October is National Cyber Security Awareness Month (NCSAM). NCSAM is a great initiative to help educate and inform our friends and family on the importance of taking your digital security seriously. Week Three in particular aims to help users fuse cybersecurity across their work and personal lives and emphasizes the shared responsibility of employees to help manage risk and improve resilience.
To help continue to support this initiative, we asked a range of industry experts to share some of their tips to help us stay safe online.
Angus Macrae | Head of Cyber Security | @AMACSIA
As distinctions between our personal and professional digital lives become ever-blurred, what your employees choose to share and give access to online, both in and out of work, becomes another ‘defence in depth’ consideration when protecting the workplace. Too many people operate online in ways they would perhaps think twice about when outside the digital realm, and we all need to be a bit more questioning and savvier.
For example, imagine you walked into a high street, ‘bricks and mortar’ shop to purchase some fairly benign items and were approached by someone claiming to work there. What if they started asking you a load of personal and intrusive questions whilst requesting that you unlock your phone and let them have access to it? Many of us would hopefully refuse and likely walk out, having considered that what was asked for was neither relevant nor proportionate to the intended transaction. Yet too many people give away all sorts of information when registering with websites or grant privileges to the messaging, geo-location and other capabilities of their devices when installing apps without a second thought. Often this is on the same device on which they access business email or hold other business-related information, however tenuously.
Personal responsibility is essential, but ‘to err is human,’ and it’s not always possible to refuse or spot what less scrupulous sites and apps are up to. Which is why anyone with ‘administrative’, ‘root’ or other elevated or privileged access to your core systems and databases or those with access to large sets of personal datasets or other sensitive information should still only be logging in with those credentials from hardened, trusted devices that your organisation manages.
Tim Erlin | VP, Product Management and Strategy, Tripwire | @terlin
Get yourself a privacy screen for your laptop.
We’re all worried about nation-state cyberattacks, but the reality is that for most individuals, shoulder surfing is probably a bigger concern. Organizations need to deal with significant threats, but individuals should take action to protect their privacy. As we join an increasingly mobile world, the potential for someone to see something on your screen that they shouldn’t grows. Think about all the time you might spend working on an airplane or at a Starbucks. In these situations, it’s easy for someone to casually observe what you’re doing. A privacy screen is a simple, inexpensive and effective way to mitigate this threat.
Bev Robb | Infosecurity Writer | @teksquisite
I’ve always implemented a layered approach when it comes to network security. Because I have a background in system administration, I firmly believe in building a network from the ground up. In my book, great security begins with a strong foundation – at home, in my office and while traveling.
I currently use a DD-WRT VPN router and replaced my ISP cable modem with a less popular one (giving me the control over configuration, security options and firmware updates). The bad guys tend to go after popular ISP devices that boast a huge user base anyway, so I feel my decision puts me two steps and one leap ahead of acquiring any device with potential security vulnerabilities.
My security sauce changes default device passwords and SSID, enables WPA2 wireless encryption, disables remote access and WPS, dedicates an alternative browser (private mode) to access the admin interface, utilizes the guest network for all IoT devices … and the beat goes on.
The one tip I can offer to everyone (regardless of technical ability) is to change default passwords (use a unique and complex password) and always keep device firmware updated. If it is within your budget, please steer away from ISP cable modems, buy a secure router (do your research) or hire a security professional to secure your home network.
If you take work home or work from home, your home network should always include the securing of company (or client) data. Hence, this should always be a crucial ingredient flavoring your security sauce. Bon appétit!
David Jamieson | Account Executive, Tripwire | @dhjamieson
Resist, resist, resist. Whenever you feel the urge to explore strange new worlds and seek out new life and new civilizations (blatant Star Trek reference) … remember that the reason those worlds may be strange is they may be fraught with danger. The work processes and websites used every day to be productive are most likely approved by the IT department and vetted by IT security, so we need to stick to them to protect the organization. They are safe worlds with friendly people and hospitable atmospheres. Let your IT team be the first to beam down to an alien planet … don’t go there on your own and hope for the best. Remember, you too can be assimilated (and it’s really hard to undo that mess). End Star Trek references.
Kim Crawley | Cybersecurity Journalist | @kim_crawley
Always assume that everything on the internet is public. There are areas of the internet that seem private, such as your Facebook messages or your email inbox. Most outsiders would have real trouble trying to access those areas of your online life unless you were very careless. Nonetheless, data breaches to online services are more common than ever, and employees and contractors of third-party platforms such as Google’s may be able to access your seemingly private communications. Depending on your jurisdiction, they may not be obligated to inform you if they share your data because law enforcement presented them with a search warrant. If your contracts with your employer involve NDAs (non-disclosure agreements) or any other legal mechanisms to protect private intellectual property, avoid communicating that information in unencrypted email, “private” social media communications or in any other way your employer may not authorize. The same applies to private information about your personal life. Err on the side of caution.
Anthony Israel-Davis | Sr. Manager, R&D, Tripwire | @anthony_id
Phishing is one of the top ways attackers find success. Whether it’s attempting to install malware, steal credentials or lure you into sending information or money to them, deceptive emails remain a favorite tool of the trade. My favorite way to combat this is to use conditional formatting in Outlook to identify internal or ‘safe’ senders and flag email I need to be more wary of. With conditional formatting, I can color code my inbox, which adds a quick visual cue to all my email. I think of it as caution striping for my inbox. I’ve also found this has improved my email efficiency – like many security controls, it has operational benefits, as well!
If you don’t use Outlook or are unable to conditionally format your inbox, consider what rules or workflows you can use in your client to add a bit of warning to suspicious email, for instance by moving email to a different folder.
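The sender-based "caution striping" described above can be reproduced in any client that lets you script or pre-process mail. The following is an added example, not code from the post or from Tripwire: it parses the From header of each message and assigns a colour band (internal, vetted external, unknown external, or suspicious). The internal domain `example.com`, the vetted sender `alerts@vendor.example` and the sample messages are all constructed for the example. It goes slightly beyond the post by also flagging two common lures: a display name that itself looks like an internal address, and a sender domain that only resembles the internal one once digit-for-letter look-alikes (1/l, 0/o) are normalised.

```python
"""Colour-band inbound mail by sender trust (added example, not from the post)."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}            # assumption: the organisation's own mail domains
TRUSTED_SENDERS = {"alerts@vendor.example"}   # assumption: vetted external senders

# Map each category to the colour you would apply in the client.
COLOURS = {
    "internal": "green",
    "trusted-external": "blue",
    "external": "yellow",
    "suspicious": "red",
}

# Digit-for-letter substitutions often used in look-alike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Constructed sample messages (raw RFC 822 text).
SAMPLE_MESSAGES = [
    "From: Alice Smith <alice@example.com>\nSubject: Lunch\n\nSee you at noon.\n",
    "From: IT Helpdesk <helpdesk@examp1e.com>\nSubject: Password reset required\n\nClick here.\n",
    "From: alerts@vendor.example\nSubject: Weekly report\n\nAttached.\n",
    "From: \"bob@example.com\" <bob@freemail.example>\nSubject: Invoice\n\nPlease pay.\n",
    "From: Carol <carol@partner.example>\nSubject: Meeting\n\nTomorrow at 10?\n",
]


def _domain(address):
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rpartition("@")[2].lower()


def classify(raw_message):
    """Return the trust category for one raw message based on its From header."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = _domain(addr)

    if addr.lower() in TRUSTED_SENDERS:
        return "trusted-external"
    if domain in INTERNAL_DOMAINS:
        return "internal"
    # Look-alike domain: becomes an internal domain once confusables are normalised.
    if domain.translate(CONFUSABLES) in INTERNAL_DOMAINS:
        return "suspicious"
    # Display name impersonating an internal address (e.g. "bob@example.com" <x@elsewhere>).
    if "@" in display and _domain(display) in INTERNAL_DOMAINS:
        return "suspicious"
    return "external"


def triage(raw_messages):
    """Return (subject, category, colour) for each message, ready for a rule or a report."""
    result = []
    for raw in raw_messages:
        category = classify(raw)
        subject = message_from_string(raw).get("Subject", "")
        result.append((subject, category, COLOURS[category]))
    return result


if __name__ == "__main__":
    for subject, category, colour in triage(SAMPLE_MESSAGES):
        print(f"[{colour:6}] {category:17} {subject}")
```

The same checks map onto most clients' rule engines: "sender domain is one of my domains" gives the green band, an explicit allow-list gives blue, and everything else lands in a warning folder. The two "suspicious" rules are the part that a plain domain match misses and are worth keeping even if the colour coding is not available.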
Chuck Brooks | Principal Market Growth Strategist – Cybersecurity & Emerging Technologies | @ChuckDBrooks
At its very core, the practice of cybersecurity is risk management. It requires being vigilant and encompasses identifying gaps, assessing vulnerabilities, mitigating threats and having updated resilience plans to respond to incidents. A working understanding of risk management (and risk exposure) correlated to different arrays of threats and threat actors is a first step. I suggest creating a cybersecurity action list. My Cybersecurity Awareness Month short list includes:
• Know the threats and threat actors and be vigilant; treat everything digital as potential risk.
• Identify all sensitive data and store securely. Consider encryption of that data.
• Adhere to cyber-hygiene best practices to prevent social engineering and phishing attacks.
• Have anti-virus software loaded and active on all systems.
• Ensure that the latest security patches are applied on operating systems and software.
• Do not use public WiFi.
• Use a VPN for general browsing.
Tyler Reguly | Manager, Software Development, Tripwire | @treguly
Password reuse is still a major issue. Not only are people breached due to password reuse, but they are now also being extorted via email scams. These scams are increasing in frequency and popularity. We see emails with a known breached password demanding payment before releasing data about you. This data doesn’t exist, but they attempt to scare you with the known password. If every password is different, you don’t need to be concerned when you see emails like this. If you’ve decided that password reuse is a part of your life, you simply refuse to learn multiple passwords and you won’t use a password manager, it’s unlikely that this write-up will change your mind.
You should, however, be aware that certain financial institutions have language that absolves them of responsibility should an account breach result from password reuse or weak password terms. Additionally, you should, at a minimum, use different passwords for work and home simply to avoid your employer suffering a breach and terminating you as a result of password reuse.
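If you do use a password manager, its export is the easiest place to find the reuse the post warns about. The following is an added example, not code from the post or from Tripwire: it reads a CSV export with `url,username,password` columns (a constructed sample is embedded), groups entries that share a password, and separately reports groups that span both work and personal sites, which is the specific "work versus home" split recommended above. Passwords are compared by SHA-256 fingerprint so the report never has to contain the passwords themselves; the work domain `corp.example` and all credentials are constructed for the example.

```python
"""Find reused passwords in a password-manager CSV export (added example, not from the post)."""
import csv
import hashlib
import io
from collections import defaultdict

WORK_DOMAINS = {"corp.example"}  # assumption: hostnames that belong to your employer

# Constructed sample export; real managers export a similar url,username,password CSV.
SAMPLE_EXPORT = """url,username,password
https://mail.corp.example,alice,Tr0ub4dor&3
https://shop.example,alice@home.example,Tr0ub4dor&3
https://bank.example,alice,correct horse battery staple
https://forum.example,alice_h,Tr0ub4dor&3
https://vpn.corp.example,alice,hunter2hunter2hunter2
"""


def fingerprint(password):
    """Short SHA-256 fingerprint so reports can refer to a password without revealing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def host_of(url):
    """Extract the hostname from a URL without pulling in a full URL parser."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def is_work(url):
    """True if the URL's host is a work domain or a subdomain of one."""
    h = host_of(url)
    return any(h == d or h.endswith("." + d) for d in WORK_DOMAINS)


def find_reuse(export_text):
    """Map fingerprint -> list of URLs for every password used on more than one site."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        groups[fingerprint(row["password"])].append(row["url"])
    return {fp: urls for fp, urls in groups.items() if len(urls) > 1}


def cross_boundary_reuse(export_text):
    """Subset of reuse groups that contain at least one work site and one personal site."""
    return {
        fp: urls
        for fp, urls in find_reuse(export_text).items()
        if any(is_work(u) for u in urls) and not all(is_work(u) for u in urls)
    }


def report(export_text):
    """Human-readable lines describing each reuse group and whether it crosses work/home."""
    crossing = cross_boundary_reuse(export_text)
    lines = []
    for fp, urls in find_reuse(export_text).items():
        tag = "WORK+PERSONAL" if fp in crossing else "reused"
        lines.append(f"{tag}: password {fp} shared by {', '.join(urls)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

Any group tagged WORK+PERSONAL is the one to rotate first: a breach of the personal site hands an attacker a working credential for the employer, which is exactly the scenario the post describes.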
Justin Sherman | Co-Founder & VP of Ethical Tech | @ethicaltechorg
Don’t email work documents to your personal email account. Not only could this be detected by your employer—which could get you in trouble—but this is actually a security concern as well! Your personal device that you later use to open the file will probably have different security standards than your device at work, which means you could risk compromising sensitive information by accessing it on a weakly-protected system. As much as possible, keep your work email for work stuff, and keep your personal email for personal stuff!
Maribeth Pusieski | Regional Account Executive | @mb_pdx
One of my favorite activities is listening to audio books, typically with my wireless headset using the Bluetooth connection to my iPhone. Easy peasy. I get either entertained or educated while taking a walk, doing the dishes or gardening. Sometimes when waiting to meet a friend for dinner or a drink, I may also take a moment to listen to a podcast via Bluetooth, and when my friend walks in, I stop the podcast, but I commonly forget to turn Bluetooth off.
I have come to realize that this is both a device and a personal security issue to be taken seriously.
Leaving Bluetooth on makes the device (think smartphone, laptop, tablet) vulnerable to, well, vulnerabilities that the bad guys might use to create havoc, and it is not just to the private data on the device.
Here is a quick personal story: having a drink alone at my neighborhood bar (feeling very safe since all know me), listening to music while journaling, strike up a conversation with a gentleman from out of town, say goodbye and head home. Get home and I have a ‘text’ from the gentleman that it was a pleasure to meet. The only problem, I did not give him my number, nor did anyone else. So how did he get my number? Pretty sure it was my open Bluetooth. Yes, there are nefarious folks out there that will use open Bluetooth devices to whatever end they want. So be safe and make it a priority to turn OFF Bluetooth whenever you are NOT using it, for not only the health of your private information but also possibly for your personal security.
Stuart Coulson | Manager, Business Engagement, Cyber Security Challenge | @SPCoulson
In our workplaces, we handle information every day. From names, telephone numbers, orders, payment information and other sensitive information, there is just so much that sometimes we forget how important it is. We collect the information and type it into our computers, and behind these systems are technology and people who are working hard to secure it.
When we go home, however, we are still typing information into systems. Think about social media, the shopping sites we use. At home, it is your responsibility to look after your own data. You are your own security officer. So take a moment to think about the devices you use:
• Does it have a good password? —> Try a password manager
• Is it safe? —> Check you are on the latest versions of your software and operating systems
• Is it protected? —> Install antivirus and run it regularly to check your device
• Uninstall the junk? —> If you have apps you never use, uninstall them
One of the more important things is to keep checking all of the above, so set yourself a diary reminder at the start of the month. When you are comfortable doing this regularly, help others who may not be as technical as you, including parents, friends and neighbours. Stay Safe!
Irfahn Khimji | Strategic Account Manager, Tripwire | @TheRealKhimji
“Think before you click.” Whether you are looking at something at home or at work, be sure to think twice before clicking a link in an e-mail or social media message. Ask yourself questions like the following: Do I know who sent this to me? Was I expecting them to send me something? Does the message look like something they would write?
You can always ask the person for verification to ensure that they did, in fact, send you something. Pick up the phone and give them a call; we tend not to talk to people enough these days!
David Shipley | CEO, Beauceron Security | @davidshipley
When in doubt, call it out. If you’re not sure about an e-mail, text, phone call or the behaviour of your devices, ask someone for advice and help. You may have spotted the start of a security issue, and the sooner you can get help, the more likely it is to be contained and dealt with, with minimum impact to you or your organization. We often place too much trust by default in devices and assume layers of technology security that are often not there. The first, best and often last line of defence for an organization isn’t its technology; it is its people.
Ben Layer | Principal Software Engineer, Tripwire | @benlayer
If you transport data to and from the office, be sure to encrypt it, whether it is your entire computer or removable media such as USB flash drives. Drives may be accidentally lost, forgotten in a public place or stolen in a targeted attack. They often contain valuable data which is critical to keep secure. They can hold sensitive personal information or confidential company secrets that could put your employer at risk. All major operating systems including Windows and macOS have methods for easily encrypting entire drives or individual files. Adding encryption to your computer or portable flash drive is a strong step towards keeping your private and confidential information safe from loss or theft.
Stuart Peck | Director, Cyber Security Strategy | @cybersecstu
Trust is an easily exploitable commodity. There is a lot of advice around trying to verify the origin or identity of someone making contact through email, phone or social media. The latter has conditioned society to naturally trust the person trying to connect to us; this is emphasized further through the likes of Twitter. “Trust but verify” is an idea thought by many to solve the issues surrounding social engineering, but when trust is easily manipulated, we need to flip the switch. Verify first, only and always be suspicious, because many attackers find it all too easy to exploit this.