
Protecting Yourself After A Massive Data Breach

2015-06-10 by Max Nomad

Hackers and cybercriminals are coming up with more and more devious ways to steal every day. Some of the data breaches are huge, like the attacks on Target and Anthem, allowing hackers to get access to millions of social security numbers, email addresses, credit card numbers and other personal information. Some are state-sponsored cyberattacks, like the recent massive data breach that affected virtually every U.S. government agency. All of the above increases the risk of identity theft on a global scale.

Victims of identity fraud can take steps to notify the authorities and credit bureaus. Massive data breaches are different. Being part of a data breach is like losing your wallet at the mall -- no way to tell who has it, how they will use it, when they will use it, or if they will use it at all. Only one thing is certain: you must take precautions. 

Max Nomad, IT computer consultant and author of the book Surviving The Zombie Apocalypse: Safer Computing Tips for Small Business Managers and Everyday People, offers up specific advice:

1) Perform a deep scan of your home computer(s) using multiple antivirus and malware removal programs. Massive data breaches mean that numerous computers were affected, including privately-owned machines. Take steps to make sure yours is clean before proceeding with step #2.

2) Change the password(s) to every account on your home computer.

3) Get a Password Locker app and use it to generate and store all your new passwords.

4) Go through and change the passwords to every online account. Online banking, online payment sites, etc. I would also recommend changing all work passwords but their IT departments are going to make that happen anyway.

5) Enable two-factor authentication everywhere possible, starting with anything related to banking and credit cards.

6) Make sure your emails are not being tracked. Tracking uses one or more images in an email to geo-locate where the message is being viewed. Disabling images in your message previews prevents this kind of tracking. Any messages you don't trust, delete them instead of allowing them to download and display images that are part of the message.

7) If you don't have a public key, go to https://gnupg.org , download the software and create one now. Aside from being able to send and receive securely encrypted emails, these can be used to digitally sign your public messages to verify that these posts came from you.

8) Be vigilant, both with your online communications as well as phones.
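To make step 6 concrete, the following added example (not from the original article) lists the images an HTML email would fetch over the network and flags 1x1 "pixel" images, which is the mechanism that tracking relies on. The sample message, addresses and host names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    return (value or "").strip().lower().rstrip("px") in {"0", "1"}

def remote_images(raw_message):
    """Return (url, looks_like_pixel) for each image fetched over the network."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = ImgCollector()
        parser.feed(part.get_content())
        for img in parser.images:
            src = img.get("src") or ""
            # cid: and data: images ship inside the message; only http(s) calls out.
            if urlsplit(src).scheme in {"http", "https"}:
                found.append((src, tiny(img.get("width")) and tiny(img.get("height"))))
    return found

def sample_message():
    """Constructed sample: one 1x1 beacon, one embedded logo, one remote banner."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "news@example.com", "user@example.org", "Invoice"
    m.set_content("Plain-text body")
    m.add_alternative(
        '<p>Hello</p>\n'
        '<img src="https://track.example.net/o.gif?id=abc123" width="1" height="1">\n'
        '<img src="cid:logo">\n'
        '<img src="https://cdn.example.com/banner.png" width="600" height="80">\n',
        subtype="html")
    return m.as_string()
```

Any remote image, not only a 1x1 one, reveals that the message was opened, which is why disabling image loading in previews is the effective setting.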

Protecting Businesses from the Top Cybersecurity Concerns

Times have changed. Today, information is a currency unto itself. And using stolen access to small office networks can often be just as valuable as the data that might be stored there.

Unlike larger corporate networks, many small businesses don’t have the budget to afford a full-time IT person to keep a network secure. Many IT security concerns get overlooked. Mix all of the above and it becomes easy to see why small offices with 20 employees or fewer are among the top soft targets that are ripe for hackers and cybercriminals.

 

Here’s Max Nomad’s advice on how businesses can deal with the top 10 cybersecurity concerns: 

Beware of Insider Threats. Close to 50% of all corporate cybercrimes are facilitated by insiders.

  • Teach employees to click cautiously when opening unfamiliar emails. Small businesses are a huge target for email phishing scams. Fake emails from Amazon, photocopiers, fax machines and Administrators bombard office networks all the time. One click can unleash a beast that bypasses security and causes all kinds of damage. In early 2015, Russian hackers used this tactic to compromise the official White House email servers – proof that anyone can fall for this trick.
  • Keep an eye on employees who seem bitter or dissatisfied. When people feel underpaid, slighted out of a raise, or otherwise desperate for money their loyalties can change. They may be prone to do something detrimental to the company or assist an outside adversary. Revenge comes in many forms -- and most insider-driven cybercrimes start this way.
  • All non-business online activities should go through the guest network. This applies to visitors and staff.
  • Ban the use of unauthorized USB devices on the network. This is often easier said than done. Typically this requires an IT person to set up controls to manage (or block) their usage. USB storage devices (flash drives, external drives, SD cards) can easily get infected on outside computers and then introduce viruses onto your network, allowing hackers to bypass many security safeguards.
  • If you can’t stop ‘em, use ’em. Without a firewall that blocks content, keeping employees from sneaking onto Social Media websites during office hours is like trying to prevent hay fever in spring. Find ways to reward them for using that Facebook and Twitter time to help promote your business. Be sure the staff knows what should and shouldn't be discussed on social media websites.     
  • Make employees aware of social engineering techniques. Hackers know that the right phone call to an unsuspecting employee can bypass more security than months of skillful hacking. Employees should be trained to recognize these con games. Think of this like teaching street smarts and “Stranger Danger” for the office.
  • Make sure your customers know that your company will never request personal information by email. Although this isn’t an inside job, cybercriminals have been known to spoof emails from a company to contact its customers and ask for account information, social security numbers, passwords, etc.
  • Avoid browsing websites and processing online orders using the same computer. This includes clicking on unfamiliar links in orders received by email. All it takes is clicking on a bad link and an infected computer instantly becomes a compromised computer. That's why a click inside the wrong email can open a customer database up to hackers.

Physical security is just as important as network security. Even the best computer security becomes useless if a bad actor gets physical access to the machine. Most small offices are reasonably secure with decent locks and an alarm system. The problem is that the keys and codes never change, regardless of employee turnover. 

  • If possible, use an alarm code that is at least 6-digits long.
  • Change your alarm security codes every 12 to 24 months. Most small offices never change their alarm codes until they get ripped off – without any sign of forced entry.
  • Rekey your office locks every three to five years, sooner if you have high employee turnover.
  • Any mission-critical computers with sensitive data (e.g., customer information, inventory, production files, financials, websites, etc.) should be kept in a closet or office space with a lockable door. This includes network equipment such as cable/DSL modems, routers and firewalls. All it takes is five minutes and an ounce of moxie to remove a piece of equipment that can shut an office down indefinitely – sometimes permanently.

Enforce stronger passwords. Without a well-defined IT policy, most small offices allow staff to choose passwords that are easy to remember – and hackers can crack them in minutes. Staff should choose passwords that fit the following criteria:

  • at least 12 characters long,
  • uses upper and lowercase with one or more numbers and special characters,
  • does not use proper names or words from the dictionary,
  • unique (as in not used for anything else), and
  • stored only in a Password Manager app (e.g., KeePass, 1Password, LastPass, etc.).

Never write down passwords on Post-It notes; for hackers this is like putting your house key under a fake rock on your front porch. A good rule of thumb to follow: any password that is written down or in print should be considered as good as hacked.
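The criteria above can be checked mechanically when a password is set. This is an added example, not from the original article: the tiny wordlist is constructed for illustration (a real check would load a full dictionary and name list), and `in_use` is assumed to be the set of passwords already held in memory by the password manager.

```python
import re

# Constructed sample wordlist; stands in for a full dictionary and name list.
WORDLIST = {"password", "summer", "office", "welcome", "michael"}

# Undo common character substitutions so "P@ssw0rd" is still seen as "password".
LEET = str.maketrans("013457@$!", "oleastasi")

def check_password(password, in_use=frozenset()):
    """Return the criteria from the list above that the password fails.

    An empty list means every machine-checkable criterion is met.
    """
    failures = []
    if len(password) < 12:
        failures.append("shorter than 12 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("needs upper and lowercase letters")
    if not re.search(r"\d", password):
        failures.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("needs a special character")
    normalized = password.lower().translate(LEET)
    if any(word in normalized for word in WORDLIST):
        failures.append("contains a dictionary word or name")
    if password in in_use:  # uniqueness: never reuse a password across accounts
        failures.append("already used for another account")
    return failures

if __name__ == "__main__":
    for candidate in ("Summer2015!", "P@ssw0rd1234XYZ", "vT9#qLm2&Zx7Kd"):
        print(candidate, "->", check_password(candidate) or "ok")
```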

Set up a guest WiFi network. Most wireless routers have an optional guest wireless network feature. This should always be enabled for the following reasons:

  • The guest WiFi provides visitors access to the Internet without giving them access to other computers on your main network.
  • Any infected laptops or devices on the guest network cannot infect computers on your main network.
  • Under optimal conditions, anyone with your wireless password can sit up to 1000 feet outside your office and use a laptop or smart device to access your network. Visitors with guest access cannot come back to snoop around on your main network.

Some guest WiFi access can be set to automatically turn off after business hours. Make sure the guest SSID name and password are different than your main wireless network. 

Let staff check their personal business on their own devices. BYOD (Bring Your Own Device) policies allow employees to connect their smartphones, tablets and laptops to the office guest WiFi network. Letting them handle personal affairs on their own devices greatly reduces the chances of accidentally infecting company computers. The BYOD policy provides a clearly-defined set of rules, standards and penalties for this privilege. These rules should be straightforward and easy to follow.

Subscribe to an endpoint security protection provider. A basic antivirus is not enough. Seek out an endpoint solution that can handle PC, Mac, and smart devices. Along with scanning files and emails, this should also scan any USB flash drives or SD cards that get inserted into any office computer.

Subscribe to a third-party spam filtering service. Although most Internet Service Providers have some form of spam filtering in place, they can’t keep up with the tsunami of junk email. By subscribing to a third-party spam filter, incoming email gets checked through their service first then forwarded to your company inboxes. This greatly reduces the amount of phishing emails that employees may get fooled into clicking on.

Accessing the business network from outside the office should always be done over a VPN connection. Short for Virtual Private Network, a VPN creates a secure Internet tunnel from your computer or device to the office network. This prevents hackers from stealing passwords from employees connecting in over public WiFi networks.

Check your backups by testing them regularly. Data breaches, disasters and virus outbreaks on the office network should be treated like catching the common cold – sooner or later it will happen to you. Solid backups are your only true protection against potentially losing everything.

Don’t use vector-based company logos in PDFs available on your website. Vector-based logos are made of paths, allowing them to be scaled to any size without a loss of quality. Raster-based logos are made up of dots and quickly lose image quality if the size is manipulated. A savvy adversary can lift a vector company logo out of a PDF and use it to forge exact copies of your print letterhead, company emails and even company ID badges – anything with your logo on it. Using raster logos (high compression JPEGs, PNGs, etc.) makes forging your company materials more difficult.

Finally, treat all your data as valuable. To a seasoned hacker on the hunt, data comes in two types: data to exploit and data to steal (and sell). Even the most innocent information can be parlayed into playing a role in cracking into your network. Take nothing for granted… and shred everything once it has outlived its usefulness.

Author

Max Nomad

Max Nomad is an IT Consultant, Graphic Designer, creative entrepreneur and computer security researcher with over 20 years of experience using Internet technology to assist (and protect) small businesses. Having worked with everything from stock brokerage firms to car dealership chains to ostrich farmers, his diverse client history has given him experience with a variety of large and small business needs. He also writes candid and informative essays focusing on publishing, graphic design, social commentary and offbeat life experiences. He lives in Virginia Beach, VA.
