The Simple Things Everyone Ignores About Cyber Security
Keep yourself and your business safer with just a few basic strategies
While it’s impossible to be 100% secure online, the reality of cybercrime is much like physical crime: Most thieves are opportunists, and you can avoid a huge amount of vulnerability with very little effort. This article will cover several simple and easy actions you can take to protect yourself and/or your business.
“Skeleton Keys”
The analogy of account passwords to physical keys isn’t exactly a stretch. Common password managers call themselves “keychains,” and we often see key or lock related graphics associated with digital authentication. But nearly everyone misses some of the most important insights from this comparison, with devastating results for security.
A hundred years ago, physical lock and key mechanisms were simpler than the ones we use today. The term ‘skeleton key’ referred to a key design that could open entire classes of lock mechanisms, so with just a couple keys you could access all kinds of secured doors, desks, and drawers. Unfortunately, the same problem now exists for passwords. Even though we’re all beautiful and unique individuals, the data doesn’t lie: we all use the same passwords. Over and over. For nearly all accounts. Over the years of data breaches, hackers have compiled lists that comprise just about every common password there is. Each of these common passwords is like a skeleton key- and thanks to advanced processing power, hackers can try thousands every second to attempt to access your account. This happens all the time. Maybe it’s comparatively harmless, like someone watching your Netflix account without your knowledge, but often bad actors use these techniques to steal cryptocurrency, financial information, or introduce malware and ransomware onto a network.
Luckily, the fix is simple and easy: use randomly-generated passwords and use a service that notifies you if your password is found in data breach (no, not credit monitoring or an email-notification service like Have I Been Pwned- a real password monitoring service that monitors credentials).
Most people will probably never do this- and while this creates job security for those of us in cybersec, it also sadly means that criminal activity large and small will remain pretty rampant. It’s not ‘if’, it’s ‘when’ you will be impacted by this problem..but you can vastly, vastly reduce the risk right now: change all your passwords to unique, randomly generated ones. Yes, it’s less convenient. But we don’t seem to mind having individual keys for our physical property- you don’t use the same key for your house, car, and bike lock. And no one else uses the same keys you have for their locks. Get used to good password habits, and soon you won’t even notice.
“Safety Deposit Boxes”
With everything moving online, bank-based safety deposit boxes are starting to sound like something from a previous generation. But if you have one, or remember seeing a parent or relative use one, you’ll know that each has two keys. One that the customer retains, and one that the bank teller has. When you wish to access your property, the bank teller verifies your ID, and accompanies you to open the box, each with your own key. So even if your key is stolen, the thief cannot simply walk in and access your property — they would be foiled when they could not present matching ID to the teller. This is a physical example of Multi-Factor Authentication (MFA). The online version typically involves sending a single-use code to your cell phone or email account at the time of login that you must verify as well. (Text-based and email-based methods can be compromised as well- there are popular tools sold to hackers and scammers for just this purpose. Using an app-based method is more secure). This extra step is, of course, slightly less convenient. But it also stops any hacker with your password in their tracks. Even if you use strong, unique passwords, they can still be stolen if you, say, download an attachment from a phishing email and get infected with certain kinds of malware. These ‘stealers’ are becoming more and more common, with some degenerate spacewasters even using COVID as a pretense to get you to install the malware. If this happened to you, MFA would likely keep you secure and at least provide enough time to change your password without your account becoming compromised.
“Hello, Please Come In”
Of course, you don’t need a key at all if someone opens the door for you (or breaks a window while you’re gone). Another major source of cybercrime opportunities comes from “phishing”, where a hacker contacts you pretending to be a legitimate company or contact, often leveraging publicly available information about you to seem believable. These can be a bit tougher to recognize and avoid. The hard truth is that the internet is a dangerous place these days, and we have to be more alert than we wish. Walking the line between vigilance and paranoia is an imperfect science though, and even the best of us can fall victim to dedicated enough hackers. There’s a few things you can do to mitigate the risk here though. First, keep all your software up to date (and use an advanced, modern email service like Gmail that provides good spam filtering). Outdated software is like valuables left in a car downtown — temptation for criminals. If someone’s internet scan picks up that you’re running an outdated version of Windows, it makes you a more likely target, not to mention more vulnerable.
Second, use an antivirus service. I like Avast, but there’s plenty of options out there. Antivirus software can often prevent infections from happening by blocking some kinds of nefarious code from being executed in your browser if you land on an infected site, and by scanning downloaded files. Despite what we see on TV shows, malware doesn’t typically draw attention to itself- it just steals data or uses your computer for its own purpose. Scanning your files can help you prevent an infection, and diagnose one if it occurs.
Third, make frequent backups. Ransomware is getting more and more popular- and this one is like you see on TV. Ransomware locks your computer with a melodramatic ransom screen and demands cryptocurrency if you want to regain access to your files. Some just delete everything regardless of whether payment is made, so it’s much better to just make daily backups, and you can simply wipe your drive and restore from the previous day if you get attacked with ransomware. It’s also a good idea in order to guard against the less-sensational-but-still-debilitating drive failure.
The Game Plan
To recap, here’s the list of basic things you can do to improve your security posture.
1. Use strong (long, randomly generated, unique) passwords.
2. Enable Multi-factor authentication on every service/website that offers it.
3. Use antivirus software.
4. Back up your data (on cloud or physical drives).
If everybody did these little things, I’d probably be out of a job. But so would a lot of cybercriminals. Don’t end up wishing you had done these as you try to salvage a credit rating destroyed by identity theft, or wrestle with the IRS about fraudulent tax returns, or sit around bored because someone took over your Netflix account.
