Five Ways to Protect Yourself Against Cyber Attacks
In the ever-expanding online world, cyberattacks are about as common as bank robberies in the Old West. While you can’t make your system foolproof, a few basic things can help deter would-be hackers, said Phil Richards, Chief Security Officer at LANDESK in a podcast interview this week.
“Any computer system that is available over the internet is vulnerable to something. Some systems are more vulnerable than others, but the only truly secure system is one that is not connected to the outside world,” Richards said. “Although usually, there’s someone who can get into any system, most of the time, most systems that have good basic security—the term from an IT perspective is ‘hardening’—are much, much more difficult to get into.”
Protecting your information is two-fold and looks at both what people share online—from social media posts to emails to shopping on retail sites to checking your bank information—and the devices they use to do it, such as phones, computers or tablets. The Center for Internet Security has a list of 20 controls based on industry best practices, Richards said, with the top five being the most vital and practical.
The first is getting an accurate inventory of devices and knowing what is on them from a data and software perspective. In an office, Richards said, this means knowing what devices are connected to the server or other company information, and what they have downloaded on them.
“You can’t protect devices unless you know that they’re there. That’s one of the more fundamental activities, just getting an inventory and knowing what’s on there,” he said.
Once an inventory is created, the second step is to ensure that those devices and that software get timely security patches as needed. Steps three, control what applications which users have use of, and four, carefully choose who has what degree of control and access in the system, are important from the standpoint of protecting the system as a whole—if a hacker were to access one device, such steps could prevent him or her from accessing vital company data, he said.
“You want to give users the access they need to do their jobs, but when fewer people can change things…you lower your risk and it makes it easier to defend,” Richards said, noting that the balance between security and allowing employees enough access to do their jobs can be a tricky one.
The fifth step is to exercise vulnerability management, Richards said, in which a system scan is performed to find weaknesses in the system’s security. Because of the way cyber security and hacking work, no one fix will completely protect a system, Richards said, so lots of smaller, overlapping security measures can cover the inevitable chinks in the armor.
“You can run [system scans] directly from the internet, you can purchase scanner software and run it that way. Some of them are fairly inexpensive; you can do ad-hoc scans for free. It’s a good way to see where your weaknesses are,” he said. “We have to protect everywhere that a hacker or a bad guy could get into because the one thing we don’t protect is the one thing they will find and they will get in. … Not one security thing is going to fix everything, so you have to kind of layer everything around so everything will get covered eventually.”
Beyond those basic steps, anti-virus and anti-malware software are good ideas, as are using email gateways and implementing data loss prevention systems. User training can also go a long way, Richards said, and for companies looking for a real test-run of their security, a third party or remote group affiliated with the company can hack systems and see what they’re able to get and how.
Security software and keeping devices up-to-date are useful on a personal level, as well, he said. Obsolete software, which is no longer supported by the developer and could put the device at risk, should be deleted, he warned. Ten exploits accounted for 80 percent of all hacks last year; three of those 10 were related to the now-obsolete Windows XP operating system.
“You want to make sure your systems are configured to make sure they’re receiving those updates,” he said. “That will take you quite far down the road in terms of being secure.”
People should also practice good email hygiene, Richards said, which includes typing in legitimate-looking links in fishy-looking emails rather than clicking on them.
Richards said when someone does believe their device has been compromised, their first impulse is often to check and make sure their accounts haven’t been used—by going to and logging in on their accounts. Doing this would only give a hacker that information if a computer really has been compromised, Richards said.
“It sounds kind of silly, but people get kind of panicky when they believe their system has been compromised,” he said. “Don’t do that.”
For his own security, Richards reports a possible breach on his credit cards about once a year, prompting his credit card company to send him a reissued card with a new card number.
“Since there have been so many breaches of retail organizations, if you travel a lot, it’s highly likely that your credit card information has already been captured by some nefarious people, and a quick, easy way to make sure that credit card number is of no value is to just cancel it and make that number is of no value,” he said. “What they steal is that actual number, so by changing the number, the old one is invalid and so doesn’t do anything for them anymore.”