AREA OF SERVICE
Syracuse &
Central New York
Get in touch
555-555-5555
mymail@mailservice.com
PHONE
315-484-4500
5 Easy Habits for Increased Cybersecurity
srost • May 31, 2022
1. Lock Your Computer
This is by far the easiest habit to build, and no, we don’t mean physically locking your computer. No matter what size organization you work with or if you work from home, locking your computer screen every time you walk away from it is a layer of protection.
Let’s say someone social engineers their way in to your office and has physical access to computers. You walk away to attend a meeting or use the restroom without locking your screen. They now have free reign to do whatever they want while you’re away.
It’s just not worth the risk. Lock it down! Here’s a handy keyboard shortcut for locking Windows PCs:
2. Don’t Use the Same Password for More Than One Login
The desire to reuse usernames and logins is understandable; it makes things easier to remember, and it’s faster to log in to wherever you need to go. However, once one of those websites or services are breached and unencrypted credentials are stolen, every other website you’ve used that username/password combination on is at risk. Your banking website, social media accounts, Amazon login, credit card portals, and so on can be easily identified and accessed with limited information outside of the stolen credentials.
How do you get yourself organized, then? Use a password manager such as LastPass to keep everything in one place. Don’t write down your credentials and leave the paper hanging on the wall next to your computer, and don’t keep them in a spreadsheet.
3. Verify Email Requests for Money Transfers via a Phone Call or Face-to-Face Conversation
Do you handle the books or AR/AP for your organization? You’ve probably received bogus requests for payments or money transfers from email addresses you don’t recognize.
It’s likely that you have or will come across someone who spoofs your supervisor’s or an upper management’s email address—someone who’s likely to ask you to transfer money for real. The email will look legitimate. It’s a clever tactic that can be highly successful. They’ll include a link in an email to make the whole process super easy.
But when you call or physically walk over to the person who supposedly asked for this transfer/payment, they have no idea what you’re talking about. Always verify with a phone call or, preferably, a face-to-face conversation. Additionally, a policy should be in place for formal written requests to be submitted.
4. Never Give Your Login to Someone Else
Even if you’ve been married to that person for 23 years, don’t do it. That might sound overly paranoid, but the other person has their own habits of handling logins and cybersecurity in general, and it puts your login at risk.
If someone else should have access to an account, see if there’s a way to grant them access via their own login, and make a thoughtful decision on what level of access they should have.
5. Check All Accounts for Multi-Factor Authentication Options
If they aren’t enabled, add them! In the event that your login credentials are compromised, this additional layer of security can block the threat actor from gaining access.
Even the level of security of multi-factor authentication options is evolving. SMS verification, where you get a code sent via text message to your phone to enter on the website, isn’t as secure as it once was. However, if that’s the only available option, it’s better than nothing.
Security questions are another method that are losing security clout. Answers to security questions, like “What is your mother’s maiden name?” can be found via a Google search or through your social media profiles. Try substituting your answer with something else you’ll easily remember, if security questions are your only option.
As of this writing, we recommend an authenticator app such as Google Authenticator or Duo, if the website offers it. Each of those has a handy mobile app, and Duo can push a notification to your phone to be approved in one tap.
If multi-factor authentication isn’t offered by the service, reconsider whether you really want to use a service that doesn’t take security seriously.
Security isn’t difficult, but it requires more of our time. If something does go awry, it can have devastating and costly consequences, so some preventative measures go a long way. Plus, the peace of mind is worth it.
Your partner in personalized IT solutions for 30+ years.
In 2019, New York State Governor Andrew Cuomo, signed the Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act. The Act went into effect on March 21, 2020. The SHIELD Act is a required guideline set by NYS to further protect the identity and security of NYS individuals’ private information, whether your company resides in NYS or does any business with New York residents. “Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data." Private information includes social security numbers, driver's license numbers, account numbers, credit/debit card numbers, fingerprints, retina images (ex: face ID for smartphones), usernames/emails/passwords, and more. The goal of this act is to help further protect against identity theft. To reach guidelines stated in the SHIELD Act, NYS requires every business to have reasonable security measures in place. Businesses will be in compliance with the SHIELD Act if the proper security measures are set in place. Security measures as defined by this new law are: Designates one or more employees to coordinate the security program Identifies reasonably foreseeable internal and external risks Assesses the sufficiency of safeguards in place to control the identified risks Trains and manages employees in the security program practices and procedures Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and Adjusts the security program in light of business changes or new circumstances Your business will also be in compliance if you currently meet the requirements of: Title V of the Federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 to 6809) Regulations implementing the health insurance portability and accountability act of 1996 (45 C.F.R. Parts 160 and 164) Part Five Hundred of Title Twenty-Three of the official compilation of codes, rules and regulations of the state of New York (Cybersecurity Requirements for Financial Services Companies) Any other data security rules and regulations of, and the statutes administered by, any official department, division, commission or agency of the federal or New York state government as such rules, regulations or statutes are interpreted by such department, division, commission or agency or by the Federal or New York state courts. Any breach in security is now required to be reported directly to the New York State resident whose information allegedly was stolen. Failure to comply with the SHIELD Act will result in a fine from the New York State attorney general. Read the official SHIELD Act text here . ACC is dedicated to assisting our clients with their compliance requirements, including initial steps as well as ongoing efforts while needs change. Contact us here to start a discussion and request a compliance audit.
In the growing list of ways threat actors are trying to access and steal data and information, we want to take a minute to talk about attacks that happen on a device most of us carry around all day. Cell phones are increasingly targeted for phishing attacks via SMS (text messaging), also known as "smishing." Why? First of all, we’ve come to trust our smartphones as the device that solves a lot of our problems, like googling an actor we can’t remember the name of, or like replying to an email while on the go. By targeting a device we trust (whether subconsciously or not), the attacks are often more successful because we let our guard down. Secondly, because they’ve become almost as unique and valuable as social security numbers, cell phone numbers are highly sought after info in a data breach. The attacks happen for different reasons and use different techniques. The following is a list of just a few examples methods and contexts they come in: Unsolicited text messages from banks, service providers, and superiors. Most play upon some sense of fear, such as account cancellation, someone stealing money from your bank, being accused of a crime or wrongdoing, or harm to your family. Often, they will impose a sense of urgency to illicit a response. They will request that you text back or go to a link to fix or activate something. Anyone with an email address can send you a text message. All mobile providers have an email-to-text conversion address. There are many web/app-based free text messaging services that require no verification of identity to use. SMS is a major form of 2-factor authentication for applications; therefore, it’s a target. So, how do they obtain your mobile number? There are quite a few ways that you might not even think of because they’re so engrained in our everyday lives. 1. Many rewards programs utilize your cell phone number as your identity. Retailers with brick-and-mortar stores will ask for your phone number when you check out, and anyone nearby can hear it. 2. Most businesspeople list their cell phone number on their business cards, email signatures, and presentations they give. 3. We use our cell phone number at many publicly accessible locations, such as pizza shops, restaurants, doctors’ offices, hairdressers, and grocery stores. What can you do to protect yourself? Generally, you should avoid interacting with the message’s content or sender, but here are some specific actions. Do not rush to action; take your time evaluating a text. Do not reply to any texts that are unsolicited. Do not click on links from unsolicited texts. Report the suspicious number to your cell phone provider. Delete the message to avoid inadvertent responses. It's important to make sure your colleagues are educated about these risks and the protective measures they can take. We suggest sending this post to them or setting up a seminar in your office with ACC's cybersecurity experts.
Contact Us:
315.484.4500
Our Location
Mailing Address
PO Box 2787
Syracuse, NY 13220-2787