City of Oak Creek
Training Resources
The key points mentioned, if implemented throughout the organization, can dramatically reduce the risk of compromise. There are key takeaways stated at the end of the video, but there are some more subtle points as well:
- Use a password manager. There are many to choose from, and some are free. A password manager can help automate the fixes for the threats mentioned below.
- Don’t write or print passwords on paper or store them in unsecured digital files. For example, a sticky note with the password on the underside of a laptop, or a list of passwords in an unprotected Excel sheet.
- Use long, random, but memorable passwords – also known as passphrases. For example, “Cherry Wire Sparking!”
- Don’t use the same password everywhere. Try to use unique passwords everywhere you login. If one website or company gets hacked, and the passwords are leaked, then all accounts using that same password are at risk.
- Where possible, use multi-factor authentication (MFA). If a password is known, then the second (or third) “factor” of authentication is an additional layer of protection. A good resource for checking if MFA is available on different services is https://twofactorauth.org/
- Finally, properly destroy your sensitive data when you no longer need it.
These videos are provided by the National Cyber Security Alliance in partnership with Adobe and Speechless Inc.
As users of technology, we need to take responsibility for helping secure our personal data, because if we don’t, those assets could be accessed without our knowledge or permission and, even worse, our identity could be stolen. On a personal level, I have a family member whose data was leaked through an unknown source and used to extort and threaten them. They were forced to purchase new phones, new phone plans, delete social media accounts, and change email addresses in order to help stop the threats.
The use of data helps make our lives more convenient and streamlined, which likely means the proliferation of online data and devices is here to stay. There is one best practice that each of us can apply that will help personal data stay more secure – only share on a need-to-know basis.
For example, let’s say a friend receives an email asking them to complete a short survey for a chance to win a gift card. Excited for the opportunity to win, they click the link and begin to fill out the survey. The first question asks for their first and last name. Not so bad, they think; they tell their name to people all the time. The next question asks for an email address — easy enough. The question after that asks for their full date of birth so they can receive a coupon on their special day. The intentions seem good, so what harm could there be? Next, they are asked for their home address so they can receive coupons by mail. And finally, they are asked to create a free account. Now the true scam begins. Unfortunately, this friend didn’t watch the password security video, so they reuse the same password on every account. Just a day later, one of their other personal accounts is compromised using the password gathered through the scam website, and more of their personal data is now leaked online.
Information beyond name and email such as birthdate and address should not be provided freely as a best practice – you should only provide this information to trusted companies with which you have an established relationship. Surveys should not need that level of personal data. And if you are asked for that level of personal data via a survey, you should be extremely cautious.
Having something stolen from you tends to leave an indelible feeling of violation and injustice. If what is stolen is an electronic device (e.g. laptop, phone, flash drive), not only is the property gone but so is your data. Stolen data can be more damaging in the long term than the loss of the physical device itself. The data could be personal or company data. If the thief is able to use the device, there are many ways it can become of value to them.
However, there are countermeasures you can take to help protect your data. These include:
- Use strong authentication to access your computer or mobile device. No matter how inconvenient it is to authenticate each time you need access, do not turn it off!
- Where possible, use technologies to encrypt the data.
- Where possible, install tools for and enable remote wiping.
- Back up your data.
The most important best practice is to not leave devices unattended in public places. This includes a locked car. In many cities, car break-ins are extremely common. Even if you think your risk might be lower, don’t take a chance. Take your devices with you!
Phishing: we’ve heard of it, but what does it mean? In summary, it is a tool and method attackers use to try to trick people into clicking a malicious link or opening a malicious download, potentially leading to a security issue.
On the dark web, phishing is a very popular and effective way to try to steal data, lock data, delete data, gain access, or take over a computer. Phishing usually comes through email but can come via text message or other collaboration apps like Slack, Skype, or GroupMe.
Here are some signs of a phishing attempt. While the diagram below is email-based, the same principles can be applied to the other communication methods mentioned above:
Phishing is usually obvious, and the above signs show prominently. However, some phishing attempts are tricky, and it’s hard to tell a legitimate message from an illegitimate one. For example, amid the current crisis, many phishing attempts are using COVID-19 as their hook. Also, as we’ll all recall, shortly after GDPR was passed there was a flurry of companies sending out updates to their privacy policies and emailing people about it. Well, attackers took advantage of this world-wide explosion of privacy policy updates and tricked many into clicking links to “view or accept the new privacy policy”.
