Blog by Taylor Hall, Steel Root
The Department of Homeland Security, via the National Cyber Awareness System (NCAS), recently released a report on the extent to which malicious actors are turning concern over the COVID-19 virus into opportunities to steal user data. The report details four classifications of attack that are most commonly seen:
- Malware distribution
- Registering COVID-related web sites
- Targeted attacks against newly deployed remote access machines
Businesses are doing everything they can to keep the walls shored up and the doors shut against digital threats, but so much of what can be done lies in the hands of you – the individual. Our access routes to company systems are what hackers are looking to co-opt, so we must be the champions of security for our organizations. Below are some tips that will help you carry the banner of digital security for your company.
1 – Verify the integrity of your security software
Windows Defender is not always enough, and unfortunately gone are the days when Apple devices were safe from digital threats. Forbes reported earlier this year that “Mac threats outpace Microsoft Windows by 2 to 1.” Check with your IT department to learn your current security policy, and then own the smooth operation of it by keeping both your computer and this software up to date.
2 – Reboot your computer often
Most software installs and updates require a reboot so they can write to system files without messing things up during active use. Downloading a security update for your devices or anti-virus software does not afford you the new protections until this reboot is complete.
3 – Lock down your workstation
Email, file shares, and communication platforms: these are things you can’t do your job without, but they are also the avenues hackers can use to step in and impersonate you. A champion of security cannot allow themselves to be used as the route in for their coworkers’ data being phished or compromised.
Protecting yourself includes configuring screen saver timers, making sure your work computer requires a password on wake, and taking regular stock of the space around you when you are not actively accessing company resources.
A lot of us are working from home for the first time, as our roles have not necessitated it up till this year. Even allowing family or friends to view or access information on your work computer could be a breach of contract and NDA depending on your work environment and the nature of your work.
In the words of J.R.R. Tolkien, “Keep it Secret. Keep it Safe.”
4 – Two-Factor / Multi-Factor Authentication
Passwords are easier to crack than ever before, and with each advance in technology they become harder to obscure. Because of this, you should be aiming for a password with a length of at least 13 characters, peppered with symbols and letters which do not match dictionary words. Change the password of all your work accounts on the schedule set by your IT department, and, if allowed, use a password keeper to minimize the number of passwords you have to memorize.
Other keys can be added to protect your accounts, usually something you know, something you have, or something you are. Multi-Factor Authentication (MFA) is the integration of these keys so that you must provide more than your work email address and password to access company resources.
The most common of these is a text or app-based code that is sent directly to you, one which expires soon after creation. This way, an actor would need both your account credentials and phone to impersonate you. Please speak to your IT department to learn which internal resources are eligible for MFA protection.
5 – Eyes up, guardian
If an email looks off, it probably is.
Phishing works best when you passively follow the instructions in the fraudulent request. Red flags should go up if you see broken image links, calls to action regarding financial information or password resets, or any generic request to click a link in an email.
Even if the sender claims to represent an account or service that you use frequently, you should still exercise caution. It is safer to google the website or service directly and log in with your account credentials there.
If you would like to learn more about cyber hygiene and the work we do to maintain it, please drop us a line!