10 Ways to Protect Yourself From Cybercrime

Bill Kloster

CIO at Short Elliott Hendrickson Incorporated

Learning Objectives

Protecting yourself from cybercrime while at home or in the office.

Key Takeaways:

  • Understanding of the risks associated with cybercrime
  • Understanding that you need to consider yourself a target
  • Understanding that there are simple things you can do to protect yourself against cybercrime
"The last bit of advice is you really have to assume that, at some point, you're going to get breached."

Bill Kloster

CIO at Short Elliott Hendrickson Incorporated

Transcript

Hello, my name is Bill Kloster. I’m the Chief Information Officer for Short Elliott Hendrickson. We’re an Architecture and Engineering firm, based in St. Paul, Minnesota. We have 800 employees across 30 different offices in 7, 8 different states. I’m here today to talk to you about cybercrime, and more importantly, give you 10 tips on how to keep yourself safe from cybercrime whether you’re at home or in the office.


Today, I’m actually in my home office due to COVID-19. We’ve been working remotely now for almost 9 weeks. We plan on having this continued for the majority of our employees for for quite some time. I hope you’re safe while you’re watching us, but also, hopefully get some information out of this to keep you safe while you’re on the internet.


First, I’m going to start by just setting some context. Some of this information is just important to kind of understand that cybercrime is literally at our doorstep. A couple of different incidents over the years, and you see how they sort of increased in 2011. 77 million network accounts were hacked into Sony. Lost millions while the site was down, so it’s very transactional business. While that site was down, they weren’t able to sell their services. In 2013, very close to where I live, Target, a store in Minneapolis, reported expenses of $191 million related to a data breach that was initiated through a subcontractors network. In our industry, my architecture and engineering industry in July 2016, EUCOM payroll system was breached, resulting in exposure personal information for employees. Then, 2018, Under Armour had 150 million of their users that were on the My Fitness Pal app lost their names, email addresses, and passwords. They were basically compromised as part of that data breach.


Cyber criminals use the front door. 90% of all security incidents are initiated unintentionally by an individual within the organization. They usually come through some sort of spear phishing email, some social engineering. The reason that they do this as an authorized user, once they’re connected to the network, is actually the easiest way for them to gain network access. So, via an email, click on a link, all of a sudden, the hacker has access to everything you would have access to inside your computer network. Once they’re in the network, they exploit everything that user has approved access to steal and install necessarily. Malicious software causes all kinds of problems across the network, or in any connected device.


What do you need to know to stay safe? What information you need to protect? The risks associated with cybercrime. Some of the hard controls you can put in place to reduce cyber risk. Then, 10 ways to protect yourself.


The information that you need to protect is obviously your personal information, employee information that you’d have, and client information from a company perspective. Also, company confidential information, project information, financial data, and then intellectual property information. For us, that’s designs, things that we create as part of our deliverables to clients. The risks kind of breaks down different ways that you should think about cybersecurity risks. The one risk is stolen credentials through giving up your user ID and password is common stolen credentials. Once they have that, they can access other accounts if you use the same user ID and password.


This is malicious software, that’s all it stands for. It nstalls viruses, ransomware, and computers, and they can spread typically pretty fast across the network. They typically are targeting outdated software. So, suffered security updates, usually on a quarterly basis, sometimes more frequently. Any company or any person who doesn’t keep their software updated is more susceptible to malware. Phishing. Talked about this a little bit. It’s an email that comes across, tries to get you to do something, take some action, whether to give up personal information, or have you go out to a website, it’s probably already been compromised. Again, they use that as a way to get into your system or into your company’s network.


The directed [inaudible] of service attacks. This is when there’s a bunch of different network requests overwhelming a network, basically making the network unusable. This is done a lot for high service retail sites. People who are having a lot of quick transactions, they tend to attack those types of businesses, taking something from a USB drive or other removable media, and installing that on a computer. Once that computer’s been infected, if it’s connected to the network, the virus can spread pretty easily.


There’s interesting stories and case studies about one way to get someone to take that USB drive and put it into their computers. He put the word “payroll” on it, dropping in a parking lot, and more often than not, I think it was like 9 out of 10, people actually picked that thing up and install it on their computer.


Cyber controls. These are hard controls their policies, procedures, your organ systems, physical systems designed to prevent data breaches and cybersecurity incidents. I’m not going to talk about any vendors in this space, but there are quite a few as the sector of information technology. The number of cybersecurity service providers and solutions has definitely grown over the years. Information security policies. It really does start by having documented policies. Those can also be put into employee handbooks, things like that, for a company. Two factor authentication. When you’re logging into a system, have a second way to identify a person, whether it’s a ping going to a mobile phone that you know that person owns, and then they have to take another action sometimes even have to put in another code. So you’re also Kevin, again, two different passwords, or they’re confirming that this something that the person has, which is a phone, and something that they know, which is a password. So, that’s the two factors,


Network intrusion detection and prevention solutions. These are usually put in place around the perimeter of a network to try and prevent information from getting in. There’s detection services, and then sometimes, even goes a little bit further, where they actually have ways to prevent based on certain behaviors, or a certain indication of the type of traffic that’s trying to access the network, number of different rules can be put in place to whether you want to just be warned about it. So it detected or whether you want to actually prevent that traffic.


Point Protection. This is really about the endpoint the device itself. Any connected device should be installed on anti virus software to prevent that. Then, there are also some new technology around unexpected behavior. Getting to know the system, getting to know your network and the users, and you start seeing some unexpected behavior, different things can be done there, whether it’s some sort of an alert or warning, more on the detection side, or actually, as far as even shutting down a network connection at the device itself if the behavior meets a certain criteria, and you’ve applied a certain rule to to take that action.