One of the best methods for protecting organizations and individuals against phishing is to report phishing attempts (Outlook > Report Phishing, Gmail > Report Spam). This helps the tool get smarter so that others don’t potentially get the same or similar emails.
As you’ll see in this newest security awareness video, ransomware is an especially dangerous consequence of falling for a phishing attempt. Ransomware is software that locks down data by encrypting it; the data is not decrypted until a ransom is paid. To protect yourself from ransomware:
- First, be wary of suspicious emails and look for the signs.
- Second, make sure your antivirus software is up to date and running. It’ll help stop the ransomware in its tracks.
- Third, if ransomware does get installed and you’ve backed up your data, you can ignore the ransom demand and restore the data from backup. Unfortunately, in many cases, and especially for large enterprises, the cost of the ransom is significantly less than the cost to restore the data, even if it’s backed up. Therefore, the first and second layers of protection are critical.
For those of us who have an altruistic desire to be good global citizens, when we find something that doesn’t belong to us our first inclination is to try to identify who it belongs to. Others could have “selfish” intentions and say “finders-keepers!” In either of these scenarios, the negative impact could be the same if the item found is removable media or a removable device with malicious software embedded within – so finder beware.
Removable media and devices are portable hardware. The most common is a USB flash drive but other forms could be an external hard drive or SD card.
When it comes to cyber security best practices, removable media and devices must only be plugged or inserted into your computer if you trust and know the source. For example, if you found a USB flash drive in the grass near your office, there’s a chance it wasn’t dropped there by accident but planted there. A cyber attacker would try to social engineer someone into plugging the device into a computer. Whether the finder’s intention is to find out who it belongs to or to keep it, the attacker wins and could successfully execute whatever malicious software might be pre-installed on the removable media or device.
Plugging or inserting only trusted removable media or devices into your computer is the best protection against this type of attack. Other preventive and detective measures would be:
- Install, run, and update anti-malware/anti-virus software on your computer.
- Do not enable auto-run features. These features automatically run whatever programs are installed on the media or device.
- Delete data on your computer, media, or device once its usefulness has expired. Redundancy of data results in more potential risks.
- Use a data blocker.
- Use strong passwords and rotate them if you suspect they’ve been compromised.
This security awareness video covers “vishing”, which is defined as the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to trick individuals into revealing personal information, such as bank details and credit card numbers.
Recently I listed an item for sale on my local classifieds. Within seconds, I received several text messages and calls from seemingly interested buyers. I quickly noticed some of the messages had egregious misspellings and were from obscure, non-local numbers. I work in the cyber security industry and am aware that spam can occur when posting a phone number publicly. I disregarded the odd messages and odd phone numbers as scams – except for one.
One of the calls was from a local number. It was a legitimate buyer – or so I thought. After a few reasonable questions, they asked me to verify I was a legitimate seller. I wasn’t sure how I would prove that, but they suggested I could verify I was legitimate by sending them the six-digit code that had just been sent to me. Immediately my internal alarms triggered. I knew it was another scam attempt because a six-digit code wouldn’t prove anything. Nevertheless, sure enough, I received a text with a six-digit code on my cell. The message was from Google Voice, with a warning not to provide the code to anyone.
As stated earlier, I work full-time in the cyber-security industry. I read about and teach others on how to recognize the signs. I knew this was a scam and blocked the number right away. But there are those who don’t know the signs and that’s who the scammers prey on.
Who are these scammers? Typically they are individuals looking for a pay-day, or full-fledged hacking companies that even have an HR department. In the above example, if I had provided the six-digit code, the individual could have used my phone number to carry out illegal activities, and if they found enough information, could have had the ability to compromise my Google account.
Think you can spot a vishing scam? Scammers get better every day and have more resources than ever before. Be vigilant, cautious, and skeptical. Even security professionals can fall for a scam if care isn’t taken. Check out the latest free security awareness episode on vishing as Sid – the ever-vigilant cybersecurity professional – lets recognition go to his head and gets scammed.