“Every case involving cybercrime that I’ve been involved in, I’ve never found a master criminal sitting somewhere in Russia or Hong Kong or Beijing. It always ends up that somebody at the company did something they weren’t supposed to do. They read an email, [or] went to a website they weren’t supposed to.” Frank Abagnale.
Frank Abagnale, from whom we've borrowed this quote, was the inspiration for Leonardo DiCaprio's character in the film 'Catch Me If You Can'. Frank, an intelligent and capable con man, got the better of a great many people, which, once his career as a con man had finished, made him a prime candidate to be a security consultant.
What he did better than most was turn human nature to his advantage, and that same social engineering is one of the primary weapons attackers use as they try to acquire your sensitive data. With that in mind, we've compiled a list of some of the most effective tricks and pieces of advice we've gathered from conversations with industry professionals and data protection specialists.
Use strong, unique passwords, and change any that may have been exposed
From our discussions with IT specialists and security consultants, the most common complaint levelled against the general public is the widespread use of simple passwords reused across multiple services. Reuse is the more serious of the two problems. When one service you use is breached and its password database leaks, attackers feed those email and password pairs into automated log-in attempts against every other popular service (known as credential stuffing). Compromising one weak or long-forgotten account then hands them potentially the entirety of your data.
Ideally you want one password per log-in, no duplicates. Each should be long (length matters more than a forced mix of capitals, numbers and symbols) and random rather than a word, name or date. Somewhat ironically, you don't actually want passwords you can remember off the top of your head, so let a password manager generate and store them for you. If you won't use one, a notebook hidden away in your home or office is still far better than reuse, provided it stays a physical copy: not a spreadsheet, notes file or email draft.
“Passwords are like toothbrushes. They are best when new, and should never be shared.” Kara Kirschner-Brooks
Our final point on passwords is to change them when there is reason to. Maybe you signed up for a service you haven't used for months with your primary password. Imagine that one largely dormant account being breached, and all of a sudden, from a password lifted out of your streaming account, someone has access to your email or online banking. Notice that this is a reuse problem first: current guidance (NIST SP 800-63B, 2017) recommends changing a password when there is evidence it has been exposed rather than on a fixed schedule, because forced rotation pushes people towards predictable patterns like incrementing a number. Password managers don't rotate passwords for you, but they make every password unique, and most will warn you when a site you use turns up in a known breach, so the change happens where it actually matters.
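To make the credential-stuffing point concrete, here is a short Python example added for this article (it is not code from any of the sources quoted above). The saved logins and the "leaked" record are constructed sample data, not real credentials; the script shows how one leaked pair unlocks every account that shares it, how to spot reuse in a saved-password list, and how a CSPRNG-backed generator produces the kind of unique password a manager would store.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample data standing in for one person's saved logins (not real credentials).
SAVED_LOGINS = [
    ("streaming.example", "alice@example.com", "Summer2018!"),
    ("mail.example",      "alice@example.com", "Summer2018!"),
    ("bank.example",      "alice@example.com", "Summer2018!"),
    ("forum.example",     "alice@example.com", "q7!Lz#9vB2$xT4wR"),
]

# Constructed line from a breach dump of the dormant streaming service.
LEAKED = ("streaming.example", "alice@example.com", "Summer2018!")


def accounts_unlocked_by(leaked, logins):
    """Credential stuffing in miniature: every other site that accepts the leaked pair."""
    leaked_site, email, password = leaked
    return sorted(site for site, e, p in logins
                  if site != leaked_site and e == email and p == password)


def reused_passwords(logins):
    """Group saved logins by password and keep only passwords used on more than one site."""
    sites_by_password = defaultdict(list)
    for site, _, password in logins:
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG; `random.choice` is predictable and must not be used."""
    if length < 12:
        raise ValueError("too short to resist offline guessing")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def unique_replacements(logins):
    """What a password manager does for you: a fresh random password for every site."""
    return {site: generate_password() for site, _, _ in logins}


if __name__ == "__main__":
    print("leaked pair also opens:", accounts_unlocked_by(LEAKED, SAVED_LOGINS))
    print("reused passwords:", reused_passwords(SAVED_LOGINS))
    print(f"20-char random password has ~{entropy_bits(20):.0f} bits of entropy")
    for site, pw in unique_replacements(SAVED_LOGINS).items():
        print(f"  {site}: {pw}")
```

The replacement passwords are deliberately not memorable; they are meant to live in a password manager, which is also where a breach alert for streaming.example would tell you exactly which single password to change.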
“Turn on all security features like two-factor authentication. People who do that generally don't get hacked. Don't care? You will when you get hacked. Do the same for your email and other social services, too.” –Robert Scoble, former Microsoft employee and tech author.
You know that code you sometimes receive when you log in to online banking? That's 2FA (two-factor authentication), and you're going to find it an ever more prevalent part of the digital landscape as we move further into the 21st century. Two-factor authentication is one of the most effective means for a service provider, like your bank, to make sure you are who you say you are when logging in: the password alone is no longer enough, because the attacker also needs the code that only your device can produce. One caveat: a code sent by SMS is the weakest form, since phone numbers can be hijacked (SIM swapping) and messages intercepted. Where a service offers an authenticator app or a hardware security key, pick that over SMS.
Moving into 2019, more and more service providers are set to offer two-factor authentication, and many already do in their security preferences, so check each of your providers to see whether they offer it now or plan to. If not, consider moving your account to a provider that takes the need for two-factor authentication seriously.
Biometrics, using your phone's camera or fingerprint scanner, are already speeding up adoption and improving the user experience of 2FA, typically by unlocking the authenticator on your phone. It's also worth a quick look at the security preferences of the high-priority software and applications you already use, to see whether the two-factor setting has been sitting switched off all this time.
Keep your software up-to-date
“Software updates often fix security problems, so download updates as soon as they become available.” – California Small Business Development Center
Ever clicked "Remind me tomorrow" on that painfully persistent software update that pops up like clockwork when you log in? Well, it's time to stop. As the California SBDC says in the quote above, newly identified flaws, security loopholes and other at-risk features of a piece of software are 'patched' by updates released by the software's publisher. Once a patch is public, attackers study it to work out what it fixed, so the window between a patch being released and exploits appearing for the unpatched version can be days or weeks.
This is why an essential part of keeping yourself safe online is keeping both your private and your company's devices, routers, software, applications and operating systems on the latest versions, which include the latest security patches. Turn on automatic updates wherever they are offered, and keep a simple inventory so that nothing is forgotten; routers and other network equipment are the usual blind spot. Consultants frequently tell businesses that have been compromised that they were running an outdated version of some software, and that the flaw which ultimately exposed their data had already been fixed in the latest update.
As Norton publishes on their website, "It's a common pitfall for many small businesses to delay software updates, but outdated software, operating systems and applications can have security vulnerabilities that can be exploited, leaving many small businesses open to cyber attacks."
Backup your files
This is something you'll want to take heed of now, before it's too late. And for those of you reading who may have underestimated the importance of backing up your files, we're sorry for your loss. Wide-scale data corruption, theft and ransomware attacks, where the files stored on your system are encrypted and held inaccessible until a ransom is paid, are becoming more prevalent. In May 2017 we saw what was reported as the largest ransomware attack in history, when the 'WannaCry' worm hit more than 200,000 Windows computers in over 150 countries. It spread through a flaw in Windows file sharing (MS17-010) that Microsoft had patched two months earlier, which is exactly why the previous point matters.
Among those victims, essential services such as NHS hospitals in the UK were severely disrupted and lost access to their data. The best and most effective protection against ransomware is to have all your files backed up, with at least one copy kept offline or otherwise out of reach of a compromised machine (ransomware encrypts any backup it can see, including mapped network drives), and to have actually tested that you can restore from it.
If you're holding personally sensitive information about your clients, such as dates of birth, addresses, phone numbers, even email addresses, you'll need to assure your customers that their data is in the safest hands possible. To make that promise, you'll need to back that data up frequently and encrypt the backups, so that even if a copy were stolen the data would be unreadable to an attacker. Scott Hanselman has written a great blog post on this, and introduces his "backup rule of three" early on in the piece: three copies of your data, on two different kinds of media, with one kept off site. Depending on your industry and jurisdiction, there are more than likely legal obligations on you to protect such data (the GDPR, for instance, names encryption as an example of an appropriate technical measure), so do your due diligence, for the sake of yourself, your customers and your business.
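The step people most often skip is checking that a backup can actually be restored intact. The following Python script is an example added for this article, not code from Scott Hanselman's post or any backup product; it works on a constructed set of sample files in a temporary directory. It takes a backup with a SHA-256 manifest, simulates ransomware overwriting a live file, detects the damage against the manifest, restores from the archive and verifies the restored copy. Encrypting the archive for off-site storage is left to whatever tool you use for that (gpg, age, or the backup service's own encryption); the point here is the integrity check and the restore test.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_hashes(root: Path) -> dict:
    """Manifest: relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, dest_dir: Path) -> tuple:
    """Archive source into dest_dir and write the manifest beside it (store both off the live machine)."""
    manifest = file_hashes(source)
    archive = dest_dir / "backup.tar"
    with tarfile.open(archive, "w") as tar:
        tar.add(source, arcname="data")
    lines = [f"{digest}  {name}" for name, digest in manifest.items()]
    (dest_dir / "backup.sha256").write_text("\n".join(lines) + "\n")
    return archive, manifest


def tampered_files(root: Path, manifest: dict) -> list:
    """Files that are missing or whose contents no longer match the manifest."""
    return sorted(name for name, digest in manifest.items()
                  if not (root / name).is_file() or sha256_of(root / name) != digest)


def restore(archive: Path, target: Path) -> Path:
    """Extract the archive, refusing entries that would escape target (a classic tar pitfall)."""
    with tarfile.open(archive) as tar:
        if hasattr(tarfile, "data_filter"):          # Python 3.12+ (and backports) have safe filters
            tar.extractall(target, filter="data")
        else:                                         # older interpreters: reject absolute or '..' paths
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(target)
    return target / "data"


def build_sample_data(root: Path) -> None:
    """Constructed stand-in for a small business's files (not real customer data)."""
    (root / "customers").mkdir(parents=True)
    (root / "customers" / "list.csv").write_text("name,dob,email\nA. Example,1980-01-01,a@example.com\n")
    (root / "notes.txt").write_text("quarterly figures\n")


def demo() -> tuple:
    """Back up, simulate ransomware on the live copy, detect it, restore, verify the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, backups, recovered = tmp / "live", tmp / "backups", tmp / "recovered"
        for d in (live, backups, recovered):
            d.mkdir()
        build_sample_data(live)
        archive, manifest = make_backup(live, backups)
        # Simulated ransomware: a live file is overwritten with ciphertext-like junk. The backup
        # survives only because it sits somewhere the malware cannot write to.
        (live / "notes.txt").write_bytes(os.urandom(64))
        damaged = tampered_files(live, manifest)
        restored_root = restore(archive, recovered)
        still_bad = tampered_files(restored_root, manifest)
        return damaged, still_bad


if __name__ == "__main__":
    damaged, still_bad = demo()
    print("files damaged on the live machine:", damaged)
    print("files still wrong after restore:", still_bad)
```

Run the restore drill on a schedule, not just once: a backup job that silently started failing months ago looks identical to a working one until the day you need it.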
Get your Employees Involved
“Small businesses should invest in educating employees so they become your best line of defence against cyber attacks, not your weakest link.”
The lessons and tips we've listed above are all but useless if you're part of a team that isn't working together towards a common goal. Putting aside your company's mission statement for a moment, if the leadership team makes cyber security a top priority, the rest of the team needs to follow their lead: improve their understanding of online security risks, update their software, refresh exposed passwords, be wary of email attachments and links, and a million more things besides, such is the potential danger of operating online.
Ultimately, their livelihoods are at risk if there were to be a data breach. Beyond the immediate risk to their own data if an account is compromised, if the company as a whole is hit, the resulting loss of customer trust could prove the end of that business. As Norton's experts have written, "Since small businesses have few resources, all employees should be vigilant and know how to spot phishing scams, ransomware attacks and be aware of which sites they can visit on their work devices."
That's where we step in. Implementing an information security management system (ISMS) to the ISO 27001 standard could be one of the most fruitful investments you make in your business. We'll spare you the sales pitch for now, but everything we're trying to drive home in this final point, getting your staff involved and thinking in terms of security, is essentially the aim, indeed a requirement, of ISO 27001. It's a fine tightrope to walk, but a system like ISO 27001 could give you the balance you need to navigate the dangerous, frequently changing digital landscape you're doing business in. To take a closer look at ISO 27001 you can complete a checklist here.