Cybersecurity: Basic Steps to Help Protect Your Business
Did you see in the news today?
It happened again.
There was another cybersecurity breach.
It seems like almost every day, you pick up the paper or you turn on the TV or you look on social media and there is another breach being reported.
I'm Todd Colvin. I'm the director of Enterprise Data Security for Paychex, Inc.
I'm here today to talk to you about what cybersecurity is, how you can protect yourself, and what to do in the event that you become a victim.
Business email compromise accounts for over $3.1 billion in lost dollars, with over 22,000 victims. That number was up 1,200% in 2016, and continues to grow.
The technique is simple.
It's an email. They send an email to you and pretend to be somebody that you know or trust to get you to take an action that will result in losing access to your user accounts. And it's usually through a link embedded within the body of the message or an attachment.
In either case, you're still going to wind up with your system being compromised and your credentials being harvested. And then, the attackers will take those credentials and they will attempt to use those on every possible website. They will try to log into all the common social media sites. They will try to log into all the basic financial banking sites. They will try to log into all the retirement sites. And then they'll use those credentials to log in and siphon money out of your account. And if it's a crime that's up 1,200%, it reflects how simple it is and how successful they are. And so, therefore, you need to take some basic measures. And so what you can do from a preventative perspective, when we're talking about cybersecurity, is you can do some basic hygiene.
One of the things that's available from a basic hygiene perspective is actually using two computers. And I know that might seem a little bit complicated or it might seem like something costly. Although, when you think about the numbers that I shared with you earlier in terms of the number of victims and the amount of money that's been stolen to date, another $500 is really a nominal fee to pay to help you protect yourself. And with a second computer, you could purposefully use that just for financial transactions. So whenever you want to log in and check your bank account records, whenever you want to log in and check retirement services, whenever you want to actually perform a purchase—if you keep all your financial credentials and information on that separate computer, you will limit your exposure. Your separate computer—the one that you use today—use that to surf the internet, use that for answering basic email. Don't use that for storing any kind of password information.
But let's say that you're unable to have two separate computers. Well, what you can do is harden that device. And the way that you can do that is, remove any software, any applications that you just don't use. Delete them all. Because every piece of software that sits on there is one more avenue that the attackers can use to come into your system.
Another real basic technique that you can take is to apply patches that are available from vendors. Those patches help to close vulnerabilities—the same vulnerabilities that the attackers are using to get into your system. So simply making sure that your operating system and your applications are up to date with patches is a great way to help to protect yourself.
Additionally, you can make sure that you're running anti-virus software or any type of what we call an internet security suite. An internet security suite has anti-virus or anti-malware, and it usually has some kind of a firewall—a software firewall. What a software firewall does is limit the profile—the attack—what we call an attack vector—on the system. By default, the computer has a number of connections open. Even though there's only one cable or one wireless connection coming out of the back of the device, there are multiple ports that are open. And so, by using an internet firewall, you can limit just how many of those ports are accessible when you're doing activity on the internet.
Another technique that you can use is complex passwords. Security professionals define complex passwords as being eight or more characters in length, using upper and lowercase alpha, as well as numeric and special characters. The reason why you want to use a complex password is because the attackers have built tools that can guess at passwords. So the longer the length of the password and the more complex it is, the more difficult it is for those tools to determine what your password is. The attackers are going to go to where there's the least amount of resistance.
They're going to look for systems that aren't patched, they're going to look for outdated applications running on systems that they can gain a foothold on, they're going to look for individuals that use relatively easy to guess passwords like dictionary passwords. They're going to move on to the next.
So what happens if you do become a victim?
You want to work with law enforcement and you also want to work with your financial institutions. The Internet Crimes Complaint Center is an avenue for you to be able to reach out and report a crime if it has taken place. They gather the information and they can help to direct your response. And today's financial institutions will work with you to lock down your account and make sure that no further loss of funds occurs. And they're very prepared for this, unfortunately, because of the amount of business email compromise that takes place nowadays; they are prepared to respond to this and to help to stem the loss.
So take a little time on the internet to do the research with how the attackers are gaining access to systems. Look up cybersecurity and help yourself to understand what you can do in addition to these basic measures to prevent becoming a victim. And if you do become a victim, don't try and go it alone.
There are plenty of resources out there that can help you. So thank you for taking the time today and I hope you learned something.