By Jonathan Couch, SVP of Strategy at ThreatQuotient.
This month marks the 17th year of Cyber Security Awareness Month, which focuses on helping provide individuals with resources they need to stay safer and more secure online. The COVID crisis brings added cybersecurity challenges, particularly on the “home front,” but also more opportunities for those of us who are security professionals to help raise awareness and share our expertise.
With more people working and learning online, the attack surface for threat actors has grown significantly. Not only can they compromise systems at home, but they can use these devices to infiltrate the networks of organisations and school districts to commit cybercrime and wreak havoc. What’s more, everyone is using new applications on their laptops and phones – many of which haven’t been vetted and sanctioned by IT departments.
Organisations can’t protect individuals working “off platform” (i.e., using personal systems not provided by work). And although some students are working on laptops provided by school districts, others access school tools using family members’ devices. Because everything is virtual, they’re using learning and collaboration tools, like Canvas and Zoom, for the first time and engaging with teachers in new ways – over email and text. Clearly, the opportunities for threat actors to cause disruptions and profit have never been greater.
Most of you reading this blog are cybersecurity practitioners. Over the last few months, you’ve quickly pivoted to support your organisation’s move to a distributed work environment, and you’ve gained even more valuable knowledge in the process. You can help bridge the security gap we’re facing between professional and personal since public resources are stretched thin to focus on productivity and learning. Let’s extend the knowledge we take for granted to family and friends and help empower them to do their part to stay more secure in this unprecedented time.
I’ve been doing this at home and with others close to me, and here are five “back to basics” security tips I’ve found especially useful to share.
1. Strengthen passwords.Simple passwords are easy for hackers to crack, and password reuse opens the door for them to compromise additional accounts and access your confidential information. Create long and unique passphrases for each account and use multifactor authentication (MFA) wherever possible. If this starts to get cumbersome and hard to keep track of, use password managers to generate and remember different, complex passwords for each of your accounts.
2. Update applications and systems.Technology vendors are doing their best to keep users safe, issuing patches and updates regularly. Stay current with these security settings by turning on automatic application updates when available. For example, with Apple, Microsoft, and Google Chrome, shutdown systems every night and enable updates when prompted. For other applications, like Zoom, which identified security problems early on and issued fixes quickly, be sure to update the client version to take advantage of the latest security updates.
3. Update phones and download apps from official stores. Accept the automatic system updates when prompted and keep phones plugged in and turned on at night to process updates during less busy times. Be savvy about sources that provide apps for download. Google and Apple vet applications and ensure they meet privacy and security requirements, so stick to apps and games available in these stores instead of downloading them from sites you don’t know, trust or haven’t interacted with before.
4. Use hotspots with caution. Be wary of and ask questions about hot spots, even on school property. Most attacks that use hot spots take advantage of their misconfigurations. How well are these hot spots configured and managed? Are they monitored? Are they tied into the backend school network, making them even more attractive targets for hackers? To reduce your exposure, limit the activities you engage in while using a hotspot, and completely log out when you’re done.
5. Be alert to phishing and ransomware. Adversaries have not shown any kind of sympathy to school districts or kids. In fact, the FBI released a security alertwarning K-12 schools about the increased risk of ransomware attacks during the COVID crisis. Remind family and friends to think before they click. Hover over links to see if they resemble legitimate addresses and watch for spelling and grammatical errors and generic greetings, indicating the email is malicious. If in doubt as to the legitimacy of an email, delete it.
A final word of advice as you help to raise awareness. Although these tips are simple and second nature to cybersecurity practitioners, trying to explain them all at once and get a family member or friend to absorb and adopt them is far from simple. I’ve found it can be more effective to share one tip at a time, keep communication lines open, and have constant conversations. And if you have kids, check in with them frequently, monitor any changes to their systems and train them to protect themselves better – don’t just do it for them.
Take this opportunity to help family and friends become more security savvy. Believe me, you’ll be glad you did.