Know When and How to Stop Ransomware Attacks

Ransomware attacks are on the rise, and small businesses are on the menu. The 2023 State of Ransomware report from Malwarebytes Labs counts 1,462 attacks in the United States between July 1, 2022, and June 30, 2023, or 43% of all known ransomware attacks worldwide, with attacks doubling in frequency between January and June 2023 compared with the previous six-month period.

While the Vacant Land Scam and Business Email Compromise may be — and should be — top of mind for most small-business owners and employees, ransomware must also be on the threat radar. School districts were among the top ransomware targets in August 2023, in part because criminals have shifted their focus away from large corporations with strong protections and toward public and private organizations with heavy third-party dependencies and softer cyber security.

When Are You Most Vulnerable to Ransomware Attacks?

Note that the question is not, “Who is most vulnerable,” because criminals are actively looking for the softest targets available. It does not matter what you do or in what sector. If you have user data or online systems that are critical to the operation of your organization, ransomware hackers have their eyes on you. You are particularly vulnerable if criminals believe you will pay their ransom to get your systems back online quickly, or if they believe you will not contact law enforcement out of a fear of reputational harm. Couple one or both of those realities with a lot of external vendors, off-the-shelf software and poor password protections and you can expect hackers to come after you.

Ransomware attacks begin with a hacker gaining enough access to your systems to run their own software. There are a few common ways criminals get that access:

  1. Exploits, including zero-days: These attacks target vulnerabilities in software, or in the communications between devices, that let a criminal run code and drop a ransomware package. A zero-day is a flaw for which no patch exists yet; far more often, attackers use known flaws that simply have not been patched. Any time you change software vendors or hosting services, or install or update software, you are taking on code you have not vetted, so the change itself is a moment of exposure. Cheap thumb drives may also ship with malware, making a new drive a threat the first time you use it.
  2. Phishing: Criminals use a variety of phishing techniques to steal login credentials or to get malware run. These include emails directing employees to sites that download malware, phony client emails, and pretexting attacks in which criminals pose as a coworker or supervisor. You are most vulnerable when new employees gain access to your systems, which makes it essential to include cyber security education on every employee's first day on the job.
  3. Code injection: Criminals may load malicious code through vulnerabilities in your website or in the connections between your devices and a third party. You are most vulnerable if you do not keep up with security updates and patches, and if connections to third parties are not encrypted and authenticated (TLS with certificate checking), since unencrypted traffic can be read and altered in transit.

Determined hackers may also use less sophisticated methods to gain access if they know where to look: credential stuffing, where hackers try username and password pairs stolen in other breaches; password spraying (sometimes called credential spraying), where a short list of common passwords is tried against many known usernames, slowly enough to stay under lockout thresholds; and brute force, where automated tools hammer a login page with large numbers of password guesses for one account. All three are defeated by unique passwords plus a second factor, and all three show up in login logs as patterns of failed attempts that no legitimate user would generate.

Ransomware Attacks Are Rarely Immediate

One key aspect of ransomware attacks has changed: hackers seldom deploy their malware right away. Instead, they loiter in your compromised systems, sometimes for weeks. They may work to gain access to other systems, or make small changes to see whether you are paying attention. In some cases, hackers wait for a period when you are particularly vulnerable, such as the start of a new school year or a busy business cycle, so that the attack causes the greatest disruption possible.

The period between criminal access and ransomware deployment is your opportunity to stop the attack, but this will only happen if you are vigilant and have the right monitoring systems in place.

  • Review login data. Keep track of new devices and locations that log on to your network, and compare each login with what that user normally does. If a login looks unusual, reach out directly to the user, by phone or in person rather than by email, to confirm that it was them.
  • Look for unusual data-transfer activity. A ransomware package has to be downloaded to and run on at least one device in your organization. Hackers may also exfiltrate large amounts of your data before they launch the ransomware if they plan to extort you by posting it on the dark web, or to sell it to other criminals. These transfers leave a trail: large volumes of data moving at an unusual hour, or to a destination you have never sent data to, should be a red flag that triggers an immediate response.
  • Scan for software installs and changes to critical system files. Hackers may upload a small, innocuous-looking file or make a small change to a core system file before they deploy malware, partly as a test of whether your systems detect their activity. File-integrity monitoring on system directories, and alerts on new scheduled tasks, services or startup entries, catch this.

You can stop ransomware attempts in their tracks if you have the right monitors in place, and if someone is watching them. Your systems should be set up to send automatic alerts when they detect anything unusual, and you should have protocols in place to follow up on these alerts.
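The two checks in the list above (unfamiliar logins and unusual data movement) can be run over ordinary sign-in and proxy logs. The script below is an added example, not code from the original article: it builds a per-user baseline from older events, then flags any later login from a device or country the user has never used and any transfer far above the user's normal volume or to a never-seen destination. All events, the tuple layout and the 06:00 "business hours" cutoff are this example's own assumptions, not any product's real log format.

```python
"""Added example: baseline-and-deviation checks over constructed login and
transfer events. The field layout is an assumption for this example, not a
real product's log schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, oldest first. In practice these come from your
# identity provider, VPN and web-proxy logs.
LOGINS = [
    # (timestamp, user, device_id, country)
    ("2023-09-01T08:02:00", "alice", "laptop-a1", "US"),
    ("2023-09-02T08:10:00", "alice", "laptop-a1", "US"),
    ("2023-09-03T07:58:00", "alice", "laptop-a1", "US"),
    ("2023-09-01T09:00:00", "bob",   "desk-b7",   "US"),
    ("2023-09-02T09:05:00", "bob",   "desk-b7",   "US"),
    # new device and new country for alice, at 03:14
    ("2023-09-04T03:14:00", "alice", "win-x99",   "RO"),
    ("2023-09-04T09:01:00", "bob",   "desk-b7",   "US"),
]

TRANSFERS = [
    # (timestamp, user, bytes_out, destination)
    ("2023-09-01T12:00:00", "alice", 40_000_000, "sharepoint.example.com"),
    ("2023-09-02T12:00:00", "alice", 55_000_000, "sharepoint.example.com"),
    ("2023-09-03T12:00:00", "alice", 50_000_000, "sharepoint.example.com"),
    ("2023-09-01T12:00:00", "bob",   10_000_000, "sharepoint.example.com"),
    # 3 GB to a never-seen host at 02:40: data being staged for exfiltration
    ("2023-09-04T02:40:00", "alice", 3_000_000_000, "198.51.100.23"),
    ("2023-09-04T12:00:00", "bob",   11_000_000, "sharepoint.example.com"),
]

def _off_hours(ts):
    """Assumed business hours: anything before 06:00 is off-hours."""
    return datetime.fromisoformat(ts).hour < 6

def login_alerts(logins, cutoff):
    """Alerts for logins at/after `cutoff` whose device or country the user
    never used before `cutoff`. A user with no history is flagged on
    everything, so seed the baseline from at least a few weeks of logs."""
    seen_dev, seen_cc = defaultdict(set), defaultdict(set)
    for ts, user, dev, cc in logins:
        if ts < cutoff:                      # ISO-8601 strings sort correctly
            seen_dev[user].add(dev)
            seen_cc[user].add(cc)
    alerts = []
    for ts, user, dev, cc in logins:
        if ts < cutoff:
            continue
        reasons = []
        if dev not in seen_dev[user]:
            reasons.append(f"new device {dev}")
        if cc not in seen_cc[user]:
            reasons.append(f"new country {cc}")
        if reasons and _off_hours(ts):
            reasons.append("off-hours")
        if reasons:
            alerts.append((ts, user, "; ".join(reasons)))
    return alerts

def transfer_alerts(transfers, cutoff, ratio=10):
    """Alerts for transfers at/after `cutoff` that exceed `ratio` times the
    user's average pre-cutoff transfer, or go to a never-seen destination."""
    seen_dst, history = defaultdict(set), defaultdict(list)
    for ts, user, nbytes, dst in transfers:
        if ts < cutoff:
            seen_dst[user].add(dst)
            history[user].append(nbytes)
    alerts = []
    for ts, user, nbytes, dst in transfers:
        if ts < cutoff:
            continue
        reasons = []
        avg = sum(history[user]) / len(history[user]) if history[user] else 0
        if avg and nbytes > ratio * avg:
            reasons.append(f"{nbytes / avg:.0f}x normal volume")
        if dst not in seen_dst[user]:
            reasons.append(f"new destination {dst}")
        if reasons and _off_hours(ts):
            reasons.append("off-hours")
        if reasons:
            alerts.append((ts, user, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    cutoff = "2023-09-04T00:00:00"
    for a in login_alerts(LOGINS, cutoff) + transfer_alerts(TRANSFERS, cutoff):
        print(*a)
```

Run as written, the script reports one login alert (alice, new device, new country, off-hours) and one transfer alert (alice, roughly sixty times her usual volume, to a new destination, off-hours), and nothing for bob. The point is the baseline: neither event is remarkable on its own, only against what that user normally does.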

How to Mitigate and Respond to Ransomware Attacks

Sophos reports the average ransomware payment in 2023 as $1.54 million, and a mean recovery cost of $1.6 million for organizations that restored from backups rather than paying. Every employee and organizational leader should be aware of these numbers. The days of swatting away hackers with a few thousand dollars in Bitcoin are over. Ransomware is a big-money business for criminals, which is why attacks continue to rise.

There are a few things you can do before and during a ransomware attack to protect your data, your systems and your business:

  1. Make two-factor authentication mandatory. This blocks most attacks that rely on stolen or guessed passwords, a common first foothold for ransomware groups. It does not protect an unpatched service exposed to the internet, so it works alongside patching rather than replacing it. Prefer an authenticator app or a hardware security key over codes sent by text message.
  2. Train employees to never share login codes. Under no circumstances should a two-factor code be shared with anyone, and an unexpected approval prompt on a phone should be denied and reported, not accepted to make it stop. From their first moments at work, employees need to understand that cyber security is part of their job and that failure to follow protocols comes with consequences.
  3. Create backups of your data and your systems on a regular basis. Store at least one copy on media that are disconnected from your network, and plan to keep backups for 120 days, since attackers often lurk for weeks before encrypting and the most recent copies may already include their changes. Test a restore periodically; a backup you have never restored is an assumption, not a plan. In the event of a ransomware attack, you can use these backups to rebuild a clean version of your systems and lock the criminals out.
  4. Contact law enforcement. Criminals rely on compliant victims. You may believe that paying the ransom and moving on is the best course of action, but this is precisely what hackers want. By reporting the attack (in the United States, through the FBI's Internet Crime Complaint Center at ic3.gov or your local FBI field office), you achieve two goals: First, you may be able to recover some or all of the stolen funds in the event that you must pay a ransom. Second, you raise awareness of criminal activity that law enforcement can use to stop future attacks and identify criminals. Ransomware remains a very high priority for state and federal law-enforcement agencies. If lax responses to other cyber crimes have discouraged you from reporting in the past, you will be pleasantly surprised by the support you receive following a ransomware attack.

As always, the best protection is prevention, and the key to prevention is cyber security employee training alongside strong cyber security practices and protocols. Protect Now can help your small business prevent and mitigate attacks. To learn more, contact us online or call us at 1-800-658-8311.

Credential Stuffing: What It Is and Why You Should Be Concerned

A recent credential stuffing attack on 23andme.com left most people bemused, if they noticed it at all. A similarly muted response followed the leak of millions of user records on known hacker forums. What is a hacker going to do with your ancestral history? The answer may surprise you and should concern you if you are lax about password security.

Anatomy of a Credential Stuffing Attack

A credential stuffing attack occurs when a hacker takes stolen login data from the Dark Web, such as a username and password stolen from a previous attack, and uses it to try and gain access to other online accounts. In the simplest terms, it works like this:

  1. A criminal steals, buys or finds usernames and passwords online.
  2. The criminal attempts to log in to an account on a popular site using the stolen usernames and passwords. This can be done slowly, one set of credentials at a time, or at scale with automated tools. The attack on 23andMe.com, which exposed millions of user records, may have been automated.
  3. Credentials that work, that is, username and password combinations that give the criminal access to the account, get marked as “working” or valid.
  4. The criminal creates a new database of working credentials and offers it for sale via the Dark Web or hacker forums.

If you are the target of a credential stuffing attack, a hacker now knows two things about you: You use the same credentials on multiple sites and you do not update your passwords frequently. The next criminal in line, who buys the stolen, working logins, may attempt to access shopping sites, your email accounts or your bank accounts.

Why Was 23andMe Targeted?

Criminals target sites like 23andMe because they are popular. In its second-quarter financial report, 23andMe.com reported more than 14 million users. For criminals hoping to validate stolen logins, a popular site is a good place to start. Criminals are not necessarily interested in hijacking someone’s 23andMe account, but they are interested in finding out if username and password combinations work. Hackers can then prove that they gained access to the accounts by posting some data that would only be available to the account holder; in the case of 23andMe, this was information about clients’ genetic history, which is only shared on an individual basis with registered users.

That proof increases the value of the records. Criminals assume that people who use the same username and password on more than one site likely use it on additional sites, which may include Amazon, eBay, Facebook or banking sites. Armed with working passwords, criminals can then attempt to hijack the accounts that they truly want. For the hacker who carries out a credential stuffing attack, the reward comes from selling data.

Most of the top websites in the United States have protections in place to prevent large-scale credential stuffing attacks, which makes the 23andMe.com attack unusual. It is possible that the site was targeted because it offered a combination of a large user base and vulnerability to automated attacks, allowing hackers to test millions of potential username and password combinations. The most-visited websites, and nearly all financial services sites, have safeguards in place to prevent hackers from testing more than a few credentials at a time.

If you are a high-value target, such as someone with a large bank balance, access to large volumes of personal data, access to corporate or public-sector infrastructure or the ability to authorize wire transfers, you are particularly vulnerable to a targeted credential stuffing attack. Criminals mine databases of validated credentials for a few people, identified by username or email address, who are high-reward targets, then try those credentials across several popular sites looking for shared passwords. Because they try only a few credentials at a time, spread across many source addresses and over hours or days, rate limits and lockouts designed to stop mass attacks never fire.
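Both shapes of attack described in this article, and the stuffing, spraying and brute-force methods named in the ransomware article above, leave a signature in authentication logs even though the passwords themselves never appear there. The script below is an added example, not code from the original: it flags a source address that tries many distinct usernames with a tiny success rate (stuffing or spraying), lists the accounts that source did get into (the "validated" credentials that will be resold, and that need a forced reset), and separately flags an account being guessed from many different addresses a little at a time (the low-and-slow, targeted variant that per-address rate limits miss). The attempts and their tuple layout are constructed for this example, not a real log schema; the thresholds are assumptions to tune against your own traffic.

```python
"""Added example: credential stuffing / spraying and low-and-slow detection
over constructed authentication attempts. Tuple layout and thresholds are
this example's assumptions.
"""
from collections import defaultdict

# (timestamp, source_ip, username, success)
ATTEMPTS = [
    ("2023-10-02T09:00:00", "203.0.113.5", "carol", True),
    ("2023-10-02T09:01:00", "203.0.113.5", "carol", False),   # a typo
    ("2023-10-02T09:01:30", "203.0.113.5", "carol", True),
]
# Stuffing: one source, 300 different usernames, two of the stolen pairs work.
ATTEMPTS += [
    (f"2023-10-02T10:{i // 60:02d}:{i % 60:02d}", "198.51.100.7",
     f"user{i:04d}", i % 150 == 0)
    for i in range(300)
]
# Low and slow: one high-value account, one failed guess per hour from a
# different address each time, never enough from any one IP to trip a limit.
ATTEMPTS += [
    (f"2023-10-02T{11 + h:02d}:17:00", f"192.0.2.{10 + h}", "cfo", False)
    for h in range(12)
]

def volumetric_sources(attempts, min_users=50, max_success_rate=0.05):
    """Sources that tried many distinct usernames and almost always failed.
    Returns {source_ip: (distinct_users, attempts, valid_hits)}."""
    stats = defaultdict(lambda: [set(), 0, 0])
    for _, src, user, ok in attempts:
        s = stats[src]
        s[0].add(user)
        s[1] += 1
        s[2] += int(ok)
    flagged = {}
    for src, (users, n, hits) in stats.items():
        if len(users) >= min_users and hits / n <= max_success_rate:
            flagged[src] = (len(users), n, hits)
    return flagged

def validated_accounts(attempts, flagged_sources):
    """Accounts a flagged source logged in to successfully. These credentials
    are now 'working' in the criminal's list and need a forced reset."""
    return sorted({u for _, src, u, ok in attempts if ok and src in flagged_sources})

def targeted_accounts(attempts, min_sources=5):
    """Accounts with failed logins from at least `min_sources` distinct IPs:
    the low-and-slow pattern that per-IP lockouts never see."""
    fails = defaultdict(set)
    for _, src, user, ok in attempts:
        if not ok:
            fails[user].add(src)
    return {u: len(s) for u, s in fails.items() if len(s) >= min_sources}

if __name__ == "__main__":
    sources = volumetric_sources(ATTEMPTS)
    print("stuffing/spraying sources:", sources)
    print("force password reset on:", validated_accounts(ATTEMPTS, sources))
    print("accounts under low-and-slow attack:", targeted_accounts(ATTEMPTS))
```

Note that the two successes from the stuffing source are the real finding: blocking the address after the fact does nothing for the two users whose passwords have just been confirmed valid. The per-account check is what catches the targeted case from this article; if your provider only offers per-address throttling, ask whether it can alert on failures per account across addresses.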

Should I Be Concerned, and What Should I Do?

Anyone who used 23andMe for a DNA test or opened an account on the site should change that password immediately. If you used the same password on other sites, it should also be changed immediately. The nature and extent of the 23andMe attack, including the number of logins compromised, remain unknown, which makes the potential threat to individuals unknown.

There are a number of additional steps you should take, whether impacted by 23andMe or not, to protect your online accounts from hijacking.

  1. Enable two-factor authentication. This is the strongest measure you can take against account hijacking. Even if criminals get your username and password, they still need the second factor to complete a login. Text-message codes are better than nothing, but an authenticator app or a hardware security key is stronger, since text messages can be intercepted or redirected through SIM-swap fraud and a one-time code can be phished in real time. Two-factor authentication is a must for your email and financial logins, and you may want to avoid websites that do not offer it.
  2. Sign up for account access notifications. Many of the web’s most popular sites, including Microsoft, Gmail and Disney properties, will send you an alert if your account is accessed from a new device. Always enable this notification when it is offered, as it will alert you if criminals attempt to access your accounts. If you receive an alert about activity that you do not recognize, immediately change that password and enable two-factor authentication.
  3. Close and delete accounts for services you no longer use. Some sites and service providers will offer to keep your account in a suspended state, hoping that you will return in the future. Reject this convenience and insist that all of your account data, including login information, be removed when you close your account. To ensure that this has been done, attempt to log in to the account with your canceled username and password. If the system does not recognize it, you can consider the account fully closed. Old accounts are a significant vulnerability, because you may not be aware that your credentials were stolen during a cyber attack.
  4. Never use the same password across multiple accounts, and avoid small variations, because criminal cracking tools apply exactly those variations automatically. If you use Magnolia1, Magnolia2 and Magnolia3 on different sites, one leaked password tells an attacker the other two; the same goes for swapping letters for digits or tacking on a year. Lockouts after three or four failed attempts help only if none of the attacker's first few guesses is right, so assume criminals already hold your passwords from more than one site and make each one unrelated to the others, ideally generated by a password manager.
  5. Consider a password manager. Next to two-factor authentication, password managers are the best way to keep your logins safe, but the most robust options come with monthly fees. If you are a high-value target, the extra expense may be necessary. Businesses that use password managers should consider offering them for employees’ personal devices as a perk. While there may be a small amount of additional overhead, this will cost far less than the work hours lost by an employee who has to recover from a cyber attack. This also plugs a potential path for phishing and pretexting attacks.
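The "small variation" rule in item 4 can be checked mechanically, which is also how an attacker exploits it. The function below is an added example, not code from the original article: it reduces a password to its "core" by stripping the counters, years and punctuation people add at the ends, undoing common letter-for-digit swaps and ignoring case, then asks whether a candidate password's core matches, contains, or is within a character or two of a password already known (from a breach dump, or the user's other accounts). The normalisation rules and the similarity threshold are this example's own assumptions, not a standard.

```python
"""Added example: is a new password just a cheap variant of an old one?
Normalisation rules and thresholds are assumptions for this example.
"""
import re
from difflib import SequenceMatcher

# Undo the usual letter-for-digit/symbol substitutions ("l33t").
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

def core(pw):
    """Reduce a password to its core: strip digits/symbols from both ends,
    undo leet substitutions, lower-case. A password that is nothing but
    digits/symbols has no core and is compared as typed (lower-cased)."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    return stripped.translate(_LEET).lower() or pw.lower()

def is_trivial_variant(candidate, known, min_ratio=0.8):
    """True when the cores are equal, one contains the other (for cores of
    at least five characters), or they differ by only a character or two."""
    a, b = core(candidate), core(known)
    if a == b:
        return True
    if min(len(a), len(b)) >= 5 and (a in b or b in a):
        return True
    # SequenceMatcher ratio is 2*matches/(len(a)+len(b)); 0.8 tolerates
    # roughly one or two edits on an eight-character core.
    return SequenceMatcher(None, a, b).ratio() >= min_ratio

def first_variant_of(candidate, known_passwords):
    """Return the first known password the candidate is a variant of, or None."""
    for known in known_passwords:
        if is_trivial_variant(candidate, known):
            return known
    return None

if __name__ == "__main__":
    # Constructed "already leaked" list; never keep real passwords in a file like this.
    leaked = ["Password1", "Magnolia1"]
    for pw in ["Magnolia3", "M4gnol1a!", "2023Magnolia", "xk9#Qv2!tL"]:
        print(pw, "->", first_variant_of(pw, leaked))
```

Used at password-change time, the check rejects Magnolia2 after Magnolia1 has leaked, which is the case item 4 describes. The known-password list should itself be handled as sensitive data: compare against a breach corpus through a service that accepts hashed prefixes, or run the check on the client side, rather than keeping old plaintext passwords around.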

The more difficult you make life for criminals, the more likely they are to leave you alone. Password protection should be your highest priority, as poor password hygiene opens the door to attacks that could devastate your finances or your business. If you need some practical advice for protecting your email, check out our free E-mail Safety Crash Course Elearning video. If you have larger cyber security needs, please contact us online or call us at 1-800-658-8311.

Are Backup Files the Missing Link in Your Cyber Security?

Do you have backup files for your critical business data and software? Where are they stored? How often are they updated?

During Cyber Security Awareness Month, you should be asking these three critical questions. Too often, business leaders and employees see cyber security as an ongoing battle against phishing, business email compromise and other direct scams. While these are core concerns, data safety is also essential. You can train your people to stop pretexting attacks, but that training is of no value when a hacker encrypts or steals all of your business data and shuts down your operations. Even experienced IT professionals can have a blind spot when it comes to data backups.

Cloud Backup Files Are Not Enough

The default choice for many businesses is cloud backup, which is simple to implement and easy to access. That convenience obscures a significant risk: cloud services can be compromised and, more often, the account that holds the backups is compromised along with everything else. If your only backups live under the same credentials an attacker has stolen, or are synced from the very machines the attacker controls, those backups can be deleted or encrypted too. You may have done enough to qualify for a cyber liability or business interruption insurance claim, but you still lack the data you need to run your business.

Cloud backup files should be part of your cyber security protocols, but they should not be your only path to data recovery. Backups on removable media that are kept offline, such as a USB drive or an external hard drive that is unplugged between backup runs, are also necessary for the following reasons:

  1. Your cloud backups can be compromised. Hackers may encrypt or steal your data from your cloud backup provider, or compromise your cloud provider’s operations, preventing you from accessing data.
  2. Backup files may contain malware. Cyber criminals are more patient than most people realize. It is rare for them to gain access and immediately deploy malware or ransomware; they lurk for weeks, sometimes months, before launching. A backup taken during that window captures their tools, their added accounts and their configuration changes along with your data, so restoring your most recent backup after an attack may hand the criminals their foothold back. You need copies that predate the intrusion.
  3. Cloud backup files may be incomplete. Creating a daily cloud backup is a good practice, but daily backups typically get purged after a few weeks to make room for newer backups. If you need data that is more than a month old, it may not be available. Your cloud backups may also be limited in scope; they may save daily data, but not the software you need to access that data.

Best Practices for Backup Files

Backup files are a crucial part of your overall cyber resilience. In the event of a ransomware attack, backup files may allow you to restore systems and avoid paying a ransom. In the event of data loss or exfiltration, backups may allow you to determine exactly what data were stolen, which can help you comply with new SEC Disclosure Requirements. Backups may also help cyber security professionals identify the timeline and methods used in a cyber attack.

Here are five things every organization should do to incorporate backup files in a cyber resilience plan:

  1. Employ cloud backups wherever they are offered. Even with their limitations, cloud backups offer the simplest option for daily data and system protection. Set up daily backups for your website, business data and cloud-based services that you use. Be sure that data are encrypted and take note of what is and is not backed up; for example, a website backup may include the core elements of the site and exclude add-ons, plugins and custom code. Cloud services may back up your business data but not any customizations you have made to your cloud environment. When in doubt, ask your service provider for a full list of what is and is not backed up. Ask how long data are retained as well, and make a note of that timeline. If you have to pay a little extra for daily backups or longer data storage, it may be a worthwhile investment.
  2. Create offline backups of business data. At least once a week, export essential business data (spreadsheets, database dumps or whatever your systems can produce) to an encrypted USB drive or external drive, then unplug it: a backup drive that stays connected will be encrypted along with everything else. Once a drive is full, label it with a date and keep it in a secure area under lock and key. Restrict access to these backups to IT staff and senior leadership, and use them only if critical systems are compromised and data become unrecoverable. Backups containing personal information fall under the FTC Safeguards Rule, which expects customer information to be encrypted and disposed of securely when no longer needed, so old drives need to be erased or destroyed on a schedule.
  3. Maintain a physical file of critical business data. This should include information that you need to keep your business running, including client names, phone numbers, addresses and order or delivery information. To determine what to include, imagine a situation where your business is without power for several weeks, or where you lack access to your office due to a fire or disaster. What would you need to continue to service your clients, and what functions can you track and complete offline? The physical file can be created in a spreadsheet and printed weekly, or as you add new clients. Like data backups on external drives, the information in these files is subject to the FTC Safeguards Rule, so you will need to store the physical files in a secure place, limit access to them and destroy old copies periodically.
  4. Create a system recovery image or recovery drive. On a Mac, a bootable macOS installer on a USB drive lets you repair a failing machine or reinstall macOS. On Windows, a recovery drive lets you boot and repair a machine that will not start, and a system image is a complete snapshot of your Windows installation, settings and applications. Create these quarterly and store them on a USB or external drive, using a separate drive for each so that a compromised image cannot contaminate the others. These files have a practical purpose beyond cyber security: if your primary computer is lost or damaged, you can use them to rebuild your systems on a new device, and they can restore a system whose hard drive has failed.
  5. Maintain access to your passwords. If you rely on your browser to fill in stored passwords, you could find yourself locked out of critical systems when that machine is gone. A cloud-based password manager can provide access, as long as you have the master password and recovery keys needed to get into it. Keep those, and any other critical passwords, on a written list in a safe or locked drawer, or in an encrypted file (most password managers can export an encrypted copy) on a USB drive stored the same way. Never store sensitive passwords in emails or in plain-text files on your hard drive, as cyber criminals look for exactly those if they get into your systems.
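Two of the points above, that a backup left connected can be silently altered (item 2) and that the copy you restore must predate the intrusion (the "backup files may contain malware" section), can both be turned into routine checks. The script below is an added example, not code from the original article: it writes a SHA-256 manifest when a backup is taken, verifies a backup copy against that manifest before you restore from it, and picks the newest backup that is both inside the retention window and older than an estimated intrusion date. `demo()` builds a small backup in a temporary directory and then simulates ransomware rewriting one file on a drive that was left plugged in. File names, dates and the 120-day retention default are constructed for this example; run it only against a scratch directory.

```python
"""Added example: backup manifest, integrity verification and restore-point
selection. Names, dates and retention are assumptions for this example.
"""
import hashlib
import json
import tempfile
from datetime import date, timedelta
from pathlib import Path

MANIFEST = "MANIFEST.json"

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir):
    """Hash every file under backup_dir and store the manifest beside the data.
    Keep a second copy of the manifest somewhere the backup drive is not, so
    an attacker who can rewrite the drive cannot also rewrite the hashes."""
    backup_dir = Path(backup_dir)
    manifest = {
        str(p.relative_to(backup_dir)): file_sha256(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest

def verify_backup(backup_dir, manifest=None):
    """Return a list of problems ('missing: x', 'altered: x'); an empty list
    means the copy matches. Pass the off-drive manifest copy when you have one."""
    backup_dir = Path(backup_dir)
    if manifest is None:
        manifest = json.loads((backup_dir / MANIFEST).read_text())
    problems = []
    for rel, digest in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif file_sha256(p) != digest:
            problems.append(f"altered: {rel}")
    return problems

def pick_restore_point(backup_dates, intrusion_date, today, retention_days=120):
    """Newest backup (ISO date strings) taken strictly before the estimated
    intrusion and still inside the retention window, or None if every
    retained copy postdates the intrusion."""
    today = date.fromisoformat(today)
    intrusion = date.fromisoformat(intrusion_date)
    oldest_kept = today - timedelta(days=retention_days)
    usable = [d for d in backup_dates
              if oldest_kept <= date.fromisoformat(d) < intrusion]
    return max(usable) if usable else None

def demo():
    """Take a backup, verify it, then simulate ransomware rewriting one file
    on a drive that was left connected, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        bk = Path(tmp) / "backup-2023-09-30"
        bk.mkdir()
        (bk / "ledger.csv").write_text("client,amount\nacme,1200\n")
        (bk / "notes.txt").write_text("call acme monday\n")
        manifest = write_manifest(bk)
        before = verify_backup(bk, manifest)
        (bk / "ledger.csv").write_bytes(b"\x00encrypted-by-ransomware\x00")
        after = verify_backup(bk, manifest)
    return before, after

if __name__ == "__main__":
    print(demo())
    print(pick_restore_point(["2023-06-01", "2023-08-15", "2023-09-15", "2023-09-30"],
                             intrusion_date="2023-09-20", today="2023-10-01"))
```

The manifest is only as trustworthy as where it is kept: if it lives solely on the drive that was connected during the attack, the attacker could have rewritten it too, which is why `verify_backup` accepts a separately stored copy. The restore-point rule is the practical form of "keep backups for 120 days": with weekly copies and an intrusion discovered six weeks after it began, you still have a clean one to go back to.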

Backup files, printouts and drives should be treated with the same care as digital data. They must be kept in a secure place and should be used only when necessary. These additional security measures should not deter you from creating backups. In the event of a ransomware attack, natural disaster or catastrophic damage to a computer, backup files can get you up and running in less than two hours, or provide the information you need to run your business offline until online problems can be addressed.

Large organizations should have protocols in place to create and maintain backups as part of an overall cyber resilience plan. Small businesses and sole proprietors will need to manage backups by themselves, but it is not a complex or overly time-consuming process. If you need guidance on creating system recovery files, or help creating and protecting backup files, please contact us online or call us at 1-800-658-8311.

Real Estate Fraud Is Booming: How Are You Protecting Your Clients?

Data from the Federal Bureau of Investigation (FBI) point to boom times for real estate fraud. In 2022, real estate fraud cost victims $396.9 million, a 13.30% rise from 2021 and an 86.18% rise from 2020. More than $132 million more was lost to real estate fraud in 2022 than to check and credit card fraud, which get the majority of the headlines.

As the FBI notes, these crimes can be devastating for individuals, who may lose their life savings or the chance to use the proceeds of a home sale to buy another property. Loss of a commission or fee is the least of the worries here. Imagine how you would feel if your actions caused someone to lose everything they had, what that client will say about you, and the damage this could cause to your business and professional reputation.

Why Is Real Estate Fraud Rising?

Real estate is a preferred target for criminals for one reason: wire fraud. Few other industries move money from individual clients at the level of real estate professionals. A single transaction can be worth $250,000, $500,000 or over $1,000,000. All a criminal has to do is grab one of those transactions for a massive payday.

Sophisticated criminals know that real estate wire transfers are low-risk, high-yield opportunities. Why settle for a few hundred dollars from a stolen credit card when a single wire transfer could be worth hundreds of thousands?

How Real Estate Wire Fraud Works

The majority of real estate wire fraud cases stem from business email compromise (BEC) attacks. You may currently be in the crosshairs of a fraudster and not know it.

These attacks follow a predictable pattern:

  1. A criminal gains access to email accounts for individuals involved in a real estate transaction. This could be an agent, a broker, a banker or an individual buyer or seller.
  2. The criminal waits until the wire transfer is about to take place, then sends an email, either by spoofing a real address or directly from the compromised mailbox, directing the wire transfer to a bank account the criminal controls. From a compromised mailbox, criminals often add a mail rule that hides the other party's replies, so the real account holder does not notice the exchange.
  3. The unwitting real estate professional sends the transfer to the bogus account.
  4. The criminal empties the account as soon as the transfer is complete. They may withdraw cash, transfer the funds to new accounts, convert the money to cryptocurrency or make deposits via large checks.

Around half of the money stolen in wire fraud scams remains in the United States, while the other half routes to offshore banks, with China and Hong Kong as top destinations. Once the money has been moved, there is little that law enforcement can do to recover it, though the recovery rate is higher for money that stays in the United States.

Steps to Take to Prevent Wire Fraud

To protect your clients and your business, you must first acknowledge that you are a target. You transfer life-changing amounts of money using methods that criminals understand and know how to exploit. In the 1800s, criminals went after stagecoaches loaded with cash and valuables, as well as trains. In the 1900s, criminals infiltrated airports and robbed couriers and armored vehicles. In the current era, a single criminal can get a larger payday by intercepting a single wire transfer.

Today’s criminal may have an edge, because the people who moved cash and valuables in the past knew that they were targets and took steps to defend themselves, while the targets of wire fraud may be completely unaware of their vulnerability. Know that criminals are watching you, that they want to steal from you and that it is a matter of when, not if, they will attack.

Understanding this threat will help you recognize risks. Vigilance is the most important tool in cyber security. With that in mind, here are some techniques you can use to prevent wire fraud.

Preventing Real Estate Fraud in Your Business

Be aware that criminals will attempt to gain access to your email, business emails, client emails and the systems you use to transfer funds, such as online banking apps. You may not know that an account has been compromised, and criminals may wait to launch an attack until they see a high-dollar transaction.

1. Enable two-factor authentication. Anyone who has the authority to issue a wire transfer must use some form of two-factor authentication to protect their email and banking logins. Google turns it on by default for most Gmail accounts, and it should be an option in any software you use. Codes sent by text message are better than nothing, but they are the weakest form: text messages can be intercepted or redirected through SIM-swap fraud, and a one-time code can be phished in real time. Prefer an authenticator app or, best of all, a hardware security key. Never share these codes with anyone under any circumstances.

2. Monitor network activity. Your in-house or third-party IT support professionals, or a virtual CISO, should monitor sign-ins to and requests from the services you use. In some cases, service providers do this automatically. Sign-ins from unusual locations or at unusual hours, and any first sign-in from a new location or device, should be flagged for review. A criminal who has taken over a mailbox has to log in to it to read and send mail, and that login shows up in your email provider's sign-in logs; watch as well for newly created forwarding or inbox rules. Monitoring logins and access requests is one of the best ways to detect intrusions. Monitor for unusual data exchanges as well, as these can signal a cyber attack.

3. Change passwords often, or use a password manager. Criminals like soft targets who do not appear to be aware of cyber security. Rotating passwords limits how long a stolen credential stays useful; a password manager does more, because it gives every account a long, unique password and will not fill credentials into a look-alike site, which quietly defeats a good share of phishing. Do not expect this alone to deter criminals engaged in wire fraud, as the lure of a big payout makes them persistent and willing to take bigger risks, but do know that these measures make their job much harder.

4. Require additional authorization before sending a wire transfer. Set a company-wide protocol that requires a second person within your business to review wire transfers before they are sent. This person should receive a copy of any emails authorizing transfers, including the sender and reply-to lines. A second set of eyes may catch an irregularity that you miss.
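The second reviewer in item 4 is looking at the sender and reply-to lines for specific things: an address that is not the one on file, a Reply-To that quietly redirects the conversation, and a domain that is one character away from a trusted one. The script below is an added example, not code from the original article: it parses a wire-instruction email with Python's standard `email` library, compares the From address with contacts recorded at intake, flags a mismatched Reply-To and a look-alike sender domain, and notes when a message carries bank details at all, which under the policy in this article is itself the trigger for a call-back. Both messages and the contact list are constructed for this example; the look-alike uses a capital I in place of the l in "title".

```python
"""Added example: pre-flight review of a wire-instruction e-mail. Messages,
contacts and the look-alike threshold are constructed for this example.
"""
import email
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Recorded from the client file at intake, never copied from an incoming e-mail.
TRUSTED_CONTACTS = {
    "closing@sunrise-title.example": "Sunrise Title (escrow)",
    "j.doe@mailhost.example": "Jane Doe (seller)",
}

# Constructed: 'titIe' has a capital I where the real domain has an l.
SUSPECT_MESSAGE = b"""From: Sunrise Title <closing@sunrise-titIe.example>
Reply-To: closings.desk@webmail.example
To: agent@brokerage.example
Subject: URGENT: updated wiring instructions for 14 Elm St closing
Date: Mon, 2 Oct 2023 16:12:00 -0400

Please send the buyer funds to the updated account below today.
Routing 000000000 / Account 000000000 (constructed, not real).
"""

CLEAN_MESSAGE = b"""From: Sunrise Title <closing@sunrise-title.example>
To: agent@brokerage.example
Subject: 14 Elm St: closing scheduled Friday 10am
Date: Mon, 2 Oct 2023 15:40:00 -0400

See you Friday. Details will be confirmed by phone as usual.
"""

BANKING_WORDS = ("routing", "account number", "iban", "swift", "wiring instructions")

def _domain(addr):
    return addr.rsplit("@", 1)[-1]

def review_wire_email(raw, trusted=TRUSTED_CONTACTS, lookalike_ratio=0.9):
    """Return a list of findings. An empty list means nothing stood out, which
    is still not a reason to skip the phone call to the number on file."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    findings = []
    if sender not in {a.lower() for a in trusted}:
        findings.append(f"From address {sender} is not a contact on file")
        sd = _domain(sender)
        for td in {_domain(a.lower()) for a in trusted}:
            # ratio = 2*matching chars / total chars; one swapped character
            # in a 21-character domain scores about 0.95
            if sd != td and SequenceMatcher(None, sd, td).ratio() >= lookalike_ratio:
                findings.append(f"sender domain {sd} looks like trusted domain {td}")
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To {reply_to} differs from From {sender}")
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if any(w in text for w in BANKING_WORDS):
        findings.append("message carries bank/wire details: verify by phone using the number on file")
    return findings

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, review_wire_email(raw) or ["no findings"])
```

None of these checks replaces the call-back; their job is to stop a busy person from acting on the email before the call happens. Display names are deliberately ignored, because "Sunrise Title" in the From line costs an attacker nothing; only the address and its domain are compared.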

Protecting Clients from Wire Fraud

1. Educate clients on wire fraud risks. You may worry that clients will choose someone else if you start talking about wire fraud. In reality, some clients will approach you fully aware of the risks, while others will find your focus on security valuable. As part of your initial meeting with a new client, ask them what they know about wire fraud. Position yourself as knowledgeable and committed to protection.

2. Collect two contact emails and phone numbers, if possible. Make a note of these in the client’s record. Inform the client that no transaction can be authorized without verification via a phone call. When criminals send phony transfer requests, they often include a phone number to call. Ignore this and use the number you have on file. If you cannot reach someone at the primary number, use the secondary number.

3. Establish a password with your clients. This should be communicated only by voice, never by email. It should be hard to guess and easy for the client to remember, but not something that can be found online: pet names, schools and favorite teachers often appear on social media, so pick something more private. Tell the client that you will call to verify any transfer request and that you will ask for the password. If the client forgets the password, ask them to come to the office to verify a request in person, or offer to visit them to confirm.

4. Refuse to accept wire transfer instructions via email. If your company policy forbids emailed instructions, and you communicate this clearly to clients, you can ignore every criminal attempt to email transfer instructions. If you receive such an email, you will then know that someone involved in the transaction has had their cyber security compromised.

5. Have the client personally verify transfer receipt. If possible, this step ensures that funds go to the right place. Time is of the essence in stopping wire fraud, as criminals will begin moving the money the moment they have access to it.

Remember that criminals may target your client. Everyone involved in a high-dollar transaction should be on alert for unusual online activity. Warn clients that someone claiming to be you may try to contact them. Setting up client-specific passwords and requiring voice or in-person verification of transfers are two of the best ways to stop criminals from hijacking funds.

Be aware that criminals have access to a growing arsenal of sophisticated tools, including AI-powered deepfake technology that allows them to impersonate someone’s voice in real time from just a few seconds of online audio. While this may seem too sophisticated to affect you, remember that a single transfer worth hundreds of thousands of dollars is strong motivation for criminals.

Real estate fraud seldom makes headlines, but it happens every single day, and it can wipe out your clients’ finances. To serve your clients professionally, you must make cyber security awareness and training part of your practice. If you need help with training, or with securing your systems against criminals, please call us at 1-800-658-8311 or contact us online.

Cybersecurity Awareness Month: 5 Simple Ways to Boost Your Security

October 2023 marks the 20th annual observance of Cybersecurity Awareness Month, an annual declaration from the U.S. Congress and the White House intended to remind individuals and business owners of the importance of cyber security. The month exists to acknowledge that all of us can, and should, do more to stay safe online and to protect our businesses and communities from cyber attacks.

There are two sad but true realities about Cybersecurity Awareness Month. First, if you worry about cyber security, you are not alone. Second, if you take some time to protect yourself, you are in the minority. Norton reported in 2021 that 53% of the people it surveyed did not know how to protect themselves from cyber crime, even though 58% were worried about becoming a victim.

Thinking about cyber security is good, but doing something about it is even better. To help you get Cyber Security Awareness Month started in the right direction, here are 5 very simple things you can do right now, if you have not already, to improve your cyber security.

#1 Enable two-factor authentication on a single account. Despite its effectiveness in blocking account takeovers, including most that start with a stolen or phished password, two-factor or multi-factor authentication use remains spotty, with only 13% of employees at small businesses required to use it, according to Zippia. Note that a code sent by text message or generated by an app can still be relayed by a real-time phishing site, so a hardware security key or passkey is the stronger choice where a service offers one.

If you are among the 1.8 billion Gmail users, you know that two-factor authentication is mandatory, and that it is generally unobtrusive and simple to use. Nearly every online service offers some form of two-factor authentication. Pledge to activate at least one of them before the end of October. If you have two-factor authentication on some logins, such as banking apps, but not others, pledge to turn on at least one more during the month. You will gain a very significant boost in your cyber security in exchange for a few seconds of your time. Ultimately, any time you spend responding to two-factor requests will be far less than the time you could spend worrying about your online safety.

#2 Cancel one service you no longer use. Did you sign up for a newsletter you no longer read, or subscribe to a game you no longer play? Most people have a few recurring subscriptions nibbling at their bank account balances each month, even though they never use the service. Is it really worth ending that $1 monthly charge that gives access to the gym?

The answer is yes. Not only do those charges siphon money you could put to better use, they also expose you to cyber risks. Cyber security professionals often discuss the “attack surface” (sometimes called the threat surface), which is the set of possible routes an attacker can take to gain access to data or passwords. Good cyber security practices limit the threat surface by eliminating any unnecessary logins or access points to accounts.

Older, forgotten subscriptions and logins are ripe for attack because you may not notice activity coming from them or perceive it as a threat. It only takes a few minutes to cancel a subscription and reduce the size of your threat surface.

#3 Change one password. Your password has been stolen. This is not a hypothetical statement. Stolen credentials from thousands of breaches circulate on the Dark Web, so you should assume that at least one of yours is among them. This is another reason to strongly consider two-factor authentication.

You might think that a criminal gets your password, tries to log in once with it, then throws it away if it does not work. In some cases this is true, but in others, that password gets attached to a profile of you that criminals build from information stolen or scraped from a variety of sources. This is the same kind of profile that companies like Alphabet and Meta build from the data you share with them, but without your authorization and with criminal activity in mind.

There are two types of people who tend to attract this kind of criminal attention. The first group knows that they are targets, because they have access to significant online systems or large amounts of money or data. The second group has no idea that they are vulnerable, because they are soft targets.

Soft targets never change passwords, use the same password in multiple places and rarely activate security features like two-factor authentication. It is very easy for criminals to find soft targets. When they obtain a new database of stolen credentials, they compare the logins and passwords in it to what they already have. If they see the same password again and again associated with the same email address, they know they have a soft target.

Changing a password makes you a harder target. For many people, that can be enough to reduce criminal interest and attention.
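The correlation described above, as an added example that is not part of the original article: a short script that takes several cracked-credential dumps (constructed sample data, not real breach records), groups them by email address, and flags any address whose identical password shows up in more than one dump. The same logic, run over your own list of services and passwords with the `self_audit` function (also an assumption of this example), tells you which of your accounts share a password.

```python
"""Cross-breach credential correlation, as an attacker does it after harvesting
several dumps, and the same check turned around as a self-audit.

Every record below is constructed sample data for this example."""
from collections import defaultdict
import hashlib

# Constructed sample dumps: (source, email, cracked plaintext password).
SAMPLE_DUMPS = [
    ("forum-2019", "alice@example.com", "Summer2019!"),
    ("shop-2021",  "Alice@Example.com", "Summer2019!"),   # same person, different case
    ("game-2023",  "alice@example.com", "Summer2019!"),
    ("forum-2019", "bob@example.com",   "correct horse battery"),
    ("shop-2021",  "bob@example.com",   "x8!QzLp2#vR"),   # Bob does not reuse
    ("game-2023",  "carol@example.com", "hunter2"),       # seen only once
]


def fingerprint(password):
    """Stable identifier for a password so the plaintext need not be kept around.
    Unsalted SHA-256 is fine here: we only want to recognise the same password
    twice, not protect it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def correlate(dumps):
    """Build the attacker's profile: {email: {password_fingerprint: {sources}}}."""
    profile = defaultdict(lambda: defaultdict(set))
    for source, email, password in dumps:
        profile[email.strip().lower()][fingerprint(password)].add(source)
    return profile


def soft_targets(dumps, min_sources=2):
    """Emails whose *same* password appears in at least `min_sources` dumps.
    Returns {email: sorted list of dump names in which that password was seen}."""
    hits = {}
    for email, by_password in correlate(dumps).items():
        for sources in by_password.values():
            if len(sources) >= min_sources:
                hits[email] = sorted(sources)
    return hits


def self_audit(accounts):
    """Defender's view. accounts = {service: password}.
    Returns groups of services that share one password, so you know which
    password to change first."""
    groups = defaultdict(list)
    for service, password in accounts.items():
        groups[fingerprint(password)].append(service)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for email, sources in soft_targets(SAMPLE_DUMPS).items():
        print(f"soft target: {email} reused one password across {sources}")
    # Constructed personal account list for the self-audit.
    print("reused at home:", self_audit({"bank": "Summer2019!", "email": "Summer2019!", "forum": "hunter2"}))
```

Only Alice is flagged: the same password, under the same address once case is normalised, appears in all three dumps. Bob appears in two dumps but with two different passwords, so a criminal gains nothing by replaying either one elsewhere, which is exactly the point of changing a password.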

#4 Uninstall one app. Is your phone clogged with icons from apps you no longer use? Uninstall one and reduce a bit of digital clutter. For added security, delete your account from that unused app before you uninstall it, which will help to reduce your threat surface.

As a cyber security awareness bonus, think of this when you uninstall that app: Every time you open an account or download an app, you are trusting the cyber security of the company that provides that app or service. Ask yourself if they appear to take security seriously. Ask yourself what happens to your security, and your data, if that company stops supporting the app or goes out of business. If you think about these things while you delete an unwanted app, there is a good chance you will think about them the next time you download an app.

#5 Update one piece of software. Whether it’s your browser, your smartphone’s operating system or a plugin on your website, make a point to check for updates and update one thing. If it’s been some time since you updated, you may notice two things: First, you have a lot of updates pending. Second, most updates take only a minute or two with almost no fuss.

A common theme runs across these five Cyber Security Awareness Month tips: Each is a simple step that will take no more than a few minutes of time and make you more secure online. The hope is that if you do this once, you will see how easy it is and repeat the process until everything is secured, updated or deleted. Remember that every small step you take contributes to stronger overall security.

If you think your personal cyber security awareness needs a boost, consider our Online CSI Protection Certification program. Through a series of videos presented by our Head Trainer Robert Siciliano, you will learn how to recognize and stop cyber attacks, as well as how to approach online interactions with security in mind. You can complete the course at your own pace, and you will retain access to the videos for review whenever you need it, and gain access to additional cyber security support resources. Try our free course on email safety to experience the program for yourself.