Stop using passwords. Start using these

It used to be that a super short, super cryptic password was the bee’s knees at keeping people out. Of course, these types of passwords kept us out, too, because we could never remember them!

Unfortunately (or fortunately, depending on how you look at it), short passwords like these aren't much more than a speed bump for an attacker these days: modern password-cracking hardware tries billions of guesses per second against common password hashes.

 

Today, use a passphrase instead of using a password.

The difference is in the name. A password is generally just a single word: short and to the point.

A passphrase is a phrase made up of multiple words chosen at random, with spaces or other special characters or punctuation you like.

But, a passphrase includes words! I thought that wasn’t allowed?

Ok, I am going to confuse you for a second here. Words still aren’t cool in a password.

When it comes to a passphrase, however, things are a little different. Because you string together many words to make a passphrase, and each of those words is chosen at random, the number of possible combinations becomes so large (and the passphrase so long) that it offsets the weakness of using words.

 

Ok, so how do you build a passphrase?

At its base, a passphrase is at least six randomly chosen words with spaces or other special characters in between.

How you choose those words is up to you; however, they must be random.

One method we recommend for choosing these words is Diceware, a technique developed by Arnold G. Reinhold: you roll five dice, read the five digits as a number, look that number up in a list of 7,776 words, and repeat for each word you need.

It creates passphrases that are easy to remember but extremely difficult for attackers to crack, because every word is an independent, uniformly random pick from the list. (If you'd like more information on how to use the Diceware method, you can find more information on this page.)

 

Why six words?

We start with a minimum of six words because that many words usually produces a passphrase of 17-20 characters or more, and because the strength comes from the random choice rather than from the letters themselves: six words drawn from a 7,776-word Diceware list give about 77 bits of entropy (roughly 2^77 equally likely passphrases), which, as of 2019, is far beyond what an attacker can try by brute force even if they know you used Diceware and have the same list.

No matter which method you use to choose your random words, it is possible to end up with a 6-word passphrase that's shorter than 17-20 characters. If this does happen to you, it's best to start over until you create something with 17-20 characters or more.

Of course, if you want to use more than six words, you are free to do so! More words would mean an even stronger passphrase.
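The procedure above (roll dice, look up words, check the length, regenerate if it is too short) as a small Python script. This is an added example, not code from the article or from Arnold Reinhold's Diceware materials. The word list embedded here is a constructed 32-word stand-in, so the entropy it reports is honest for that list (30 bits for six words) but far below the roughly 77.5 bits you get from six words out of a real 7,776-word Diceware list; the `dice_to_index` and `entropy_bits` helpers show where the real figure comes from.

```python
import math
import secrets

# Constructed demo word list. A real Diceware list has 7,776 entries; the
# entropy figures below scale with len(word_list), so this tiny list is only
# here so the script runs stand-alone.
DEMO_WORDS = [
    "apple", "bridge", "candle", "dragon", "ember", "forest", "glacier",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "anchor", "basket", "cobalt",
    "dune", "falcon", "garnet", "hollow",
]

DICEWARE_LIST_SIZE = 6 ** 5  # 7,776: every combination of five dice


def roll_dice(count=5):
    """Roll `count` fair dice with a CSPRNG; returns digits such as '41263'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def dice_to_index(rolls):
    """Map five dice digits ('11111'..'66666') to a 0-based index into a
    7,776-word Diceware list. Real lists are keyed by the digits directly;
    this is the same ordering read as a base-6 number."""
    if len(rolls) != 5 or any(d not in "123456" for d in rolls):
        raise ValueError("need exactly five digits in the range 1-6")
    index = 0
    for d in rolls:
        index = index * 6 + (int(d) - 1)
    return index


def entropy_bits(list_size, n_words):
    """Entropy of n_words chosen uniformly and independently from list_size.
    log2(7776) is about 12.9 bits per word, so six words give about 77.5."""
    return n_words * math.log2(list_size)


def generate_passphrase(word_list=DEMO_WORDS, n_words=6, min_chars=17,
                        separator=" ", max_attempts=100):
    """Pick n_words uniformly at random and join them. Following the article's
    rule, a result shorter than min_chars is discarded and regenerated.
    secrets.choice (not random.choice) so the picks are unpredictable."""
    if len(set(word_list)) < 2:
        raise ValueError("word list is too small")
    for _ in range(max_attempts):
        words = [secrets.choice(word_list) for _ in range(n_words)]
        phrase = separator.join(words)
        if len(phrase) >= min_chars:
            return phrase
    raise RuntimeError("could not reach min_chars; use more or longer words")


def describe(phrase, word_list=DEMO_WORDS, separator=" "):
    """Return (word count, character count, entropy bits) for a passphrase
    generated from word_list by generate_passphrase."""
    words = phrase.split(separator)
    return len(words), len(phrase), round(entropy_bits(len(word_list), len(words)), 1)


if __name__ == "__main__":
    p = generate_passphrase()
    print(p, describe(p))
    print("six real Diceware words:",
          round(entropy_bits(DICEWARE_LIST_SIZE, 6), 1), "bits")
```

Rejecting results shorter than 17 characters throws away only a tiny corner of the space, so it costs almost nothing in entropy; what would cost you is choosing the words yourself, which `secrets.choice` is there to prevent.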

 

A few things to keep in mind

If you don’t use the recommended number of words in your passphrase, or the total comes to fewer than 17-20 characters, then the passphrase is too short, and the weakness of using words becomes a real problem.

It’s essential to keep things random. If you use phrases or words that go together, your passphrase becomes much more guessable: common phrases, song lyrics and quotations are exactly what attackers’ wordlists already contain.

 

Wrapping it up

How do you create your passwords? Your action item here is to evaluate how you could generate stronger passwords.

Try creating some passphrases and see if these will work for you. If you’re worried about remembering your passphrases, don’t be. Next, we will have a tip for you on how to remember your passphrases!

 

Interested In More?

Join our newsletter to learn more and get regular updates! Did we mention it's free?

CLICK HERE TO SIGN UP!

Finally, the best way to backup data

One of the best ways to protect yourself and your business against many cybersecurity incidents is backing up your data.

If you read the previous article, you would have learned some of the most common things people do wrong when it comes to backups.

This week, I wanted to help you further improve your backups by sharing the strategy I think is the best way to backup data.

 

What is this strategy?

The strategy I use is what I call the 3 2 1 backup plan. If you’ve read about how to back up data before, you may have heard of it. However, I’ve updated it in several places due to the cyber risks we face today, specifically the emergence of ransomware.

The 3 2 1 backup plan goes like this:

3 2 1 Backup Strategy

 

Have at least three copies of your data

Initially, this can seem like a lot of work. Why wouldn’t one copy be perfectly fine? Well, it might be, sort of, but not for long.

One copy will achieve the goal of backing up your data. This is true. However, it won’t make for a quality and resilient backup.

That’s because it still leaves you vulnerable to data loss. If anything happens to that one copy, such as the hardware dying, someone breaking or misplacing it, or a flood taking it out, you stand to lose it all.

 

Store at least two of these copies on different storage media

Not all types of storage media are created equal, and they don’t last forever. They all have different failure rates and expected lifetimes. (For expected lifetimes of various media, check out this neat infographic)

To make things even more complicated, how often you use them, how you handle them, and how you store them can also affect how long they’ll last. Then, of course, there is the issue of getting a bad batch of media that fails out-of-the-blue, leaving you without access to your data.

The idea is that you don’t want to put all your eggs in one basket. Just like how you wouldn’t invest all your money in a single stock, diversifying your backups across different types of storage media hedges against losing everything if one kind of media fails or becomes unrecoverable.

One new type of storage media (which can be referred to as a storage solution as well), is cloud storage. Cloud storage is becoming increasingly popular and can be a cost-effective and easy solution to backup your data. 

The primary con to point out here is that the cloud is just someone else’s computer. You don’t control that backup or your access to it. There is always the chance it’s unavailable, or completely gone, in the event you need it. 

Two other cons to point out: depending on the provider, your backup could still be vulnerable to ransomware (more on this below), and if you lose your Internet connection, there isn’t a way to retrieve your backup.

 

Keep one copy off-site and offline

Having your backups close at hand is great if you need to restore something quickly. However, they don’t do you any good if you suffer a flood, fire, or theft.

An off-site copy will ensure that no matter what happens to your primary work environment, you still have a copy you can use to recover. 

This is even more important for those who don’t have a permanent office or are continually traveling (such as consultants) — moving about increases the risk of accidents, forgetfulness, and theft, resulting in the loss of not only your laptop or devices but their backups as well.

 

Why off-site and offline?

If you’ve heard of the 3 2 1 backup plan before, you might recognize that there is usually one backup off-site, and that’s it.

The reason this needs to be updated is the risk of ransomware. It’s common to use cloud storage or another office’s computer systems to store a copy and call the off-site requirement met.

However, a copy in cloud storage or on a computer in another building is still online: anything that can reach it over the network, including ransomware running with your credentials, can encrypt or delete it. Only a copy that is physically disconnected (an external drive in a drawer, a tape off the shelf) is out of its reach.

I’m also not saying here that you shouldn’t use cloud storage or backup solutions. The cloud can be a cost-effective and easy way to back up your data. However, many cloud storage services work by syncing a folder on your computer.

This behavior makes it possible for ransomware to encrypt the files in that folder, and for your cloud storage software to dutifully sync the encrypted files to the cloud, overwriting the originals and rendering the backup useless. Some services keep earlier versions of each file for a limited time, which can help, but a synced folder is not a backup in its own right, so don’t count on it as your only off-site copy.
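The failure mode above, a copy that still exists but has been silently overwritten, is exactly what a sync client will not tell you about. A simple defence is to record a SHA-256 manifest when the backup is made and verify the copy against it before you rely on it (or before you rotate it onto the offline drive). The following is an added example in Python, not a script from the article; the file names, the 50% "mass change" threshold and the simulated encrypt-and-rename in `demo()` are all constructed for illustration.

```python
import hashlib
import os
import secrets
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest.
    Store this alongside, but not inside, the backup it describes."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifests(expected, actual):
    """Report what differs between a stored manifest and a freshly built one."""
    changed = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    missing = sorted(p for p in expected if p not in actual)
    added = sorted(p for p in actual if p not in expected)
    total = len(expected)
    touched = len(changed) + len(missing)
    return {
        "changed": changed,
        "missing": missing,
        "added": added,
        "touched_ratio": touched / total if total else 0.0,
    }


def looks_like_mass_overwrite(report, threshold=0.5):
    """Heuristic (threshold is an assumption): if more than `threshold` of the
    files in the copy changed or vanished since the manifest was written, treat
    the copy as overwritten (ransomware, a bad sync, a failing drive) rather than
    legitimately updated, and do not trust it or let it propagate further."""
    return report["touched_ratio"] > threshold


def demo():
    """Constructed scenario: three files are backed up, then two are overwritten
    with random bytes and renamed, which is how an encrypted folder looks to a
    sync client. Returns the verification reports before and after."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("invoice.docx", "ledger.xlsx", "notes.txt"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"original content of " + name.encode())
        manifest = build_manifest(root)
        clean = compare_manifests(manifest, build_manifest(root))
        for name in ("invoice.docx", "ledger.xlsx"):
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(secrets.token_bytes(64))  # stand-in for ciphertext
            os.rename(path, path + ".locked")
        after = compare_manifests(manifest, build_manifest(root))
        return clean, after


if __name__ == "__main__":
    clean, after = demo()
    print("before:", clean, "suspicious:", looks_like_mass_overwrite(clean))
    print("after: ", after, "suspicious:", looks_like_mass_overwrite(after))
```

Run the verification against each of your three copies, not just the one on your desk; the offline copy in particular should be checked when it is plugged in, before anything on the live system gets a chance to write to it.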

 

Implementing the 3 2 1 backup plan

The 3 2 1 backup plan is a great way to ensure your valuable business data is available. However, like everything else in life, it’s not perfect.

The best way to implement it is first to take the 3 2 1 backup plan and combine it with the recommendations from this article. Then, tailor it to what will work best in your business, create your processes, test that you can actually restore from each copy (a backup you have never restored from is an untested assumption), and start backing up.

 

Conclusion

You invest a lot in your business. Investing the time, energy, and capital into implementing a robust backup method is like investing in an insurance policy for your files. Ensuring that when a disaster or accident does strike, you can restore and resume operations as quickly as possible without losing your critical data.

Are you using the 3 2 1 backup plan to backup your files? If so, leave a comment below and let me know how it’s working for your business!


Solve the top cybersecurity risk by doing this one thing

Do you know what the top cybersecurity risk for many organizations is?

If you said patching, vulnerability management, or email, you’d be wrong.

The top cybersecurity risk for many organizations is the human factor. 

Yet, for many organizations, working on the human factor and embedding cybersecurity into your people’s decision-making process is always left for “another day.”

 

Why should you build a culture of cybersecurity?

 

In cybersecurity, we’re used to being reactive. Cleaning up a malware infection, regaining control of an account that an employee gave away the credentials for, the list goes on.

A culture of cybersecurity is all about being proactive. Just like we’re used to doing in our safety culture.

What if employees were empowered to think cyber-secure before they act, never compromise cybersecurity for quick results, and apply cyber-secure practices in every task completed?

Would this proactive approach give you better confidence that your business is cyber-secure?

If you’re still on the fence, consider this:

Proofpoint, a cybersecurity and compliance company, found in its 2019 Human Factor report that 99% of the cyber attacks they analyzed required human interaction to execute.

That means that of the attacks they analyzed, only 1% didn’t require someone in the organization to take some action. Imagine if we could stop just some of these actions. Would that reduce our risk?

By encouraging employees to report unsafe cybersecurity practices, we can also reduce the risk of internal threats. Those were climbing in 2018 too: 54% more organizations recorded a growth in insider threats that year (ENISA Threat Landscape Report 2018).

 

We’re not talking about just writing a policy and having the CEO promote it at the quarterly town hall. 

 

We’re talking about working to ensure everyone includes cybersecurity in every decision they make.

That includes everyone from the CEO, down to the front-line workers.

Encourage the cyber secure and cyber-safe behaviors you see and take action to implement corrective actions for the cyber-unsafe practices you also see.

 

Leadership modeling cybersecurity solidifies buy-in.

 

One common misconception is that cybersecurity is just for the “workers.” In reality, everyone in an organization plays a part in the organization’s collective cybersecurity.

Any effective culture stems from employee buy-in. However, to achieve that buy-in, employees need to feel that the desired outcome is believed and practiced by leaders in the organization.

Leaders are the ones who set the tone in an organization. They model what is acceptable and valued. In other words, you need to practice what you preach: if leaders require employees to practice good cybersecurity behaviors, then leaders should as well.

Understanding this from the executive level will remove the barriers in promoting and enforcing the culture change and demonstrate that doing work in a cyber-secure manner is a priority from the top down.

 

Why should I start from the top? Why can’t I delegate building a culture of cybersecurity?

 

Many organizations delegate the task of cybersecurity to a team within IT. From there, that team will implement the “task” of increasing the organization’s awareness of cybersecurity through usually one yearly awareness training exercise.

The issue with this approach is that cybersecurity becomes a compliance task: quickly complete the yearly training module, and then it’s back to the old habits.

It shouldn’t be a surprise that cybersecurity is a process of continuous improvement, just like other organizational issues such as safety. Why not continuously monitor and promote good cybersecurity behaviors year-round, and reinforce those that are going to protect your employees and your company?

Not only that, but cybersecurity needs to be taken into account in all decisions, with coaching from the top down. Having everyone from the executive level to the front-line workers participating ensures there are no gaps leaving you vulnerable.

 

How can I begin creating a culture of cybersecurity in my business?

 
Develop a system to encourage positive cybersecurity behaviors and correct negative behaviors

It can be built effectively using the same approach as a safety program. Encourage the cyber-secure and cyber-safe behaviors you see, and discuss the practices that are not, along with the corrective actions.

 

Include cybersecurity in performance reviews

Document how actively employees practice good cybersecurity behaviors in their daily work within their performance reviews, and include KPIs to measure it.

Different than the usual generic compliance training, this allows the employee and their leader to identify specific gaps and find training specific to those topics.

 

Provide mandatory cybersecurity training for new hires.

Not everyone that comes into your organization is going to have top-notch cybersecurity skills. Including cybersecurity in new-hire training can help ensure all employees start at a baseline. It is also the first place where you can educate on how to report suspicious behavior or incidents, and get help.

 

Implement cyber-safety moments

Do you have safety moments at the beginning of your meetings? Encourage the addition of cyber-safety moments.

What’s critical here is to provide a plentiful supply of ready-made cyber-safety moments for your employees to use. The easier you make it for people, the higher the probability it will catch on.

Plus, they’ll still be learning even if they didn’t come up with the cyber-safety moment.

What are some cyber-safety moments you could write?

  • Basic hygiene (Examples are: passwords, emails)
  • Examples of publicly-reported breaches or near-misses in your industry, or related industries
  • Success stories in avoiding breaches or cyber incidents due to the action of employees in your business reporting suspicious activities or practicing cyber-safe behaviors
 
Mentor top-level management and business leaders

As we’ve mentioned above, culture change starts with everyone living and breathing it, from the top down.

Educate management and leaders on good cybersecurity behaviors. Actively mentor them on implementing these behaviors in their daily work and mentoring their direct reports to do the same.

 

Summing it up

 

If you’re looking to start combating the top cybersecurity risk of the human factor in your organization, developing a culture of cybersecurity is one way to work towards it.

Have you developed a culture of cybersecurity in your business?

 


3 Mindset Shifts to Improve Your Cybersecurity

I’m sure it’s not surprising that cybersecurity isn’t a destination, but a process of continuous improvement that’s always evolving.

If cybersecurity is constantly evolving, then how could we possibly learn how to keep ourselves cyber secure?

By using a mindset shift.

Shift away from looking at cybersecurity as a task to be completed or a problem to be solved, and towards a continuous process of analyzing whatever situation we find ourselves in along the way and making the best cybersecurity choices.

Does that seem crazy?

Mindset shifts to improve your cybersecurity? Doesn’t make much sense, right?

Think about your personal safety in the real world. Do you put a lock on your front door and call yourself safe? Or do you analyze whether it’s safe to cross the street, make that left turn in your car, or jump off that cliff into the lake below?

Some of this analyzing might be second nature or subconscious, sure. But you’re still analyzing each situation and making a call based on the safety risks you find.

The goal is to begin doing the same for cybersecurity and shift our mindset to thinking this way.

There are three mind shifts we need to make. What exactly are they? Let’s look at them below:

 

Mind Shift #1: Stop thinking of cybersecurity as tools and methods

Most of the traditional cybersecurity advice includes what tools and methods you should be employing right now. Tools such as Antivirus or Multi-Factor Authentication and methods such as how to identify phishing emails are all important.

While these are good right now, at the end of the day they’re all solutions designed to reduce certain cyber risks. They’ll also change as technology or your situation changes.

How do you know how many tools and methods you need, and which ones are applicable to your situation? How do you know how much security is acceptable?

The first mind shift is to understand that cybersecurity tools and methods are solutions that reduce certain risks, just as flu shots reduce your chances of getting the flu and seat belts reduce your chances of being seriously hurt in a car accident.

 

Mind Shift #2: Start thinking of cybersecurity the same way we think of safety

You wouldn’t leave your home with the front door unlocked, leave your tax returns or personal documents in a public place, or cross the street without looking to ensure it’s safe to do so. So why would you do that on the Internet?

Just as we evaluate each situation we find ourselves in to ensure we’re safe in the real world, we need to shift our perception of cybersecurity. The old idea is that because we can’t “see” the risks, we don’t need to worry about them. The new idea is that even though we can’t “see” any cyber risks, they are still there, and we need to be able to identify them for ourselves.

 

Mind Shift #3: Not everyone has the same risk or cybersecurity needs

While everyone has the potential to be a victim of cybercrime, the more we share, communicate and integrate our lives and businesses with the internet the more we open up ourselves to the risk of being caught up in cybercrime.

While for most of us the risk is manageable, there are many factors which can increase your risk level and make you a more appealing target to cybercriminals. Some of those factors include:

      • Wealth
      • Business Status
      • Publicity, Fame or large social media followings
      • Frequent travel
      • Internet-connected technologies or Internet of Things (IoT) devices
      • Business or domestic employees

The traditional cybersecurity advice intends to cast as wide a net as possible and secure the most people possible. The goal of the third mind shift is for you to understand what your personal situation is, and what in your life might be exposing you to cybersecurity risk. Then you can employ the tools and methods that reduce the risks most applicable to you.

Of course, the list above isn’t exhaustive. It’s meant to get you thinking and considering all aspects of what could impact your cybersecurity, both online and offline.

So, how can we shift our mindset? Stay tuned for our next post!


Don’t Let Your Connected Devices Ruin Your Holidays

Ah, December.

It’s the time of year when we go out and buy our friends, family and even ourselves (You know you’ve done it!!) brand new computers, phones, and *insert gizmo here*.

Connected devices, wearables, drones, and so many other tech gadgets are all making the holidays much more fun.

However, if not configured or set up correctly, these devices could put your personal security and privacy at risk. They could even expose important personal and financial information.

Default credentials

Many of these devices are shipped with default usernames and passwords. That default combination is known to the manufacturer and its support staff, is often printed in documentation posted on the Internet, and ends up in the credential lists that automated attacks try first.

Yikes. Because of this, it is important to change the default password and, if you can, the username as well.

If the device will let you use a passphrase, even better. This makes it much harder for anyone who gets onto your home network, or who finds the device accidentally exposed to the Internet, to log in.

If your device also connects to the cloud or has an online component (i.e. you log into the manufacturer’s website to use it), it’s a good idea to change that password as well, and to turn on multi-factor authentication if it’s offered.

Default configurations

Normally the default configuration these devices ship in is ready for you to use immediately. This means that anything standing between you and the shortest setup-and-go has been turned off.

Often that includes the security features, which are turned off or left optional. It’s a good idea to acquaint yourself with all the features of your new device, security and otherwise, so you understand what each one means for your personal security and privacy when it is turned on or off. Then decide which ones to turn on.

Some devices will also include administration portals or some advanced network administration tools. If you don’t have any intent to use these, turn them off. This will ensure an attacker can’t use them.

Connected directly to the Internet

Most connected devices out there aren’t meant to be connected directly to the Internet.

It’s easy to assume that when you plug the cable into your Internet router or connect the device to your home WiFi that it is only accessible to your home network.

Have you ever actually checked?

It’s important to understand what Internet access your device actually needs and make sure your router and network are configured accordingly: remove any port forwarding or other settings that aren’t required, and turn off UPnP on the router if you don’t need it, since it lets devices on your network open ports to the Internet on their own.

If your device is accidentally left accessible on the Internet it could be easily accessed or hacked. This could expose important personal and financial information, be used as a gateway to access or hack other devices or computers in your home, or be used as a staging ground to hack others.

Two things that can also be overlooked here. First, ensure you’re using a strong passphrase or password on your wireless network. A weak one will only put your connected devices (and everything else on your network) at risk.

Second, do not put your devices on a public WiFi network, or on a guest network you share with strangers. Where devices are concerned, these networks can be just as bad as the Internet.
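“Have you ever actually checked?” is worth answering with a tool rather than a guess. The script below, an added example in Python and not something from the article, tries a TCP connection to a handful of ports that consumer devices commonly listen on and reports which ones answer. The port-to-service names are the standard assignments, not a claim about any particular product, and the half-second timeout is an assumption. Run it from inside your network against the device’s LAN address to see what the device exposes; to check whether it is reachable from the Internet, run the same check from outside (a phone on mobile data, for example) against your public address, or look at your router’s port-forwarding and UPnP pages.

```python
import socket
import threading

# Standard port assignments that consumer devices commonly listen on.
COMMON_DEVICE_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https",
    554: "rtsp", 1883: "mqtt", 8080: "http-alt", 8443: "https-alt",
}


def open_tcp_ports(host, ports, timeout=0.5):
    """Return the sorted subset of `ports` on `host` that accept a TCP connection."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means the handshake completed
                found.append(port)
    return sorted(found)


def report(host, ports=COMMON_DEVICE_PORTS, timeout=0.5):
    """One line per open port, e.g. '23/tcp telnet', for a quick read-out."""
    return [f"{p}/tcp {ports.get(p, 'unknown')}"
            for p in open_tcp_ports(host, ports, timeout)]


def demo():
    """Self-check on localhost with a constructed listener: one port that is
    listening (should be reported) and one that was just released (should not).
    Returns (listening_port_seen, released_port_seen)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # 0 = let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    def serve():  # accept in the background so the probe's connect completes
        try:
            conn, _ = listener.accept()
            conn.close()
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing is listening on closed_port any more

    result = open_tcp_ports("127.0.0.1", [open_port, closed_port])
    listener.close()
    return open_port in result, closed_port in result


if __name__ == "__main__":
    print("self-check (expect (True, False)):", demo())
    # Replace the address below with your device's LAN address to use it for real.
    print(report("192.0.2.10"))  # 192.0.2.0/24 is a documentation range, so this prints []
```

An open port is not a vulnerability by itself; the question is whether you meant it to be there and whether what sits behind it is protected by something better than the default password. Telnet (23) answering on a device you never configured is the classic sign that neither is true.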

Cloud connectivity

Devices now often include some type of cloud connection capabilities within them. This capability could be for extra features, or at times is required to use the device.

When you have a device that includes cloud connectivity, it’s important to understand what information is being sent to the cloud. This is to ensure you know what it’s being used for and how it’s being protected.

If your device is collecting personal, location or other sensitive information and it isn’t protected well, there is a risk it could be lost in a breach.

Start by reading any manuals that came with the device, the manufacturer’s website, and its Terms of Service and Privacy Policy documents.

Ensure other computers and phones are secure

Do you connect to your device via an app on your phone, or from your computer?

If an attacker can compromise your other computers, they can take advantage of them to then attack your connected devices.

Update your connected devices

Check if the manufacturer of your device releases software or firmware updates. If they do, apply them promptly, and turn on automatic updates if the device supports them.

Software and firmware are only as good as the humans who create them. It’s easy for humans to accidentally introduce errors and security holes while writing software. Because of this, when manufacturers find these errors, they normally create an update to fix the issue. Updating the software allows you to get these fixes and plug any holes that an attacker could use.

It also will ensure you have the latest set of security features. Sometimes additional features can be released after you’ve purchased the device.

Wrapping it up

Connected devices are becoming much more popular. Not only are they fun, but they can make life much easier. However, they need to be used smartly. If they also collect personal or sensitive information or are left unsecured, they could be putting your online security and privacy at risk.

Photo by Alex Knight on Unsplash
