National Cybersecurity Awareness Month: Staying On Guard While Off the Clock

Keeping your professional and home life separate is essential to maintaining a quality work/life balance. So, once the laptop is put away and the office door closes behind you, it’s time to kick over to “home” life: spending time with family or friends, running errands, or relaxing after a busy day. Work should be the last thing on your mind at this point, right?

Unfortunately, cyber criminals wait to strike until you are off your guard which, for many, is when you’re clocked out. But this doesn’t mean you have to stay on guard 24/7 watching out for potential threats and cyber attacks. October is National Cybersecurity Awareness Month, and we’re helping to drive awareness by highlighting various ways to protect yourself and your company while still taking time for yourself at the end of the day. Here are a few tips to keep you safe and worry-free.

Keep your devices updated with the latest software. Updating your devices – both stationary and mobile – does take time, and from a consumer's point of view it can seem both tedious and annoying. But the more you keep your system updated, the more secure your information will be. For example, a computer with the most recent version of a specific security program will be armed with the latest patches and fixes for any bugs and vulnerabilities that hackers might have exploited in earlier versions. If time is a major concern, schedule the update outside of operating hours, or at a time when you are completing less time-sensitive tasks. Keeping your system updated can mean strengthened protection of valuable information, so be sure to update as much as possible. Most modern systems will inform you of such updates and offer to perform the update when you are not using the system; you will just have to leave it turned on for this to happen.

Use a unique strong password or passphrase for each site, a password manager, and multi-factor authentication when available. Using strong passwords means more than using a specific number of characters. It is also about variety. A long password with ten or more letters may be considered “strong” when signing up for a new account on a website. But it can become even stronger if its length and entropy are increased by adding characters and switching out some of those letters for numbers, spaces, or punctuation. Furthermore, each of these complex passwords becomes even more secure when you use it for only one account. Password reuse is not a recommended practice; the more accounts on which you use the same password, the less secure your information becomes. If a hacker did manage to obtain your password, they could try that credential on other sites, gain access to multiple accounts, and compile a plethora of information about you, or act as you on those sites. Yet another way of ensuring a strong, uncrackable password is making sure the password is not a piece of information in itself. If a security question for your bank is the name of your first pet, you probably don’t want your password to be “Whiskers57”. The best security practice recommends the use of a unique, randomly generated complex password (at minimum 16 characters) per site. Because of the difficulty of remembering so many random passwords, password managers (or vaults) are encouraged. Because the vault then becomes the single point of failure, protecting it with a high-entropy passphrase and multiple factors of authentication grants the best protection. Such vaults should use cryptographically strong algorithms on the originating device to ensure the data does not exist unencrypted at any point: data is always stored encrypted, data stays encrypted during upload/download, and encryption/decryption is only done on the end device.
These vaults should provide strong password (or passphrase) authentication with support for multi-factor authentication. Classically, authentication is the process of proving you are who you say you are by sharing a secret (your vault’s password); using multi-factor requires you to also prove you are in possession of a trusted device (your phone, for example) to confirm you are the person known to have that trusted device. Randomly generated complex passwords are one means of creating entropy, but as this xkcd strip (https://xkcd.com/936/) popularized, a passphrase is sometimes easier for a human to remember, and as such can be used to produce a high-entropy secret for use with a password manager.
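To make the entropy comparison above concrete, here is an added Python example (not part of the original article) that generates a 16-character random password and a random passphrase, and computes how many bits of entropy each provides. The word list is a small constructed sample, and the 7776-word list size used in the comparison is an assumption standing in for a real dice-style list.

```python
import math
import secrets
import string

# 94 printable symbols: 52 letters + 10 digits + 32 punctuation marks.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 16-word sample list, for demonstration only: a real passphrase
# needs a list of thousands of words (7776 is assumed below).
SAMPLE_WORDS = ["anchor", "birch", "copper", "delta", "ember", "fjord",
                "granite", "harbor", "ivory", "juniper", "kettle", "lantern",
                "meadow", "nickel", "orchid", "pebble"]


def random_password(length=16):
    """Pick each character independently with the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(n_words, wordlist=SAMPLE_WORDS):
    """Pick words independently and uniformly; never choose them by hand."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(pool_size, picks):
    """Entropy of `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def words_needed(target_bits, wordlist_size):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    pw_bits = entropy_bits(len(ALPHABET), 16)
    print(random_password(), f"~{pw_bits:.1f} bits")
    print(random_passphrase(5), "(sample list: only",
          f"{entropy_bits(len(SAMPLE_WORDS), 5):.0f} bits)")
    print("4 words from a 2048-word list:", entropy_bits(2048, 4), "bits")
    print("words from a 7776-word list to match the password:",
          words_needed(pw_bits, 7776))
```

The figures hold only when every character or word is chosen at random; a phrase you pick yourself, or a word list as small as the sample, provides far less.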

Use data encryption. Your information will be a lot harder to collect if your adversary is unable to read it. Data encryption translates your data into a language that only you and authorized personnel can interpret. This is done by safeguarding the coded information with a secure key. If your data is encrypted and the hacker does not have the key, they cannot access your personal information. Some data encryption sources are free and open source, meaning that you can secure your data without paying outrageous fees, and be reassured that it will be protected on a constantly-updated, bug-and-backdoor-free server (such is the case with Cryptomator.org). With millions of users creating their own patches and fixes to these sources on a daily basis, your information can only become more unreachable.

Be careful what you post online. Posting about your personal work on a social network is the equivalent of creating a “Kick Me” sign and putting it on your own back - you are asking to be targeted by third-party adversaries. Never discuss any work-related accomplishments, failures, or even anecdotes on a public forum. On a related note, be cautious about what personal information you share online. While it may be perfectly normal to share favorite moments with friends and loved ones, adversaries could use this information as leverage against you. Always use social networks with privacy settings, and only share information about your personal life with trusted friends and family. By doing so, you will protect yourself, your company, and your loved ones from being targeted.

Beware of unknown emails. Personal Internet hygiene includes remaining wary of emails and attachments from unknown senders. Many of these attachments or links can be used to phish important information such as credit card numbers, passwords, and other credentials. Unfortunately, adversaries can also use this to phish for your more important, work-related credentials. If you do not recognize the address emailing you, do not click on any content in the email. In addition, pay close attention to the addresses that email you. If a message looks to be from a friend or colleague but includes content they would not normally send, contact them in person or over the phone to confirm they actually sent it. It is still possible for peers, friends, and loved ones to be hacked, so you should always be wary of what you receive in an email.

Use private networks. Even if you are off the clock, work emergencies can happen. Unfortunately, you are not always physically in a place where you can securely resolve them. Before addressing a work-related crisis, make sure that there is a trusted private network you may work from. You are most likely to unconsciously leak information when working on a public network. If you are unable to find a secure network in your immediate area, go somewhere you know you can address the problem safely. In particular, many public or private places will offer password-free access to their internet to gain your business. This was used years ago as an attack vector into social media accounts (search “Firesheep” for example), and this pushed sites to adopt secure HTTP (HTTPS) as the default practice. “Free Wi-Fi” access sometimes does not provide encryption against eavesdropping by other people on the same wireless router. Using a Virtual Private Network adds a layer of protection in such settings by carrying your data over an encrypted tunnel to a communication point, preventing potential eavesdroppers from collecting your information.

Following these tips will help ensure that you remain protected even after you leave the office. In today’s connected world, cyber criminals are continuing to find new, creative ways to steal information or coerce someone into doing their bidding. And while you shouldn’t spend inordinate amounts of time worrying about potential threats, taking a few extra precautions every day can help curb these attacks.
