Guest Blog by TreeSolution Consulting: 5 tips on cybersecurity. Happy Cybersecurity Month!
To kick off cybersecurity month, we are proud to present the insights of TreeSolution Consulting, a global leader and pioneer in cybersecurity consulting that was founded by Dr. Thomas Schlienger for companies who want to intelligently improve their information security posture.TreeSolution is a longtime partner of Hoxhunt. They have amassed an outstanding track record of helping companies build information security awareness guided by Dr. Schlienger’s visionary, science-based training methodology. Dr. Schlienger believes that employees are the key to security, and organizational awareness will flourish with firm cultural anchors established at all levels of the organization. TreeSolution helps clients build measurably effective security cultures, supported by awareness campaigns and aligned with business goals.
Cyber Security Month—5 cybersecurity tips
Cyber threats are rapidly increasing every year. According to McAfee (1), the global cost of cybercrime in 2020 was around $ 1 trillion. This is an increase of more than 50% compared to 2018. In cyberattacks, companies or individuals are maliciously attacked by individual hackers or groups of hackers over the Internet in order to obtain data, information, or money.October marks the beginning of the annual European Cyber Security Month. It aims to make states, companies, and individuals more aware of the dangers of cybercrime, and of ways to stay protected.Cybersecurity month is a great opportunity to shine a light on five selected information security areas to watch out for. And how to stay safe!
What are cyber threats and cybersecurity?
Cybersecurity refers to technical as well as organizational measures to protect IT infrastructure and organizational data against malicious attacks. This includes the protection of computers, networks, servers, smartphones, and smart devices, but also data protection and information security.There are three types of cyber threats:
- Cybercrime: attacks on systems to make money or to disrupt business operations.
- Cyberattacks: these are mostly politically motivated information gathering.
- Cyberterrorism: attacks on electronic systems to spread panic and fear.
All threats are composed of the same types of attack. The spread of malware—viruses, Trojans, spyware, adware, ransomware, botnets—puts computers and systems out of service or damages them. SQL Injections enable hacking of databases to obtain information. Phishing is an attempt to obtain login and financial data as well as to find out personal information. Man-in-the-middle attacks intercept information between two parties, e.g., a computer and a network. In the case of denial-of-service attacks, networks or servers are flooded with data traffic so that the infected computer systems can no longer run, and companies are unable to function. Attack targets are typically governments and companies, but can also be private individuals.
How can you protect yourself from cybercrime as a company and also as a private person? On the one hand, technical protective measures are essential. On the other hand, our behavior has a decisive influence on the risk of becoming a victim of a cyberattack.
1. What's phishing and how you can protect yourself
Phishing emails are e-mails sent under fraudulent pretext by hackers, who try to obtain login details, bank and credit card details, or other personal information. As a rule, the goal is to make money with the data obtained or to gain access to systems. The emails often look deceptively real and appear to come from a legitimate source, such as your bank. Urgent calls to action entice users to click on links and enter their data.
It is therefore important not to click on links in emails, especially from unknown senders. Be wary of any request for login information. No reputable company will ever ask you to adjust your access data via a stored link or to disclose them by replying to an email. Also, be careful if you are asked to provide your credit card or bank account information.Watch out for misspelt, missing, or misaligned letters in emails and links. These are also indicators of phishing.
2. What's malware and how you can protect yourself
Malware, also known as malicious software, is software that can damage your computer, smartphone, or tablet or disable it entirely. Malware is mainly spread via the internet while surfing, downloading software such as email attachments, or via social media. Malware can also be distributed via USB sticks and other mobile data carriers. As with phishing, the motivation is mostly financial or industrial espionage. Hackers can also be politically motivated or want to damage a company's reputation.Viruses, Trojans, spyware, adware, and ransomware are forms of malware, and they are often spread via botnets.On the one hand, technical measures provide protection against malware:
- Keep your operating system, software, and apps up to date and always install the latest security patches.
- Install anti-virus protection.
- It is advisable for companies to use all-round protection software that analyzes the data in real time and closes security gaps.
