Under the overarching theme of ‘Own IT. Secure IT. Protect IT.’, the 16th annual National Cybersecurity Awareness Month (NCSAM) is focused on encouraging personal accountability and proactive behavior in security best practices and digital privacy, and on drawing attention to careers in cybersecurity. This week we discuss what is meant by Secure IT!
In our first post on “Own It” one of the important things to remember was that nothing is “Set-it-and-forget-it.” Keeping anything about how you secure your information the same invites cybercriminals to break in and target you. To “Secure IT” effectively, you really need to toss it up.
Never Pass on Password Changes
Many systems require you to change your password every 30 days. These are your friends, and they’re trying to protect you. The more time you give a fraudster to crack your password, the likelier they are to succeed. When you change it regularly, be sure to use strong passwords that are unguessable. Some systems now allow you to use complete sentences as your “passphrase.” Even if you only have the option of a password, you can easily make it much more difficult to impersonate you by including upper and lower case letters, numerals, and special symbols.
A frightening number of users still use “password” or “123456” as their password. Don’t be one of these.
Also, don’t post your password near your computer. There is always a balance between what is convenient and what is secure. All too many people write their password on a “post-it” note which they affix to the side of their display or the underside of their keyboard. They make it too easy to exploit their ID.
More and more online services are asking you to supply a mobile number when signing up. When you try to log in, they send a text to your mobile with a multi-digit number. You enter that number into the sign-in for the system. A password alone is no longer good enough. You must also have that number from the multi-factor sign-in system. This technique began with online services issuing a small device on which the secret number appeared, instead of using your own mobile. The important part is that it combines something you know, your password, with something in your possession, your mobile device or multi-factor number generator device.
Whenever you’re given the option to enable two-factor or multi-factor authentication, by all means say YES!
Shop Safe Online
In the earliest days of online shopping many feared to do so because they worried it would expose their credit card information and cybercriminals could steal from them.
The credit card companies stepped in to assure they were secure. So assuring, in fact, that they committed to cover any losses experienced due to online shopping with their card. This remains true today.
Despite this vote of high confidence, it is important to engage your skepticism when considering a purchase from an unknown website. Clearly there are major sites you can shop on with confidence from vendors you know you can trust. But when you see an ad online for a product sold on a site you have never heard of, engage your highest skepticism. Research them online. Are they listed and reviewed by the Better Business Bureau? Do they offer a protected connection? Take a look at the link. Does it start with “https” or “http”? That “s” stands for security and you should take it seriously. On the far right of the box where you enter the URL should be a picture of a lock which indicates that the site has privacy protection.
Remember the age-old admonition that if something seems too good to be true, it probably is, and don’t trust those offers.
All your best efforts may not prevent someone from obtaining your identity information. When you find unknown charges on your credit card statement you’ll know something’s wrong. At that point it makes sense to obtain the Federal Trade Commission’s identity theft recovery plan with very specific guidance as to exactly what to do.
When Something Smells Phishy
The most prevalent online security threat these days is ransomware. In this scheme a fraudster sends you an email that has been carefully (sometimes not so much) created to look just like an email you would ordinarily receive from your bank, a trusted vendor, or some other organization you know well. You open that “phishing” email and read it. After all, you know the sender. In the course of the content you are invited to click a link or open an attachment. Doing so launches an insidious invasion that corrupts, steals, or encrypts your data with a key you do not have, making it unavailable to you. Your data is lost.
You then receive a ransom note telling you just how much you’ll need to pay to get your data back. Lately that ransom amount has skyrocketed for large victims. For small victims the ransoms have actually become lower because the fraudsters found those smaller companies will not or cannot pay.
The first thing to do with absolutely every email you receive is to examine the URL or link address very carefully. Even when it looks like the real deal, it may not be. For example, zeroes are often swapped out for “O”s and lower case “L” for the numeral “1”. Remember that you usually see what you expect to see, so slow down and be more deliberate. When in doubt, throw it out.
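The check described above can also be done mechanically. The following is an added example, not part of the original post: it compares a link's hostname against a short list of domains you trust and flags names that match only after the zero/“O” and one/“L” swaps are undone. The domains, function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for illustration: the domains you actually do business with.
TRUSTED_DOMAINS = ("coolshop.example", "global-bank.example")

# The two swaps named in the text: zero for "O" and the numeral one for lower-case "L".
# Hostnames are case-insensitive, so everything is compared in lower case.
LOOKALIKES = str.maketrans({"0": "o", "1": "l"})


def fold(host):
    """Collapse lookalike characters so 'c00lshop' and 'coolshop' compare equal."""
    return host.lower().translate(LOOKALIKES)


def belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def check_link(url):
    """Return (verdict, matched_domain) for a link copied out of an email."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit find the host in scheme-less links
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("invalid", None)
    for domain in TRUSTED_DOMAINS:
        if belongs_to(host, domain):
            # Exact match: still insist on the "https" discussed earlier in the article.
            verdict = "trusted" if parts.scheme == "https" else "trusted-no-https"
            return (verdict, domain)
    for domain in TRUSTED_DOMAINS:
        if belongs_to(fold(host), fold(domain)):
            # Matches only after undoing 0/o and 1/l swaps: treat as impersonation.
            return ("lookalike", domain)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links, not taken from any real email.
    for link in ("https://www.global-bank.example/login",
                 "https://www.g1obal-bank.example/login",
                 "http://c00lshop.example/", "https://other.example/"):
        print(link, "->", check_link(link))
```

A verdict of “unknown” only means the name is not on your list; it says nothing about whether the site is safe.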
Trust Your Instincts
Fraudsters do a startlingly good job of making their emails look genuine, but every vendor has a “brand voice” designed to become very familiar to you. When you feel like an email just doesn’t sound right, enter the link address manually to ensure that you get to the right site. Securing your online transactions begins with your own diligence and vigilance.