It’s the third most wonderful time of the year – Cybersecurity Awareness Month! It didn’t escape us over in Boston’s Department of Innovation and Technology (DoIT) that this frightening topic also falls on the scariest month of the year. With Halloween just a few weeks away, I’ve invited Gretchen Grozier from our security team to recap some of the spookiest cybersecurity threats and go over just how these types of lapses in information security can be avoided.
Think Before You Click
Government workers get dozens, if not hundreds, of emails each day. If you like to stay on top of things, you could find yourself distractedly clicking through your inbox without paying much attention to subject lines, domains and senders. Suddenly, you could find an email from your supervisor with the subject line: “Must complete attached form within one hour.” Being the diligent government employee that you are, you breathlessly follow instructions and click on the attachment. Any number of things could happen next, from a file downloading onto your machine to a questionnaire popping up and asking you to type personal information for a business trip your supervisor needs to book. It takes less than a minute, and suddenly, you have compromised your department’s information security or your own.
This type of attack is called phishing, and if it’s happened to you, then you know how convincing it can be. By sending email from a domain similar to your agency’s, peppering the email and subject line with commanding or pleading language or including links in unexpected places, hackers prey on users who don’t scan an email before clicking on things. Remember, never click on links or download files from people you don’t know, and report any such attempts to your cybersecurity group, as you could be part of a larger attack to steal sensitive information from anywhere in your network.
Good Doggie, Bad Password
According to a poll released by Gallup, 60% of Americans own a pet. Pet names are often a go-to for easy-to-remember passwords. After all, fewer people meet your cat or dog than meet your siblings, parents or other significant people whose names you might use for a password. Unfortunately, hackers are as creative as they are tenacious. Cybercriminals have been known to do research on their targets and will even stalk your social media for hints they can use when trying to guess your password. So, if you’ve posted pictures of “Rex,” then Rex1234 probably shouldn’t be your password. Likewise, avoid commonly used words, as these are still too easy to guess. Remember, longer is stronger – a set of five words strung together is much harder to crack. Your best option is to get a password manager which can generate (and remember) long, strong passwords for you!
“I followed best practices but my email still got hacked”
Even if you adhere to these basic cybersecurity tips, have a strong password and avoid suspicious messages, you could still have your password stolen. That’s why DoIT recommends everyone implement multi-factor authentication. Multi-factor authentication is a feature you can implement on your email, financial or social media accounts that would require you to produce a one-time passcode or physical token to verify your identity. There are many options, including printing out a code at a predetermined location, having a code sent to your cell phone, getting a code from an app on a smartphone or entering a physical token into your device. By implementing multi-factor authentication, you drastically reduce the likelihood of someone accessing your accounts if your password is stolen.
Don’t get tricked this Cybersecurity Awareness Month. With reports of ransomware shutting down major city governments and Russian hackers swinging the presidential election, it’s easy to get overwhelmed and resign yourself to hoping you won’t be next. It is true that the increased sophistication of certain cyberattacks requires equally serious emergency preparedness, but let’s not make it so easy for cybercriminals to take advantage of us. By following a few simple guidelines, we can protect ourselves and the public organizations we work for.
We love cybersecurity, so check back in a couple of weeks for an interview with Boston’s Cyber Security Liaison to the Metro Boston Homeland Security Region.
Susanna Ronalds-Hannon is part of the GovLoop Featured Contributor program, where we feature articles by government voices from all across the country (and world!).