Phishing, hacking and cracking, oh my! Security threats to our computing devices, networks, web sites and accounts seem overwhelming in their frequency and complexity. There are though, some simple protective practices everyone can adopt to diffuse some of the most common cyber security threats.
One of the most important steps is to keep the threat of a security breach in perspective.
“There is no doubt that cyber security is an issue that is increasing in importance, but it’s important to remember there are many reasons why people are attacking and some of those reasons are just innocuous,” says Sean Stephens, the CEO of Treefrog, a Canadian digital transformation agency. “One day last winter I forgot to lock my car door and, when I went out, there was a homeless person sitting in there trying to keep warm. I could have, and should have, protected myself, but it is also important to remember no harm was done. Someone just found an opportunity to get what they needed.”
Most individuals and small businesses do need to take extra care over their security precautions, and they need to do it all the time.
That was the message Stephens gave the MBEC community during his webinar Hackers Beware in April.
“There are some basic things everyone has to learn in order to deal with most security issues,” Stephens said in a telephone interview. “More importantly, everyone in the whole company needs to be aware of these basics and commit to applying them consistently and constantly.”
The first basic to cyber security is showing adequate password care.
“It’s amazing how many people are still using the same PIN from when they first got a bank card in the 80s,” says Stephens. “There are lots of ways to steal a PIN. An infrared camera, which costs about $30, can reveal a PIN within 30 seconds of when the last customer punched in their numbers just from the heat left on the keys from their fingers.”
The fix? Change passwords regularly, make sure they are strong and use a different one for each account. A word, or a word with a character exchanged with a number or symbol create passwords that are easily crackable and, especially if you use duplicate passwords, can be easily pwned as a result of earlier data beaches.
To check if your commonly used passwords have been pwned, Stephens recommends checking the web site haveIbeenpwned.com.
“It is essential to use different passwords for different things,” Stephens warns. “That used to be easy to remember when we only had 20 accounts per person, but now we’re up to 900 and it’s impossible for anyone to remember all their passwords. The simplest thing is to use a password vault manager to remember your passwords for you, then you only need to remember that one master password.”
File and data care
These three parts of data maintenance and file care work together to keep your IT systems safe.
Make backups of your data and documentation, keep it clean of viruses and don’t keep data you don’t need.
“Making backups is the common sense advice that most people ignore even though this is stuff that is not wrong!” Stephens said. “I recommend having three backups stored in different places that are accessible to different people in the organization. You need a central back up on your server, a backup stored on a cloud and a backup on a local device. If you have those three backups, then you are pretty well set up.”
While you are securing your back up system, organizations also need to ensure they have a modern virus tool that is always up to date.
“Part of having a file back up and data maintenance routine is ensuring your systems are safe from viruses and not introducing anything that could cause harm,” says Stephens. “One easy hacker trick is to buy cheap USB drives and put them at bus stops where people will find them, get curious and plug them into their device where they will introduce a hack while bypassing all physical security.”
The final part of data maintenance and file care is preventative. The easiest way to protect your customers’ privacy and data integrity is not to keep data you don’t need to keep.
“Bank, for example, have to check their customers’ drivers’ licenses or passports in order to verify their identities,” Stephens said. “It’s become routine for them to make a photocopy of that ID and keep it in a filing cabinet. And yet, once identity has been verified, there is no reason for the bank to keep that information. It becomes data they need to protect from possible security breaches. The easiest way to protect that data is not to keep it.”
Transaction validation care
Financial transactions are the one area every employee needs to be trained to deal with according to company-wide practices. Two step verification has to be the order of the day. Never send money in response to a request, even from a known source, until you have validated it by voice or by another agreed upon method.
“It needs to be made clear to everyone that leaders in the organization will never reveal or request anything to do with money without personality validating it by voice,” said Stephens. “Teach your people that they are never going to get an email that comes from a sense of urgency that is asking for something from them that involves money. Transferring information, bank account information or payments should never be done using one method or using one tech. You should always get sensitive information in two ways, or via two-step verification.”
The necessity of creating a transaction validation system is not limited to businesses. We’ve all heard of people being duped by CRA scams that demand payment of back taxes by telephone or email with threats of imminent arrest.
“We live in a time when even smart people can be duped,” Stephens said. “But taking that extra care to validate information you get, even if it appears to be from a known source, can save everyone a lot of problems down the road.”
That extra care, whether it is care for password strength, care for data and files, or care for validation systems, is the basis of protection from threats to cyber security. Hackers beware, of care.
The Mississauga Business Enterprise Centre (MBEC) is your central source for small business information, resources and guidance. If you have a small business related question, please review our frequently asked questions, steps to starting a small business, or ask a question. Our team of small business experts are available to assist.
To learn more and register for our upcoming webinars and events, please visit mississauga.ca/smallbusinesstraining