San Diego cybersecurity expert Jim Stickley joined CCMI clients and guests on June 2 to share best practices to keep our online information safe. Jim has spent over 25 years as a cybersecurity expert with a focus on identifying security flaws before criminals find them and warning people and organizations about what they can do to protect themselves.
As Jim confirmed, there is no one solution to keep yourself safe in the internet era, but there are steps you can take to improve your online security. Here are some highlights and takeaways from the discussion:
On Hackers and Russia…
While hackers probably won’t be targeting individuals, mid-sized banks, or even credit unions, there is a risk they may target larger players like Microsoft, and then try to send a software update to all Microsoft users, which could be very dangerous. There is also a risk that the data “cloud” could be hacked and information could be compromised.
- Suggested Solution: The antidote may be more work for people but necessary for the world we are living in—back up your critical data (even wedding photos!) in two places at all times: 1) on the cloud and 2) on a physical device you can control.
On if a Financial Institution has a Breach…
In general, the risk is low, but it is possible that you could lose money from a data breach at your bank. However, most of the time the bank will help you, as a consumer, get the money back. Be aware that small businesses are more at risk of losing their money: a loss caused by something they did might be interpreted as a business transaction, and that money is less likely to be recovered.
- Suggested Solution: Cybersecurity insurance for businesses is a great start, but beware—since acts of war are usually not covered by insurance, some policies are claiming Russian-based cybercrimes are part of war and the insurance company is excluding them. Check with your insurance provider on what the policy covers. This type of insurance is not available to consumers so monitoring your transactions is the best way to detect fraudulent activity.
On Social Media Risks…
Social media itself doesn’t create malware, but it can be a vehicle that cyber criminals use to send dangerous links and malware to you. Scrutinize the messages you receive; sometimes hackers see that you are tagged in a photo with someone else, and they impersonate that person when they target you.
- Suggested Solution: If a message you receive on social media includes an attachment or link, be very hesitant to click on it to help protect yourself from malware.
On Malicious Websites and Typo-squatting/Domain Spoofing…
Jim noted that while 270 million domains exist today (like www.myccmi.com), 140 million are not live websites. Some aren’t malicious, but some are put out there by cyber criminals with an incorrect character (a typo) from the legitimate site. Unfortunately, checking for HTTPS in the corner doesn’t work anymore to tell if you are on a valid website. In general, you can tell an invalid website by how it looks; the page will tend to look clunkier because criminals don’t normally put much effort into any single site. They are more incentivized to create many lower-quality sites because they are quicker to establish and can potentially reach a wider audience.
- Suggested Solution: Sometimes if you type the wrong site address you may see an 800 number pop up, which inevitably goes to a scammer. Do not call any numbers from a pop-up. If you see these messages on your computer and they are taking over your screen, an easy way to get around them is to hit the escape key, which will make the window smaller and allow you to click the X in the upper right-hand corner to close the window. Then you may want to shut down your computer entirely. If you aren’t online, they can’t get to you.
On Antivirus Software…
Jim uses the analogy of a lock on your front door—it will stop some criminals, but if someone is truly determined to break into your house, that person will go around to your side or back doors to try to enter. Antivirus will not keep you safe from everything.
- Suggested Solution: You should have antivirus software on PCs and Macs, but know you are still at risk. Free antivirus is better than nothing, but do your research on the tools you use to protect your devices. You may want to choose one of the larger antivirus companies as it may have more thorough protection.
On the Safety of Certain Devices…
In terms of whether certain types of computers or mobile devices are safer, Jim Stickley says criminals tend to go to where the people are, which tends to be Windows. Mac has a much smaller footprint, particularly when it comes to corporate America. There really aren’t any safe file types and new threats appear daily. Attachments are a major risk, and even in preview mode you can be hacked.
- Suggested Solution: Mobile devices hold up really well, so if you want to open a suspicious link, open it on your phone rather than on your computer. The risk to mobile devices lies with apps; scrutinize who created the app, where they are based, and how long they have been around. Don’t make your decision to download the app based on how many people have downloaded it! Be very judicious about giving the app access to contacts, emails, photos, etc. For example, a game shouldn’t need access to your contacts and email.
- Chromebooks also hold up really well and high schools across America are using them. You may want to give your high-risk employees (or children) a Chromebook.
- While Chromebooks might be amazing, Chrome (the web browser) has vulnerabilities, and Microsoft’s Edge browser has been holding up better recently. Firefox and Safari are also holding up well but seem to be phasing out in terms of popularity.
On Passwords and Using Password Manager Apps…
Most people use the same password over and over on multiple sites. Even if you think your password is incredibly strong, the risk is that it can be reused across multiple websites very quickly. If you sign up at a retailer with your email and password, and then a criminal hacks the retailer, they may now have access to your login information for your email and bank accounts if you use the same username and password. Hackers take what they have accessed and check on every major site for that email and password combination. It’s not that your password is weak, it’s that a third party didn’t have adequate security!
- Suggested Solution: Use a password manager and try to make sure your password is different for each site you want to access. The risk is far less with a password manager than using the same password everywhere. If you don’t want to pay for a password manager, you can also come up with a strong base password with seven to eight characters including letters, numbers, and symbols, and then use the domain to make your password distinct by changing the letters in the password (for example, eight characters then add GO at the end for Google, YA at the end for Yahoo, etc.). If you are offered the ability to enable two-factor authentication (or “2FA”), you should enable it as an extra measure of security. This will send a code to another location (an email to you or a text to your mobile phone, for example) which you will need to enter before you can gain access.
Jim was asked about good news in the industry and his answer was “awareness.” People are becoming more aware of how to operate safely online. In summary, there are many tools to keep you safer online but there isn’t one single thing you can do to be safe; it must be a combination of several efforts. A few additional tips include:
- Be very careful about what you click, and hover over a link to verify the address before you click.
- Remember your Social Security number is with you for life; you don’t just get another one if it’s stolen. It will take constant monitoring if you think your identity has been stolen.
- Consider using a Virtual Private Network (VPN) with a legitimate corporation behind it to access the internet and make it harder for hackers to get access to your information.
CCMI provides personalized fee-only financial planning and investment management services to business owners, professionals, individuals and families in San Diego and throughout the country. CCMI has a team of CERTIFIED FINANCIAL PLANNER™ professionals who act as fiduciaries, which means our clients’ interests always come first.