There is no question that 2014 has been a most eventful year for InfoSec – and that’s not necessarily a good thing. Data breaches, malware attacks, compromised Point-of-Sales systems, more data breaches. And of course – the Sony hack. A lot of painful lessons have been learned, many at high cost. So as the year draws to a close, let me present my Top 10 List of what I hope we learned from this year of events we wish we could forget.
1. PATCH IT. Patch it good! System software patches are an integral part of keeping your business, and yourself, safe. Windows, Linux, Adobe, Oracle to name a few, all offer regular patches to cover those vulnerabilities that leave them exposed to hackers looking for a way in. Ideally, you should have a regular ie monthly schedule where patches are checked and updated. Another thing to remember: test patches before you apply them. Microsoft has had two terrible months in a row issuing then recalling bad patches, but not before inflicting some major headaches on those who already applied them. http://www.darkreading.com/application-security/time-to-rethink-patching-strategies/a/d-id/1318256?_mc=RSS_DR_EDT&utm_source=dlvr.it&utm_medium=twitter
2. THINK before you click that link. Phishing and malvertising have reached prolific levels, and are designed so well it’s easy for everyone to fall for the bait. The onus is on us to be certain we know and trust the sender before we open attachments or click on links. Visiting popular websites or social media hopping is an open invitation to a nasty case of malware because many of these destinations have now become choice phishing holes. Don’t get lured in. http://www.esecurityplanet.com/malware/dridex-and-email-a-nasty-social-engineering-team.html
3. Pass on that Password. This is your first and your best defence to secure anything of value. Here is how to do it right. Ideally a length of 16 characters, with a mix of upper and lower cases, including numbers and special characters. Oh – and take a tip from Sony. Don’t file under “Passwords”. http://www.wired.com/2014/09/dont-get-hacked/?linkId=9521469
4. AntiVirus Protection. There are a range of options, and many good SOHO programs are even free, though I would strongly encourage paying more to invest in additional protection against cyber threats. And yes – you definitely need to have this on your phone & tablet. Mobile devices are targets of choice. Given how much of our lives we keep on our phones, why would you put that at risk? Finally, don’t rely on out-dated or lapsed programs. In the constantly evolving world of malware and viruses, yesterday’s solutions won’t cut it. Always keep your AV updated.
5. Breach Protocol 101. If you get breached, handle the situation correctly and professionally. Your customers deserve the decency of being informed as soon as possible to protect themselves and take appropriate action. As in the case of Home Depot, don’t make customers wait for the bad news. Because you can’t put a price on trust and reputation. http://www.theglobeandmail.com/report-on-business/international-business/us-business/home-depot-shares-drop-after-chain-investigates-data-breach/article20308768/?cmpid=rss1&click=sf_rob
6. Secure your SOHO tech. Especially routers. Update, upgrade.
7. WiFI Hotspots: Use with extreme caution! In this holiday season of travel and shopping, convenience may be king but letting your guard down isn’t worth it. Secure your tech first – ‘Free’ comes with a price http://www.onguardonline.gov/articles/0014-tips-using-public-wi-fi-networks
8. Things aren’t so fantastic when you pay in plastic. This year has proven repeatedly that credit cards are not secure. But given that so much our retail and online world run on plastic, what can you do to stay safe? For starters, Always Check Your Statements. Be in charge of your accounts and know everything coming or going. Secondly, cover the keypad when you enter a PIN anywhere. Because there really are “eyes in the skies” that are waiting for you to enter the magic number.
9. You get what you paid for. When you buy pirated software and 3rd party apps, you often get a free gift-with-purchase, but trust me, it’s one you don’t want. Malware, browser hijackers etc. It’s a headache to huntdown and then remove these nuisance products. You’re better off paying for the real deal. http://www.scmagazine.com/pirated-joomla-wordpress-drupal-themes-and-plugins-contain-cryptophp-backdoor/article/385552/
10. Best for Last. HAVE A PLAN. When it happens – and it will – have a real Disaster Recovery/Business Continuity plan in place. According to exper Dejan Kosutic, “It is the combination of people and technology that keeps a business running, not computers only, and this is exactly why the concept of business continuity has prevailed in the last couple of years.” According to CISCO, “60% of Canadian businesses either don’t have a security strategy in place, or don’t know if their current one accounts sufficiently for change and evolution to effectively meet threats.” http://www.itworldcanada.com/article/majority-of-canadian-firms-not-prepared-for-cyber-threats-cisco/100226
And on that cheery note, let me wish you all a safe and successful 2015!