn your less tech-savvy acquaintances of the dangers of cyber fraud. Remind them that no true friend would ever ask for money in an email. If they do get such a request, advise them to make a phone call to the person. Also, give them the numbers of the fraud department at their bank so they have someone to call if they need advice.
Make sure your security software is current
Make sure everyone in your house has up-to-date anti-malware software. Put it on an auto-renewing charge if needed.
You may hear a lot of talk about next generation endpoint protection. And yes, anti-malware software is not perfect, but you still brush and floss your teeth. If you can’t afford an anti-malware software package, at least run the free Windows® Essentials (for Vista to Windows 8, after Windows 8, it is called Windows Defender). For Mac users, Sophos™ offers a free antivirus solution.
As Albert Einstein said, “A ship is always safe at the shore - but that is NOT what it is built for.” If we want to fully utilize the Internet, a little caution and paranoia can reduce the risks.