Top 10 Ways You Can Improve Your Security Posture Today

Robert Garcia
13 min read · Feb 17, 2021


Malware, exploits, breaches, spear-phishing, viruses, and ransomware everywhere! Cyber-attacks are in the news every day, and it seems like everyone is a potential victim with no end in sight. The outlook is bleak, and many succumb to cyber fatigue and complacency.

Understanding threats and protecting yourself does not have to be overwhelming. There are some simple, common-sense steps that you can take, both in your business and personal lives, that will make you immeasurably safer in an insecure digital world. I’m going to lay out 10 strategies you can apply immediately to harden your cybersecurity posture.

1. Get Your Password Game on Point

When it comes to authentication, the password is king. From the Shibboleth incident and the Enigma machine to our modern-day network, email, banking and social media accounts, the password has been our primary means of allowing access for thousands of years. This string of words and random characters is the only thing that separates our data from the cyber barbarians at the gate. Unfortunately, the password is also the weakest form of authentication we have. Let me emphasize this point: your password is the worst! Just like how Ali Baba gained access to the thieves’ den with the leaked password “open sesame”, all our credentials have been compromised numerous times (check out www.haveibeenpwned.com). Furthermore, passwords that haven’t already been published on the dark web can be guessed, phished using basic social engineering, or cracked in a matter of hours by a 10-year-old with a gaming rig. Now, I understand that this may come as a surprise, but all is not lost. Here are three easy steps you can take to fortify your credentials and take your password game to the next level:

· Pick a long password. Is it more secure to have a long simple password or a short complex one with lots of symbols and random characters? This question fueled debate in the cybersecurity world for years. The debate is over, and it turns out that length is stronger than complexity. To understand why, you should know how easy it is to access a password cracker. This is an application or website that bombards a password with guesses: either every possible character combination (a brute-force attack) or lists of common words and word combinations (a dictionary attack). The National Institute of Standards and Technology, and most recently Microsoft, recommend you create passwords with a minimum of 8 characters. The problem is that a password cracker can decipher an 8-character password within 8 hours, or a 10-character password in 8 days. However, a 12-character password would take 61 years to crack, proving again that length trumps complexity. Also, somewhat counterintuitively, the longer passphrase is typically easier for you to remember! What’s more memorable: uVG7CEYa, or PersonWomanManCameraTV? So ditch that short, uber-complex password of yours, and create a 16-plus-character passphrase that you’ll actually remember!

· Stop reusing your passwords. Now you have this wonderful passphrase that is virtually uncrackable. You’re so pleased with it that you decide to use it for your work account. Also, your LinkedIn, Instagram, Netflix, and your Fidelity accounts. This is all working out splendidly, until you hear on the news that Netflix experienced a data breach three months back. It seems your password wasn’t being protected properly and is now being sold on the dark web for pennies. The script kiddie who bought your password starts trying popular services, hoping you used the same password for your other accounts. Which you did, and now all is lost. It’s called password reuse, and you know you do it. It’s okay, don’t beat yourself up about it, you’re in good company. 72% of people admitted to reusing their passwords, and the average reuser uses the same password for 14 different services! Password reuse is a major problem, with some studies showing compromised passwords being responsible for 81% of all breaches. So please, for your own safety, DON’T reuse your password. Like a snowflake, every password should be unique. Now the problem becomes, how are you supposed to maintain a stable of 30+ unique, lengthy passwords?

· Use a password manager. You know that coworker of yours who writes all his passwords on a series of yellow sticky notes prominently displayed around the bezel of his monitor? Well, a password manager is the secure, digital version of the infamous yellow sticky note. It stores your passwords and makes them accessible through one master password. This is a critical tool if you are going to create unique, lengthy passwords and don’t want to worry about memorizing them all. But today’s password managers go even further; they can create new passwords for you, then use browser plugins to enter them into logins without you even knowing what they are! Many password managers will even scan the dark web and alert you if your passwords have appeared on any breach lists. There are scores of quality password managers available (1Password, LastPass, Dashlane, KeePass, NordPass, to name a few), and many are even free for personal use. So do yourself a favor, download a password manager and put an end to password reuse.
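The breach-list check that the password-manager tip and the haveibeenpwned.com mention both point at can be done without ever sending the password anywhere. Below is an added example (not code from the article or from any of the products named): it implements the k-anonymity lookup the Pwned Passwords range API uses, where only the first 5 hex characters of the SHA-1 hash leave the client and the rest is matched locally. The range response here is a constructed sample so the example runs offline; the only real value in it is the SHA-1 suffix of the word "password".

```python
from __future__ import annotations
import hashlib

# Constructed stand-in for what the Pwned Passwords range API returns for hash
# prefix "5BAA6": one "SUFFIX:COUNT" line per leaked hash sharing that prefix.
# Real responses hold hundreds of lines; only the first suffix here is real (the
# SHA-1 tail of "password"); the other lines and all counts are invented.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:12
FFEEDDCCBBAA99887766554433221100FFE:3
"""


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    Only the 5-character prefix ever leaves the client; the remaining 35
    characters are compared locally, so the service cannot tell which of the
    hashes in that range (or which password) you were asking about.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach-count map."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in breach corpora (0 = not found).

    fetch_range(prefix) must return the range body for that prefix. In real use
    it would be an HTTPS GET of https://api.pwnedpasswords.com/range/<prefix>;
    here an offline stub is passed in so the example runs without network.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stub fetcher: serves the constructed sample for its prefix, else nothing."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, offline_fetch)
        print(f"{candidate!r}: {'seen %d times, do not use' % n if n else 'not in the sample corpus'}")
```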

2. Enable Auto Update

Your software isn’t safe. Sure, it may have looked safe back when the developers created it and the quality assurance folks tested it, but over time unforeseen security holes begin cropping up. Every day, hackers and security experts are in a race to see who can uncover these new vulnerabilities first. If the hackers discover it, they weaponize it and it becomes known as a zero-day exploit. If the security researchers uncover the vulnerability first, they notify the software provider, who then rushes to create and push a patch. Now, the ball is in your court: YOU must check for the update, download, and install it. When you consider the amount of software users typically run on their computers and throughout their smart homes, and the number of security vulnerabilities these devices generate, you can see how patching everything can become overwhelming. Luckily, most operating systems, applications, browsers, and IoT devices provide for automatic updates IF you enable them. Make sure to set everything you can to auto update: Microsoft Windows, Apple iOS, your wireless router, as well as less obvious targets like IoT devices. Your Wi-Fi enabled doorbell, thermostat, and refrigerator are super cool, but who’s making sure they have the most up-to-date protection against security holes? Set them to auto update and you can rest easy.

3. Software Controls

There are several software applications and services that you can utilize at home that will strengthen your security posture in a big way. The most obvious of these is an antivirus, and there are hundreds of products out there. Today’s antivirus programs use a combination of signature and behavioral based detection. Think of a signature as the digital fingerprint of a particular virus that has been detected and dissected. This signature is sent out to all the other antivirus clients to be on the lookout, which works great unless you’re the unlucky person who gets hit first. Unfortunately, hackers will therefore customize their malware packages just enough to change their signatures, so the altered copies slip by undetected. Therefore, modern antivirus programs also employ behavioral-based detection. Your antivirus program will first attempt to run programs in an isolated environment, called a sandbox, looking for any suspicious activity. Antivirus can also detect abnormal events such as excessive encryption of files, which would be an indicator of a ransomware attack. Antivirus is one of the oldest security layers, and to this day still serves as a critical necessity that should be installed on all your devices.

Another valuable software tool is the firewall. In the corporate world, a firewall is a physical appliance that protects the internal network from the wild world of the Internet. It allows certain traffic in and out, while blocking malicious traffic as well as hackers probing for entry points. But firewalls aren’t solely in the corporate domain; you can have this same protection at home using firewall software. Microsoft Windows has a built-in firewall that is very effective, assuming you don’t disable it, but some other excellent options are GlassWire, ZoneAlarm, and Comodo.

So, you’ve installed an antivirus program, and you’ve made sure your firewall is up and running, but you suspect malware has somehow slipped through the cracks. Maybe you’re receiving pop-ups to optimize your computer, or your browser has been hijacked by a dating app advertisement. Before you take your computer in to the Geek Squad to have it wiped, download Malwarebytes. This is a fantastic, free virus scrubber that will clean your machine in minutes. You’re welcome.

4. Don’t Feed the Phish

Phishing attacks have been a major problem for the past 30 years, but just recently they’ve become much more sophisticated and effective. Last year alone, 65% of US companies reported a successful phishing attack. These attacks can lead to compromised passwords, personal and medical data, and leaked financial information, costing a combined total of 12 billion dollars over the last 5 years alone! So, how are these phishing attacks delivered? Only 1% arrive by mobile phone, a paltry 3% by website, and 96% come in through email! This is why I recommend approaching any email containing a link or attachment like a live bomb! Think I’m being dramatic? Maybe a little, but chances are you’ve already received several phishing emails this week alone, and you only have to fall for one. Here are some tips to make sure you don’t:

· Hover your mouse before clicking. If you adopt only one new email practice today, let it be this one. Hovering your mouse over an email link BEFORE you click on it will result in a pop-up from your email client showing you exactly where the link will take you. If the email says Click Here To Access Your Dropbox Documents, but hovering your mouse shows you the link really goes to www.HackingYou.ru, you know something’s phishy.

· Be paranoid if you don’t know the sender. Remember the adage “Don’t take candy from a stranger”? Well, don’t open links or attachments from a stranger either. If you don’t know them and you weren’t expecting that email, chances are it’s spam at best, or a phishing attempt or malware at worst. Either way, just delete it.

· Be paranoid if you DO know the sender. Email addresses can be faked (spoofed) very easily. Or perhaps the sender’s email account was compromised, so the address is legit but the contents are not. Your best defense here is to look critically at these emails. Are they written in the sender’s “voice”? Are there excessive spelling or grammatical errors? What are they attempting to get you to do? Do they want you to click on a link? Maybe provide your email address and password? Once you’ve examined everything, if your Spidey-sense is still tingling, listen to that voice inside you and give the sender a call. Confirm that it came from them before you click on anything. Remember, just because you’re paranoid doesn’t mean they’re not after you.
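The hover check from the first tip, turned into a small mail-side filter as an added example (this is not code from the article): it parses an email body, pairs every link's visible text with its real href, and flags links whose text advertises one destination while the href goes to another, which is exactly the mismatch hovering reveals. The sample HTML, the brand list and the .example domains are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the article): one honest link and two
# lures whose visible text does not match where the href actually goes.
SAMPLE_EMAIL_HTML = """
<p>Hi, your statement is ready.</p>
<p><a href="https://www.dropbox.com/s/abc/statement.pdf">Click Here To Access Your Dropbox Documents</a></p>
<p><a href="http://www.hackingyou.example/login">Click Here To Access Your Dropbox Documents</a></p>
<p><a href="http://paypal.com.secure-login.example/verify">https://www.paypal.com/myaccount</a></p>
"""

# Brand words a reader might see in link text, mapped to the domain the brand
# really uses. Constructed for the demo; real mail filters use curated lists.
KNOWN_BRANDS = {"dropbox": "dropbox.com", "paypal": "paypal.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels domain ('www.dropbox.com' -> 'dropbox.com');
    production code should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious(href, text):
    """Return a reason string if the link looks deceptive, else None."""
    href_domain = registrable_domain(urlparse(href).netloc)
    # Case 1: the visible text is itself a URL, but points somewhere else.
    m = re.match(r"https?://([^/\s]+)", text)
    if m and registrable_domain(m.group(1)) != href_domain:
        return f"text shows {m.group(1)} but href goes to {href_domain}"
    # Case 2: the text name-drops a brand whose real domain is not the target.
    for brand, domain in KNOWN_BRANDS.items():
        if brand in text.lower() and href_domain != domain:
            return f"text mentions {brand} but href goes to {href_domain}"
    return None


def scan_email(html):
    """Return [(href, reason)] for every link in the body that fails the check."""
    parser = LinkCollector()
    parser.feed(html)
    return [(h, suspicious(h, t)) for h, t in parser.links if suspicious(h, t)]
```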

5. Information is power; don’t give yours away.

A targeted hack isn’t like what you’ve seen in the movies. If a hacker has their sights set on you or your company, they’re going to do their research first. They’ll start by looking for any information that can be used to either crack your credentials, or socially engineer you and those around you into divulging personal details to help them. Where is the ultimate source of easily accessible information about you? Facebook, LinkedIn, Instagram, Twitter, Snapchat and the rest of the interwebs.

In the information age, data is currency. As a rule, the less publicly available information out there about you, the better. Known as personally identifiable information (PII), this could include your name, home address, telephone number, email address, marital status, and social security number. All this information can be used to phish you, compromise your online accounts, or even commit identity theft. But understanding that some of us have to publish some level of PII on the web as part of our professions, here are some precautions you can take to bolster your online privacy:

· Don’t use knowledge-based authentication (KBAs). KBAs are those silly attempts at security where you are asked to verify your mother’s maiden name, or your former high school. They aren’t secure because that information is probably worth a half-hour of Google searches. If you must use KBAs, feed them incorrect and hilarious information.

· Review the privacy and security settings on all your online services. You may be shocked to learn which vendors you have inadvertently given permission to access your private data. Limit these settings as much as possible.

· Cancel any services you no longer use. Let’s face it, you’re probably not going to be doing anything with that old MySpace account, so cancel it before whatever data they have on you is leaked.

6. MFA The World!

Authentication factors come in three forms: something you know, something you are, and something you have. Something you KNOW is a password or PIN code, and we’ve covered the inherent weaknesses of this factor. Something you ARE (called biometrics) can be a fingerprint, your face, your iris, even your voice. Historically, biometrics aren’t the most reliable, and people generally distrust them. Now, something you HAVE can be a physical token, or a phone call, SMS text, or app. This type of authentication factor has become extremely popular, and, when combined with your existing password, is known as multifactor authentication (MFA). I cannot overstate how much safer you will be if you adopt MFA in your life. Whether you’re logging into your banking account, your company’s network, or your personal email account, adding a second layer of protection is a no-brainer. In fact, studies have shown that you are 99.9% less likely to be compromised if you use MFA. You should apply MFA to every service that allows for it, and you might be surprised to find that most of your services do offer this feature.

One last thing: many people use some form of MFA but set time limits. For example, they only require the second factor once every 24 hours, or even once a month. I recommend that you adopt a zero-trust policy where EVERY login is assumed untrustworthy, and that you use multifactor authentication for every service, every login. No exceptions.

7. Nothing Good in Life is Free.

Websites offering pirated content on the internet are nothing new. People have been downloading free movies, television shows, music, and software for decades. In fact, a recent study found that 24% of all internet bandwidth in North America, Europe, and the Asia-Pacific is used for piracy. Pirating copyrighted material is hugely damaging to the economy, with $40–$97 billion in losses in the movie industry alone. But here’s another sobering statistic: people who download pirated content are 28 times more likely to get infected with malware! Hackers often use pirated content sites and “free” sports streaming services to deliver viruses directly to your devices. You may have saved $4.99 by streaming John Wick 3 from that sketchy movie-streaming website, but after your computer is turned into an unwitting Dogecoin miner, you’re going to have some regrets. In the end, downloading illegal content isn’t just morally wrong, it’s bad for your cyberhealth!

8. Public WIFI: Don’t Trust It

Chances are that most public places you visit will have free WIFI offerings. Malls, coffee shops, hotels, airports; they all offer WIFI hotspots, which is super convenient when you’re on the go. The problem is, there’s another user sitting at the other end of the coffee shop, joined to the same WIFI network, capturing all your online activity. This is called a Man-in-the-Middle attack, and it allows a bad actor to eavesdrop or even alter your network traffic en route. That latte-sipping hacker can also deliver malware directly to your laptop, or even fool you into joining his copycat network. After all, did you really join the StarbucksWIFI network, or the fake StarbuckWIFI hotspot the hacker is running from his table? Public WIFI is dangerous territory, but there’s a simple fix: a personal VPN. VPN stands for Virtual Private Network, and it allows you to do all your online business through a secure, encrypted tunnel. So even if you are on a compromised network, the hacker can’t decipher your internet traffic. There are many excellent VPN providers out there. NordVPN is a good example, with a wealth of privacy features for all your online devices.

9. Back Me Up Here

One morning you turn on your computer to find a popup with a menacing skull and bones graphic informing you that all your files have been encrypted. You now have 48 hours to pay $1,000 in bitcoin or your files will be lost forever. This is ransomware, and it’s a $21 billion a year business. Now, many of the security controls we’ve discussed would have helped to prevent this ransomware attack, but here we are, so what do you do? Pay the hackers? 58% of ransomware victims do just that. However, if you have good backups, you could simply restore your data and be back in business in a couple of hours. There are many options for backups, ranging from a basic portable hard drive to more advanced cloud hosted services. Backups are not foolproof; the ransomware will attempt to encrypt them as well. That’s why it is better to connect your external hard drive only when backing up your data, and then disconnect the drive. Many cloud backup solutions offer advanced threat protection and encryption as another layer of defense. Best practices dictate that you diversify your backups: two different backups on two different storage media. For example, one backup to a physical hard drive, while a separate backup goes to an encrypted cloud provider. Whatever your backup strategy is, make sure to kick it off regularly and sleep securely, knowing your data is safe(r).

10. Stay vigilant

Hardening your cybersecurity posture is an ongoing process, and I have some sobering news: the war will never be won. As hackers get smarter and find even more devious ways of getting to you and your data, you will have to stay one step ahead. The strategy we employ is called defense in depth, also known as the castle approach. Imagine a medieval castle with layers of protection, starting with the curtain wall, then the moat. Then there are more walls, with turrets and towers. The Queen knows that no one barrier is impervious to attack. However, these multiple layers of protection will slow down the attackers long enough to get archers in place, or cause the invaders to give up and seek easier targets. The castle approach is what we model our defensive strategy on, with all the security controls we have gone over; however, you must assume that any one security control can and will fail. Hubris has no place in the cybersecurity space because none of us are ever truly 100% safe. That’s why, even after hardening your cybersecurity stance, you must remain vigilant. Always look for opportunities to improve your security posture. Continue to cancel unused online accounts. Even though your passwords are strong and unique, change them every year. Make sure your backups and antivirus are running and your software is up to date. Keep examining incoming email like you’re Sherlock Holmes. Stay alert, stay vigilant, stay paranoid, and you’ll stay safe(r).

Robert Garcia

As IT Director at Gursey Schneider, Rob is a cybersecurity and data privacy advocate who heads the firm's Technology Advisory arm.