Staying Safe Online in 2015

Kyle Greenup, NGU Risk Management

February, 2015

It’s unfortunate but true: cybercrime is a trend that will not go away. It’s just far too lucrative and far too easy for tech-savvy criminals. In 2014 alone, large companies such as The Home Depot, Apple, Sony, Neiman Marcus, and Target fell to highly publicized acts of cybercrime. It is estimated that cybercrime cost U.S. companies more than $520 million that year. Predictions indicate that this number will only increase.

If the big companies, with their millions to spend on tech security, can fall victim to such attacks, what can we as regular ol’ internet users do? Following the guidelines below will help stave off would-be attacks.

1. Password Complexity & Variance.

By now, I hope you think this is a no-brainer. But many of us develop what we feel is a great password and use it across several online accounts. If a hacker gets a hold of your Facebook password, and you use that same password for your online banking, credit card accounts, mortgage, retirement account, etc., then that hacker pretty much owns you. We recommend that for each online account you have, use a different password and make it a complex one. By most definitions, password complexity follows these rules:

2. Keep your device and software up to date.

Whether you use an Apple product, a Microsoft product, an Android, or some flavor of Unix/Linux, keeping your device and the software on that device up to date is imperative. While some updates solely address product enhancements, many updates address previously discovered security flaws. When a hacker notices that a new security update is released, that hacker may reverse engineer that update, gaining knowledge on how to attack systems that did not apply the update. Knowing this, you must treat the details of any security flaw that a security update addresses as common knowledge among hackers. Not applying the update is an open invitation for malice.

3. Be careful with your personal details on social media.

No matter how astute you are with your Facebook security settings, you must consider that ALL your social media posts are available for the world to see. It is very common that a change in privacy policy on a social media site nullifies your security-minded approach to that site. Even if you have ‘done everything right’… can you say for certain that your friends did the same? Are your friends’ social media accounts hackable? Can your hacked friend’s account see that you are on vacation for 2 weeks on the beach? If you don’t want the world to see it, don’t post it, period.

4. Visit Trusted Sites, Order from Trusted Vendors.

Generally, this is a way to ensure that your data is being stored with your security in mind. Ordering products from sites that are well known implies that the vendor does not want negative publicity regarding the loss of customer information, and therefore will take certain steps to ensure your privacy. While these large vendors are a big target for cybercriminals and breaches do happen (as mentioned above), you are better off using well-known vendors and sites. If a breach does occur and you are an affected customer, you can expect certain steps will be taken to mitigate losses. Smaller companies may not have protocols (or even the insurance) in place to deal with these breaches.

5. Use a Firewall, use Anti-Virus.

Again, this should be a no-brainer for all of us. Using a computer that lacks even one of the two opens the door for an attacker to gain access to the computer and all the information stored on it. Even if you don’t store sensitive information on your computer, attackers can install a key-logger, which will record your keystrokes (like your passwords). Attackers can also install monitoring software that can send the attacker a report of websites visited (like your financial institutions). A combination of the two is all that is needed to wreak financial havoc. Attackers can also use your computer to host inappropriate websites, which may cause the FBI to knock on your door.

6. Use a Scrutinous Eye when viewing Emails and Email Attachments.

Email phishing (pronounced “fishing”) is essentially a method used by attackers to entice an email receiver to follow the directions contained in the email. Generally, the email mimics one that you may see from a reputable company; one that you may do business with. The email may say something similar to the following:

Again, the goal of the email is to get the user to supply information. A phishing email does not come from the company it claims to come from, does not direct you to the company website (rather, to a website designed to look like the company’s), and does not really update information; it just collects the information that you supply. If you supply it, then the attacker’s goals are met, and they have information about you they didn’t have before. These emails are generally easy to spot, but some look 100% authentic. In the case of attachments, those attachments usually install software designed for malice (financial, social, and/or legal) for the attacker’s gain.
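The two tell-tale signs described above (a sender that is not the company, and links that lead somewhere other than the company's site) can be checked mechanically. The following Python sketch is an added example, not part of the original article; the brand "Example Bank", every domain in the sample message, and the function names are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: the bank, addresses and domains are invented.
SAMPLE = """\
From: Example Bank <support@examp1e-bank-secure.test>
To: customer@example.org
Subject: Action required: update your account information
Content-Type: text/html

<p>Dear customer, please <a href="http://login.examp1e-bank-secure.test/update">
https://www.examplebank.test/update</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.examplebank.test/help">our help page</a>.</p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_matches(host, trusted_domain):
    """True only if host is the trusted domain or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == trusted_domain or host.endswith("." + trusted_domain)

def phishing_indicators(raw_message, trusted_domain):
    """Return the reasons a message does not line up with trusted_domain."""
    msg = message_from_string(raw_message)
    findings = []
    # Sign 1: the sender's address is not at the company's domain.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if not host_matches(sender_domain, trusted_domain):
        findings.append(f"sender domain {sender_domain!r} is not {trusted_domain!r}")
    # Sign 2: links open a different site, whatever their visible text says.
    for href, text in LINK_RE.findall(msg.get_payload()):
        target = urlparse(href).hostname
        if not host_matches(target, trusted_domain):
            findings.append(f"link goes to {target!r}, not {trusted_domain!r}")
        shown = urlparse(text.strip()).hostname  # None unless the text is a URL
        if shown and shown != target:
            findings.append(f"link text shows {shown!r} but opens {target!r}")
    return findings

if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE, "examplebank.test"):
        print("WARNING:", reason)
```

A message that passes these checks is not proven genuine; the checks only catch the mismatches this section describes.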

7. Keep Tabs on Your Financial Institutions.

If you bank online (and most of us do to some extent), keep track of the activity in your account(s). Spotting strange activity early on will mitigate any damage. In addition, keep track of your financial institution(s) in the news. If a breach does occur (and breaches will), you will have early knowledge, and thus the opportunity to take action before a problem arises.