A strong security culture is both a mindset and mode of operation. One that’s integrated into day-to-day thinking and decision-making can make for a near-impenetrable operation. Conversely, a security culture that’s absent will facilitate uncertainty and, ultimately, lead to security incidents that we likely can’t afford to take on.
Those incidents often happen because people are working in silos. Rather than doing what they can to genuinely improve security, they act in their own immediate interests, sometimes even working against each other or the business as a whole.
We all know that cyber threats are only increasing in quantity and sophistication as time goes on. And hopefully at this point we have also accepted that no business is too big or too small to be the target of these attacks.
We have spent considerable time planning and implementing proper technical controls to secure the Medaille network and the devices that “live” on it, but any company’s greatest vulnerability will always be its people, and Medaille is no exception.
While regular, professional training is ideal, the IT Department must at minimum make sure our users know to:
1. Use strong, unique passwords
In 2015, despite all of the headlines and hubbub about data breaches, the 5 most popular passwords were “123456,” “password,” “12345678,” “qwerty,” and “12345.” We can’t let these be the only thing between hackers and our institutional data.
2. Lock their computers when they step away
How easy would it be for someone today to walk into your office, go up to a computer, and access sensitive, proprietary information from the Medaille network? To make changes? To send bogus emails?
According to the International Facility Management Association, around 70 percent of offices today have open floor plans. So, chances are it wouldn’t be all that difficult. We need to train faculty and staff to lock their machines every time they leave their space — even if it’s only for a moment — and we set a central information technology (IT) policy to automatically lock machines after inactivity as backup.
3. Call to verify suspicious emails
Email spoofing has cost businesses nearly $750 million between October 2013 and August 2015. Just this April, many users received a message from a Medaille email address requesting they wire nearly $20,000 to a bank account in Missouri.
We can no longer take for granted that an email is truly coming from its apparent source, and we must approach any email that feels even the littlest bit “off” with serious caution. In this example — besides the fact that no one from Medaille would ever request a wire transfer — the very formal, very uncharacteristic “kind regards” in the email signature was a dead giveaway that the message was forged.
Before clicking attachments, links, or sending any money or sensitive information, we should know to call the supposed sender to verify that the original message is legitimate or call the Medaille Helpdesk to trace out the sender’s real address.
4. Turn their machine off immediately if they’ve been compromised
If you aren’t able to prevent an attack in the first place, the next best thing is to stop it from spreading to the rest of the Medaille network.
If you ever suspect that your machine is infected with any kind of malware or virus, be sure to (1) shut your machine off, and (2) call the Medaille IT Helpdesk. The more time you lose to panic or confusion, the more time that malware has to infect the rest of your environment.
5. Save your files where they’ll be backed up!
The Medaille College backup system backs up only data stored on NETWORK DRIVES, once daily. A user’s local C: drive is not part of our backup scheme at this time.
All users should be saving all Medaille data to their network drives. Please see the following policy: http://it.medaille.edu/file-server-policy
Above all, don’t let the fate of Medaille College’s data rest on assumptions and good intentions. The risk is far, far too high.
Passwords. They're something that pretty much everyone has to deal with. We need them for credit card accounts, social media accounts, work, and any number of other things. Despite how prevalent they are, and despite how important they are, a lot of us still have trouble creating good passwords. If you follow the tips in this article, you'll be able to create good passwords that will help keep you safe.
1. Don't make short passwords.
A lot of people believe passwords need to look something like k5wT!1*a to be secure. So we make them as short as possible, hoping we'll be able to remember six or eight characters. There are two problems with this. A random jumble of characters will rarely be easy to remember, and there just aren't enough characters in a short password to make it difficult for a password cracking program to figure out. To be safe from password cracking programs, the minimum recommended password length is 14 characters. How long are your passwords?
2. Don't store your password where it can be easily found.
If you've written your passwords down and left them where you can easily get to them, chances are good someone else can easily get to them, too. That sticky note under your mousepad or keyboard, the file called "password," the list in your desk drawer — these (and many others) are easy to find. If your passwords are easy to find, whatever they're protecting is easy to compromise.
3. Don't keep a password for too long.
There is disagreement about how long to go before changing your password, and many sites have their own requirements. What all the experts can agree on, though, is that if anyone else knows your password and you don't want them to use it, change it.
4. Don't make a password that's easy to guess.
Some passwords are super easy to guess because they get used all the time (password, 123456, baseball). Others are easy to guess because the characters are related, follow patterns, or are single words you'd find in a dictionary (asdfgh, xoxoxoxo, initiative). Personal information is another category that's easy to guess, since so much of it is easy to find out (your sister's name, your dad's birthday, your phone number). A lot of folks use variations of the same password across multiple sites, but this can be easy to guess, too, especially if the person trying to figure it out has seen any of your other passwords (Xgoogle1!, Xfacebook1!; password01, password02, etc.). If your password is easy to guess, whatever it's protecting is easy to get to.
5. Do make passwords easy to remember.
A couple of years ago, someone’s e-mail password was R2D2-NotrecommendedforDagobah. Even though it has 29 characters, it's easier to remember than the 8-character example in number 1 above (k5wT!1*a). It's also harder for a computer to crack. It was used without spaces, because their e-mail provider didn't allow for them, but, if you can use spaces, do; they count as special characters and some password cracking programs still have problems with them.
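To show why the advice in items 1, 4 and 5 holds, here is an added example (not part of the original article) that measures the brute-force search space of a password and then checks it against the weaknesses listed above: too short, on a common-password list, a keyboard walk, a repeated pattern, letters only, or a cosmetic variant of an earlier password. The common-password list and keyboard rows are constructed stand-ins; a real check would use a breached-password list.

```python
import math
import re
import string

# Constructed stand-in for a breached/common-password list: the five from the
# 2015 headlines quoted on this page plus two others mentioned here.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345", "baseball"}

# Keyboard rows, used to spot walks such as "asdfgh" or "qwerty".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def charset_size(pw):
    """Size of the smallest alphabet that covers every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    if " " in pw:
        size += 1
    return size


def search_space_bits(pw):
    """Brute-force search space, length * log2(alphabet). This is an upper bound:
    it assumes every character was chosen at random, which the checks below test."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def has_keyboard_walk(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def has_repetition(pw):
    """True for a 1-3 character unit repeated three or more times ("xoxoxoxo")."""
    return re.search(r"(.{1,3})\1{2,}", pw) is not None


def template(pw):
    """Collapse the variable parts of a password so "Xgoogle1!" and "Xfacebook1!"
    (or "password01" and "password02") reduce to the same shape."""
    shape = re.sub(r"[a-z]{3,}", "*", pw)
    return re.sub(r"\d+", "#", shape)


def assess(pw, previous_passwords=()):
    """Return the search-space estimate and every rule from this page that pw breaks."""
    findings = []
    if len(pw) < 14:
        findings.append("too short (under 14 characters)")
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("on the common-password list")
    if has_keyboard_walk(pw):
        findings.append("contains a keyboard sequence")
    if has_repetition(pw):
        findings.append("contains a repeated pattern")
    if pw.isalpha():
        findings.append("letters only, like a single dictionary word")
    if template(pw) in {template(p) for p in previous_passwords}:
        findings.append("reuses the pattern of an earlier password")
    return {"bits": round(search_space_bits(pw), 1), "findings": findings}


if __name__ == "__main__":
    for candidate in ("k5wT!1*a", "R2D2-NotrecommendedforDagobah", "123456", "xoxoxoxo"):
        result = assess(candidate)
        print(f"{candidate!r}: {result['bits']} bits, {result['findings'] or 'no findings'}")
    print(assess("Xfacebook1!", previous_passwords=["Xgoogle1!"])["findings"])
```

The two passwords from the article illustrate the point: the 8-character jumble lands at roughly 52 bits and is still flagged as too short, while the 29-character Dagobah phrase is above 190 bits with no findings. The bit count is only an upper bound; the pattern checks are what catch the "password02" and keyboard-walk cases that a length-only rule would let through.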
6. Do play with your security question answers.
Phishing attempts can get pretty sophisticated. We have seen online quizzes written in such a way that they manage to gather the information that security questions often ask for (for example, "Enter your pet's name and the street you grew up on to learn your fantasy novel character's name"). But by playing with your answers to the questions, you won't have to worry that your information could be used to get into your accounts.
How do you do this? It's pretty easy. Decide what you want to answer them with, instead of what they really are. For example, answer all "people" questions with movie characters — your childhood best friend becomes a character that resonated with you when you were young, and your mother's maiden name becomes the last name of a character who you think is an awesome mom. Then, even when some unscrupulous person has your real personal details, they can't use them to break into your accounts.
How To Detect Phishing Emails
- I don’t recognize the sender’s email address as someone I ordinarily communicate with.
- This email is from someone outside my organization and it’s not related to my job responsibilities.
- This email was sent from someone inside the organization or from a customer, vendor, or partner and is very unusual or out of character.
- Is the sender’s email address from a suspicious domain? (like micorsoft-support.com)
- I don’t know the sender personally and they were not vouched for by someone I trust.
- I don’t have a business relationship nor any past communications with the sender.
- This is an unexpected or unusual email with an embedded hyperlink or an attachment from someone I hadn’t communicated with recently.
- Did I get an email with a subject line that is irrelevant or does not match the message content?
- Is the email message a reply to something I never sent or requested?
- Is the sender asking me to click on a link or open an attachment to avoid a negative consequence, or to gain something of value?
- Is the email out of the ordinary, or does it have bad grammar or spelling errors?
- Is the sender asking me to click a link or open up an attachment that seems odd or illogical?
- Do I have an uncomfortable gut feeling about the sender’s request to open an attachment or click a link?
- Is the email asking me to look at a compromising or embarrassing picture of myself or someone I know?
- I was cc’d on an email sent to one or more people, but I don’t personally know the other people it was sent to.
- I received an email that was also sent to an unusual mix of people. For instance, a seemingly random group of people at my organization whose last names start with the same letter, or a whole list of unrelated addresses.
- Did I receive an email that I normally would get during regular business hours, but it was sent at an unusual time like 3 a.m.?
- The sender included an email attachment that I was not expecting or that makes no sense in relation to the email message. (This sender doesn’t ordinarily send me these types of attachment(s).)
- I see an attachment with a possibly dangerous file type. The only file type that is always safe to click on is a .TXT file.
- I hover my mouse over a hyperlink that's displayed in the email message, but the link-to address is for a different website. (This is a big red flag.)
- I received an email that only has long hyperlinks with no further information and the rest of the email is completely blank.
- I received an email with a hyperlink that is a misspelling of a known web site. For instance, www.bankofarnerica.com, where the “m” is really two characters, “r” and “n”.
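Several items on this checklist can be applied mechanically to message metadata before a person ever reads the body. The following added example (not part of the original article) does that for the checks that are machine-testable: a sender or link domain that imitates a trusted one by misspelling, transposition (micorsoft-support.com) or the "rn" for "m" substitution (bankofarnerica.com), link text that shows one address while pointing at another, an unusual send time, a risky attachment type, and pressure language such as a wire request. The trusted-domain list, homoglyph table, extension list, keyword list and the two sample messages are all constructed for this example.

```python
import re
from datetime import datetime
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed reference data for this example; a real deployment would load its own
# lists. The "rn" for "m" substitution is the one this page describes.
TRUSTED_DOMAINS = ("medaille.edu", "microsoft.com", "bankofamerica.com")
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm", ".zip", ".iso"}
PRESSURE_WORDS = ("wire", "urgent", "immediately", "suspended", "final notice")
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def levenshtein(a, b):
    """Edit distance; enough to catch one- or two-character misspellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a host name (assumes .com/.edu-style TLDs, not .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host):
    """Trusted domain that host imitates by misspelling, transposition or homoglyph, else None."""
    dom = registrable(host)
    if not dom or dom in TRUSTED_DOMAINS:
        return None
    label = dom.split(".")[0].split("-")[0]          # "micorsoft-support" -> "micorsoft"
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)            # "bankofarnerica" -> "bankofamerica"
    closest = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(label, t.split(".")[0]))
    return closest if levenshtein(label, closest.split(".")[0]) <= 2 else None


def red_flags(msg):
    """Apply the machine-testable checklist items to one message (a dict the caller
    built from parsed mail) and return the human-readable flags it raised."""
    flags = []
    sender_host = parseaddr(msg["from"])[1].rpartition("@")[2]
    imitated = lookalike_of(sender_host)
    if imitated:
        flags.append(f"sender domain {sender_host} looks like {imitated}")
    hour = datetime.fromisoformat(msg["sent"]).hour
    if hour < 6:                                     # the page's "3 a.m." case
        flags.append(f"sent at an unusual hour ({hour:02d}:00)")
    for text, href in msg.get("links", ()):
        target = registrable(urlparse(href).hostname or "")
        if DOMAIN_LIKE.fullmatch(text.strip()):      # the visible text is itself a web address
            shown_url = text.strip() if "://" in text else "http://" + text.strip()
            shown = registrable(urlparse(shown_url).hostname or "")
            if shown != target:
                flags.append(f"link text {shown} points to {target}")
        imitated = lookalike_of(target)
        if imitated:
            flags.append(f"link domain {target} looks like {imitated}")
    for name in msg.get("attachments", ()):
        ext = name.lower()[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"risky attachment type: {name}")
    hits = [w for w in PRESSURE_WORDS if w in msg.get("body", "").lower()]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


# Constructed samples standing in for parsed mail: a wire-transfer lure in the spirit
# of the one described on this page, and a routine internal notice.
WIRE_LURE = {
    "from": "Finance Office <finance@medaile.edu>",
    "sent": "2016-04-12T03:14:00",
    "body": "Please wire the funds to the account in the attachment immediately. Kind regards.",
    "links": [("www.bankofamerica.com", "http://www.bankofarnerica.com/login")],
    "attachments": ["wire_instructions.docm"],
}
BENIGN = {
    "from": "Registrar <registrar@medaille.edu>",
    "sent": "2016-04-12T10:05:00",
    "body": "The fall course catalog is posted on the portal.",
    "links": [("Course catalog", "https://portal.medaille.edu/catalog")],
    "attachments": ["catalog.pdf"],
}

if __name__ == "__main__":
    for label, msg in (("lure", WIRE_LURE), ("benign", BENIGN)):
        print(label, red_flags(msg) or ["no flags"])
```

The lure raises six flags and the routine notice none. Note what this does not catch: a message that spoofs the exact medaille.edu address, like the April wire request described earlier, passes the lookalike check, which is why the article's advice to call the sender still applies and why domain authentication (SPF, DKIM and DMARC) belongs on the mail server rather than in a checklist.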