October was Cybersecurity Awareness Month, but company-wide
Mobile Security Best Practices
In a recent article for Forbes, Gil Shwed points out the importance of understanding where the cyberspace and security threat trajectory is heading: toward a future controlled by bots, cloud computing, personal data, and the need to realize that cybersecurity defense strategies need to be multi-pronged.
Shwed goes on to point out the expanding role of government and the need for mobile security:
Countries and states will have a bigger role in protecting large scale environments like their own infrastructure (power grids, water supply, traffic control and frankly—everything around us), and maybe even to provide some of their intelligence to the public. We can have the most secure data center, but if our data leaks through a cloud provider or a mobile device, we are just as vulnerable.
In other words, we should be wary of introducing mobile devices into our daily workflow unless we apply the same kind of security precautions to them: remote workers should install the same kind of VPN security software and take the same basic precautions at home as in the office.
For example, we can all make it a point to require strong passwords that are difficult to guess and varied, change them on a regular basis, and resist using the same password for all our accounts. We should also avoid using free and public Wi-Fi unless absolutely necessary, and if we do access public Wi-Fi we should install high-security firewalls and software updates on a regular basis. Ideally, it’s best to avoid conducting work-related business in public places unless we have our own mobile Wi-Fi access.
Privileged Users & Password Security
White collar crime has made it necessary to be aware of all users at all times, regardless of their role with the company. Privileged users can often serve as the weak link or gateway for hackers to access other company data.
One basic security measure you can take is to require your employees and department heads to use strong passwords everywhere, meaning passwords that are complex, difficult to guess, and not the same as passwords used for other personal accounts. For example, if John Smith uses a password for his Google account at home that reads 123456, he should change his personal password to something much more hack-proof, and use separate, more complex, randomly generated passwords for any work-related accounts.
Many sites that generate passwords automatically have a better grasp of best practices; it’s better to use a password like M4T#ly&4hb, for example, than one made up of, say, your birthdate or the numbers of your mailing address. The general rule is that if it’s easy to remember, it’s probably not a strong password. Rather than emailing all your passwords to yourself or storing them in a Google doc, keep this information in a safe place like a locked desk drawer or at home.
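The weaknesses named above (a password equal to the username, a common value like 123456, digits taken from a birthdate or mailing address, reuse across accounts) can be checked mechanically. The sketch below is an added example, not code from the article; the function names, the small deny-list, and the 10-character minimum are assumptions made for illustration.

```python
import re
import secrets
import string

# Constructed sample deny-list; a real one would come from a breached-password corpus.
COMMON = {"123456", "password", "admin", "qwerty", "letmein"}
MIN_LENGTH = 10  # assumption: length of the article's sample password
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!#$%&*+-=?@^_")

def generate_password(length=16):
    """Draw a password from a CSPRNG; retry until every character class appears."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

def audit_password(username, password, personal=(), other_passwords=()):
    """Return the weaknesses found in one credential (empty list: none found).

    personal: strings such as a birthdate or mailing address.
    other_passwords: passwords the same person uses on other accounts.
    """
    findings = []
    if password.lower() == username.lower():
        findings.append("same as username")
    if password.lower() in COMMON:
        findings.append("common password")
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if password in other_passwords:
        findings.append("reused on another account")
    # Digit runs lifted from personal data: birth year, house number, ZIP code.
    pw_digits = re.sub(r"\D", "", password)
    for item in personal:
        for run in re.findall(r"\d{3,}", item):
            if run in pw_digits:
                findings.append("contains personal number " + run)
    return findings

if __name__ == "__main__":
    print(audit_password("admin", "admin"))
    print(audit_password("jsmith", "Smith1985!!", personal=["1985-04-12"]))
    print(audit_password("jsmith", generate_password()))
```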
Information Security Protocol & Legislation
Strategic cybersecurity and intelligence hubs like Washington D.C. have proliferated in nearby areas of the globe, including other international commerce and cyber-technology hubs like London, Silicon Valley, Tel Aviv, and Boston. The sooner large conglomerates and big business wrap their heads around this concept, the safer we’ll all be. Until our government treats this as seriously as human threats on the ground with weapons and automatic rifles (not to trivialize that very real threat), we will continue to face large-scale security breaches targeting as many people as possible.
Since the federal government continues to distance itself from any involvement in the private business sector, this means it will likely continue to be extremely difficult for CIOs to mandate the implementation of basic information security protocol at the structural level. The responsibility should fall not only on the shoulders of CIOs, but upon everyone throughout the chain of command in workplace management, to communicate the very real security risks that are ever-present but also maddeningly nebulous.
Educational Deficiencies in Cybersecurity
The recent Equifax data breach that leaked out into the Dark Web makes it depressingly clear that much information security is out of our hands. In order for companies to ensure data will remain uncompromised, they must stop doing things like storing weak username and password combos like “admin/admin,” as in the case of an Argentinian Equifax service, and exposing the lifetime data of more than half of the adults in the United States. Lifetime data refers to information like Social Security numbers, dates of birth, full legal names, family surnames, and so on. These used to be the go-to answers to what used to be considered high-security questions.
The University of Alabama at Birmingham notes ten prominent security risks in 2017: the internet of things, passwords, mobile devices, privileged users, dwell time, social engineering, malware and ransomware, algorithms, educational deficiencies, and changing corporate focus. The remedy, according to UAB, lies in “employee training and restructured security departments. IT professionals need to occupy a more central role in business. Security should become inseparable from the service a company provides.”
In the future, AI cybersecurity bots will do much of this work for us. Until that time, we need to remain aware, nimble, and vigilant—constantly learning and seeking to understand the best information security practices for our places of work, whatever our individual role.
Or, in the famous words of Agents Mulder and Scully, “Trust no one.”