Why You Should Care About Cybersecurity

It’s not only the IT professionals in your office who should be concerned with cybersecurity.

Any device can be breached

… and so you’d do well to understand how it can be done. Here are just some of the approaches.

Adware – a form of malware; this is software that contains and displays typically unwanted advertising material when you’re browsing the internet; it’s a revenue source for sites that do not charge user fees

Data leakage – unauthorized data transfer; can be done via technology, or can be as simple as someone watching you enter a password/other data on your computer/other hardware, and retaining information

Email, social media – messages may contain links or attachments that you don’t want to touch

Fraudulent/faux notifications – intended to result in you giving away money and/or information

Hardware theft – smartphones, iPads, laptops, netbooks, tablets, etc.

Laptops and other hardware – internal cameras or webcams

Malvertising – malicious online advertising; can appear in ads that display as pop-ups or banners

Personal devices – data leakage (see above) from your smartphone and other hardware

Social engineering attacks – done through exploitation and through pretext

Employees can be assets – but also digital risks

… and so you need to understand social engineering attacks. Fraud is nothing new. What is relatively recent is criminals’ expansion of their scope of operations from in-person and phone fraud (vishing) to also using email (phishing) and text messages (smishing) to conduct their activities. Social engineering attacks may be exploitative and/or rely on pretext.

Exploitative – of people or emergency situations; the criminal creates a sense of urgency/threat to solicit info/ money. A sampling: fraudulent parking violation/unpaid tax notices … account expiries/updates … solicitation of donations for people/communities experiencing flood, fire, earthquake or other emergency/health crises

Pretext – relying on bits of readily available information to establish a pretext that lulls a person into a false sense of security or readiness to give out personal information. Think of someone phoning you and identifying her/himself as the company’s internal auditor, or as someone from a government body or recruiting firm.

Cyber threats have evolved

… from targeting and harming computers, networks, and smartphones — to people, cars, railways, planes, power grids and anything with a heartbeat or an electronic pulse.

Here are some of the facts, and recent projections:

The US government has declared cybercrime a national emergency.

Criminals’ tactics are constantly evolving.

The average attacker is in a network for about six months before a company realises it. 

Some habits you’d do well to avoid

Think about a typical week, and how frequently you access emails or browse the web.

Consider whether you’re inadvertently exposing yourself or your organization to risk, through any of the following.

Clicking on unknown links or opening attachments, not from a trusted source

Banking on public Wi-Fi networks

Leaving portable hardware in the open when you’re not at your desk

Leaving your screen exposed

Sharing your business laptop

Sharing your passwords

Shopping on public Wi-Fi networks

Using the same password on multiple sites or accounts

Using personal information – your name, special dates, or family members’ names or birth info – in passwords

Inserting or updating a numerical extension to your existing password when you’re prompted to create a new one

How you can be proactive

You don’t need to panic; you simply need to be aware, and mindful.

There are a number of steps you can take to reduce risks; here are just a few.

Androids, smartphones, iPads: routinely check notifications and update your IOS/OS/MOS (operating system)

Enquiries: verify identification and legitimacy of parties seeking information/money from you

Mindfulness: Be aware of people entering office space alongside or behind you; are you unintentionally helping someone gain inappropriate access?

Office hardware: lock away in a secure place when not in use/you’re away from your desk

Personal hardware: install browser, security updates as they become available

Web cams, laptop cameras: cover them when not in use

Switch from passwords to passphrases where possible: Think of a phrase, and feel free to include spaces between words. Aim for 15+ characters, including a mix of symbols, punctuation and upper/lower case.

Test the security of your password/passphrase: There are sites that do just this, providing estimates of how quickly a computer could “crack” your passphrase. Security.org's How Secure Is My Password? tool is one such site. Before you try this: Ask your IT team for its recommendations on such sites.

