
CYBER SECURITY THE 12 TOP TIPS

THE TOP 12 CYBER SECURITY TIPS TO KEEP YOUR BUSINESS SAFE

+08 7325 5000 www.calvert.net.au [email protected]

514 Lower North East Road

Campbelltown, SA 5074

CONTENTS

Introduction

Password Based Tips

Email Safety Tips

Web Safety

Miscellaneous Tips

Conclusion

INTRODUCTION

In the technology driven world we live in today, securing your network and protecting your business from cyber-attacks is a vital process that everyone should undertake. It is common practice for a business to protect itself from physical dangers by installing alarm systems, CCTV and, to a lesser extent, employing security guards. When it comes to cyber-security, businesses tend to leave themselves shorthanded and vulnerable to malicious attacks. A well-executed cyber-attack on your business's data can be damaging to both your financial standing and your reputation in the eyes of your customers.

A study in 2017 called “Cost of a Data Breach” found that the average cost that a business incurred due to a data breach was a staggering $790,000 AUD. This is significantly more money lost than if a thief were to smash a window and steal the TV from your meeting room, so it makes no sense for a business to focus much more of its resources on stopping physical risks when cyber-risks have the potential to be so much more devastating. Recent legislation in Australia requires businesses to report any data breaches to the Office of the Australian Information Commissioner, which can lead to fines of up to $2.1 Million AUD. This reinforces the need for stringent data protection policies and network security.

Due to the nature of the Internet and cyber-attacks, there is no sure-fire way to protect your business from every type of threat, however there are a range of methods you can employ to drastically reduce the chances of your business suffering from a cyber-attack. The following tips and techniques can be used to reduce the chances of a cyber-attack affecting your business.


PASSWORD BASED TIPS

1. Think "Pass-Phrase", not "Password"

The need for a strong password has been ingrained into our minds for the last couple of decades, but it is time to ingrain a new term into your brain: The Pass-Phrase.

A Pass-Phrase is similar to a password but is longer and should incorporate the use of numbers, letters and symbols. For example, a typical password might be Admin123 (please change this immediately if you are using this and think it is secure), whereas a pass-phrase is something much more complex, such as “I t00k the dog 4a_Walk”. It is relatively easy to recall, as you can simply remember “I took the dog for a walk” and add the symbols and numbers, however it is much harder to hack. Take a look below at how long it would take to crack each of these example passwords and you will see why a pass-phrase reigns supreme when it comes to security. You can check how strong your password is by using https://howsecureismypassword.net/.

Estimated time to crack each example password (comparison graphic in the original; the values are not reproduced here): Admin123 versus I t00k the dog 4a_Walk


Using a pass-phrase can also stop people from looking over your shoulder to read your password as you type. It is much harder to decipher “I t00k the dog 4a_Walk” whilst shoulder surfing as opposed to looking at someone type Admin123. Note that some environments may have restrictions in terms of the use of special characters and passphrase length – for example you may only be able to use a maximum of 16 characters and no spaces. You can often substitute an underscore or hyphen for a space. Bear this in mind when creating your new passphrase.
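To put numbers behind the comparison above, here is an added example (not from the brochure) that estimates how large an exhaustive search an attacker faces for Admin123 and for the pass-phrase, using the brochure's two example passwords. The guess rate and the small list of common passwords are constructed assumptions for illustration, and the code also shows why the brute-force figure for Admin123 is still generous: it sits in every dictionary an attacker tries first.

```python
import math
import string

# Assumed guess rate for a fast offline attack on a weak hash: a constructed
# illustration figure, not a measurement from the original brochure.
GUESSES_PER_SECOND = 10_000_000_000

# Constructed sample of commonly leaked passwords; a real wordlist is far larger.
COMMON_PASSWORDS = {"password", "123456", "admin123", "qwerty", "welcome1"}


def charset_size(password: str) -> int:
    """Alphabet an exhaustive attacker must cover, from the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c == " " or c in string.punctuation for c in password):
        size += 33  # space plus the 32 printable ASCII punctuation characters
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the candidate count for a full search of that alphabet and length."""
    return len(password) * math.log2(charset_size(password))


def brute_force_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time: on average half the space is searched before a hit."""
    total = charset_size(password) ** len(password)
    return total / 2 / rate


def seconds_to_crack(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """A dictionary attack finds a common password immediately, whatever the maths says."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return brute_force_seconds(password, rate)


def human_time(seconds: float) -> str:
    """Round a duration to the largest convenient unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under a second" if seconds < 1 else f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for pw in ("Admin123", "I t00k the dog 4a_Walk"):
        print(f"{pw!r}: {len(pw)} chars, alphabet {charset_size(pw)}, "
              f"{brute_force_bits(pw):.1f} bits, brute force {human_time(brute_force_seconds(pw))}, "
              f"realistic {human_time(seconds_to_crack(pw))}")
```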

2. Different passphrase per login - use a credentials manager

Using the same password (which should now be a pass-phrase) across multiple online identities is a BIG mistake. Once a hacker gains access to one of your accounts, they will be able to access the rest too. This is how the infamous celebrity iCloud leaks occurred a few years ago. It can be difficult to remember a range of different pass-phrases, which is why making use of a password manager can be so valuable. A password manager will store all of your passwords so that you can copy and paste them when needed. All you need to remember is a single Pass-Phrase to gain access to the manager and you can then see all your different passwords for all of your online presences. A good password manager will even be able to generate random, extremely strong passwords and store them for you.

It may sound like keeping all your passwords in one place is a hacker’s delight. This is not the case, as all the data stored in password managers is encrypted and much more secure than using easy to guess passwords. The best password managers even require two-factor authentication to open them, which means that to gain access to the manager you must confirm your login through an SMS code, fingerprint scan or an authentication code generator, making it almost impossible for a hacker to gain access to your password manager – even if they have your password.

Check out the list below for a non-comprehensive list of password managers.

Dashlane - www..com

Roboform - www.roboform.com

Lastpass - www.lastpass.com

- www.enpass.io

Keypass - www.keypass.com

EMAIL SAFETY TIPS

3. Don't Open Attachments You Are Not Expecting

One of the oldest methods of implanting malware into your computer and networks is through email attachments. Despite this, people still open obviously suspicious email attachments (how often are you tempted to touch something labelled “wet paint”?). Not only can this lead to data being stolen and your network being held ransom, it can lead to you being embarrassed. Spam emails can then be sent from your email address, so every security conscious contact you have will see you’ve fallen for a scam as they delete the mass of spam emails you have sent them.

It is important that you remain vigilant and do not open attachments that you are not expecting or from someone that you do not know. Another indicator of a malicious email attachment is the file type. Most email clients such as Outlook will block attachments that come in the form of typically malicious file types such as .trojan or .avi, however occasionally they may sneak through, so it is important you remain vigilant.

4. Review email links before clicking

Phishing emails have become the new norm for hackers to try and access your data over email. According to Scam Watch, Phishing emails are attempts by scammers to trick you into giving out personal information such as your bank account numbers, passwords and credit card numbers.

When Phishing occurs over email, it will often look as though a company is contacting you with a link through to a landing page requiring you to enter your details. This page will look almost identical to the company they are trying to impersonate, using their branding and emulating their website, however the attackers will gain your details.

Phishing emails can be relatively easy to spot. Often, they will not look quite right or will ask for information that you know a company will not ask for over email. One easy way to tell whether an email is legit or attempted phishing is to hover your mouse over any links in the email. This will show you a preview of the link, enabling you to determine if it looks right.


As an example, if you receive an email from someone claiming they are the Australian Tax Office but you hover over the link and it comes from Italy, then it is a scam. Do not click on these links on your computer to test them as they could harm your computer. If you need to test these links, try them on an iPhone as they are secure and will not result in your computer and network being compromised.

Below is a real example of a phishing email. Is it obvious to you that it is a scam? (Screenshot of the phishing email in the original; not reproduced here.)
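To make the “hover over the link” check mechanical, here is an added example (not from the brochure) that pulls every link out of an HTML email body and flags any whose visible text names a different domain from the address it really points to, which is exactly the Australian Tax Office versus Italy case described above. The email body and the .it hostname are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body, not a real message: the visible text claims to be the
# Australian Tax Office, but the first link actually points at an Italian host.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your refund is ready.</p>
<p>Log in at <a href="http://secure-login.example.it/ato/">www.ato.gov.au/refund</a>
to claim it within 48 hours.</p>
<p>Questions? Visit <a href="https://www.ato.gov.au/">www.ato.gov.au</a>.</p>
"""

# Something that looks like a domain or URL inside the link's visible text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def review_links(html):
    """Report where each link really goes, and flag links whose visible text
    names a different domain than the real target (the 'hover preview' test)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        actual = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_IN_TEXT.search(text)
        shown_host = shown.group(1).lower() if shown else None
        mismatch = shown_host is not None and shown_host != actual
        findings.append({"text": text, "href": href, "actual_host": actual,
                         "shown_host": shown_host, "mismatch": mismatch})
    return findings


if __name__ == "__main__":
    for f in review_links(SAMPLE_EMAIL_HTML):
        print(f"{'SUSPICIOUS' if f['mismatch'] else 'ok':10} "
              f"text={f['text']!r} -> {f['actual_host']}")
```

Links whose text is just “click here” carry no displayed domain, so they are listed with their real host for a human to judge rather than flagged automatically.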

WEB SAFETY

5. Use a more secure browser

Most people choose a web browser based on speed and convenience, however security is the critical factor that should decide which browser you use. Google Chrome is a hugely popular web browser due to its unrivalled speed and ease of linking all your Google accounts, however it is one of the least secure Internet browsers on the market.

Mozilla Firefox and Microsoft Edge are two other popular Internet browsers with much more security, however they do not always show the speed that Google Chrome can (although recent independent tests have indicated Edge to now be faster). Think of these two browsers as a tank, whereas Google Chrome is a regular car. A tank is heavy, robust and can withstand a barrage of attacks due to its thick armour, whereas a car is lighter and faster but would not stand a chance at protecting a user from any attack. Google Chrome is fast; however, it contains very little when it comes to defence against cyber-attacks. It is beneficial to you and your company to lose a little speed and use a more protected browser such as Firefox or Edge.

6. Ensure a website is secure with HTTPS

Websites can come in two forms, HTTP or HTTPS. The “S” in the latter stands for “Secure” and will protect you and the information you share from being intercepted by a malicious intruder.

Personal details such as login information and certainly credit card details should never be shared with a site that does not show HTTPS. It is quick and easy to tell whether a site is HTTP or HTTPS from within your browser. The very beginning of the URL of any site you visit will show one of the two forms. For example, the Calvert URL is: https://www.calvert.net.au/ The HTTPS at the beginning shows that you have a secure connection.

Also make sure the security certificate is valid for the site you are visiting – you can typically view the certificate details by clicking on the padlock icon in your browser. Ensure the names and dates are valid before trusting the site (trust but verify).

MISCELLANEOUS TIPS

7. Use a proper perimeter firewall

A router is definitely NOT a firewall despite many people assuming that they do the same thing. A router is a required piece of network equipment as it connects you to your Internet Service Provider and the Internet and will blindly manage the traffic coming in and out of your network. On the other hand, a proper firewall will actively monitor traffic and block anyone trying to gain unauthorised access. Some firewalls even have anti-virus and anti-spam filters which stop you from receiving unwanted viruses and spam emails.

Think of it like this: A router is a building security guard who is sleeping on the job. Anyone can get through and gain access to the building as there is no security. A firewall is like the American Transport Security Administration (TSA) who have some of the strictest and most complete security checks in the world before you can gain access to the airport terminal. Anyone that poses a threat to safety will be blocked and not allowed through to the gate. This is how a firewall filters what is coming in and out of your network and has the chance to even catch ransomware and malware. Many firewalls can perform the job of the router as well, however this will also be dependent on the type of Internet connection you have.

8. Avoid free Wi-Fi hotspots

Free, public Wi-Fi is incredibly convenient when you need to quickly do some work on the go, however it also makes it incredibly convenient for hackers to gain access to your information. In fact, using a public Wi-Fi network is actually one of the least secure things you can do when it comes to network security.

Anyone can become a “hacker” on public networks as there are thousands of YouTube videos showing you exactly how you can steal personal data over a public network. All this takes is a device called a “Wi-Fi Pineapple” which can be bought for as little as $99 but can cause a lot more damage to you and your business. Essentially, this device takes advantage of flaws in Wi-Fi protocols and allows a device, such as a router, to be impersonated. The hacker can then see everything you are doing on the Internet including all of your passwords and even your Internet banking and credit card details. Free public Wi-Fi is a goldmine for stealing this data from unsuspecting users.

Imagine you need to have a secure conversation with somebody about sensitive information – would you hold this discussion on a public bus or in a private car? Public Wi-Fi is the bus where just about anyone can eavesdrop, whereas the car is 4G or secure corporate wireless connectivity.

9. Train yourself and fellow staff members

It is possible to put in place all the network security measures under the sun and still have your security compromised. Yes, these measures are necessary and do stop many attacks, however it comes down to your staff being adequately trained in network security. In fact, human error is one of the leading causes of data breaches and malicious attacks. Most of these attacks come in the form of Phishing emails, which were covered earlier.

Security Awareness Training is available for you to test employees with fake Phishing emails and to monitor who falls for them. Staff can then be directed to the relevant training material that informs them of where they went wrong and the correct procedures for next time. These fake phishing emails can be customised to suit your industry or time of the year to really test your employees.

The cost of Security Awareness Training is small too. At around $3 per user per month, the cost of training is significantly less than the potential losses you can face due to your data being breached.

You can have all of the best security measures in place, but it just takes someone to open or click on the wrong thing to introduce chaos. Consider you are driving the safest car in the world with all of the modern protection measures – if you drive into a tree at 120km/hr you’re still going to get hurt!

10. Don't assume it won't happen to you - it's a matter of when, not if.

Cyber-attacks can come in any form and at any time. In fact, the FBI reports that there are more than 4,000 ransomware attacks every day (1). Being ignorant to the fact that these attacks do occur and will eventually target your business is a great way to fall victim.

Employing a full network security strategy including the use of hardware and employee training will help you ensure that you have the best protection possible for your organisation.

It is also important to be prepared for the worst. You should know exactly how you will handle any data breaches and cyber attacks before they occur, so that when the inevitable does occur, you are suitably prepared.

(1) https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

11. Don’t use old unsupported operating systems or applications

Most people are resistant to change. Unfortunately, this is just human nature, however it can actually lead to your systems being less secure. Many people will not update the software on their computer, instead choosing to use the old systems that they are familiar with. The problem with this is that these old systems are not up to date with the latest advances in security and are often unsupported, which enables easier cyber-attacks.

Let’s liken this to cars. If you have a “classic” car from the 1960s which you enjoy driving, when it was first designed and built it was relatively safe on the road. If you had an accident in it you stood a reasonable chance of walking away, as there were fewer cars on the road, fewer trucks and people tended to drive a bit more sedately. Take this same car and put it on today’s roads – it’s a completely different story. If you were to have an accident in that car today you stand a much greater chance of being seriously injured (or worse). Why? Because there are more cars on the road, bigger trucks, traffic moves more quickly and the other cars likely have crumple zones on them to protect their occupants, but your “classic” doesn’t have these protection measures (nor would it have anti-lock brakes, pretensioning seatbelts, airbags, a collapsible steering column etc).

The car itself hasn’t changed but the world in which it’s operating has and driving around in your classic has raised the risk for you being injured. Put yourself into a modern vehicle with advanced safety technology built for today’s roads and you are much safer. The same can be said about operating systems and applications. It is important to use the latest versions as they are safer and relevant to the hacking trends in the present day. If you are still using old versions of Windows, please update now!

12. Use proper backup systems

Backing up your data is vital to limiting the effects of a cyber-attack. A back-up is not a preventative measure like the rest of these network security tips, however a well-established back-up can lead to less damaging costs when a data breach does actually occur. In the rare case that a hacker holds your data at ransom, it means you will not have to pay them to retrieve your data, or if your data is deleted, you have it backed up and recoverable. This can lead to the costs of a data breach being significantly reduced.

Considering the costs of a data breach can be immense, having a proper back-up to reduce the impact can prove to be invaluable.

CONCLUSION

Cyber-attacks can occur at any time and have a massive impact on your business. A large attack could even dissolve your business, as the average cost of a data breach in 2017 was $790,000 AUD. It is important that you put in place a network security strategy, which includes appropriate hardware, software and staff training procedures. Human error is one of the leading causes of data breaches and therefore training is an important aspect of your data and network security strategy.

Speak to Calvert Technologies who are your local experts in business technology to help secure your network from cyber-attacks. Not only will Calvert Technologies protect you from malicious attacks, they will also enable your workplace to become more productive through the strategic use of technology.
