Op-Ed: Cybersecurity is Not Just for IT Professionals Anymore
October was National Cybersecurity Awareness Month, and as it wrapped up for the 16th year, it’s never been more important. Cybercrime has reached epidemic levels, The University of Maryland found that an attack occurs every 39 seconds on average, affecting one in three Americans every year, and security company McAfee reported there are 480 new high-tech threats now introduced every minute.
No individual or organization is too small or insignificant to be a target and cyberattacks are increasing in frequency, impact and cost, the FBI has said that Business Email Compromise (BEC) is a $26 billion-dollar enterprise, and recent a study by Dr. Michael McGuire from the University of Surrey, UK, put the value of the cybercrime economy at $1.5 trillion dollars.
Sadly, this epidemic shows no signs of slowing down in large part because many attacks are automated, victims often make it easy for the bad guys, criminals are raking in vast sums of ill-gotten gains, and they are difficult to track down and prosecute.
Let’s start with some widespread misconceptions about cybersecurity that must be dispelled:
My data (or the data I have access to) has no value to anyone else: All data is valuable to someone and the bad guys, sometimes called “Black Hat” hackers, are constantly working to get it. From identity theft, to fraud, to marketing, there are many ways that your data is valuable, and you must attempt to protect it.
Cybersecurity is a technology only issue: There are key technological solutions that will help you defend against cyberattacks (more on that later), but no technology is fool-proof, and many attacks rely on social engineering and deception to allow hackers to bypass even the best technological solutions. A layered approach to security is necessary, and education and awareness coupled with technology are key to defeating the Black Hats.
Strong cybersecurity is expensive: There are many good technological solutions that can be implemented at little or no cost. Many vulnerabilities (some experts say as high as 95%) are the result of human error, so a little education will go a very long way towards helping you implement practices and configure systems so they are harder to hack.
All hackers are technology geniuses: Some are, but many are using readily available free or low-cost hacking tools and platforms to launch sophisticated, automated attacks. You may not be able to stop a genius hacker that specifically targets you, but you can stop the bulk of these automated attacks.
I need 100% bulletproof security: It’s nearly impossible and very expensive to be impervious to every possible attack. For most people, you merely need make yourself a hard target so that hackers will move on to a softer target. As you will see, this is not as difficult and expensive as you might think.
New software and devices are secure out of the box: Many devices are rushed to market with security as an afterthought. The software they contain may have millions of lines of code that could contain flaws and bugs. Hackers know they only need to find one flaw, but the good guys (sometimes called “White Hat” hackers) must try to find and fix all the flaws. Any device may have security issues straight out of the box and updating the software on it regularly is critical!
Here are some concrete steps you can take to harden your systems and protect yourself, your family and your organization.
Ensure that you have anti-virus/anti-malware software on any/all devices that support it, ensure that the virus definitions are updated regularly, and schedule regular malware scans of your devices. There are many excellent low-cost and free options. If you’re a Windows user, Windows Defender is free and competitive with most of today’s quality products. Check this guide to compare products: https://www.pcmag.com/roundup/256703/the-best-antivirus-protection
Install software updates regularly, on ALL your devices. All reputable vendors regularly release software updates for their products and it’s critical that you install them regularly. This includes the firmware in your devices, their operating systems (Windows, Android, iOS) and the software on the devices. For example, ensure that you keep your web browser (Chrome, Firefox) updated. In many cases, these updates can be automated, for help Google “automatic updates for ” and fill in the blank for your situation. Don’t forget your “smart” Internet of Things (IoT) devices like TV’s, doorbells, lights, toasters, baby monitors, toys, cameras, etc. Additionally, be sure to change the default configuration. Bad guys can use the Shodan search engine to find and compromise your devices if they are not updated or are still running the default configuration.
Use a strong, unique password for each account. While this sounds painful, password manager applications allow you to store strong, unique passwords for each site and make it easy for you to use these passwords across your devices. At Intrust-IT we recommend LastPass, but you can check out other good password manager software here: https://www.cnet.com/news/the-best-password-managers-of-2019/
Enable Multi-factor Authentication (MFA) everywhere you can! MFA, sometimes called Two-factor Authentication or Two-Step Verification is a very powerful way to protect your accounts because an attacker requires an additional code to login. The code is typically sent to you via text message and only valid for a short period of time. While MFA is not failsafe, both Microsoft and Google have recently said that enabling MFA will stop nearly 99% of all automated attacks. If you do nothing else, enable MFA on every account you can! This web site can help you get started: https://twofactorauth.org/
Use a Virtual Private Network (VPN) to encrypt your data before it hits the Internet. A VPN provides a certain amount of anonymity and makes it difficult for hackers to access your data because it’s encrypted. While I generally recommend not using free Public Wi-Fi in any case, a VPN is an absolute must if you do. Even if you only access the Internet from a secure, trusted network, a VPN is generally a good thing. This guide can help you select a quality VPN: https://www.techradar.com/vpn/best-vpn
Carefully vet any software/app before you install it on any device. I know it’s hard to believe, but most developers don’t build free software out of the goodness of their hearts. If you’re not paying with money, you’re paying with data, you’re the product, not the customer. Many apps are nothing more than thinly veiled malware. Pay attention to the permissions software asks for and provide the least permissions possible. Only install what you really need and vet it first. The sites I’ve linked above have editors and experts that vet software, use them before you download something. Finally, when you no longer use an app, remove it.
Backup your data. Device failure, human error and malware such as ransomware can be devasting if critical data is lost forever. A good, secure backup can be the difference between disaster and recovery. Be sure to consider the sensitivity of any data you backup and secure it appropriately with strong passwords, MFA and encryption. There are many excellent low-cost options, here’s a good starting point: https://www.pcmag.com/roundup/226992/the-best-online-backup-services.
Don’t forget your mobile devices! Everything above applies here are well. You should use a strong, unique password and enable encryption. Don’t install any apps you don’t need and limit sensitive data on your devices when possible. Enable remote wipe so that if the device is lost or stolen, you can erase it.
Consider Identity Theft protection and regularly scan the Dark Web to see if your credentials (user name and password) have been breached. You can use https://haveibeenpwned.com/ to check your credentials.
Be skeptical. Take a zero-trust stance and remember, just because you’re paranoid doesn’t mean that they’re not out to get you. They are! The IRS, the FBI and your bank don’t need your password and won’t ask you to pay in gift cards. Many attacks are delivered via Phishing and these attacks are becoming increasingly sophisticated and realistic. Think twice before you click a link in an email, text message, instant message, on social media or even in a voicemail. This is especially true for anything you did not expect. When in doubt, reach out to the organization in question by calling them on the phone or going to their website from information that you lookup, NOT by using any links or information in the message.
Stay educated. The bad guys are constantly coming up with new attacks and you must remain vigilant. Here are some excellent resources to help you understand the fast-changing cybersecurity landscape:
A layered approach to security is critical so that the Black Hats can’t simply circumvent any single defensive mechanism. While the list above is not exhaustive, for a small cost and a little work, you will make yourself a very hard target and most bad guys will move along to the next soft target they find. Stay safe our there and follow me on Twitter where I share a steady stream of relevant and timely cybersecurity information that will help you stay safe.
Dave Hatter is a cybersecurity consultant at Intrust IT and an adjunct instructor at Cincinnati State. He is also the mayor of Ft. Wright.