From time to time, I give seminars called Cybersecurity in the Real World that provide attendees with steps to improve their personal cybersecurity. But the tactics I teach apply to businesses as well, and are a great starter set for businesses trying to improve their cyber security management.
Step 1: Stay Up to Date
Keep your computer and operating system software up-to-date. Do the same with your phone and anything else that connects to the internet. If you are an Intrust client, we do it for you.
For your home computer, consider software like SUMo. It’s free, and it will keep all your apps updated by telling you what is out of date.
Updating is essential because updates often plug known security gaps.
Step 2: Use Endpoint Security Software
An endpoint is any device used to access your network, including phones, tablets, desktop computers, laptops, Internet of Things devices (“smart” TVs, locks, doorbells, thermostats, etc.) and even servers. Endpoint security software, also known as antivirus or anti-malware software, monitors each endpoint for malware and unusual behavior, allows updates to be pushed to them remotely and more.
If you are an Intrust client, this is one issue that you can take off your worry list. Intrust uses the SentinelOne Singularity Platform for endpoint security, which, as of 2019, is one of Gartner’s Visionaries for endpoint protection. Unfortunately, it’s not available for home computers at this time. Gartner has identified Microsoft Defender, the free endpoint protection software that comes with Windows, as a Leader in this space. Other good alternatives for home computers are Sophos, Webroot and Trend Micro. Ensure that you have endpoint protection and that it is receiving updates from the vendor regularly.
Step 3: Screen for Phishing Emails
Criminals are innovative and sneaky. They constantly find new ways to compromise your data. One of those ways is for them to go phishing.
Phishing emails are targeting small businesses. The old saying “Do not judge a book by its cover” applies to emails… but is more like “Do not click on a link that looks like it’s a company you do business with without checking it out.”
Email links and phone numbers
The simplest way to check whether the email is legitimate is to type in the URL of the company that sent it yourself (NOT clicking on the link in the email or typing in a URL given in the email). Once logged in to the site, go to your notifications. If the email is legit, you will have a message there with the same offer or information as the email.
You can also hover over the link and read the URL. You might see something suspicious in the link URL, like “.ru” for Russia. Or, you can roll over the FROM field to see whether the email was sent from an unexpected address, such as one with a personal name in it (e.g., email@example.com) or a misspelling in the domain name (firstname.lastname@example.org). If anything looks odd, it is NOT from Amazon or PayPal or one of the other websites you traditionally use.
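The hover check described above can also be automated. The following is an added example, not part of the original article: it compares each link's visible text with the domain it actually points to and flags near-misspellings of domains you trust. The `TRUSTED` list, the sample email and every `.example`/`.test` domain are constructed for illustration, and the 0.85 similarity threshold is an assumption.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: TRUSTED is your own list; every domain below is constructed.
TRUSTED = ("mybank.example", "shop.example")
SAMPLE = """<a href="http://mybamk.example/login">www.mybank.example</a>
<a href="https://mybank.example.verify-login.test/signin">Review your statement</a>
<a href="https://www.shop.example/orders">shop.example</a>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    # Naive: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(href, text):
    """Return reasons a link deserves a second look (empty list: none found)."""
    host = urlsplit(href).hostname or ""
    dest, reasons = base_domain(host), []
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if shown and base_domain(shown.group(0)) != dest:  # text vs. destination
        reasons.append(f"text shows {shown.group(0)} but link goes to {host}")
    for good in (TRUSTED if dest not in TRUSTED else ()):
        # Near-misspelling of a trusted domain, or its name buried in the host.
        if SequenceMatcher(None, dest, good).ratio() >= 0.85 or good.split(".")[0] in host:
            reasons.append(f"{host} imitates {good}")
    return reasons

def review_email(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

Calling `review_email(SAMPLE)` returns the reasons per link; an empty list means only that these two checks found nothing, not that the email is safe.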
The best option with a suspicious email is to simply pick up the phone and call the company using a phone number you’ve used before (NOT one that’s in the email).
Money transfers/gift cards
Use common sense. If you get an email from someone in your company that tells you your boss wants to give out gift cards at an event, verify it in person or by phone with your boss. It is very likely a hoax.
The same goes for an email on your home account that makes you think there has been some sort of breach of your email account and asks you to help corral the theft ring by buying gift cards and then giving them the PIN. If it sounds fishy, it is phishy!
Word document phishing
Sometimes you’ll get an email from what looks like one of the companies you do business with, or even from a friend, that will have an attachment such as a Word, Excel or PDF file in it. Attachments can contain macros (think programs that run when the document is opened) that can infect your device with any number of nefarious things such as viruses, ransomware or keystroke loggers. DO NOT EVER ALLOW A FILE TO RUN A MACRO! By allowing a macro to run, you may be allowing an attacker to encrypt your data and hold it for ransom.
Be suspicious of every email, texts too. Before you share sensitive personal information or financial information, verify the authenticity and legitimacy of the request by a secondary means such as calling the sender by phone or talking in person.
Step 4: Be Suspicious of Hacker Emails
You get an email that says you’ve been hacked and the writer is blackmailing you by saying if you don’t pay, they will send embarrassing emails to your entire address book. You know those embarrassing emails are fake but maybe not everyone in your address book will.
Also make sure that your email address is not located anywhere on the internet. If it is, change your email address and don’t publish it again. Also don’t use your business email on LinkedIn. Hackers will not only be able to get info on you, they will be able to use it to send phishing emails to you that you think are coming from your boss or best friend or someone else in your circle.
You can check to see if your email has been hacked by going to https://haveibeenpwned.com. Type in your email address to see if it has been part of a publicized hack. If the attack was never publicized, it won’t be on this site, but it’s at least a partial check.
Step 5: Practice Password Protection
The tendency with passwords is to make them easy for you to remember and even reuse them on multiple sites. That’s what criminals count on. If they find any of your passwords, it will allow them to access one or multiple accounts. Make it hard for hackers and easy for you with a password protection manager.
There are very reliable password managers that we recommend. They will work on all your devices and will synchronize across them while encrypting and protecting your passwords. Most offer free and business or enterprise versions. The top few are:
With or without a password manager, it is important to USE A DIFFERENT PASSWORD FOR EVERY ACCOUNT YOU HAVE and change them frequently. LastPass and others can create strong, unique passwords automatically for you and prompt you to change them.
Once you get a password manager (or use your existing one), make sure you can sign into any of your sites using multi-factor authentication (MFA) or two-factor authentication (2FA). This is the tool that requires you to provide an additional code when you sign in from a new device or after a long time away. For more information, check out our Multi-Factor Authentication Guide.
Step 6: Keep Personal Information Personal
Lastly but definitely not leastly, keep your personal identification information (PII) and your personal health information (PHI) safe.
If you have any PII on your computer (either for yourself or others) and you need to send an email to someone with that information, ENCRYPT IT! Do not ever send any ID info over the internet without encryption. Also, look for the https:// in URLs. Don’t fill out any forms on sites that don’t have this security layer.
Have you already mastered these cyber security management tips? Looking for a few more challenges? Check out our free e-book: 14 Non-Technical Things You Can Do Today to Protect Your Business from Cyber Crime.
Watch each video and make simple, everyday changes that will help reduce your risks of hacks, breaches and cyber attacks.