No doubt there are nefarious actors who might try to breach your network by launching external attacks. However, I would argue that the greatest enemy of your IT security is most likely you or your employees. From poor technology hygiene to lazy password management, for most people the enemy truly lies within your own organization or home.
Practicing good technology hygiene certainly begins with being careful where you click in the web browser, but you should pay special attention to email. A staggering 91% of cyber attacks begin with a phishing email. As that statistic reveals, people are already falling for fairly obvious phishing emails, and as people become more informed, these criminals are becoming even more crafty at appearing legitimate. An angry email that appears to come from someone's boss is very likely to get their attention and, worse, their click!
What you can do:
1. Use unique passwords. In other words, do not reuse passwords! We are all guilty of this poor decision, but it cannot be stressed enough. Once one account is compromised, criminals can access your other accounts if you reuse the same password. Come up with unique passwords that combine upper and lower case letters, special characters, and numbers. The longer, the better. A lengthy, nonsense phrase of some kind with a special character at the end is a good option.
2. Password management is a must. If you follow number 1, then you will need a reliable way of knowing what your password is for each account. A card file box or Rolodex with a card for each account's information works well if kept in a secure place in an office. At a residence that is not as much of an issue. For business environments, a highly rated password manager application such as LastPass is a great option. LastPass is also an excellent option for home use. My clients have access to other options in their managed services.
3. Think, think, think before you click on links or attachments in emails. Phishing emails are the number one mechanism for cyber attacks, and email is the number one business communication method, so together they create a perfect storm for rogue actors. Remember, the attackers are becoming more crafty, and phishing emails may contain personalized information to seem legitimate. They may seem urgent to get you to respond quickly without thinking.
4. Find out if your organization's credentials are for sale. The "Dark Web" refers to websites that intentionally keep their location information anonymous so that they are not searchable through the standard search engines and often can only be accessed through special software. Why the anonymity? These sites are generally engaged in less than savory, and often illegal, activities. There are "stores" on the dark web that look like any other online store, except that the products offered are user credentials and credit card information. Your login and password credentials are valuable on the dark web, and since most people reuse passwords, one that works for one website will very likely work on another! A security analysis can reveal which of your or your organization's credentials are currently being offered on the dark web (scans are available for individuals as well). Contact me to get a security analysis, and if breaches are found, you have the option to subscribe to monitoring so that you can be notified when information from your organization has been compromised.
5. Implement a phishing training and testing program in your organization. My clients have the option to add this service. These programs provide the critical training needed to prevent users from falling for phishing scams and then randomly send out fake phishing emails to test users, giving them either encouragement or more training depending on their response. This type of training can be a fun and effective way to keep users' credentials safe, not only in the workplace but at home as well. Organizations can offer prizes and incentives to make it even more enjoyable.
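To make the advice in item 1 concrete, here is an added example (not code from the original post) that builds a lengthy passphrase with a special character at the end, estimates how much guessing work it represents, checks it against a simple length-and-character-class policy, and flags reuse against passwords already stored. The 32-word list, the policy thresholds (16 characters, three of four character classes) and the function names are assumptions made for the example; a real deployment would use a word list of several thousand entries so that each word contributes far more entropy.

```python
import math
import secrets
import string

# Constructed 32-word list for the example; a real list should be much larger.
WORDS = [
    "apple", "banana", "cedar", "delta", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yellow", "zipper", "anchor", "bridge", "copper", "dragon", "engine", "forest",
]
SUFFIX_CHARS = string.punctuation  # 32 printable special characters


def generate_passphrase(words=WORDS, count=5, separator="-"):
    """Join `count` randomly chosen words (capitalized) and append one special character.

    `secrets` is used rather than `random` so the choice is cryptographically unpredictable.
    """
    chosen = [secrets.choice(words).capitalize() for _ in range(count)]
    return separator.join(chosen) + secrets.choice(SUFFIX_CHARS)


def passphrase_entropy_bits(wordlist_size, count, suffix_choices=len(SUFFIX_CHARS)):
    """Bits of entropy for `count` words drawn uniformly from `wordlist_size` plus one suffix char."""
    return count * math.log2(wordlist_size) + math.log2(suffix_choices)


def meets_policy(password, min_len=16, min_classes=3):
    """Assumed policy: at least `min_len` characters and `min_classes` of the four character classes."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SUFFIX_CHARS for c in password),
    ]
    return len(password) >= min_len and sum(classes) >= min_classes


def is_reused(candidate, existing_passwords):
    """Return True if `candidate` already appears in the set of passwords in use (item 1: never reuse)."""
    return candidate in set(existing_passwords)


if __name__ == "__main__":
    phrase = generate_passphrase()
    bits = passphrase_entropy_bits(len(WORDS), 5)
    print(f"passphrase: {phrase}")
    print(f"entropy: {bits:.1f} bits from this small list")
    print(f"meets policy: {meets_policy(phrase)}")
    print(f"reused: {is_reused(phrase, {'Password1!', 'Summer2024!'})}")
```

With this 32-word list five words give only 25 bits plus 5 for the suffix; the same code with a 7,776-word list (the size commonly used for dice-based word lists) yields about 69 bits for five words, which is the point of "the longer, the better".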