August 7, 2017
Focus: Corporate security

Cyber headaches: How to stay ahead of the hackers

Tips to protect yourself online

While many businesses are dramatically changing the way employees use passwords, most people are still not aware of just how insecure their passwords are and what impact that can have both at home and at work.

Think you're all set because you cleverly use that "@" for an "a" or "5" for an "S"? How about the classic "0" for an "O"? Those guys trying to hack your email are way ahead of you, says Peter Fortunato, a manager in the risk and business advisory practice at accounting firm Baker Newman Noyes.

And by the way — those guys aren't what you see in the movies, someone sitting under a bare lightbulb in his T-shirt typing in password guesses. These days, sophisticated algorithms can run through every word in the dictionary, then start trying variations, before you've even figured out what to use instead of "@."

There are some basic things you can do to protect your information, Fortunato says.

Do:

Enable more than one authentication method when it's offered

Give bogus answers to security questions (even Mom will understand if you don't use her real maiden name)

Use a bogus birthdate

Have a second email address that's only used for password recovery and nothing else.

Don't:

Reuse passwords

Use dictionary words

Use standard numeral substitutions for letters or have a password shorter than 10 characters.

Businesses have always had things of value: Money and information. Bad guys, since businesses began, have tried to figure out ways to steal those things. Those basics haven't changed.

The difference is, the bad guys aren't in the basement next door drilling through the walls into the vault. They're running algorithms that dig right into the heart of a business's most important currency: its information.

The people in Maine whose job it is to help banks, hospitals and other businesses protect that currency agree that staying ahead of the bad guys takes constant attention, and more businesses are getting on board with that.

As the bad guys' methods have gotten more sophisticated, businesses are getting more sophisticated at how they protect themselves. The biggest trend is simply more awareness, more realization that no one is safe and more preventive measures to keep the bad guys at bay.

Small businesses are growing more aware that they're among the most vulnerable — larger corporations have the resources to take action before a cyberattack. Small businesses that put off paying for prevention now are realizing it's worth the money.

'Not if, but when'

"We're past the 'if' question, it's a matter of when," says Peter Guffin, a partner at Pierce Atwood and chairman of its privacy and data security practice. Cyberattacks are not just a problem for Yahoo and Verizon, they're a headache for the little guy, too.

"More and more businesses recognize the truth" in the fact that they're going to have an incident, he says. And that doesn't just include data theft, but more serious threats, like ransomware that can take over a business and shut it down.

"There's an increasing investment by companies in tools to detect bad stuff," Guffin says, and that includes increasing the budgets for those tools.

Guffin says businesses are also making the effort to build robust response plans.

"It's a playbook you pull out," he says, to determine the nature of an attack and whether law enforcement or attorneys should be called in.

"It's a recognition that 'this can shut us down,'" Guffin says.

It also means staying on top of what's going on in the company's data system, say both Guffin and Peter Fortunato, a manager in the risk and business advisory practice at accounting firm Baker Newman Noyes.

Fortunato says that a few log-ins from a place there shouldn't be any may not seem like much to a business. But those "breadcrumbs" can end up bringing down a business.

Say goodbye to 'Password1!'

Usernames and passwords are major breadcrumbs, Fortunato says.

The good old days of simple passwords that you change every 90 days by changing a number are long gone. So are the more recent, almost-as-simple days of eight-character passwords, or cleverly using "@" instead of "a."

The bad guys are way ahead of us.

All they need is a username and password, and they have access to your world. And if you use similar passwords at work, they have access to your work world, too. And your employer's world. You get the picture.

A password that's easy to figure out "is like locking your car, but leaving the window down," says Fortunato. He says employer usernames that are easy to figure out, like a first initial and last name, compound the issue.

Once someone reaches in that window — and we make it so easy — everything is up for grabs. Fortunato says most people are not aware of the sophisticated methods the bad guys use to easily solve our password tricks, or of how much of our information we hand over once they have.

The National Institute of Standards and Technology, which sets security guidelines, is advising passwords be 16 to 20 characters. The good news is, you don't have to change them every 90 days. Fortunato says that when passwords have to be changed, people tend to do obvious things. Like change a "1" to a "2."

Longer passwords are effective because most words in the dictionary are shorter. That points to another rule: the password should be made of letters that make sense to you but wouldn't to anyone else — no dictionary words.
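The "Don't" list above and this section boil down to a handful of checkable rules: no reuse, no dictionary words, no standard numeral substitutions, and at least 10 characters. The following is an added example, not code from the article or its sources, that turns those rules into a password check. It undoes the common substitutions before the dictionary lookup so that "P@55w0rd" is judged as "password"; the word list and the substitution table are constructed for the example, not taken from the article.

```python
import re
from typing import Optional

# Constructed stand-in for a real word list (assumption: a deployment would
# load a full dictionary such as /usr/share/dict/words).
DICTIONARY = {"password", "welcome", "summer", "maine", "company", "admin"}

# The "standard numeral substitutions" the article warns about, mapped back
# to the letters they disguise (assumed table, not from the article).
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                               "!": "i", "0": "o", "5": "s", "$": "s",
                               "7": "t"})
MIN_LENGTH = 10  # the article's floor; its NIST figure of 16-20 is stronger

def normalize(password: str) -> str:
    """Undo leet-style substitutions and case so the base word is visible."""
    return password.translate(SUBSTITUTIONS).lower()

def find_dictionary_word(text: str) -> Optional[str]:
    """Return the longest dictionary word contained in text, if any."""
    for word in sorted(DICTIONARY, key=len, reverse=True):
        if word in text:
            return word
    return None

def strip_trailing_counter(password: str) -> str:
    """Drop trailing digits/punctuation so 'Password1!' and 'Password2!' match."""
    return re.sub(r"[\W\d_]+$", "", password)

def check_password(password: str, previously_used=frozenset()) -> list:
    """Apply the article's 'Don't' rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password in previously_used:
        problems.append("reused password")
    plain = find_dictionary_word(password.lower())
    if plain:
        problems.append(f"contains dictionary word '{plain}'")
    else:
        disguised = find_dictionary_word(normalize(password))
        if disguised:
            problems.append(f"dictionary word '{disguised}' disguised "
                            "with numeral substitutions")
    # The 90-day habit the article describes: changing a "1" to a "2".
    stem = strip_trailing_counter(password)
    if any(strip_trailing_counter(p) == stem and p != password
           for p in previously_used):
        problems.append("previous password with only the trailing number changed")
    return problems
```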

Businesses are also tackling the issue of convincing employees that password security is important.

"People want to be creative and get their job done," Fortunato says. "They don't want to bother with this."

But when employers demonstrate to employees that a breach can have a huge impact on the company, then employees are more apt to get on board.

More employers are holding information security training sessions to keep employees up to date on practices. Fortunato recommends holding them once a year, and at even shorter intervals at the beginning.

'It's a safety issue'

Businesses are also rethinking whose job it is to pay attention to cyber security.

"It's not just an IT issue," says Christine Worthen, a partner at Pierce Atwood, and chairwoman of the firm's health care practice.

That means it's everyone's issue and crosses platforms. It's particularly an issue in health care, because of patient records, shared medical information, and complex HIPAA and FDA regulations.

Data security breaches in health care can be more critical than other areas because of the nature of the information. "It's a safety issue," she says. "It can really harm patients."

As awareness grows about how wide-ranging security measures have to be, smaller health care providers wonder how they're going to pay for them.

"Ignoring it is not an option," Worthen says.

Security alone isn't the reason there have been so many health care mergers recently, but the cost of protecting information is one of the many burdens that providers going it alone have to bear.

'An arms race'

Guffin, Worthen and Fortunato all say education and awareness are the keys. Businesses are getting on board with that, putting the effort into prevention, rather than waiting for something to happen.

Fortunato says thefts skyrocketed to billions of dollars a year once organized crime became involved in data theft.

"These folks are smart," he says. "They're nefarious entities doing some research and targeting their attacks."

Guffin doesn't think we'll ever get to a place where there is complete cyber security, but more businesses are recognizing that they're at risk.

"It's an arms race," he says. "You have to stay one step ahead of the bad guys."
