You might think that good cybersecurity is expensive, and you would probably be correct – unless you can be smart about your efforts.
Some good news here is that you can slash your likelihood of being hacked by following some simple ideas that should be free in most situations. There may be some cost, in terms of time and effort, but there is a good chance that you can implement these suggestions without any monetary outlay.
Were you aware of the recent Equifax breach? Your private personal data might have been compromised, given that credit records for more than 140 million Americans were stolen. Had Equifax followed my suggestion #3 in this list, they probably would have prevented the breach. I’ll explain what happened in that breach, below.
An upcoming post will outline my six-step plan for improving your cybersecurity posture, and these five suggestions are a portion of steps one and two. But these are (nearly) free, so you can do these now, and then keep watching for my larger plan.
The five suggestions are:
(1) restrict administrator privileges by person and activity;
(2) restrict installation of executable programs (a.k.a. “apps”) to those from safe sources;
(3) force timely patches and updates of anti-virus, operating system (OS), and software applications;
(4) use strong password management; and
(5) do not allow access of personal webmail accounts from company computers.
Restrict administrator privileges
Specifically, stop surfing the internet with administrator account privileges!
Do you know what that means? If not, then you’re probably doing it. And you need to stop. Now.
This only applies to notebooks (laptops) and desktops. Unfortunately, smartphones do not seem to have fully caught up to this idea, yet.
When you log in to your computer, you should have one login that allows you to install software on your computer (don’t connect to the internet with that account!) and a different login account that you use for normal tasks, such as internet access, games, viewing photos, emails, word processing, etc. Most importantly, the second account should not have administrator privileges. The usernames will necessarily be different, but you should be smart, and use a different password, too.
If your computer is set up correctly, then when you install software, your computer should prompt you for the administrator password, and possibly also the administrator account username, both of which are different from your normal login credentials. The process of adapting your computers at home to operate this way should not be too difficult; there are many sources of help. Simply search “set up admin account” for a long list of tutorials.
If you work for a company that has competent IT people, they will have already set your computer up this way, and only the IT people will know the administrator account login credentials.
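If you are not sure whether the account you surf the web with is an administrator account, here is a small script that tells you. It is an added example, not something from the original post; it assumes that on a Linux or macOS machine administrator rights come from membership in a group named “sudo”, “wheel” or “admin” (distributions differ, so extend that set if yours uses another name), and that on Windows the Shell API call IsUserAnAdmin() is available through ctypes.

```python
"""Report whether the current login session carries administrator privileges.

Added example, not from the original post. Assumes the POSIX admin groups are
named "sudo", "wheel" or "admin" (an assumption; distributions differ) and that
on Windows the Shell API IsUserAnAdmin() is reachable via ctypes.
"""
import os
import sys

# Group names that conventionally confer administrator rights on POSIX systems.
# Assumption: your distribution may use a different name; extend this set.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin"}


def privileged_groups_for(username, group_table):
    """Return the privileged groups (sorted) that list `username` as a member.

    `group_table` is a list of (group_name, members) pairs, the shape you get by
    iterating grp.getgrall() and taking (g.gr_name, g.gr_mem). Passing the table
    in explicitly keeps the logic testable with constructed data.
    """
    return sorted(
        name for name, members in group_table
        if name in PRIVILEGED_GROUPS and username in members
    )


def is_admin_session():
    """True if the account running this script has administrator rights."""
    if sys.platform == "win32":
        import ctypes
        return bool(ctypes.windll.shell32.IsUserAnAdmin())

    # POSIX: root is always privileged.
    if os.geteuid() == 0:
        return True

    import grp
    import pwd
    try:
        entry = pwd.getpwuid(os.getuid())
        username, primary_gid = entry.pw_name, entry.pw_gid
    except KeyError:
        # Uid without a passwd entry (common in containers); fall back to $USER.
        username, primary_gid = os.environ.get("USER", ""), os.getgid()

    # Primary group membership is not listed in gr_mem, so check it separately.
    try:
        if grp.getgrgid(primary_gid).gr_name in PRIVILEGED_GROUPS:
            return True
    except KeyError:
        pass

    table = [(g.gr_name, g.gr_mem) for g in grp.getgrall()]
    return bool(privileged_groups_for(username, table))


if __name__ == "__main__":
    if is_admin_session():
        print("This session has administrator privileges; "
              "use a standard account for everyday tasks such as web browsing.")
    else:
        print("This session is a standard (non-administrator) account.")
```

Run it from the account you normally use. If it reports administrator privileges, that is the account you should stop using for internet access, games, and email; create a second, standard account and move your daily activity there.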
Restrict software installation
Installing executable programs (“apps”) without having any way to ascertain the trustworthiness of either the software author or the distribution channel is a recipe for disaster. When you see advertisements about getting some app, do you just go download it right away, or only after investigating whether it is safe?
Asking your friends doesn’t count. Consider this story from my own household: When one of my daughters was still a teenager, I discovered that she had installed some file-sharing software on her new computer. I told her to delete it and never do that again, because she was exposing her computer to severe risk. She didn’t believe me, so I asked her a simple question.
“You say this software is free. But where do the people who write it and distribute it make their money? No one writes software and gives it away for free, simply because they have nothing better to do. They are going to get their money somehow. Where do you think that is?”
She looked at me with a blank stare. So I told her the answer. “They probably get their money either by spying on you, or by ransom. If you are lucky, they are just selling your private information to marketers, so you’ll get spammed for years. Or maybe they’re looking for online banking logins, so they can siphon off your money. The smart ones will take small amounts, slowly, hoping you never notice. And you won’t because you never balance your checkbook. But sometimes they’ll install software on your computer that will either encrypt your files, or pop up annoying ads non-stop so that your computer becomes effectively unusable. Then, they’ll demand money to get rid of it.”
She floored me with her response: “Well, all my friends installed it and they never have any problems.”
Wow! Who knew security could be so simple? Get a teenager, and find out what their friends do. That’s an infallible security plan, right?
Wrong. A few weeks later, she picked up a particularly nasty variant of the CoolWebSearch virus that rendered her computer entirely unusable. It was resistant to removal tools, so her computer sat idle for months before I finally found time to look for something that was effective.
Your best plan is to restrict installation of executable applications to those from reputable companies and that are also distributed from well-known websites that are run by the large companies you already know. If you have not heard of an app website previously, resist the urge to download apps from it.
Timely updates and patches
Ensure that you keep your anti-virus updated and also regularly check for OS updates. New viruses emerge regularly. Also, reputable software companies will rapidly issue software patches to fix security vulnerabilities they discover in apps that you have already installed. But these things can’t work if you don’t stay on top of them.
The Equifax breach that occurred over the summer (of 2017) was a result of a failure to patch a known vulnerability that had been discovered in Apache Struts, which is software that is used by Equifax’s website to permit consumers to dispute perceived errors on their credit reports. On October 3, 2017, Richard Smith, the recently departed CEO of Equifax, testified before members of Congress about the breach.
Here is a brief summary of the time line of events, according to current reports:
In March 2017, the Department of Homeland Security (DHS) notified Equifax of a vulnerability in the Apache Struts software. Apache, the software developer, made a patch available, but Equifax did not apply it. On May 13, 2017, a few months after Equifax should have applied the patch, hackers first accessed the data.
It was more than two months after that first breach, on July 29, before Equifax first became suspicious of hacker activity, but the extent of the breach was not identified until more than two weeks after that, on August 15. It took yet another week for the board of directors to be informed (August 22), and more than two weeks after that, on September 7, for Equifax to alert the public. Equifax’s position is that the vulnerability, which would have been repaired by the patch, is what enabled the hackers to be successful.
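The lesson of that timeline is that the exposure window starts the day the patch is published, not the day someone notices an intruder. Below is an added example (my own illustration, not code from the original post and not anything Equifax used) that does the two bookkeeping tasks a patch program needs: it compares an inventory of installed software against advisory “fixed in” versions and counts the days each lagging install has been exposed, and it measures the gaps between the milestones the post lists. The inventory, product names, version numbers and the March patch date are constructed placeholders (the post says only “March 2017”); the later milestone dates are the ones quoted above.

```python
"""Flag software that lags behind its patched version, and measure the gaps
in a breach timeline.

Added example, not from the original post. Inventory entries, product names
and version numbers are constructed placeholders, not real release numbers.
"""
import re
from datetime import date


def parse_version(text):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically.

    Trailing non-numeric suffixes such as '-beta' are ignored.
    """
    return tuple(int(p) for p in re.findall(r"\d+", text))


def find_unpatched(inventory, advisories, today):
    """Return (product, installed, fixed, days_exposed) for each lagging install.

    inventory:  {product: installed_version}
    advisories: {product: (fixed_version, patch_release_date)}
    A product is unpatched when its installed version is older than the fixed
    version; days_exposed counts days from the fix's publication to `today`.
    """
    findings = []
    for product, installed in sorted(inventory.items()):
        if product not in advisories:
            continue  # no known advisory for this product
        fixed, released = advisories[product]
        if parse_version(installed) < parse_version(fixed):
            findings.append((product, installed, fixed, (today - released).days))
    return findings


def timeline_gaps(milestones):
    """Days between consecutive (label, date) milestones, plus the total span."""
    gaps = []
    for (prev_label, prev), (label, when) in zip(milestones, milestones[1:]):
        gaps.append((f"{prev_label} -> {label}", (when - prev).days))
    total = (milestones[-1][1] - milestones[0][1]).days
    return gaps, total


# Constructed sample inventory and advisories (placeholder versions and a
# placeholder March date; the post only says the patch came out in March 2017).
SAMPLE_INVENTORY = {
    "web-framework-placeholder": "2.3.31",
    "libexample": "1.4.2",
    "unrelated-tool": "9.9",
}
SAMPLE_ADVISORIES = {
    "web-framework-placeholder": ("2.3.32", date(2017, 3, 1)),
    "libexample": ("1.4.2", date(2017, 1, 1)),
}

# Milestones quoted in the post (all 2017).
BREACH_MILESTONES = [
    ("first unauthorized access", date(2017, 5, 13)),
    ("suspicious activity noticed", date(2017, 7, 29)),
    ("extent identified", date(2017, 8, 15)),
    ("board informed", date(2017, 8, 22)),
    ("public notified", date(2017, 9, 7)),
]

if __name__ == "__main__":
    for product, installed, fixed, days in find_unpatched(
            SAMPLE_INVENTORY, SAMPLE_ADVISORIES, date(2017, 5, 13)):
        print(f"{product}: {installed} installed, {fixed} available, "
              f"{days} days since the fix was published")
    gaps, total = timeline_gaps(BREACH_MILESTONES)
    for label, days in gaps:
        print(f"{label}: {days} days")
    print(f"total from first access to public notice: {total} days")
```

A check like `find_unpatched` is only useful if it runs on a schedule and someone acts on the output; the version comparison is the easy part, the discipline of applying the patch promptly is what Equifax lacked.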
Use strong passwords
Strong passwords usually require long strings. One suggestion is to string a series of words together, intentionally misspelled, that you can remember – but is not a common or easily guessed phrase. Change them regularly, and do not use the same one for important accounts that you use for your other hundred-plus internet logins.
One possible system is to string together a descriptive word for a person, a person’s name, some activity, and the name of a city. Then close your eyes and visualize that scene – that person performing the activity in the backdrop of that city. If you can make it seem silly or evoke a strong emotion, you will be more likely to remember it without referencing a written list. Consider using some misspelling or character substitution that will be easy to remember.
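To see why the number of candidate words matters more than cleverness, here is an added example (mine, not from the original post) that builds a passphrase exactly the way described above, one word drawn at random from each of four lists (descriptor, name, activity, city), and estimates how many bits of guessing resistance that gives. The word lists are short constructed samples; the point of the entropy function is that with eight-entry lists you get only 12 bits, while lists of a few thousand entries push past 49 bits. The substitution table is also constructed.

```python
"""Build a four-word passphrase (descriptor + name + activity + city) and
estimate its resistance to guessing.

Added example, not from the original post. Word lists and the substitution
table are constructed samples; real lists should be far longer.
"""
import math
import secrets

# Constructed sample word lists (assumption: real lists have thousands of entries).
DESCRIPTORS = ["sleepy", "purple", "grumpy", "giant", "tiny", "noisy", "shiny", "rusty"]
NAMES = ["Ada", "Grace", "Linus", "Marie", "Nikola", "Rosalind", "Alan", "Hedy"]
ACTIVITIES = ["juggling", "skiing", "painting", "baking", "yodeling", "knitting", "fencing", "surfing"]
CITIES = ["Oslo", "Lima", "Cairo", "Perth", "Quebec", "Dublin", "Kyoto", "Havana"]
WORD_LISTS = (DESCRIPTORS, NAMES, ACTIVITIES, CITIES)

# Constructed, easy-to-remember character substitutions for the "misspelling" step.
SUBSTITUTIONS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def entropy_bits(list_sizes):
    """Bits of entropy when one word is drawn uniformly from each list.

    Each list of n entries contributes log2(n) bits; the contributions add up.
    """
    return sum(math.log2(n) for n in list_sizes)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every possibility at the given guessing rate."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


def build_passphrase(word_lists=WORD_LISTS):
    """Draw one word from each list with the OS CSPRNG; return (words, joined)."""
    words = [secrets.choice(lst) for lst in word_lists]
    return words, "".join(words)


def apply_substitutions(text, table=SUBSTITUTIONS):
    """Apply the substitution table to every eligible letter.

    Caveat: a fixed rule like this adds no real entropy against a guesser who
    knows the rule; it mainly helps satisfy "must contain a digit" policies.
    The security comes from the word lists being large and the draw random.
    """
    return "".join(table.get(ch, ch) for ch in text)


if __name__ == "__main__":
    words, phrase = build_passphrase()
    print("scene to visualize:", " ".join(words))
    print("passphrase:", apply_substitutions(phrase))
    small = entropy_bits([len(lst) for lst in WORD_LISTS])
    large = entropy_bits([5000] * 4)
    print(f"sample lists: {small:.1f} bits, "
          f"{years_to_exhaust(small, 1e10):.2e} years at 1e10 guesses/s")
    print(f"5000-word lists: {large:.1f} bits, "
          f"{years_to_exhaust(large, 1e10):.2e} years at 1e10 guesses/s")
```

The mental picture (that person doing that activity in that city) is what lets you skip the written list; the random draw and the size of the lists are what make the phrase hard to guess. If you choose the words yourself rather than drawing them at random, assume you get fewer bits than the calculation shows, because people pick predictably.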
No webmail from office computers
Read your personal webmail accounts at home. If you work for a company that provides you with a computer, do not expose them to the risk of webmail accounts (such as Gmail, Yahoo, etc.). Instead, access only the email account they provide you on the computer they provide you.
Don’t be worth the hassle
As the joke goes, you don’t need to outrun the bear, you just need to outrun one other person. Similarly, to reduce your chances of being hacked, you don’t have to be impenetrable; you just have to be harder to hack than other, less vigilant computer users. If you’re too much of a hassle, the bad guys are likely to move on to the next target.
Notice that I say to “reduce your chances of being hacked.” If you or your organization is specifically targeted by highly skilled hackers, you have to erect larger barriers to those who are hoping to breach your defenses. I’ll address those in a future blog post.
In the meantime, these steps should help you outrun most garden-variety bears.
This update is for informational purposes only and should not be considered legal advice. Each situation is different, could change any time, and should be analyzed by an attorney.