The More You Make and Keep, the Stronger Your Cyber Security in 2023
Resolution season is upon us as we take our annual stock of who we would like to be. Fitter, kinder, more charitable, as always, but why not safer?
These cyber security New Year’s resolutions vary from simple things you can do in a few seconds to things that might require some outside help. They all have one thing in common: Individually, they will make you safer in 2023, so following just one will give you greater protection against cyber criminals. Each resolution that you add will boost security for you and your business.
I will secure my phone. Around 1 in 4 people fail to use a screen lock on their smart phones. That’s an improvement from 2013, when around 1 in 3 people failed to secure their phones. Use of lock screens must be mandatory for all work-related devices. It is also the first step for stronger cyber security in 2023.
I will use two-factor authentication. Apart from securing your phone, this is the most critical thing you can do to boost security. Every email account, every account that processes payments and all online accounts relating to finances must have two-factor authentication, along with every account that allows admin-level access to business systems or customer data. Two-factor authentication takes a few minutes to set up and adds seconds to the login process. The strongest method sends a text message to your phone (already secured with a lock screen) with a link to click. Without access to your phone, criminals cannot use stolen passwords to log in. Links are better than plain-text codes, which may be visible on Android devices even while the screen is locked.
I will update my passwords every 3 months. The start of each new business quarter should bring new passwords. Google can be configured to require this on a schedule that you set. This is a best practice for email and all business systems. The advantage is obvious: Stolen passwords become useless once you change them. The more often you change them, the greater your cyber security. If keeping track of business and personal passwords is a challenge, consider using a password manager that centralizes all of your credentials. Good password managers require your main login to be updated regularly.
I will not write passwords down. There is no safe place to store passwords on scraps of paper. Someone determined to find them will, whether they’re on a note in a drawer, tucked in your wallet or written backwards on a receipt hidden in a piece of ice in the freezer. If you must write passwords down to remember them, the safe way to store them is in a password-protected Excel spreadsheet. You will need to change that password a few times a year, and avoid writing it down anywhere.
I will limit what I share online. Some companies make it far too simple for social engineers to get the information they need to launch attacks by publishing executive information online. Far too many individuals overshare on personal social media accounts. Social engineers data mine public information for the names, emails and password hints they use to launch intrusions and phishing attacks. There is a delicate balance between what needs to be shared to promote a business and what creates cyber risks. Sharing less is always better. When personal information must be shared, it should be with safeguards in place to help employees spot possible attacks using that information.
I will close all my unused accounts. This is a more time-consuming resolution, but it only needs to be done once a year. Take an inventory of all the logins you have that you no longer use. Do you still have a MySpace account from your college days? Has your business changed software vendors but left the old logins active? Did you once buy something from an online store and then never visit again? Did you try a social media site for a day or two and then stop using it? Take the time to identify, disable and delete these outdated accounts for two reasons. First, criminals may try to access them through old logins, creating a base that can be used to compromise your identity. Second, if you do not actively use those accounts, particularly if you changed emails after you opened them, you may not be receiving security alerts or breach notifications. Anything you have not used in the past 14 months should be deactivated.
I will review financial statements. Criminals probe bank accounts by initiating a very small transaction, such as $1, then reversing it with a credit. Legitimate businesses also do this to verify bank accounts, credit cards and debit cards. Businesses must mandate a specific review of financial statements for these types of transactions; any debit that is subsequently credited should be scrutinized, along with any small transaction. Anything suspicious should be reported to your financial provider immediately. Do the same for your personal accounts. Financial providers are good at challenging large, unusual purchases, but they often fail to notice the tiny debit/credit transactions that precede an attempt at a big-ticket purchase. Some of the most determined cyber criminals siphon off a small amount each month from a company’s finances, knowing the theft is unlikely to be detected. Bookkeepers and accountants should pay close attention to any new vendors who invoice an organization and raise the alarm if those vendors have the same address, email or phone number as employees.
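The statement review described above can be partly automated. The following is an added example, not code from this article's author: it flags small debits, debits later cancelled by a matching credit, and vendors whose address, email or phone matches an employee's. The record layout, the $5.00 threshold and all sample names are assumptions made for the illustration.

```python
import re
from datetime import date

# Constructed sample data; amounts in cents, negative = debit.
TXNS = [
    {"id": "T1", "date": date(2023, 1, 3), "party": "ACME SUPPLIES", "cents": -125000},
    {"id": "T2", "date": date(2023, 1, 4), "party": "QX*VERIFY", "cents": -100},
    {"id": "T3", "date": date(2023, 1, 5), "party": "QX*VERIFY", "cents": 100},
    {"id": "T4", "date": date(2023, 1, 9), "party": "COFFEE CART", "cents": -350},
    {"id": "T5", "date": date(2023, 1, 20), "party": "ACME SUPPLIES", "cents": 125000},
]
VENDORS = [
    {"name": "Northwind Consulting", "address": "12 Elm St, Springfield",
     "email": "billing@northwind.example", "phone": "(555) 010-0199"},
    {"name": "Acme Supplies", "address": "400 Industrial Way",
     "email": "ar@acme.example", "phone": "555-010-0100"}]
EMPLOYEES = [{"name": "J. Doe", "address": "12 elm st,  springfield",
              "email": "jdoe@corp.example", "phone": "+1 555 010 0199"}]

def review_statement(txns, small_cents=500):  # assumption: <= $5.00 is "small"
    """Map each debit worth scrutiny to its reasons: small, reversed, or both."""
    txns = sorted(txns, key=lambda t: t["date"])
    matched, findings = set(), {}
    for i, t in enumerate(txns):
        if t["cents"] >= 0:
            continue
        reasons = ["small"] if -t["cents"] <= small_cents else []
        for c in txns[i + 1:]:  # look for a later credit that cancels this debit
            if (c["id"] not in matched and c["party"] == t["party"]
                    and c["cents"] == -t["cents"]):
                matched.add(c["id"])
                reasons.append("reversed by " + c["id"])
                break
        if reasons:
            findings[t["id"]] = reasons
    return findings

def _norm(field, value):
    """Normalize so formatting differences do not hide a match."""
    if field == "phone":
        return re.sub(r"\D", "", value)[-10:]  # assumption: 10-digit numbers
    return " ".join(value.lower().split())

def vendors_matching_employees(vendors, employees):
    """List (vendor, employee, field) where address, email or phone coincide."""
    return [(v["name"], e["name"], f)
            for v in vendors for e in employees
            for f in ("address", "email", "phone")
            if _norm(f, v[f]) == _norm(f, e[f])]
```

A debit that is both small and reversed (T2 in the sample) matches the probing pattern most closely and is the first one to raise with the financial provider.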
I will train myself and my employees to prevent phishing attacks. Phishing attacks rose by 61% in 2022, with more than 255,000,000 incidents. For cyber criminals, this is a numbers game. The more attacks they launch, the more likely they are to find a victim. It is no longer just big companies with volumes of personal data at risk; it’s every business in every sector and nearly every individual who has a smart phone or an email address. Annual phishing awareness training should be mandatory at all companies. Twice-annual training is better. Programs that include simulated attacks with a summary of how employees responded provide the best results. You will need professional support for this, but there are a number of affordable solutions available. Weigh that cost against the potential expense of a phishing attack: Someone sending a $500 gift card to a cyber criminal may not seem like a big deal, but once any criminal successfully attacks your organization, more criminals with more sophisticated attacks often follow.
I will hire or contract a Chief Information Security Officer (CISO). All large businesses and most mid-sized businesses have a CISO on staff or on retainer. This executive-level information-security professional handles all cyber security needs, from evaluating and setting up security measures to documenting compliance to ensuring that employees receive appropriate cyber security training. Small businesses and startups, outside of the tech sector, have a far lower level of CISO protection. A full-time security specialist may be beyond the needs or budget of many small companies. In these cases, a part-time, affordable Virtual CISO can significantly improve cyber security. For companies that fall under the FTC Safeguard Rule in 2023, professional support is almost mandatory.
You must change habits to improve cyber security. These New Year’s resolutions can help you do that, and most of them are very easy to keep, with no additional cost for you or your business beyond a bit of time. If you feel that you are not doing enough to improve your business’ security, or if you are unsure where to begin, contact us online or call us at 1-800-658-8311 to speak to a cyber security professional. We build custom security awareness solutions for our clients, based on their needs and what they can afford.
Good luck with all your New Year’s resolutions.