By Ken Ketsdever, Chief of Information Security
October is Cybersecurity Awareness Month, a time when government and industry collaborate to raise awareness about cybersecurity and help individuals protect themselves against cyber threats, which are increasingly common. As FI$Cal’s Information Security Officer, I am often asked, “What is cybersecurity?” and, my favorite, “Isn’t that your job?” Cybersecurity is the practice of protecting information technology (IT) systems, networks and programs, and everyone has a role to play in it.
In a work environment, cybersecurity efforts are usually led by a chief information security officer and a team of cybersecurity professionals – people who are trained and experienced in implementing controls that protect IT infrastructure, programs and data. For the most part, this team does not itself perform the tasks that make systems secure. Instead, it provides the policies, standards, guidelines and monitoring that ensure the systems are adequately protected.
Much of the hands-on work is performed by other teams: the application development team, which ensures that security concerns are considered in the early stages of design and coding, and the network and infrastructure team, which maintains a sound network architecture and keeps network assets patched and updated regularly.
However, the responsibility doesn’t stop in the IT domain. Business units decide what data is actually needed and how long it is retained, so that collection is limited to what is necessary and access is granted only to those who require it. The administrative and facilities teams, who look after the physical security of data, the office, and the people and assets in it, play an important role in cybersecurity too.
The one thing all of these teams have in common is that they are made up of people with different jobs and responsibilities who all have access to IT systems. This is the most important aspect of security: it is everyone’s responsibility.
It is critical to keep everyone informed about the latest security trends and concerns. Annual security awareness training is one way of providing current guidance on how everyone can do their part, and the lessons from this training are as important and effective at home as they are in the business environment. Here are a few tips to remember.
Create Strong Passwords:
There are three considerations in regards to passwords: creation, reuse and management.
When creating a password, there are two primary aspects to keep in mind: length and complexity. There are four character types: upper case letters, lower case letters, numbers and special characters. Each additional type you use enlarges the set of characters an attacker has to try, but every additional character of length multiplies the number of possible passwords, so length matters far more than mixing in symbols. Gone are the days of the hard-to-remember password. Where an extremely complex password that was changed frequently was once the gold standard, the current guidance is to use a phrase that draws on at least three of the four character types and is 15 or more characters long. To test the strength of your password, you can use security.org’s password strength tool, which estimates how long a computer would take to crack it. The results below compare a password built to the old guidance with one built to the current guidance.
Old guidance: G7&fX$na (8 hours to crack)
New guidance: My2003 Crush-Joe (2 trillion years to crack)
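To show why length dominates complexity, here is a small estimator that counts the character classes a password uses, computes the size of the brute-force search space, and converts it to years at an assumed guess rate. It is an added example and not the security.org tool or any code from this post; the guess rate of 10 billion per second is an assumption chosen for illustration, so the absolute figures will differ from the tool’s, but the ratio between the two passwords is what matters.

```python
import math
import string

# Assumed attacker guess rate for an offline attack on a fast hash (hypothetical
# figure chosen for illustration; real rates depend on the hash and the hardware).
GUESSES_PER_SECOND = 1e10

# The four character types from the guidance above, with a space counted as special.
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation + " "),
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)]


def search_space_bits(password):
    """Bits of brute-force search space: length * log2(alphabet size).

    The alphabet is the union of the classes the password uses, which is the
    smallest set an attacker who guessed those classes would have to try.
    """
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet)


def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Years to try every password in the search space at the given rate."""
    seconds = 2 ** search_space_bits(password) / rate
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # The two passwords from the post, plus a long lowercase-only phrase for comparison.
    for pw in ("G7&fX$na", "My2003 Crush-Joe", "correcthorsebatterystaple"):
        print(f"{pw!r}: classes={classes_used(pw)} "
              f"bits={search_space_bits(pw):.1f} years={years_to_exhaust(pw):.3g}")
```

The third password uses only lower case letters yet has a larger search space than the eight-character password that uses all four classes, which is the point of the current guidance: add characters before you add symbols.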
Over 50% of people reuse the same password for multiple accounts, yet once a username and password have been compromised, the culprit will try that combination on other accounts to see where else it works (a technique known as credential stuffing). Using a different password for each of your accounts protects you even if one login is compromised.
If you follow this guidance and use a different password for each account, you are likely to have over 100 passwords, according to a 2021 study by Nordpass. Today, there are dozens of password management tools that store and protect login information. PC Magazine recently provided a list of their top 10 picks.
Activate Automatic Updates:
In a work environment, there are procedures for the testing and implementation of patches and updates. However, most people do not have test environments at home. Ensure your computers and other devices have the latest software updates and patches by activating automatic updates. Many compromises exploit vulnerabilities for which a patch already exists. Once a vulnerability is discovered, it is a race between attackers trying to exploit it and vendors releasing a patch to remediate it. If you are not updating your devices regularly, there is a high likelihood that you are leaving yourself vulnerable. Automatic updates only help once they are installed, so restart when a device asks you to.
Be Vigilant with Phishing Scams:
Phishing is one of the most common methods of compromise. Remember to be skeptical of any email you are not expecting. The goal of a phishing email is to get you to click on a malicious link, or to provide information such as your username and password that can then be used in nefarious ways. As phishing attacks have become more sophisticated, they have become harder to identify; the intent is to trick users into thinking the request is real. Watch for signs such as typos, misspellings and hyperlinks whose destination doesn’t match the text of the link. Hovering over a link shows where it really leads before you click, and you can also check a link by copying and pasting it into a link checker.
Secure Your Home Devices:
Change the default password on your smart devices. It is estimated that 28% to 55% of users do not change the default password on their personal devices. You likely have multiple wireless devices in your home, from your wireless router to a host of smart devices such as Alexa, wireless light controllers and smart TVs. Leaving the default password in place is a welcome mat for hackers, who have lists of manufacturer and device default passwords at their fingertips. Your router deserves special attention: change its administrator password as well as the Wi-Fi password, since it sits in front of every other device in the house.
Taking the time to implement these security precautions will help in securing your devices and valuable information. We can all do our part by staying informed and remaining vigilant.
For more information on cybersecurity and best practices, please visit https://staysafeonline.org/resources/online-safety-privacy-basics/.