Cyber hygiene: A balance of convenience and safety

Cyber hygiene has nothing to do with using robots to keep humans clean. No, we’re talking about keeping your data safe. Whether personal or business data, when talking about cyber hygiene it’s important to understand that the time for “security through obscurity” is over.

David Westgate, the vCIO/service business manager at MicroAge Regina, explains that “while targets used to be large businesses in big cities, it’s moving closer to home. Today it’s hitting small town Saskatchewan and having a massive impact.” Small companies are just as likely to be hit as large ones.

“We’ve seen the Regina School Board that was hit recently, we’re seeing medical firms being hit, we’re seeing the financial institutions being hit and we see the small mom-and-pop stores being hit at the same time,” says Westgate. The attackers may be asking for a little bit less from a mom-and-pop shop than they are from some of the larger corporations, but it impacts the targeted business in the same manner. And it’s a bigger issue with more people working from home as this increases the chances of a business being left vulnerable.

However much time, energy, and money you spend on cyber hygiene, it will only be as good as the people with access to your network and data. You can have a million-dollar security system in your house but if you leave the key, address and alarm password on a bench at the airport, you’ve wasted your money.

“Oftentimes what we’re seeing now is less about technology being exploited and more about people and processes being exploited. There are still governments and hacking groups that will spend months working on a particular exploit, but is the average cyber criminal really going to spend all that time and effort if they can just send someone an email and get them to open an attachment with a vulnerability in it and then compromise their machine . . . companies are growing so quickly, trying to tap into data in ways that they never could before, and they’re not taking the time to make sure things are set up properly,” says Sean Gowing, from Keepsecure IT. And this has consequences.

Westgate outlines some basics: “From a security perspective you need to ensure that you have a real good firewall in play. Protecting the network . . . that’s going to be the first protocol. Second is multi-factor authentication (MFA). MFA is really one of the most important identity protections.”

Cyber crime is on the rise, but don’t despair: there are good people working on the right side, with an entire industry growing alongside the threats in an endless game of spy vs spy. For example, Gowing explains that one type of ethical hacking he offers as a service is a phishing simulation campaign. “We work a lot with phishing simulation campaigns to raise awareness. In a phishing simulation campaign, we send emails and if they click on it, they get a little refresher information session on what to watch for.” These exercises help businesses shore up their biggest vulnerability: human behaviour.

“I always tell people, it’s not an intelligence thing . . . it’s most likely they caught you when you were busy. You’re rushing, and in comes this email that’s just one more thing on your plate and you’re just trying to get it done and help someone out because we’re fairly trusting and helpful in our organizations. That’s what they prey upon,” says Gowing.

As we work smart devices and the Internet of Things into our daily life, and more and more people work remotely and from home, the policies and understanding of the vulnerabilities are going to become critical. You can imagine the embarrassment and liability if a legal firm had their client’s confidential information leaked because an employee was logging onto the network from an encrypted cyber cafe or accidentally opened a back door to their home network using their smart fridge to order groceries. It’s a balance of convenience and safety. Business owners need to help their employees understand that balance.

Gowing’s go-to piece of advice is password management tools. “I know that sounds stupidly simple, but I don’t know how many times I’ve seen accounts compromised on an enterprise level because the person is using the same password for the work account and on the 98 different online services they’ve signed up for and one of those gets compromised and then someone can look and go, hey, Shawn also works at this company. I’m going to try his password over there and sure enough it works, right?” A good password management tool helps prevent that. The more protected you are, the less of a target you will be.

Saskatchewan is positioning itself to feed, fertilize, and fuel the world. We need to be ready to protect the critical infrastructure needed to do this—and that is going to require people to operate their cyber security at a global level.