This blog is the first in a series of cyber security insights for National Cyber Security Awareness Month, recognized each October. In this first blog, MediSked Cyber Security Network Engineer Luke Franzelas provides a few tips for staying Cyber Smart – both at work and in your personal life.
During my Army stint in the 1990s, I supported some important military communications. As a result, I became familiar with security in its many forms. There were security guards that checked your access to the building. Access badges ensured you only got into the rooms that were needed to do your job. Too many technical manuals talked about the maintenance of door seals that helped prevent radio frequency from leaking from the building. There were rules about how far cabling for classified circuits needed to be away from unclassified circuits, and hours spent changing encryption keys daily. Background checks happened regularly to ensure that individual soldiers hadn’t been compromised. The site sergeants would do practice runs to see if we were allowing tailgaters or being savvy about shoulder surfing. “Cyber Smartness” was drilled into all the soldiers by actual Drill Sergeants.
Those same Drill Sergeants, however, made all the soldiers stencil their full name and Social Security Number on their army-issued duffle bags, then expected us to walk through airports with the bag. It was like a billboard advertisement for identity theft. So even in an environment full of rules that came from the top down, there were still security issues. Ultimately, none of the security worked without every team and individual being vigilant and providing feedback about any observed concerns.
At first, being cyber smart off the clock was relatively easy. The only electronic devices I owned besides a computer were a microwave oven, a CRT television, and a landline phone. Fast forward to 2021 and everyone has multiple computers – from laptops to tablets – in addition to smartphones, watches, and TVs. Likewise, today’s attacks can seem so much more complex than a little shoulder surfing or a ping-based denial of service. Today, everyone also has valuable information accessible on the Internet. All the same security controls still apply three decades later and it’s not just the cloud company and its employees that need to be on top of them. You, the end-user, still need to take your own precautions any time you store or access information digitally, both for work AND personal use.
Being Cyber Smart may seem like a whole bunch of effort. However, it is far easier than finding a new job because the last company’s reputation was crushed by a lack of security smartness on the part of a handful of employees, or even just one. It also requires less effort than cleaning up fraudulent credit card charges or rebuilding a machine that has been infected with ransomware.
Here are a few Cyber Smart things you can do to keep yourself and your company safe:
1. Use Strong Passwords, Limit Reuse, and Never Share Them
As long as passwords are required, what you make them, how you use them, and where you store them matters. Password strength and safety are the lowest hanging fruit for both someone being Cyber Smart and someone trying to take advantage of someone who isn’t making that effort.
- Create the longest passwords a system supports (at least 15 characters is best) – long passwords are harder to break than short, complex ones.
- Use unique passwords everywhere – reusing passwords dramatically increases the probability that your password will be compromised.
- Use a password vault to store passwords instead of a sticky note or a text file on your desktop – these tools make it much easier to manage unique passwords for all your accounts.
The information security-based comic strip XKCD has the best example for making strong passwords that are easy to remember so you don’t have to write it down on a sticky note or put it in a text file on your desktop. XKCD also has a funny but pertinent explanation as to why passwords shouldn’t be reused.
2. Enable Multi-Factor Authentication (MFA) Everywhere
Typically, strong authentication requires something you know (typically a password), plus something you have (authenticator app) or something you are (biometrics such as fingerprint or face ID). Get an app on your smartphone like Google’s Authenticator or Microsoft Authenticator and enable Multi-Factor Authentication (MFA) with every Internet service you use. Bank accounts are the most critical, but you should also do this with other accounts (e.g., social media). If there are cloud/software services you are using in your job that don’t require MFA, ask your corporate Security Team if it can be enabled.
3. Patch, Patch, Patch!
This is probably the biggest drag. Automatic Operating System checks and corporate policies always seem to hit five minutes before a big meeting or just as you’re about to log into a first-person shooter tournament with friends. It’s so easy to get the device to ask again later and then forget until the next day. It’s very easy to rinse and repeat that daily and become several patches behind. Make the effort to log in early and run checks or perform the corporate policy-required restart of OS, web browsers, etc.
Also, the Operating System and web browser aren’t the only attack vectors that require patching. Any piece of software you install on your device can become a weak link. Any supporting libraries, frameworks, etc. could also become vulnerable. Take an inventory of your software and schedule time to check that all updates are installed and required reboots are completed. Subscribe to security alerts and advisories for that software.
4. Stay Informed
Read security announcements at work. Consider subscribing to newsletters or visiting websites frequently that tailor news to cyber security events and concerns. Most antivirus companies will have helpful websites (i.e. Sophos) but there are some other locations (i.e. The Hacker News or Bleeping Computer) that can be both helpful and informative. Additionally, law enforcement sites like the FBI’s What We Investigate can give you an idea of cybercrimes that are being prosecuted.
5. Ask Questions
If you are unsure about something, reach out to your Cyber Security team at work and ask—they will happily point you in the right direction. If you think you have identified a security concern, report it to your Cyber Security team. Those responsible for corporate security would rather do the preventative work of answering questions and risk assessments than tackle incident responses. Don’t have a cyber security team at home? Newsletters, software alerts, and search engines are your friend!
Even high-security environments have security concerns that need addressing. Security requires everyone from the top-down and from the bottom-up to actively participate to achieve security goals. We should all work at making a habit of being cyber smart at all times. Just remember the important things you can do to be cyber smart in the workplace and are the same things that will protect you, your data, and your family at home.