Why You Should Care About Cybersecurity
The two most common misconceptions about cybersecurity are:
1. They are not targeting me and
2. I am well protected.
So now that we have established this article is for you, let’s dive in. For the record, I will take some shortcuts and make some generalizations to make things simpler for everyone; apologies to any cybersecurity purists this may offend!
First, let’s start with why criminals (the hackers; in the industry we refer to them as “bad actors”, but for today we will call them what they are, criminals) are trying to get to you. The vast majority of the time, the answer is simple: money. (There is a thing called hacktivism, where hackers use their “talent” for one social cause or another, but those will typically be more focused on attacking nations or large companies.)
The main ways in which they make money are fairly simple:
1. They take your money (from your bank account, credit cards…),
2. They take your data and sell it to someone else (your personal information, your logins, your credit card numbers…) and
3. They lock you out of your things and demand a ransom before you get to use them again (obvious in the case of a computer, but in the industry we are watching closely as more and more things start to look like computers: what happens when they take control of your door lock?).
How do they get to you?
For sake of simplicity, we will explore two main angles:
1. The obvious one: technology. This is where they use malware (malicious software) or some other form of attack to take possession of your device.
2. The human. As technology gets better at defending against attacks, this second method is getting a lot of traction: attacking the weakest link, the human. This is what is often referred to as social engineering. News alert: this is you.
Let’s start talking about what you can do to protect yourself. Unfortunately, there is no easy button to make it all happen magically, but there are a lot of things you can do that will greatly increase your chances of not becoming a victim. The most important one is to be aware that they are out to get you. I don’t know about you, but I get emails (phishing), texts (smishing) and calls (vishing) every day trying to get at my hard-earned money; I just ignore them. Since the dawn of time, criminals have been experts at human psychology: they know what buttons to push to get the results they want, and they exploit our doubts, our fear and often our kindness.
So how to recognize a phish? Most of them are built around the same script:
1. They are generic (they probably do not know you, so they go with big topics like “there is a warrant out for you”),
2. There is a sense of urgency (you have 24h) and
3. There are consequences to inaction (you will go to jail).
So your first homework is to be suspicious. The CRA, the bank, the court, and immigration: none of those organizations are in the business of threatening people by phone (or text or email). That script is getting old, so they come up with new ones (your package is stuck at customs and will be returned; we saw some strange transactions on your credit card and we will block it if you don’t talk to us). Take the time to pause and think about whether this makes sense.
So now that you are suspicious, push back! Real companies and governments understand this and will not be offended. If you (really) think it’s the CRA on the phone, ask them for proof; they are really good at this. They will give you some partial information only you should know (but not the whole thing, since you may not be you), like the middle 3 digits of your social insurance number, and they will ask you for something only you should know but that carries no risk in giving out (the cents on line 300 of your 2021 T1). If you are still not convinced, tell them you will call them back: ask which number on their website you can call and whom you should ask for (and actually go to the website to find the number; for banks, you can usually just call the number on the card already in your hands). If they say it’s not possible, that is a pretty bad sign (either they are a company that is not adapting to offer great service, or it’s a scam, or both!).
To recap: how to avoid a social engineering attack?
1. Pause, take a deep breath and shortcut your natural instincts (fear, kindness).
2. Be suspicious.
3. Push back, and if that fails, hang up. If they really want to find you, they will.
Now the technology. This is where some people start to get cold sweats, so I will focus on two main things that will save you a lot of trouble. First, many attacks and malware rely on bugs (software errors) that have already been discovered and corrected (patched), so the best thing you can do is to keep all your devices updated all the time. The simplest way to do this? Turn on auto-update! The main pushback we hear all the time: “I don’t like to do updates, it is working well now, and if it ain’t broke don’t fix it!” Well, I am sorry to tell you that if the vendor issues a patch, it is because it is broken and the patch will fix it. The other pushback is that the device is too old and cannot be updated anymore (Windows 7, anyone?). This is a more complicated case; the simplest answer: buy a new one. When that is not possible, just do not use that device for anything involving sensitive data (watch the cat videos on your Windows 7 PC, but use your brand new, up-to-date iPhone to do your banking).
And now the most important thing you must do. You might have guessed, it is not the simplest, but it is so effective that you need to take the time to do it: activate Multi-Factor Authentication (MFA).
There are three main authentication factors:
1. Something you know (like a password),
2. Something you are (fingerprint, face ID (biometric)) and
3. Something you have (a token, a smartphone).
Passwords are easy to get and copy, so they provide very little effective security; adding a second authentication factor makes it very hard to get into your account. Your bank probably already does it, by sending you a text message when you log in (the cellphone is “something you have”). Now you need to do this for all your online accounts, starting with the most important ones (banks, Apple ID, Google ID, email…). Using the Google Authenticator or Microsoft Authenticator app on your smartphone is one of the simplest ways to do this. SMS or call-back are also options, but there are ways to get around them. Once you have done the important ones and you are becoming an expert, start doing the other ones (Amazon, Facebook…). They all have great instructions on how to do this, and most have some form of support you can call that will help you. Take the time: this is your “get out of jail free” card. Should someone learn your password, they still will not be able to get in. One last point: the whole goal of the second factor is to protect yourself from others, so never, ever give the SMS or authenticator code to anyone. If they insist they need it, just hang up; if it’s important, they’ll find another way.
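As an added example (not part of the original article), here is the time-based one-time password algorithm (RFC 6238) that authenticator apps use, written in Python with the RFC’s published test secret rather than any real account’s secret. It shows why a code only works for a short window, and so why reading one out to a caller hands them your login for that window.

```python
# Added example: the time-based one-time password (TOTP, RFC 6238) scheme that
# authenticator apps such as Google Authenticator implement. Uses the RFC 6238
# SHA-1 test secret; it is a constructed demo, not a real account secret.
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret ("12345678901234567890" in base32), the same kind of
# value an authenticator app receives from the QR code shown during enrolment.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # each code belongs to one 30-second window


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """Compute the 6-digit code for the 30-second window containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def verify(secret_b32: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current window plus `window`
    windows on either side (clock drift tolerance), and nothing older."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):  # constant-time compare
            return True
    return False


if __name__ == "__main__":
    # Constructed timeline: the phone shows this code at t=59 (the RFC test time).
    shown = totp(DEMO_SECRET_B32, 59)
    print("code at t=59:", shown)
    # Whoever holds that code can log in during the next minute or so...
    print("accepted 30 s later:", verify(DEMO_SECRET_B32, shown, 59 + 30))
    # ...and it is useless afterwards, which is why a caller pressuring you to
    # read it out "right now" is a red flag.
    print("accepted 2 min later:", verify(DEMO_SECRET_B32, shown, 59 + 120))
```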
Rapid-fire last sprint: Microsoft or tech support will never call you to remove a virus out of the kindness of their heart (or even for money, for that matter): never, ever install remote control software on your device for a support call you did not initiate. Not all anti-malware products are created equal; beware of the “free” ones, nothing is free, so make sure you understand how they make money. Personal VPNs are not always a good option (back to “free is not free”). Free WiFi is not always “free” (do you notice a trend?).
So now you have it: you know you are a target, how to recognize some of the signs and how to defend yourself. If you have more questions, send them over and we will compile the best and reply to some of them.
About the author:
Loïc Calvez is Co-Founder and CEO of ALCiT. Over the last 25 years, he has had the privilege to work with small and large organizations, as a client buying solutions and as a vendor selling them. Most of them were in highly regulated verticals such as finance, energy and pharma, covering multiple compliance bodies in North America and Western Europe (SOC, NERC, HIPAA, FDA, PCI, PIPEDA …), giving him great exposure to the nuances of the world. Today, via ALCiT, Loïc is focusing on building secure solutions that work in the real world, as well as speaking at events to help raise awareness around Cybersecurity. ALCiT specializes in taking large enterprise tools, packaging them through standardized configuration, and making them available to Small and Medium Businesses, helping them defend their data and become Cybersecure.