Secure your world: tips and tricks to stay cybersecure
Recently, I sat down with Jim Nelson, Information Systems Consultant with FRSecure, during a Foundant Coffee Talk discussion to dig into the current state and practices of cybersecurity. While our commitment to security is year-round, we wanted to take the opportunity that October – Cybersecurity Awareness Month – offers to promote cybersecurity education across our platforms.
What is cybersecurity? And why does it have a month?
Cybersecurity is defined as the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized disclosure, theft of, or damage to hardware, software, or data. Where there is technology, there must be cybersecurity. Cybersecurity functions include providing business continuity, ensuring compliance and confidentiality, upholding data integrity, and protecting against security threats.
Since 2004, October has been Cybersecurity Awareness Month. Each year, time is dedicated to raising awareness about the importance of cybersecurity. It has grown into a collaborative effort between the government and the cybersecurity industry to encourage discussion and education of the public about the risks of cyber threats. The theme for Cybersecurity Awareness Month is “Secure Our World,” which recognizes the importance of taking daily action to reduce security risks (Cybersecurity Awareness Month).
Why is cybersecurity important?
Cybersecurity is important because it protects sensitive data, which includes personal, financial, and confidential information. This information can be compromised through breaches and theft. Cybersecurity also protects against ransomware, a type of malware that can cause serious financial damage to a company that is not protected against it. 94% of malware is delivered by email (Data Security: Partnerships and Practices for a Successful Quest).
Adequate cybersecurity maintains client trust, improving business reputations. It also ensures compliance with cybersecurity regulations, helping organizations avoid fines and legal repercussions. Protection against breaches and theft safeguards business operations and ensures a smoother workflow. Sufficient cybersecurity measures minimize workflow disruptions and software downtime that can be caused by inadequate security.
Staying safe in an online minefield
Sometimes it can feel like you should just avoid the internet altogether, but there are several easy ways to protect sensitive information that is stored online. One is to check continuously for software updates so that your computer always has the most up-to-date security fixes and is protected from the latest threats. Do not click “remind me later” when asked to update your software; postponing updates leaves you vulnerable to cyber threats. Automatic updates are the easiest way to stay secure. Check the notifications on your phone and computer regularly, and look in the upper corner of your browser for update alerts. Software updates can also be found in the settings app.
Another way to stay secure is to turn on multifactor authentication (MFA), which adds an extra layer of protection for online information. You can have an authenticator app, get a code sent to your phone or email, add a security key that is needed to access information, or enable biometrics. Biometrics uses physical characteristics, such as fingerprint and facial recognition, to prevent people from getting private information without approved access. MFA should be used in email, accounts with financial information, such as online stores, and accounts with personal information, such as social media accounts.
Password security
All passwords should meet the following requirements to be considered strong (Know Thy Passwords: A Guide to Security):
- Be at least 16 characters long
- Mix uppercase and lowercase letters
- Include numbers and special characters
- Use spaces and passphrases
Passwords should never be reused or shared. Google and Apple provide resources that outline how to change compromised passwords. The website haveibeenpwned.com lets you check whether your email or login has been part of a known security breach. It can even check your passwords against lists of known, compromised passwords. Password managers are also helpful and offer the following functions:
- Store your passwords
- Alert you to duplicate passwords
- Generate strong new passwords
- Some automatically fill your login credentials into websites to make sign-in easy
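The two password checks described above, as an added example that is not part of the original post: a checker for the four strength requirements in the list, and a model of how a breach lookup like the one haveibeenpwned.com offers can work without the full password ever leaving your machine. The breach part follows the k-anonymity range query of the Pwned Passwords service (only the first five hex characters of the password's SHA-1 hash are sent, and the matching suffixes are compared locally); the "service" here is a constructed in-memory table of made-up breached passwords and counts, so the example runs offline.

```python
"""Added example (not from the original post): password policy check plus an
offline model of a k-anonymity breach lookup."""
import hashlib
import re

MIN_LENGTH = 16


def policy_findings(password: str) -> list[str]:
    """Return the requirements the password fails; an empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        findings.append("missing a mix of uppercase and lowercase letters")
    if not re.search(r"[0-9]", password):
        findings.append("missing a number")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        findings.append("missing a special character")
    if " " not in password.strip():
        findings.append("no spaces: consider a multi-word passphrase")
    return findings


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Split the hash into the 5-char prefix that is sent to the service and
    the 35-char suffix that stays on the local machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


# Constructed stand-in for the range endpoint: a dict from 5-char prefix to
# lines of "<35-char suffix>:<count>", the same shape the real API returns.
# The passwords and counts below are made up for this example.
_CONSTRUCTED_BREACHED = {"password": 3730471, "letmein": 258000}


def _build_range_table() -> dict[str, list[str]]:
    table: dict[str, list[str]] = {}
    for pw, count in _CONSTRUCTED_BREACHED.items():
        prefix, suffix = split_for_range_query(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    return table


RANGE_TABLE = _build_range_table()


def offline_range_lookup(prefix: str) -> list[str]:
    """Plays the role of GET /range/<prefix>: returns every known suffix line
    for that prefix (constructed data, no network access)."""
    return RANGE_TABLE.get(prefix, [])


def pwned_count(password: str, range_lookup=offline_range_lookup) -> int:
    """How many times the password appeared in known breaches (0 = not found).
    Only the hash prefix is handed to range_lookup; the suffix comparison
    happens locally, so the service never learns the full hash."""
    prefix, suffix = split_for_range_query(password)
    for line in range_lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("Passw0rd!", "password", "Correct Horse Battery Staple 7!"):
        print(repr(pw), policy_findings(pw), "breach count:", pwned_count(pw))
```

Note that a password can pass every policy rule and still be in a breach list, and vice versa, which is why the two checks are separate functions: policy rules describe the shape of a password, while the breach lookup tells you whether that exact password is already known to attackers.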
Don’t get phished
Password managers don’t fall for phishing websites, even if you do, because they only fill credentials on the exact site they were saved for. Hackers use different types of phishing (Gone Phishin': What to Watch for and How to Keep from Being a "Big Phish"). One is spear phishing, in which hackers target specific individuals and use personal information about the target to gain trust; the goal is to access company information. Another type is CEO fraud, or whaling, in which hackers impersonate the CEO of the target company to get employees to reveal information.
When it comes to handling and reporting phishing attempts, there are things you should and shouldn’t do.
Do not:
- Click any links you don’t trust
- Open any attachments you were not expecting or do not recognize
- Send personal information online or over the phone
Do:
- Verify that the communication is real
- Contact the sender directly through known phone numbers or emails
- Report attacks to your IT department or your email/phone provider
- Use email filters
- Check hyperlinks
- Verify attachments
There are red flags present in most phishing attacks that you should look out for when you receive online communication. With the development of AI, phishers are getting more creative. They are using better grammar and providing more accurate data points in their requests. This makes it even more essential to be aware of phishing red flags.
- An urgent or fear-inducing tone
- A sender email address that does not match the company it claims to come from
- Unexpected communications, such as an email you had no reason to expect
- Requests to send personal information
- Misspelled words, bad grammar, and odd URLs
Keeping your organization safe online
Employers should provide employees with security measures to ensure that personal and company information stays safe. They can provide employees working from home with a VPN connection that creates a secure, encrypted tunnel back to the office. Employers can also take an inventory of sensitive information: how it is collected, by whom, where it is kept, who has access, and how that access is controlled. This is also a good time to double-check that software, firewall, anti-virus, and anti-malware updates are current (Data Security: Partnerships and Practices for a Successful Quest).
Foundant uses several cybersecurity practices to protect against theft and breaches. One is SOC 2 Type 2 certification, which entails a thorough, third-party security review and shows that the company is achieving and maintaining current certification. Internal controls around safeguarding customer data, and evaluation of how effective those controls are, are core components of the annual certification process. Foundant’s software is a fully cloud-based solution hosted by Amazon Web Services (AWS), which uses the highest standards for data security. Data in the AWS network is encrypted and hosted at secure data centers. Foundant adheres to all facets of the “shared responsibility model” outlined by AWS and by all the data processing partners we engage with.
Foundant also practices “least necessary access” protocols for employee access to sensitive areas. This entails strict access and usage guidelines, including monitoring activity and having a second person provide dual control where needed. Regardless of position, all employees are trained and tested in data and internet security protocols. Access to Foundant office locations is restricted, and confidential payment data is not processed or saved on Foundant systems.
Cybersecurity FAQs
These frequently asked questions about cybersecurity can help you avoid ending up in a security incident:
- How secure is Dropbox?
Dropbox was the victim of a password breach a few years ago, but improvements have likely been made since the attack. Solutions such as Dropbox, Office 365, and Google Drive can be made more secure by using unique passwords and multifactor authentication.
- What about sending the password as a picture in a separate email?
If someone has access to a person’s entire email account, that tactic would not prevent them from looking for the corresponding message.
- Is Office 365 safer than a shared network drive?
It depends on how the information is accessed and how the files are secured. Office 365 offers multifactor authentication as well as data loss prevention.
- How secure is Adobe password protection on files?
Using Adobe password protection is a great approach, but there is a risk depending on how the passwords are shared.
- Can having a VPN help security?
It depends on the type of VPN being used. There are two types: full tunnel and split tunnel. With a full tunnel, all traffic from the device is encrypted back to the firewall. With a split tunnel, only traffic to office resources is encrypted back to the firewall. Both can be helpful depending on the information being accessed through the VPN, but a full tunnel is more secure.
- How should you choose a VPN service for a small office?
Some recommendations are SonicWall, PaloAlto, Sophos, and Office 365.
Cybersecurity from your peers
There were several open discussion topics in the cybersecurity coffee talk webinar. The first was general sentiment on cybersecurity and whether users feel they have adequate cybersecurity measures. Jim Nelson stated that the landscape of cybersecurity is always changing, so it is important to stay vigilant and keep striving to be more secure; preparedness is dynamic. One threat raised in the discussion is that smaller companies are more at risk from security threats because they have fewer protection methods and possibly no IT team. Another is employees being unaware of risks and not using the security resources available to them.
The second topic discussed was security measures and practices. Cory and Jim discussed the importance of using password managers such as Dashlane, Keeper, and LastPass. A question was raised about browser password vaults, to which Jim responded that if you use a browser password manager, you should make sure the password to your computer is secure so that no one can easily get in and find the saved passwords. When saved passwords are used in an organization, it is essential for employers to remember that when an employee leaves, any sensitive passwords that they knew should be changed. Several software options for cybersecurity training that were brought up are KnowBe4, Mimecast, and Barracuda Networks. LogMeOnce is also a useful platform that offers password management, MFA, and cloud storage encryption.
The third topic discussed was incident response and recovery. FRSecure offers free policy templates that organizations can use to build an adequate cybersecurity plan. Jim Nelson said that the three must-haves he recommends for a cybersecurity plan are an acceptable use policy, an incident response plan, and an identity and access management policy, which covers account management and information access. These policies should be updated regularly to ensure the highest level of protection and recovery. Options for file sharing software include Microsoft 365 and Google for less advanced sharing and ShareFile for advanced sharing. Options for MFA software include Okta and Duo Security; make sure you have a PIN enabled on your authenticating device when using MFA. As with policies, it is essential to keep track of your software and update it consistently.
The final topic discussed in the webinar was investment in cybersecurity. Strong cybersecurity measures give a high return on investment because they prevent ransomware, which can cause significant financial damage to an organization. Cybersecurity software is highly valuable because of the threats it protects against, and a variety of tools is available for free or at minimal cost. However, keep in mind that buying every tool doesn’t solve every problem. Cybersecurity is only as effective as the individuals practicing it; preventing risks depends on an organization’s culture and on employees’ willingness to uphold their responsibility. One way to encourage this is to implement a reward system that gives employees an incentive to practice good cybersecurity. These practices will protect your organization and reduce its risks.
Additional cybersecurity resources
- CISA
- NCA
- Toolkits
Take the Next Step in Securing Your Mission
At Foundant, we're committed to safeguarding your data while empowering you to focus on what matters most—fulfilling your mission. Want to learn more about how we protect your information and how we can help your organization thrive? Visit our Security Hub to explore our robust security measures and discover how Foundant can be your trusted partner in success.