Cybersecurity in a Hybrid Workplace


Kenny Leckie and Chad Johnston of Alterity Solutions discussed the types of cybersecurity threats and how to spot them, as well as best practices for avoiding cybersecurity attacks when working in a hybrid environment.

KEY TAKEAWAYS FROM THE PRESENTATION:

  • Disruption breeds opportunities for bad actors. Human behavior accounts for 96% of all successful inroads into organizations and into people’s personal accounts. It’s important to know how to protect yourself and your devices.
  • Working in an office provides an added level of security, but when working from home it’s important to configure your home networks to protect yourself and your devices.
    • Change the default admin password on the router supplied by your ISP.
    • Use the strongest Wi-Fi security option available (WPA2 or higher).
    • Configure a Guest Wi-Fi Network and connect your smart devices to that network. “Smart devices were made for connectivity, not for security.”

*Best practices for your Internet of Things (IoT): Change default passwords, update software and firmware regularly, and connect all your internet-enabled devices to your guest network.*

  • Passwords and Multi-Factor Authentication are key for securing your identity and accounts.
    • Don’t use the same password for all accounts.
    • Don’t save passwords in your browser.
    • Consider using password management software (Dashlane, 1Password, LastPass).
    • Multi-Factor Authentication (MFA) requires at least two forms of verification to gain access to accounts/information. There are three factors to MFA: what you know, what you have, and who you are.
      • What you know: passwords, PINs, security question answers
      • What you have: phones or email
      • Who you are: biometrics, retinal scans, fingerprints
  • People are looking for ways to learn about you so they can infiltrate your accounts, and one way they do that is through social media. Over 50% of credentialed accounts on social media are fraudulent; they were created to make you think they are someone else.
    • Don’t participate in info-gathering polls – these are scraping schemes to gain your information.
    • Don’t use social media login credentials to create accounts on other websites.
    • Change your passwords regularly and monitor privacy settings.
  • Scams haven’t changed, but the lures have. The way scammers work to get your attention has changed and may mirror real-life companies, news, pop culture references, or other hooks.
    • Social Engineering: the attacker gathers background information on the victim, establishes a working relationship with the target, exploits the information and relationship that were established, and then executes the attack. Social engineering works through the Four F’s of Human Nature:
      1. Free – enticing you with free things to garner a response
      2. Fear – plays on your emotions to garner a response
      3. Familiar – wants to come across as someone you know so you’re more likely to respond
      4. Fast – convenient and with a sense of urgency that’s meant to throw you off to garner a response
    • Texts, robocalls, and group messaging are all used as lures.
    • Spear Phishing vs. Phishing: spear phishing emails are carefully designed to get a single recipient to respond, whereas phishing emails are sent to many recipients with the expectation of a small response percentage.
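To make the MFA factors above concrete, here is an added example (not code from the presentation or from Alterity Solutions) of a login check that demands both “what you know” and “what you have”: a salted PBKDF2 hash of the password for the first factor, and an RFC 6238 time-based one-time code, of the kind a phone authenticator app produces, for the second. The user record, password and TOTP seed are constructed for the example; the seed is the RFC 6238 reference secret so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import secrets
import struct

TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 time-based one-time password: HOTP (HMAC-SHA1) over the time-step counter."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate phone clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def hash_password(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Slow, salted hash so a stolen record cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record; a real system stores this in a database, never in source."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def authenticate(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. Both are evaluated so a failure does not reveal which one was wrong."""
    know_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    have_ok = verify_totp(user["totp_secret"], code, unix_time)
    return know_ok and have_ok


if __name__ == "__main__":
    # RFC 6238 reference secret, used here only so the output is checkable.
    seed = b"12345678901234567890"
    user = make_user("correct horse battery staple", seed)
    now = 59
    print("current code:", totp(seed, now))                                   # 287082
    print("password + code:", authenticate(user, "correct horse battery staple", "287082", now))
    print("password alone:", authenticate(user, "correct horse battery staple", "000000", now))
```

The point the talk makes is visible in the last two lines: a correct password with a wrong (or missing) code is rejected, so a phished password on its own does not open the account.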
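The Four F’s and the phishing notes above describe what a lure looks like; the following added example (written for this page, not the presenters’ material) turns them into a small triage scorer that a help desk or security team could run over a reported message. It looks for the Four F’s vocabulary in the subject and body, for a Reply-To domain that differs from the apparent sender, and for links whose visible text names one site while the href points to another. The lexicon, the sample messages and the example-corp.com / example.net domains are all constructed for the example; a production filter would use far more signals than keyword hits.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure lexicon keyed to the Four F's. Constructed for this example.
CUES = {
    "free": ["free", "gift card", "prize", "winner", "reward"],
    "fear": ["suspended", "unauthorized", "locked", "compromised", "legal action", "final notice"],
    "familiar": ["as we discussed", "per our conversation", "your colleague", "help desk"],
    "fast": ["urgent", "immediately", "within 24 hours", "act now", "expires today", "asap"],
}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; crude (ignores ccTLD quirks) but enough for the example."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(raw: str) -> dict:
    """Return the lure cues and identity mismatches found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []

    # Which of the Four F's does the wording lean on?
    for factor, words in CUES.items():
        hits = [w for w in words if w in text]
        if hits:
            findings.append(f"{factor}: {', '.join(hits)}")

    # Replies routed to a different domain than the apparent sender.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]
    if reply_domain and registrable_domain(reply_domain) != registrable_domain(from_domain):
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # Link text shows one site while the href goes to another.
    for href, anchor_text in ANCHOR_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        shown = URL_RE.search(anchor_text)
        shown_host = urlparse(shown.group(0)).hostname if shown else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link shows {shown_host} but points to {href_host}")

    verdict = "suspicious, verify out of band" if len(findings) >= 2 else "no strong signals"
    return {"score": len(findings), "findings": findings, "verdict": verdict}


# Constructed sample messages (not real mail); the domains are placeholders.
PHISH = (
    "From: IT Help Desk <helpdesk@example-corp.com>\n"
    "Reply-To: support@mail-verify.example.net\n"
    "Subject: URGENT: Your account will be suspended\n"
    "\n"
    "Hello,\n\n"
    "Our help desk detected unauthorized access. Verify within 24 hours or your account will be locked.\n"
    '<a href="http://login.mail-verify.example.net/reset">https://portal.example-corp.com/reset</a>\n'
)

BENIGN = (
    "From: Dana <dana@example-corp.com>\n"
    "Subject: Notes from Tuesday's planning meeting\n"
    "\n"
    "Hi team, attached are the notes from Tuesday. Let me know if I missed anything.\n"
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        result = score_message(raw)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

On the constructed lure the scorer reports fear, familiar and fast cues plus both identity mismatches, which mirrors the advice in the Q&A below: when a message trips several of these, verify with the sender through another channel rather than following its links.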

Q&A with Kenny Leckie and Chad Johnston:

Q: Which password management software do you recommend to most of your clients?

  • While we don’t really recommend any specific company, here are the most common and largest ones you’ll see: Dashlane, 1Password, and LastPass.

Q. I’ve noticed the “UNSUBSCRIBE” link at the bottom of a phishing scam – if you attempt to get off their distribution list, does that also make you a target? And is “DELETE/DO NOT REPLY” a best practice?

  • Anytime you are interacting with a known, or even suspected, phishing scam, you must assume every link is a malicious one. Best practice is to not trust anything that seems at all suspicious – if anything gives you pause or causes you to have doubts about an email/text/article’s legitimacy, do not follow any links in that message. It’s a good idea to forward it to the authoritative source in your organization that can help you discern if it’s real, or to reach out to the suspected sender using another form of communication (if possible) to verify they sent it. Otherwise, do nothing and delete the communication.

Q. Can pressing “1” on a spam call put your data at risk?

  • It can actually do a number of things. One is that you may be activating a command on the system that called you, which could then activate a number of other possibilities. When it comes to robocalls, just like with phishing, it’s best practice to not interact at all. There are exploits out there that major phone companies are trying to fight against, but the safest thing is to not interact. It’s possible that engaging in the call in any way might count as you “agreeing” to something on the other end of the call. We always encourage just hanging up on these types of robocalls.

Q. Which account do you assign Alexa to? Guest Wi-Fi?

  • Voice-activated devices are becoming a normal part of the fabric in our society, but vigilance is key. Depending on what your device is controlling, like your thermostat or music, it may need to be connected inside your network, so making sure it’s connected to your “guest” Wi-Fi is best practice. By connecting them through your “guest” network, you keep them separate from the things that matter. When it comes to things you have to connect to your main network (like Siri), make sure that all the accounts associated with that network are locked down (using strong passwords and MFA).

Q. Does filtering your calls actually help? If I have to use a personalized voicemail for work, should I remove my last name from my voicemail message?

  • That answer is driven by policies, which are driven by the organization; a lot of people are beginning to remove certain information from their voicemails for security reasons, and this is causing companies to change their policies. If your company establishes the processes and protocols around how to word your voicemail, it would be a good idea to talk to your organization about best practices and this may raise awareness with them on the risks. A lot of companies are also sanitizing their website so as to not have direct contact information, titles, or the structure of the hierarchy of their company because it makes them bigger targets for phishing. We’d encourage you to talk to your organization to make sure you’re following their policies and best practices.


Kenny provides thought leadership and consulting in the areas of security awareness, change management, user adoption, adult learning, employee engagement, professional development, and business strategy. Kenny’s approach brings immediate value to clients as they navigate the ever-changing landscape of security and technology issues. He combines his years of experience with a strategic approach to help clients implement programs that focus on the business while minimizing risk to confidential, protected, and sensitive information. He is an author and speaker and was named the International Legal Technology Association’s 2018 Innovative Consultant of the Year. Connect with Kenny on LinkedIn today.