On the other hand, users must also behave securely:
- Do not open any e-mail attachments from unknown senders and be wary if you do not expect an attachment from a friend. If necessary, ask the sender first for more information.
- Do not click any links that you are not certain are legitimate. Check links for misspelt, missing or replaced letters, for example, if the letter "O" is replaced by the number "0".
- Visit only secure webpages. You can recognize them by the small security lock sign next to the URL in the address line.
- Do not access the Internet via unsecured WLAN networks. It is best to use your mobile phone to generate a personal hotspot.
- Protect your private WLAN with a suitable password and create separate access for guests.
- Do not connect any unknown data carriers, USB sticks, or hard drives to your computer.
- Only download software that is authorized by your company or that is offered in the official app store.
3. What's social engineering and how you can protect yourself
Social engineering is a method in which fraudsters fake an identity in order to obtain information or to convince their victims to take a certain action. For example, they can pretend to be a help desk employee in order to persuade the victim to provide login data or to convince them to visit an infected website. Most of the time, social engineering is used to attempt to obtain login data, steal credit card or bank information, or gain access to IT systems. The more information that can be gathered about a victim, the higher the chances of success in an attack. Most of the information is found on the Internet, e.g., on company websites or in social media, but it may also come from public registers or the phone book.It is important that you never pass on internal or confidential information about yourself or your company to strangers. Passwords and access data should never be shared. Do not allow yourself to be pressured or persuaded to download a particular file or visit a given website. Read more tips on how to protect yourself from social engineering in our blog.
4. Secure password protection
Every day we have to enter passwords for our work or private lives in order to log in to systems. A well-chosen password is essential for protecting yourself against dangers from the Internet.If passwords are revealed, data can be manipulated or stolen. Hackers have special tools with which they can easily discover passwords if the passwords are not created according to certain rules.To ensure protection, a good, secure, individual password must be created for each application. Never use the same password for multiple systems or websites and never give your login details to anyone else. Otherwise, the passwords lose their effectiveness for protection. Always activate 2-factor authentication if the system allows it. This also increases security.Note the following points when creating a new password:
- It must not contain any personal information such as name, date of birth, license plate number etc. or username.
- The current NIST recommendation is to choose a password that is easy to remember, contains at least 16 characters and is made up of at least 4 existing words. If the password must be shorter than 16 characters, it should contain numbers, upper and lower case letters as well as special characters and ideally be more than 10 characters long.
- It cannot be found in a dictionary, and it does not contain sequences of numbers or letters (e.g., AAA, 1234, abcd, etc.).
The following tips can help you avoid having to write passwords down and make them easier to remember:
- Acronyms: use the first letter of every word in a sentence.
- Multiple words: combine at least four random words. You can add numbers and / or special characters.
- Password manager: use a password manager to create and manage passwords. Most password managers can also be combined with two-factor authentication. This means that you only have to remember one password instead of many.
5. Protection through training and awareness
Nowadays it is more important than ever that employees are trained on the topics of information security. Training courses should take place at regular intervals and ideally be coordinated with one another.Employees are the most important element of protection when it comes to cybersecurity. Use this element of defense by enabling your employees to recognize the dangers associated with the Internet and to behave correctly.The European Cyber Security Month is a good opportunity to train employees with a targeted campaign. Create virtual games, quizzes, e-learning courses, or events where employees can actively participate on site. The topic can also be brought to people’s attention with posters, intranet pages, or e-mails.In our blog posts we discuss how to plan and implement a security awareness campaign and how to successfully change the behavior of employees.
Dr. Thomas Schlienger, Dipl-Inform., is managing director and owner of TreeSolution Consulting. He has specialised in the subject of Information Security Culture, in particular on the questions of sustainability and measuring of Security Awareness. Since 2002 he has dealt with this subject, at first during his academic career, since 2005 with his own company. He has studied Business Informatics at the University of Zurich and has written his doctoral thesis about Information Security Culture at the University of Fribourg. Thomas Schlienger is an author of numerous professional and scientific publications, ISO 27001 Lead Auditor and lecturer at the Bern University of Applied Sciences and the Luzern University of Applied Sciences.