Throughout the second quarter of 2015, the Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC) noted a significant increase in the number of account compromises impacting state, local, tribal and territorial (SLTT) governments.
The MS-ISAC monitors the Internet for leaks of sensitive information, including posts uploaded by malicious actors. An average month will see about 6 posts that include SLTT email and password information, but through April, May and June of this year there were 82 different posts – that’s a 350% average monthly increase!
With recent headlines reporting data breaches affecting government organizations, it’s more important than ever to make sure that we’re combating account compromises, like the ones detected by the MS-ISAC, as best we can. This will require the help of every government employee, from entry-level to directors.
How does this happen?
The first step in understanding how to minimize the number of account compromises is knowing how SLTT emails and passwords ended up being included in these malicious actors’ posts.
The common explanation is that whenever an SLTT government employee uses their work email address to gain access to a private website, that information is stored in a database. Then, when a cybercriminal finds a vulnerability in that private website and exploits it, they’ve gained access to the database – and thus to your email address and any other information you shared with the website.
This kind of breach can possibly give cybercriminals information on the government employee’s location, potential login name, and potential passwords. With this kind of information, hackers could gain access to government servers and sensitive information.
What can you do?
We all prefer convenience, especially when we’re online – we want to be able to log in to our accounts as quickly as possible, without having to overthink it. But this is what leads to more accounts being compromised. By following the advice below, we’ll be one step closer to more secure accounts and will ultimately help minimize the cyber threats government agencies face.
Use strong passwords.
You’ve heard this advice before, but it’s effective, so cybersecurity professionals like to repeat it often. Create complex passwords by using at least 10 upper and lower case letters and including numbers and symbols. More advice on how to create a secure password is available here.
Change your passwords.
Although it can be tough to remember new and unique passwords (especially when they’re complex!), it’s important to use different passwords for each account. If hackers gain access to one of your accounts, this will ensure that they can’t break into your other accounts. In the same vein, make sure you’re changing your passwords often (about every two months).
As mentioned, when we’re online we’re always in a hurry. However, avoid automatic login options. These can be easily exploited by hackers to gain access to your accounts.
If someone calls or emails you requesting personal information like your login credentials or employee number, do your own confirmation checks to make sure the request is legitimate. Keep in mind, though, that most reputable organizations are not going to ask you for those kinds of details, and that there are fake websites meant to fool you into providing exactly this type of information.
Use multi-factor authentication.
If you have the option of multi-factor authentication, use it. Although it’s not a silver bullet to absolute cybersafety, it’s a great extra layer of security that can help minimize risks.
What other advice do you have to secure your accounts? Share in the comments below!