Data Loss Prevention. These are things where you’ll change a computer settings, or you will not be able to connect a USB drive, or even apply some sort of network filter. If someone’s sending something out via email and detects that there’s a social security number, that email could be blocked. Things like that. A lot of different rules and configurations can be applied to those solutions, but those are examples of cybersecurity controls that can be put in place. Again, more often than not, these applies to companies, not necessarily personal devices or working from home. But important to understand, especially in a corporate environment.


Now, these are the 10 ways to protect yourself and your company. Call this kind of the cybersecurity self defense portion of the webinar. There’s really five areas of response. This is something that you want to protect yourself. You want to be able to detect that something’s happened, and you want to be able to respond to whatever you’re detecting, could be based on certain rules. If there was a breach of some kind, you really want to be able to recover. You want to have recovery plan. It sort of starts all over again with identifying. Rules in place to protect yourself.


First rule is consider yourself a target. Some people really don’t think they are a target. Not really that important when it comes to cybercrime. They maybe don’t have a lot of money or they’re too small of a business. The reality is everyone’s a target. You just need to acknowledge that fact that you do have something of value to other people. Whether it’s your bank account, or other information that they may want from you or your company.


Think twice before you click. As you’re in an email, think about the source, who sent it to you. Be very leery of any email that’s really asking you to take an action and take an action at a very short period of time. Be even more cautious about any email that has some sort of an attachment asking you to open a attachment in a short period of time or clicking on a link via email. Just be very, very careful about those things. Great example right now, I think it’s something like 60 to 70% of all phishing campaigns have some sort of COVID-19 comment in them. Again, 50 or 60% of some of the most popular bad websites to go to right now basically are kind of operating under the guise of COVID-19, trying to get you to click on that link to learn more about COVID-19, and in fact, you’re going to already compromised website. Be very careful about about things that are kind of timely or are newsworthy.


Use strong passwords. A lot of different theories about password, and how often you should change your password is even being challenged a little bit. Now, the concept of long password or even pass phrase is really gaining a lot of steam. If you can confirm that you’re using long passwords or passphrases, including uppercase, lowercase numbers, special characters, the longer it is, the more you use those special characters, the harder it is for a hacker to run some sort of a bit locker program and learn your password. Some examples of weak passwords, they can typically crack that code in a matter of minutes, whereas if you go to the stronger examples, it could be years. Obviously, they’re gonna move on at that point. Just some strong examples there, [inaudible]. I’m gonna put something like that in there, but it’d be pretty hard for for them to guess that with the commas and spaces, the special characters, and numbers and get something simple for Happy Thanksgiving. The concept of a longer passphrase using spaces, uppercase, lowercase, numbers, and special characters.


Number 4, be careful when downloading files. You’re probably out on a website, make sure that that’s a trusted website, make sure that you’re downloading something that you really want. More importantly, you can trust the source of that information that you’re downloading.


Number five, kind of referenced this before about the vulnerabilities of older and un-updated software. This is kind of the opposite of that, make sure you’re keeping all your systems up to date, security patches, so that you are less susceptible to being exploited by malicious software.


Install and run anti virus. A lot of these really good anti virus programs are keep up to date constantly. As they learn about a new vulnerability in the environment, they update the rules associated with that anti-virus software and they’ll catch things quickly. Make sure you’re keeping that antivirus software up to date as well. Only use one and use a trusted one. I know there’s a lot of scams out there kind of pretending to be an anti-virus software. Go with a brand name that you recognize, and it’s well respected in the industry. Try and stay away from for mentioning any specific vendors or solutions in this.


Number 7, beware of freeware side applications, definitely more on the the phone space lately. What sometimes happens is you’ll be out on on a application store and you’ll download an application. A lot of gaming apps are kind of known for this sort of browser extensions, are known for this on PC World, but you’ll get some potentially unwanted applications that are installed on the side. Adwear is a big one on PCs, less on on mobile devices, but then again, the software on mobile devices, sometimes linked with with other gaming applications. Just be very, very careful. Make sure you maybe do some reviews on the source, the developer of the application, or developer of any sort of a browser extension you’re putting on your PC.


Definitely look at the permissions of mobile apps. Now, a lot of people notice when you go into your settings, and you can look at all the applications individually, and then you can look at the permissions. Some of those applications are set to always grant access to your phone, your location settings, things like that. My typical advice is make sure that the application permission is set only to be used when you’re using that application, and not not always on. In some cases, you don’t need to give it permissions, the application will still operate just fine.


Like your smartphone, facial recognition has become a really nice and very secure feature for smartphones. It gets passed using like a four digit passcode—I can get up to six, but the more you can use that facial recognition, make sure you’re liking it. Use the facial recognition, or I think, some thumb prints in some cases to unlock the device. Basically, it confirms you are who you say you are, not just you know something like a passcode.


The last bit of advice is you really have to assume that, at some point, you’re going to get breached. Your system may become unusable. The best way to recover from that would be to backup your systems and all your important data and try to keep those backups off the network possible, or at least not on the same network. A lot of backup goes to a cloud storage, which is fine. It’s off the device, you can always restore the device based off of a cloud version. Some people keep physical backups at home on hard drives, things like that. Just make sure you’re backing up frequently. That allows you to then restore from that backup. Then, you don’t have to do things like pay for ransomware to get your files back around encrypted.


That is it for this webinar. Hopefully, you feel like you are ready. You’re prepared. You have a plan. One last thing is make sure you stay informed. This stuff changes constantly. It’s a landscape that just is ever changing. With that, thank you very much for listening. If you have any questions, you can look me up on LinkedIn. Again, Bill Kloster@SEHInc. Thank you. Goodbye.


Get full Q/N Access

Sign up to Q/N with a few details to watch this presentation.

  • Hidden
  • Hidden