Originally published on the Thomson Reuters Tax & Accounting Community Connect
by Joseph Raczynski
Our online connections can be downright frightening! The diabolical among us seize every opportunity to plunder our personal information. In fact, FireEye, a leading cybersecurity corporation, has some startling statistics to support this. When conducting an audit of 1,200 companies, they found that 97 percent of the organizations’ networks had been compromised—meaning that the vast majority of these businesses had malware sitting on their servers collecting internal information and sending it back out through the firewall to a remote locale. For most of these companies, it was at least 225 days before they realized a bad actor was sitting inside their network syphoning critical business data.
That’s the bad news. Here’s the good news: There are best practices and tools that will help protect your organization from hacks. Here are 10 that I recommend.
Create an email address for junk.
Use it for newsletters, online merchants, cable companies and mobile carriers. These companies will be or have already been hacked. More than likely, phishing emails asking you to click on links will come from this group. By creating a separate inbox for junk, you’ll know that most of the email in this account can be ignored or taken with a grain of salt, while communications from trusted accounts will be sent to a different email address (although still be cautious about clicking on links in your “trusted” account, as well).
Encrypt your hard drive.
This will protect your information if you ever lose your computer or phone. Essentially, an encrypted hard drive requires that you enter a password on the device as soon as it boots up. This is not the Windows or iOS sign-on. If the Windows or iOS sign-on is the first thing you see when you start your computer or phone from scratch, your device is not encrypted and is at risk.
Use a URL defense application.
If your company doesn’t already have one, encourage them to look into getting one. When you click a link, the software first routes it through a dedicated checking server that determines whether the link is safe. If the link isn’t safe, the application blocks the content from ever reaching your computer or phone.
Use a browser to identify fake websites.
If you don’t have a URL defense application, don’t click directly on an email link. Instead, open a browser and type in the company’s URL. This may be inconvenient, but many of the links embedded in emails connect to fake websites designed to download malicious software to your computer or phone.
Encrypt, encrypt, encrypt.
At some point, someone will break into your computer, phone, or network. Secure your documents, photos, and other important data beforehand by encrypting them in special encrypted folders. If hackers gain access, they will have to decrypt your important files—which isn’t easy.
Keep antivirus software updated.
While antivirus software has become a bit less effective, make sure yours is up to date and turned on. Many malware applications turn antivirus software off. If you see that your firewall or antivirus protection has been deactivated—usually there is a pop-up that will alert you—have your computer looked at by someone in IT.
Immediately update all software when prompted.
Some of the most recent attacks that have hit machines running Windows operating systems had patches that people put off for six weeks. Those debilitating viruses could have been prevented with a quick update requiring just a few minutes. Even better, turn on automatic updates for all of your applications.
Use a password management utility.
Look into an application like LastPass, which houses all of your passwords and randomly updates them for you so you don’t have to.
Make passwords more complex.
If you don’t use a password management application, create passwords that are actual sentences and vary them among your accounts. There are simple apps that can easily guess passwords, especially if they are short and don’t include a mix of letters, numbers, and symbols. A sentence password can look something like: MyMomW3ntT0HarvardIn1958! Just be sure to avoid including personal information in your passwords.
Authenticate, authenticate, authenticate.
If you have the option of two-factor authentication, choose the kind that uses an authenticator app such as Google Authenticator. These apps generate a new random-looking code every 60 seconds, which you enter after your normal login and password. Some services instead send a confirmation text message with a code to enter, but this is actually less secure than an authenticator app. Not all services offer this yet, but banks and email providers will increasingly do so over the next few years.
Finally, in meeting with one of my customers recently, the chief technology officer of a 3,000-person institution mentioned that there had been 12 million attacks on his organization over the last six months—many from foreign actors. His institution is not alone. Malicious cyberattacks will only continue to increase, so implement the tips above, and be mindful of what you are doing with your data to protect yourself.