Be Cyber Vigilant All Year Long



The following was published in yesterday’s Foster’s and Seacoast Sunday.

If you are a regular reader of my articles, you know October was National Cybersecurity Awareness Month. I have written about this for several years now and include links to resources to help you remain secure online. Now that we are in November, the hope is that these issues do not fade from the forefront.

If you’d like to review the various resources available from National Cybersecurity Awareness Month, visit https://staysafeonline.org/ncsam and review the Resources link for a wealth of information, tips and more.

Especially with election season in full swing, everyone should have a heightened awareness of cyber threats. Hopefully, you are well aware that you should be suspicious of just about everything you see posted on social media, even from your “friends.” Unless your “friend” is someone you know extremely well, you should be suspicious of anything they post, especially links to “news.” Take the time to verify what you read online; don’t just take it for granted. Sites that seem quite legitimate may be facades for radical groups or even foreign actors looking to influence our elections and social discourse.

It’s not at all difficult to validate sites and check news for credible sources and reporting. Organizations as diverse as NPR, AARP and many, many others offer several suggestions to help you validate the source of your news. I encourage you to invest a little extra effort to verify what you read as news and be sure you are making decisions based on credible, verifiable sources. It’s more important than ever.

Hopefully, you read and took heed of some of the key themes of this year’s National Cybersecurity Awareness Month. One of the most basic themes was Lock Down Your Login. This is so easy to do, yet it is the most often overlooked step. Simple usernames and passwords are the most common way attackers break into networks and steal data and identities. These credentials are just too easy to break through. You should not be using passwords that are easy for you to remember; if a password is easy to remember, it’s likely an attacker will be able to guess it or use tools to brute force their way through it and compromise your account.

Passwords should be replaced with passphrases, a sentence or collection of words that are easy for you to recall, but not easily breached. I’ve written about this a lot over the years, both here in the paper and online in my blog at https://mjshoer.com. Use a combination of letters, numbers and symbols, replacing letters in the phrase with numbers and symbols where it makes sense. You should also be using multi-factor authentication everywhere it is available. Your bank, personal and corporate email and just about every online site you log into should support multi-factor authentication. Use it. Newer computers running Microsoft Windows 10 support facial recognition to log in; enable it. Almost every portable computer has a fingerprint reader; use that. Just do it, as the famous Nike advertising campaign says.
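To put some numbers behind the passphrase advice, here is an added example (not code from the column or the blog) that estimates the guessing work for a short substituted password versus a passphrase of randomly chosen words. The word list, the list of “common” base words and the substitution table are constructed for the illustration; the 7776-word list size is an assumption matching published diceware-style lists.

```python
import math
import secrets

# Constructed mini word list (assumption). A real generator would draw from a
# published list such as the EFF long list, which has 7776 words; that size is
# what the entropy estimate below assumes.
SAMPLE_WORDS = ["copper", "river", "lantern", "meadow", "violin", "harbor",
                "saddle", "comet", "quartz", "pillow", "walnut", "ember"]
WORDLIST_SIZE = 7776

# Constructed list of common base words an attacker's rule set would try first.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "dragon"}

# The classic letter-for-symbol swaps, in the direction a cracking tool undoes them.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
                          "1": "i", "!": "i", "3": "e", "7": "t"})


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker must assume for pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() and not c.isspace() for c in pw):
        size += 33  # printable ASCII punctuation
    if any(c.isspace() for c in pw):
        size += 1
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound: bits of work if every character were independent and random."""
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of word_count words chosen uniformly at random from the list.

    This bound holds no matter how ordinary the words look, which is why random
    words beat a short 'clever' password.
    """
    return word_count * math.log2(wordlist_size)


def looks_like_substituted_word(pw: str) -> bool:
    """True if undoing the common substitutions leaves a well-known base word."""
    base = pw.lower().translate(LEET_MAP)
    return base in COMMON_WORDS


def generate_passphrase(word_count: int, words=SAMPLE_WORDS) -> str:
    """Draw words with the cryptographic RNG, never random.choice."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    weak = "P@ssw0rd"
    print(f"{weak}: naive bound {brute_force_bits(weak):.1f} bits,"
          f" substituted dictionary word: {looks_like_substituted_word(weak)}")
    for n in (4, 5, 6):
        print(f"{n} random words: {passphrase_bits(n):.1f} bits")
    print("example:", generate_passphrase(5))
```

The naive character count makes “P@ssw0rd” look like roughly 52 bits, on par with four random words, but undoing the substitutions shows it is just “password”, which any cracking rule set tries first. The strength of a passphrase comes from its length and the number of words, so add substitutions on top of a long phrase rather than instead of one.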

Finally, though nothing is ever final when it comes to matters of cybersecurity, stay ever vigilant of phishing email campaigns. Don’t click links or open attachments you are not 100 percent certain of. If you get shipping documents, invoices or other attachments you are not accustomed to, don’t open them until you call the sender and verify they actually sent it. The same goes for links within email messages. Hover over the link and verify that the link is going to a valid domain associated with the company that sent the email. This is one of the easiest ways to spot a phish. The same goes for the sender’s email address.

Check carefully to be sure the sender’s name is not misspelled, even by just one letter. Check the name and check the email address attached to the name. These are simple steps that you should familiarize yourself with and regularly practice to stay safe online.
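The two checks above (does the link really go to the company’s domain, and is the sender’s address off by a letter) can be automated for mail triage. The following is an added example written for this page, not code from the column or the blog; the bank domain, the sender addresses and the message body are all constructed, and the “registrable domain” logic is a deliberate simplification that takes the last two labels of a host name rather than consulting a public-suffix list.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the organisation the message claims to come from
# (hypothetical domain, not a real bank).
EXPECTED_DOMAIN = "example-bank.com"


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Keep the last two labels (naive: no public-suffix list; assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(domain: str, expected: str, max_dist: int = 2) -> str:
    """ok = exactly the expected domain; lookalike = a letter or two off."""
    reg = registrable_domain(domain)
    if reg == expected:
        return "ok"
    if levenshtein(reg, expected) <= max_dist:
        return "lookalike"   # e.g. digit 1 swapped in for the letter l
    return "mismatch"


def check_sender(from_header: str, expected: str = EXPECTED_DOMAIN) -> str:
    """The 'check the email address attached to the name' step."""
    _display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return classify_domain(domain, expected)


_ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def check_links(html: str, expected: str = EXPECTED_DOMAIN) -> list:
    """The 'hover over the link' step, applied to every anchor in the body.

    Returns (href, verdict) pairs. The anchor text is ignored on purpose:
    it is what the reader sees, not where the click goes.
    """
    findings = []
    for href, _text in _ANCHOR.findall(html):
        host = urlparse(href).hostname or ""
        findings.append((href, classify_domain(host, expected)))
    return findings


# Constructed sample messages (hypothetical addresses and hosts).
GENUINE_FROM = "Example Bank Support <support@example-bank.com>"
LOOKALIKE_FROM = "Example Bank Support <support@examp1e-bank.com>"
UNRELATED_FROM = "Example Bank Support <billing@invoice-notices.example>"

SAMPLE_BODY = (
    '<p>Your invoice is ready: '
    '<a href="https://example-bank.com.login-verify.example/inv/123">'
    'example-bank.com</a></p>'
    '<p>Or visit <a href="https://www.example-bank.com/help">our help page</a></p>'
)

if __name__ == "__main__":
    for hdr in (GENUINE_FROM, LOOKALIKE_FROM, UNRELATED_FROM):
        print(f"{hdr!r}: {check_sender(hdr)}")
    for href, verdict in check_links(SAMPLE_BODY):
        print(f"{verdict:9s} {href}")
```

The first sample link shows why the hover check matters: its visible text reads “example-bank.com” and the host even begins with that string, but the part that decides where the browser goes is the registrable domain at the end, which is unrelated. The display name is the same in all three sender samples; only the address after the @ gives the lookalike away.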

Please Use a VPN on Public WiFi


I’m sure you’ve heard the term VPN, which stands for Virtual Private Network. Most people are familiar with it in the context of connecting remotely to their work network. For those who aren’t familiar with a VPN, here’s a word picture I often paint to describe what a VPN does.

Think of a four-lane highway as the public Internet. All the cars traveling on this highway are equivalent to each person’s Internet traffic. As one car passes another, you can look at or in the car and possibly see some of what’s there. This is akin to unencrypted traffic traveling across the Internet: it can be seen and watched by others. This is why sending sensitive information across the Internet unprotected is not safe, as it may be seen by those it’s not intended for. When you use a VPN, your Internet traffic is sent across an encrypted connection. Think of an encrypted connection as being like those pictures you see in Car and Driver magazine when they publish “spy” reports on the next model year of vehicles. The vehicles are typically wrapped to conceal what they actually look like, and the windows may be tinted so darkly that you can’t see inside. This is like encrypted traffic on the Internet: you know it’s there, but you can’t tell what it is. A VPN goes one step further. It’s like putting a tunnel over one of the four lanes on the highway. The “public” traffic is happily driving along the other three lanes, able to see one another and get where they are going. The traffic that is being sent across the VPN travels inside the new tunnel that has taken over one of the lanes. You know there is traffic there, but you can’t see it or access it. It can only be seen at its starting and ending points. It’s the safest way to send data, especially sensitive data.

When you connect to a wireless hotspot in a public location like a town square, a restaurant, hotel, etc., you are connecting to a very “public” network. You should never log in to your bank or other sensitive site over a public wireless network unless you are using a VPN. If you use a VPN when connecting to these public networks, then you can safely connect to secure sites and protect your traffic from being seen by others. I have used a VPN for years, for this very reason.

There are many excellent VPNs on the market, but I am very excited that a company I trust a lot, Webroot, has a VPN specifically designed for WiFi. Webroot has been an innovator in the cybersecurity space for years. Their anti-virus/anti-malware tool, Webroot SecureAnywhere, is a leader. They have now added Webroot WiFi Security. If you already have an anti-virus/anti-malware solution that you are happy with, you can add any VPN easily. If you are looking for a better anti-virus/anti-malware solution and a VPN, there is a great bundle of both available as well.

I encourage you to check out Webroot’s WiFi Security. Whether you decide to use that solution or another VPN, just pick one and stick with it. You’ll be glad you did and a whole lot safer as well.

It’s a Wrap! #CyberAware


Today is not only Halloween, it’s the last day of National Cybersecurity Awareness Month!

As a reminder, the major themes this year have been:

  • Make Your Home A Haven For Online Safety.
  • Millions Of Rewarding Jobs: Educating For A Career In Cybersecurity.
  • It’s Everyone’s Job To Ensure Online Safety At Work.
  • Safeguarding The Nation’s Critical Infrastructure.

Please be sure to visit staysafeonline.org/ncsam and browse the resources for a ton of helpful guides, tip sheets and other resources to help you be as secure as possible.

My friends at KnowBe4, a security training company that I work closely with, also have some excellent resources, which I’ve inserted here. Feel free to share them within your company to help maintain a culture of cybersecurity awareness well beyond today.

#CyberAware

KnowBe4 resources (originally embedded here as images linking to PDF downloads): Social Engineering Red Flags; Block Mobile Attacks; 5 Tip Sheets.

I’m Back!


I’ve been on vacation, so I hope you haven’t minded the lack of posts 🙂 I’m back and want to share the latest article I wrote for Foster’s and Seacoast Sunday on the 21st. Enjoy.


Small Businesses at Risk to Cybersecurity Attacks

In my last article, I wrote about October being National Cybersecurity Awareness Month. We have just finished week 3 and are about to move into week 4. Week 3’s theme was “It’s Everyone’s Job to Ensure Online Safety at Work.” Week 4’s theme is “Safeguarding the Nation’s Critical Infrastructure.”

When thinking about the workplace and the prevalence of small business throughout New England, the story is not a pleasant one. Too many small businesses think they are not at risk for a cybersecurity event. However, consider in 2017, 61 percent of small businesses reported a cyberattack, up from 55 percent the year before. The average cost of these attacks exceeded $1 million, enough to bankrupt many small businesses.

All industries are impacted by cyberattacks, but the most targeted industries are financial services, technology and communications, manufacturing, retail and professional services. The reasons for the attacks vary widely, from financial fraud to identity theft to the theft of intellectual property, the lifeblood of many businesses.

The attack methods vary, and defending against these attacks often feels like a game of leapfrog. The bad guys figure out a way to penetrate a network and the technologists figure out how to block that attack. The problem is the attackers are sophisticated and have access to increasingly powerful computing resources, so they figure out a new way around the defenses and the cycle starts over again, millions of times a day.

Defending your business is not a trivial task, but in the quest to secure businesses, especially small businesses, the most often overlooked thing is employee training. You must invest in training your staff to understand their role in protecting your business. From what they say on social media about their job to the email messages they open and the links they click, people are the last and most important line of defense.

I have heard too many stories where someone in an accounting department gets an email asking them to log in to a website to check something. It could be anything from an invoice to a tracking number or a request to update security information about their account. Messages like this are easy to spoof and get the targeted person to try to log in to what looks like a legitimate site, but they often get an error telling them their login failed and to try again. The problem is the site was fake and the hacker just captured the username and password the person was using. The hacker is often then able to access and monitor that accounting person’s email traffic and eventually will trick that person, or one of their colleagues, into initiating a fraudulent transaction that could cost hundreds if not millions of dollars.

The news is awash with stories similar to the scenario above. Law enforcement is overwhelmed with reports like this. If you haven’t lost millions of dollars, likely tens of millions, it’s unlikely law enforcement will be able to act on your case fast enough to help recover any funds. This is how real and present a danger these cyber threats are.

While this may all seem daunting, there are several things a small business is able to do to help protect itself. Take the time to inventory your critical data and systems. Be sure you understand what you can live without and what you can’t. If you do ever suffer from a cyberattack, be sure you know what you need to continue operating while you assess the damage and recover. Also, be sure you have a communication plan ready to inform your staff, your business partners, your customers and, if necessary, the public about what has happened to your business. Get in front of the matter, so your business does not suffer damage to its reputation and not just its technology.

Today’s cyberattacks are evolving nearly in real time. Businesses large and small across all industries need to understand their risk profile, take appropriate steps to protect their technology infrastructures, educate their employees on how to help protect the business and have appropriate response plans in place for when, not if, they are attacked. Try not to feel overwhelmed by the risks. Be prudent in your approach. There are plenty of talented professionals out there to help you understand and mitigate your risk. Just don’t ignore it.

Week 3 Tips #CyberAware



Week 3 of National Cybersecurity Awareness Month is all about protecting your place of work from cyber threats. In addition to identifying what assets you need to protect, consider the following key considerations:

Protect your assets: Ultimately, your goal is to build a culture of cybersecurity that includes employees knowing how to protect themselves and the business and understanding the cyber risks as your business grows or adds new technologies or functions.

Use employee training to communicate the message and gain employee buy-in.  Don’t make this a one time event, have recurring training throughout the year to maintain a culture of cybersecurity awareness.

Be able to detect incidents: We have fire alarms in our businesses and homes that alert us to problems. In cybersecurity, the more quickly you know about an incident, the more quickly you can mitigate the impact and get back to normal operations.

While everyone has a firewall and anti-virus software, who is monitoring it?  Just the basics are not enough.  You should have intrusion detection and prevention and other security technologies in place that are designed to look for patterns that are not normal.  The tools alone are not enough, you need to have a qualified cybersecurity professional reviewing this information in real-time to catch potential risk.

Have a plan for responding: Having a recovery plan created before an attack occurs is critical. Make and practice an incident response plan to contain an attack or incident and maintain business operations in the short term.

You never want to put your head in the sand if you think you are the victim of a cybersecurity event. You need to have a plan to respond rapidly and protect your business. This includes internal communication and external communication as well. Be sure you have a message that will contain the fallout and not risk damage to your business reputation.

Quickly recover normal operations: The goal of recovery is to move from the immediate aftermath of a cyber incident to full restoration of normal systems and operations. Like the response step, recovery requires planning. Recovery is not just about fixing the causes and preventing the recurrence of a single incident. It’s about building out your cybersecurity posture across the whole organization (not just the IT person or group), including increasing the focus on planning for potential future events.

Be sure the technology is in place to recover quickly and maintain business operations. This may mean having to operate in a somewhat reduced state while the full impact is assessed. You need to be sure you have reliable backups of your systems and the ability to bring them online in locations other than your offices, should the event warrant that. Be sure you understand the concepts of RPO and RTO, Recovery Point Objective and Recovery Time Objective respectively. You may have a Disaster Recovery (DR) Plan that addresses this, but do you also have a Business Continuity Plan (BCP) to account for ongoing operations? You should.

Here are some helpful resources to help you assess these critical areas:

  • SMB Cybersecurity Awareness Toolkit
  • CyberSecure My Business
  • Federal Trade Commission’s Business Center for Privacy and Security
  • NIST Cybersecurity Framework
  • Better Business Bureau Cybersecurity

Welcome to Week 3 #CyberAware


This week’s National Cybersecurity Awareness Month theme is “It’s Everyone’s Job to Ensure Online Safety at Work.”  While you’d think this is obvious, it’s still not.


Consider these stats:

  • Verizon’s 2018 Data Breach Report, a highly respected annual report on the state of cybersecurity, notes that 58% of cybercrime is taking place in small and mid-size businesses (SMBs).
  • The cost of cyber attacks to SMBs was more than $2,235,000, on average.
  • The Better Business Bureau finds that more than half of small businesses would be unprofitable within a month if they were to permanently lose access to their critical data.
  • Nine out of ten small businesses report some basic security in place. This consists of anti-virus protection, firewalls and employee education.

The first topic for this week is identifying your digital “crown jewels.” This remains an annual part of National Cybersecurity Awareness Month, as knowing what is important is the first step to protecting it.

Check out the CyberSecure My Business resource page related to “Identify.”

There you will find a wealth of resources to help you identify your most important data and systems.  I encourage you to review all of the resources listed on that page.  I strongly recommend you watch the National Cyber Security Alliance webinar titled “Learn to Identify Key Assets and Data.”

Before you can implement an effective plan to protect your organization, you must take the necessary steps to understand what needs to be protected.  These resources will help you do this efficiently.  Get to it!

Why Careers in Cybersecurity? #CyberAware



As we continue along in Week 2 of National Cybersecurity Awareness Month, the focus is on careers in cybersecurity.  Consider some of these stats:

  • There will be 3.5 million cybersecurity jobs by 2021.
  • Cybercrime cost victims $3 trillion in 2015 and is predicted to double to $6 trillion by 2021!
  • The median salary for an information security professional was $95,510 in 2017, more than double the median average of all U.S. careers.
  • Most millennials look to their parents for career advice (40%).  That percentage rises to 57% when talking about cybersecurity careers.
  • Over the last several years, the number of teachers who talk with their students about cybersecurity has tripled.  This is great!

Here’s what you can do, especially if you are a parent:

  1. Volunteer at a school and talk about the growing career options in cybersecurity.  We can’t start too young.  Check out this link for resources you can use to start the discussion.
  2. Check out CyberPatriot and think about mentoring kids in a cybersecurity challenge event.
  3. If you know someone who works in the cybersecurity field, see if you can get them to come and talk with students or host an open house for students at their company.
  4. Educate yourself about cybersecurity careers so you can help spread the message.
  5. Work with your schools and school boards to educate them on the importance of cybersecurity education to help prepare our kids for their future.
  6. Visit CompTIA, the Computing Technology Industry Association and explore the resources related to cybersecurity education and workforce development.

Welcome to Week 2 #CyberAware


Today starts week two of National Cybersecurity Awareness Month. This week’s theme is “Millions of Rewarding Jobs: Educating for a Career in Cybersecurity.”

It’s estimated that there will be more than 3.5 million cybersecurity jobs by 2021. According to the Bureau of Labor Statistics, that’s a 28% growth rate over the 10 year period from 2016 to 2026. It’s not just about coding anymore!

The most important thing we can do to help build our cybersecurity workforce is talk with our kids. Too much of our public education system is focused on coding as the only IT career path. To be clear, software development is an important and needed skill, but it’s not the only skill that our kids can pursue. It’s our obligation, as parents and professionals, to educate our kids on all of the IT career options available to them, and cybersecurity is a significant area of growth and need.

There are some excellent resources available at this link to help start these conversations.  Download the tip sheet on that page and share it with your kids and your schools, to help start the discussion.

Veterans make up a significant group of individuals entering the workforce who have a strong foundation in cybersecurity. Hiring veterans for careers in IT is a great way to bring highly qualified and motivated technical professionals into your company. Many universities are now offering degrees in cybersecurity, so for college-age kids or those pursuing higher education at a later age, there are more options now than ever. If you are a cybersecurity professional, think about becoming a mentor in the workplace or at local schools.

If you know kids that may be interested, have them check out the excellent CyberPatriot site where they can learn more and participate in online learning and competitions.  Together, let’s build the next generation workforce of technical professionals that our country needs.


It’s National Cybersecurity Awareness Month


The following article was published in today’s Foster’s and Seacoast Sunday.


Every October the National Cyber Security Alliance and Department of Homeland Security declare National Cybersecurity Awareness Month. In this age of ever-increasing cyber threats, this is such an important initiative everyone should pay attention to at home and work.

This year is the 15th year for National Cybersecurity Awareness Month. The themes this year are about our shared responsibility for protecting ourselves online. Each week has a specific theme with useful recommendations to help you be more secure. Week 1 is just wrapping up and the theme was “Make Your Home a Haven for Online Safety.” The following are some suggestions for doing this:

Lock down your login: Visit www.lockdownyourlogin.org for recommendations to improve the safety of your logins. Wherever you are able, you should enable multi-factor authentication and leverage biometrics to secure your login, so it’s not just your login name and password that’s required to access your accounts and systems.

Back it up: Back up your important information. Large-capacity external USB hard drives are affordable. At a minimum, you should back up your data to an external drive and store it outside your home for safe keeping. Even better, an online Cloud backup solution can back up your data in real time and safely store it offsite.

Personal information is like money. Value it. Protect it: Be careful with what you share online, especially on social media. You should always safeguard your personal details, not just online, but even over the phone. Be careful what information you share and be absolutely certain of who you are sharing it with.

Keep a clean machine: Always keep computers, mobile phones and tablets up to date and protected with proper security tools. If you no longer need a previously installed software application, remove it. Don’t let it sit there as over time, it may become a risk.

Pay attention to the WiFi router in your home: Change the factory password to something very secure and enable the highest level of security for your wireless password to keep non-authorized people from connecting to your wireless network. Lastly, keep the router software up to date so any known risks are patched and eliminated.

Share with care: Those online games that ask you how many states you’ve been to or naming your first pet, the street you grew up on, etc. can be used to steal your identity. Just don’t play them.

Next week’s theme is “Millions of Rewarding Jobs: Educating for a Career in Cybersecurity.” The IT workforce is experiencing a massive shortage of skilled talent. IT careers, especially cybersecurity, are widely available. Encourage schools to expand curriculum beyond coding. We need to get our kids interested in IT careers as our economy continues to evolve to a technology driven engine. We are importing more technical talent than we are developing at home. This is an economic and national security risk. We need a grassroots effort to change the mindset of parents and teachers so kids are exposed to all of the opportunities available to them.

The week of Oct. 15 has the theme “It’s Everyone’s Job to Ensure Online Safety at Work.” No matter where you work or the size of your company, you play a critical role in ensuring your business is safe. All employees need to be aware of your company’s most important data. You handle easily replaced material very differently from material that is expensive or hard to replace. The same should hold true for your digital data. Every person in the company has a responsibility to protect the data they work with, even if it’s as simple as swiping a customer’s credit card on a card reader in a restaurant.

Companies need to have processes to identify potential cybersecurity risks and trigger a response plan should an incident occur. It’s critically important for your teams to know how to detect an event and how to respond. It’s also critically important for your teams to know what they are authorized to do or say in these situations and who needs to be made aware.

The final week has the theme “Safeguarding the Nation’s Critical Infrastructure.” Critical infrastructure encompasses a wide range of industries. Public utilities, the financial system, health care entities and information technology firms make up some of the major components of our nation’s critical infrastructure. These firms must have robust cybersecurity plans and collaborate with many government agencies in real time to ensure the safety of these systems for the good of all.

For more about National Cybersecurity Awareness Month, visit https://staysafeonline.org/ncsam/ and follow the hashtag #CyberAware on social media.

Your Facebook Account May Not Be Hacked


But telling all your Facebook friends not to accept your fake friend requests may actually be helping the hackers, so you may want to think about deleting those posts.

I don’t know about you, but my Facebook feed was inundated with friends warning me not to accept friend requests from them, as their account got hacked and these are fake. While the requests may be fake, the account has probably not been hacked. Yes, Facebook had a significant security breach recently, with over 50 million accounts potentially impacted. You may have noticed after that news broke that you were logged out of your Facebook account and had to log back in and create a new password. This was Facebook’s proactive response after the breach, to try to keep all its members safe.

Here’s the reality of the situation:

  1. Your account may not be actually hacked.  An account does not have to be actually hacked in order for a hacker to copy your profile picture and pretend to be you and send out friend requests.
  2. Your friends should know if they are already friends with you.  They should not accept a friend request from you if you are already friends.  This is simply common sense.
  3. By posting not to accept friend requests, you may be playing into the hackers’ hands. They want to disrupt Facebook and clutter feeds to make people frustrated with Facebook. Don’t help them.
  4. Definitely don’t forward messages on Facebook messenger.  Those could spread a potential virus without you knowing.  Just ignore and delete the messages.
  5. You should never copy and repost Facebook statuses like this or others that seem innocent enough. These often let the hackers know who is vulnerable to their ploys, and they will use this against you, now or in the future.
  6. If you want to know if your account has actually been duplicated, just search Facebook for your name. If you see more than one of you, then someone is trying to impersonate you. Follow Facebook’s process to report a fake account. That’s the best way to deal with these things.

At the end of the day, just use common sense.  Ignore friend requests from people you are already friends with.  Don’t help the hackers out by telling all your friends to ignore those requests, just ignore them and move on.