Securely store password/passphrase info: Research and use an app or other secure resource to safely store your passwords/passphrases

Safe browsing: use secured Wi Fi networks for your browsing and shopping

Use separate passphrases for each account: at a minimum, have distinct ones for work and personal use

Discuss cybersecurity education with your executive/principal

Practices in place at proactive organizations

Communications – between the C-Suite and IT/employees/ Board of Directors; strategic CIO at “head table”

Controls – in place, and regularly tested

Cybersecurity incident principles – with pre-established protocols that people understand (what steps are to be taken, and by whom)

Employee education – with people trained to recognize phishing and other social engineering scams

Incident response tabletop exercises – emergency simulations

Informed boards – with “nose in; fingers out” of technology systems, protocols, and security

Network Penetration testing – and follow up

Policies – including BYOD (Bring Your Own Device) and communication of risks

Regular data backups, updates and patches

Restrictions – application of “Least Privilege” principle when it comes to software downloads

Risk Registers / Enterprise Risk Management (ERM) – prioritization of technology security

Grow your cybersecurity vocabulary

Adware: a form of malware (see below) that displays advertising material when you’re browsing the internet

Browser hijacking/hijackware: malicious code that modifies the settings on your browser, without your consent; it may redirect you to a new home page and/or advertising, or install other software

Cybersecurity: Measures (technology, practices and processes) taken to protect data, networks, programs and hardware from unauthorized access or attack – includes application, information, disaster and network security

Cryptocurrency: a digital currency that is reliant on encryption/cryptography for its security; not issued by a bank or central authority, the encryption is verified in order to transfer funds. The bitcoin is one example.

Decryption key: digital information; in this context, a password used to restore access to one’s computer/network after payment of ransom (often by bitcoin)

Hacker: someone who uses technology to gain unauthorized access to data

Keyboard/Keylogger/Keystroke Logging: the use of malicious software to record a person’s keystrokes on their keyboard, enabling the criminal to access a person’s log-in details, codes and other data. May be introduced, for example, on a USB stick installed in someone’s hardware.

Malvertising: malicious online advertising; can appear in ads that display as pop-ups or banners

Malware: software/code that is designed with malicious intent; it creates data breaches and uses encryption to make your network/systems unavailable. Samples: adware, bots, bugs, rootlets, spyware, ransomware, Trojan horses, worms. It can impact a single computer, or multiple computers and an organization’s network.

Ransomware: malicious software (malware) used to infect computers; it restricts access to files and sometimes threatens permanent destruction of data. If infected, you’ll find your network/systems inaccessible; your technology is held ransom. Payment is typically by bitcoin (see above).

Shadow Brokers: a group of hackers that has attempted to sell what it identifies as National Security Agency (NSA) source code, and leaked data allegedly from the NSA

Social engineering attacks: attacks that rely on either exploitation or pretext to gather info/money; these may come by email (phishing), text message (smishing), phone call (vishing) or in person

Spam: unwanted, irrelevant “junk” email, typically sent to a large number of recipients and typically for the purpose of advertising, phishing or otherwise spreading malware

Spyware: software used to gather and send personal information from a computer, without the user’s knowledge

Tailgating: an individual following an employee into an area in which s/he does not belong; the tailgater may be dressed as a delivery person, or like many of your colleagues. S/he gains access by walking with or behind you through hallways and doorways as though they have every right to do so.

About the Author: Shelagh Donnelly educates and inspire assistants on topics ranging from meetings and minutes to business acumen, cybersecurity and working with boards. She helps assistants nurture their adaptability, productivity and resilience in order to enjoy the career and continue to add value even as roles evolve. An international speaker, Shelagh worked with C-level executives for more than 25 years and is recognized for her governance expertise. Shelagh founded her globally read Exceptional EA website in 2013, and is the author of the upcoming book, The Resilient Assistant.   

This article first appeared in Exceptional EA, a globally respected professional development resource for administrative professionals. Visit https://exceptionalea.com/ to find out more and tell her we sent you!