Online Safety Basics

Protecting yourself online doesn’t have to be complicated or expensive. A few simple habits can dramatically reduce your risk of falling victim to cybercrime. While you can never be “hackproof,” you can become resilient in the online world.

At the heart of online safety are four essential behaviors we at the National Cybersecurity Alliance call the Core 4. These simple steps will help shield your personal information, protect your accounts, and keep your devices secure.

MEET THE CORE 4: CYBERSECURITY BASICS

1. Use long, unique, and complex passwords (and a password manager!)

Your passwords are the first line of defense between a criminal and your sensitive information.

Here’s how to have strong passwords:

  • Every password must be long, unique, and complex. Nowadays, every password should be at least 16 characters long, which significantly overwhelms password-cracking programs. Use a random mix of letters, numbers, and symbols. And every account needs a unique password.

  • Don’t reuse passwords! Every account needs a unique password. Unfortunately, making little changes, like adding numbers or switching out an S with a $, doesn’t count as a unique password.

  • Use a password manager to store and generate strong passwords. If you’re wondering how to manage so many unique, long passwords, the answer is a password manager! There are many free, secure options. Password managers are the safest way to store your passwords. If you prefer to keep a password notebook, treat it like cash.
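An added example, not part of the original article: a short Python sketch of the rules above. It generates a random password of at least 16 characters and flags accounts whose passwords are only cosmetic variations of one another (swapped look-alike characters, numbers tacked on the end). The substitution table and the sample vault are constructed assumptions.

```python
import itertools
import secrets
import string

# Look-alike substitutions people use to "change" a password (S -> $ and so on).
# Assumption: a small illustrative table, not an exhaustive one.
LEET = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})
ALPHABET = string.ascii_letters + string.digits + string.punctuation
TAIL = string.digits + string.punctuation


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG with letters, digits and symbols."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def skeleton(password: str) -> str:
    """Base word: lower-case, drop digits/symbols added at the end,
    then undo look-alike substitutions."""
    return password.lower().rstrip(TAIL).translate(LEET)


def is_variant(a: str, b: str) -> bool:
    """True if the two passwords are the same or differ only cosmetically."""
    if a == b:
        return True
    if a.lower().translate(LEET) == b.lower().translate(LEET):
        return True
    sa, sb = skeleton(a), skeleton(b)
    return bool(sa) and sa == sb


def find_reuse(vault: dict) -> list:
    """Return pairs of account names whose passwords are reused or variants."""
    return [(x, y) for x, y in itertools.combinations(sorted(vault), 2)
            if is_variant(vault[x], vault[y])]


# Constructed sample data: account name -> password.
SAMPLE_VAULT = {
    "email": "Sunshine2023",
    "bank": "$un$hine2024!",
    "shop": "k7#Vq9!mZr2@Lx5&",
}

if __name__ == "__main__":
    print("reused or near-duplicate:", find_reuse(SAMPLE_VAULT))
    print("fresh password:", generate_password())
```

A password manager does both jobs for you; the sketch only shows why "Sunshine2023" and "$un$hine2024!" count as the same password.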

2. Enable multifactor authentication (MFA)

Multifactor authentication (sometimes called 2FA) adds an extra security layer by requiring something more than just your password to log in. Think of it as using two locks on your digital door instead of only one. This could be:

  • A one-time code sent to your phone

  • A biometric scan like a fingerprint scan or FaceID

  • A physical security key

Enable MFA on your accounts – especially email, banking, and social media. It’s a simple way to supercharge the security on your accounts. Also, never share MFA codes with anyone – this includes not sharing them over the phone, through texts, or via email. Only scammers will ask for MFA codes.

3. Keep software updated

Software updates don’t just bring new features. They often fix security flaws that criminals exploit. It usually takes a few minutes, but updates are worth it. Here are some tips:

  • Turn on automatic updates when possible for your devices and apps – you can usually find these options in your Settings menu.

  • Install updates promptly for your operating systems, browsers, antivirus tools, and apps.

  • Don’t click Remind Me Later – the security is worth it.

  • Remember your phones, smartwatches, and tablets are computers – keep these devices updated as well!

4. Watch out for phishing and scams

Phishing remains the most common online threat. Criminals send fake emails, texts, or social media messages to trick you into revealing sensitive information or clicking malicious links. These messages aim to get you to click before you think by playing on your emotions. Scammers will even call you! Here’s how to look out for phishing and scams:

  • Be highly skeptical of unexpected messages, especially those urging immediate action or asking for personal details.

  • Phishing emails can light up positive emotions (“You’ve won our sweepstakes!”) or negative ones (“You’ve been hacked!”).

  • Don’t click suspicious links or download unexpected attachments.

  • Report phishing attempts to your email provider, social media platform, or IT department.

  • If you’re unsure if a message is legit, ask a friend, coworker, or family member. A second set of eyes can be invaluable in spotting scams.

MORE SIMPLE TIPS TO STAY SAFE ONLINE!

5. Back it up

The best way to protect your valuable work, music, photos, data, and other digital information is to make copies and store them safely. If you have a copy of your data and your device falls victim to ransomware or other cyber threats, you can restore the data from a backup. If you break your computer or it crashes, you won’t lose the data along with the device. Use the 3-2-1 rule as a guide:

  • Keep at least three (3) copies of your data.

  • Store two (2) backup copies on different storage media, like on the cloud or on an external hard drive.

  • One (1) copy should be located offsite – this includes the cloud!

Today, one of the easiest backup storage options is backing up to the cloud – the cloud is a network of secure computer servers that you can access through an online account.

6. Check your privacy settings

Every time you sign up for a new account, download a new app, or get a new device, configure the privacy and security settings to your comfort level for information sharing.

  • Think about what information an app is asking for and if it’s necessary for the app to function.

  • Think about who can see your profile.

  • Audit your apps, platforms, and games every couple of months and delete the ones you don’t use.

7. Share with care

When you’re having fun on social media, think before posting about yourself and others. Consider what a post reveals, who might see it, and how it might affect you or others. With every post, think about:

  • Who will see it?

  • Could it reveal personal information?

  • How might it affect your digital reputation?

8. Report phishing

One of the best ways to take down criminals is by reporting phishing attempts, and nowadays it’s easier than ever.

  • If the email came to your work email address, report it to your IT manager or security team.

  • If you’re at home and the email came to your personal email address, most email programs and social media platforms allow you to report phishing.

Do not click on any links (even the unsubscribe link) or reply back to the email. Also, don’t keep that phishing message around – delete it ASAP. You can further protect yourself by blocking the sender from your email program, social media platform or phone.

9. Don’t reply to mistaken texts or messages

A common scam nowadays starts with a seemingly “mistaken” text, where an unknown number contacts you, and it seems like a mistake.

  • The text can be simple (“How are you”) or elaborate (“Do you have a dentist recommendation?”)

  • If you respond, the other person will strike up a conversation and “friendship”

  • These mistaken text scams, which are also called pig butchering scams, can last for weeks or months before the criminal requests money or tells you about an exciting investment opportunity.

Not responding to a text or call from a number you don’t know isn’t rude. It’s safe!

10. Use secure wi-fi

With your home router, remember to change the default password. When you’re out and about, public wi-fi is convenient, but its security might be questionable:

  • Avoid accessing sensitive accounts like banking or email.

  • Use a VPN or your phone’s hotspot for a more secure connection.

  • Turn off auto-connect for wi-fi and Bluetooth. These settings can make your device connect to unknown or malicious networks automatically.

  • On public computers in hotels, libraries, or cafes, avoid accessing personal accounts. If you must, always click “log out” – closing the browser isn’t enough.

Originally posted on National Cybersecurity Alliance

Think Intelligent About Artificial Intelligence

Artificial intelligence, including so-called “large language models” like ChatGPT, has rapidly become a major talking point in the press, amongst governments, and maybe even in your office!

While AI has been a subject in the background for decades, everyday web users can now engage with AI like never before.  

But whenever there is a sea change in technology, it is always smart to think about the security issues. This is how you can stay safe online over the years. And no AI wrote this article – we promise! 

Should I use ChatGPT or other AI platforms? 

With any shiny new technology, you should consider security and privacy risks before diving in. When it comes to AI-powered language models and other services, there are a few major factors to consider when loading up AI for help at work, school, or for fun:

Don’t Hand Over Your Crown Jewels

AI models partly “learn” from what users input into the system. Therefore, you shouldn’t put any information into an AI model you want to keep private, from your company’s proprietary computer code to sensitive information about your family. 

Prompting Isn’t the Same As Creating

When it comes to your child’s homework or perhaps your own work endeavors, know that putting a query to AI and then copy/pasting the results isn’t the same as doing the work yourself. Also, if you are asking a fact-based question to an AI model (like “what atoms are in a water molecule?”) you need to fact check everything, because these models have become infamous for giving very confident but very wrong information in many situations. Other times, people have noted that AI models produced bizarre – and sometimes creepy – responses suggesting that the model had a mind of its own, which have been deemed “hallucinations.” We say it’s best to look at AI models as tools: they can help you get the work done, but we think you’re more talented than a machine! 

Privacy Concerns

There are many concerns over how AI models scrape the web, from how these programs utilize the creations of artists and writers to what sort of personal information they know about us. Many experts are worried that these models are collecting data on children, for example, and how these services can alert people about sharing their data remains an open question. In many cases, your chats with an AI are not private – the company can see what you input, even if it is anonymized. Carefully read the privacy notices of any AI service you use and ensure that you are okay with sharing the data it collects.

Bad Guys Also Use AI

Another trend is the rise of cybercriminals using AI to get better at their crimes. There is evidence that bad actors are using AI to craft more deceptive phishing emails and help develop malware. When there is any big disruption in tech, take it as a good time to review your cybersecurity basics: use strong passwords, take advantage of password managers, and enable MFA for all accounts that allow it.

Originally posted on National Cybersecurity Alliance

Why Data Privacy is Necessary in Today’s World

An unfathomable excess of online data is generated every day as the global economy churns; individuals take to social media; and modern life strives to keep pace with advancing technology.

Securing that data is rapidly becoming a necessity as companies recognize it as an asset and realize the potential value in collecting, using, and sharing it.  

In recent years, many companies have learned the importance of data privacy through breaches and privacy failures. To avoid such calamities, having protective measures and strategies in place is crucial. From the smallest of businesses to major corporations, everyone is at risk. As the data economy continues to evolve, companies find data protection officers and similar professionals increasingly in demand. This demand intensifies with new regulations and standards on information security.

WHAT IS DATA PRIVACY?

Also known as information privacy, it is a branch of data security involving properly handling the collection, storage, and dissemination of information — including to third parties. Currently in the U.S., there is legislation in place regarding data privacy and protection in many industries. One piece of federal legislation in health care is the Health Insurance Portability and Accountability Act (HIPAA). It was designed to protect patient information in health care and health insurance.

Another piece of federal legislation, in finance, is the Gramm-Leach-Bliley Act (GLBA). This was passed to help protect nonpublic personal information — such as income, credit scores, and more. While there are several regulations at state and federal levels, consumer privacy is regularly compromised by companies and governments. We are poised to see a significant increase in regulation in the future. As data protection regulation grows worldwide, the demand for global privacy and requirements also increases.

FOR BUSINESSES

Integrating data privacy training into your onboarding process and general training programs is a first step. Implement free security tools available on the market such as VPNs, encrypted storage solutions, and password managers. You can reduce vulnerability with these tools that are relatively easy to install and operate. Next, be sure to monitor your network for suspicious activity and potential attacks. These breaches can happen to organizations of all sizes. 

FOR CONSUMERS

On a consumer level, there are some steps to take to improve your privacy despite not having much control over how organizations store and secure your data. A good first protective measure to take is in line with businesses. Password managers and VPNs are available on an individual level to encrypt your Internet connection and keep sensitive information safe. Also, be sure to back up data often to secure it in the event of a compromise. Lastly, ignoring click-bait content and strange requests via email or social media is a simple way to protect your network and data.

Originally posted on Stay Safe Online

As Cybercriminals Act More Like Businesses, Insurers Must Think More Like Criminals

Cybersecurity is no longer an emerging risk but a clear and present one for organizations of all sizes, panelists at Triple-I’s Joint Industry Forum (JIF) said. This is due in large part to the fact that cybercriminals are increasingly thinking and behaving like businesspeople.

“We’ve seen a large increase in ransomware attacks for the sensible economic reason that they are lucrative,” said Milliman managing director Chris Beck. Cybercriminals also are becoming more sophisticated, adapting their techniques to every move insurers, insureds, and regulators make in response to the latest attack trends. “Because this is a lucrative area for cyber bad actors to be in, specialization is happening. The people behind these attacks are becoming better at their jobs.”

As a result, the challenges facing insurers and their customers are increasing and becoming more complex and costly. Cyber insurance purchase rates reflect the growing awareness of this risk, with one global insurance broker finding that the percentage of its clients who purchased this coverage rose from 26 percent in 2016 to 47 percent in 2020, the U.S. Government Accountability Office (GAO) stated in a May 2021 report.

Panel moderator Dale Porfilio, Triple-I’s chief insurance officer, asked whether cyber is even an insurable risk for the private market. Panelist Paul Miskovich, global business leader for the Pango Group, said cyber insurance has been profitable almost every year for most insurers. Most cyber risk has been managed through more controls in underwriting, changes in cybersecurity tools, and modifications in IT maintenance for employees, he said.

By 2026, projections indicate insurers will be writing $28 billion annually in gross written premium for cyber insurance, according to Miskovich. He said he believes all the pieces are in place for insurers to adapt to the challenges presented by cyber and that part of the industry’s evolution will rely on recruiting new talent.

“I think the first step is bringing more young people into the industry who are more facile with technology,” he said. “Where insurance companies can’t move fast enough, we need partnerships with managing general agents, with technology and data analytics, who are going to bring in data and new information.”

“Reinsurers are in the game,” said Catherine Mulligan, Aon’s global head of cyber, stressing that reinsurers have been doing a lot of work to advance their understanding of cyber issues. “The attack vectors have largely remained unchanged over the last few years, and that’s good news because underwriters can pay more attention to those particular exposures and can close that gap in cybersecurity.”

Mulligan said reinsurers are committed to the cyber insurance space and believe it is insurable. “Let’s just keep refining our understanding of the risk,” she said.

When thinking about the future, Milliman’s Beck stressed the importance of understanding the business-driven logic of the cybercriminals.

If, for example, “insurance contracts will not pay if the insured pays the ransom, the logic for the bad actor is, ‘I need to come up with a ransom schema that I’m still making money’,” but the insured can still pay without using the insurance contract.

This could lead to a scenario in which the ransom demands become smaller, but the frequency of attacks increases. Under such circumstances, insurers might have to respond to demand for a new kind of product.

Originally posted on Insurance Information Institute

Cyber Security: Think Before You Click

If you are concerned about your cyber security – and you should be – it’s essential to know the biggest threats to you right now.  So, what is cyber security anyway?  And how can you protect yourself?

Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. The global cyber threat continues to increase at a rapid pace. Most, but not all, cybercrime is committed by hackers who want to make money. As a result of the COVID-19 pandemic, cybercrime, which includes everything from embezzlement to data hacking and destruction, is up 600%.

Types of Cyber Threats:

Malware, short for “malicious software”, refers to any intrusive software developed by cybercriminals or hackers to steal data and damage computers and computer systems.  Malware is often activated when a user clicks on a malicious link or attachment, which leads to installing dangerous software.  There are several types of malware:

  • Virus: A self-replicating program that attaches itself to clean files and spreads throughout a computer system, infecting files with malicious code.
  • Trojans: A type of malware that conceals its true content to fool a user into thinking it’s a harmless file. Cybercriminals trick users into uploading Trojans onto their computer where they can collect data or cause damage.
  • Worms: Malicious software that spreads copies of itself from computer to computer within a network. Worms exploit vulnerabilities in your security software to steal sensitive information and corrupt files. A worm is different from a virus, however, because a worm can operate on its own while a virus needs a host computer.
  • Spyware: A program that secretly records what a user does, so that cybercriminals can make use of this information. Spyware is often used to steal personal or financial information.
  • Ransomware: Malicious software which locks down a user’s files and data with the threat of erasing it unless a ransom is paid.
  • Adware: Unwanted software that displays advertisements on your screen. Adware collects personal information from you to serve you with personalized ads. While adware is not always dangerous, it can redirect your browser to unsafe sites and can even contain Trojans and spyware.
  • Rootkits: Malicious software that is extremely difficult to spot and also very hard to remove. A rootkit allows someone to maintain control over a computer without the computer owner knowing about it.  Once a rootkit has been installed, nothing on your computer is secure.

Where does malware come from?

The most common sources of malware are malicious websites, email attachments, and shared networks.

  • Phishing: E-mails that appear to be from a legitimate company asking for sensitive information. Phishing attacks are often used to trick people into handing over personal information or credit card data.
  • Shared Networks: A malware infected computer on your shared network can spread malware onto all devices on the network.
  • Malicious Websites: Some websites may install malware onto your computer – usually through advertisements on popular sites (malvertising) or malicious links.

How to Prevent Malware – 7 Things You Should Start Doing Now:

  1. Install Anti-virus Software: Anti-virus software will scan your computer to detect and clean the malware and provide enhanced protection against newly created viruses.
  2. Regularly Update Software: Keep your software updated to stop attackers gaining access to your computer through vulnerabilities in outdated systems.
  3. Install a Firewall: A firewall blocks all unauthorized access to or from a private computer network.
  4. Use Secure Authentication Methods: Use strong passwords with at least 8 characters, including an uppercase letter, a lowercase letter, and a number or symbol. You should also enable multi-factor authentication, such as a security question in addition to a password.
  5. Don’t Open Emails From Unknown Sources: Hackers often send emails with links that are sure to send malware your way and hack into your important information. It is better to delete the email than to suffer the consequences of opening it.
  6. Avoid Using Unsecure WiFi Networks in Public Places: On an unsecure network, a cybercriminal can intercept communication between two individuals to steal data.
  7. Maintain Regular Backups of Your Data: Backups do not secure your network from attacks but they help when you face a malware attack.

Jeh Johnson, former U.S. Secretary of Homeland Security, stated “Cyberattacks of all manner and from multiple sources are going to get worse before they get better.  In this realm and at this moment, those on offense have the upper hand.  Whether it’s cyber-criminals, hacktivists, or nation-state actors, those on offense are ingenious, tenacious, agile, and getting better all the time.  Those on defense struggle to keep up.”

It is imperative that you protect yourself and your family from cybercriminals. With technology increasing, criminals don’t have to rob stores or banks, nor do they have to be outside to commit a crime – they have everything they need on their lap. Their weapons are no longer guns; they attack with a computer mouse and passwords.

Spam and Phishing

Malicious Email

A malicious email can look just like it comes from a financial institution, an e-commerce site, a government agency or any other service or business.

It often urges you to act quickly, because your account has been compromised, your order cannot be fulfilled or there is another urgent matter to address.

If you are unsure whether an email request is legitimate, try to verify it with these steps:

  • Contact the company directly – using information provided on an account statement, on the company’s official website or on the back of a credit card.
  • Search for the company online – but not with information provided in the email.

Spam

Spam is the electronic equivalent of junk mail. The term refers to unsolicited, bulk – and often unwanted – email. Here are ways to reduce spam:

  • Enable filters on your email programs: Most internet service providers (ISPs) and email providers offer spam filters; however, depending on the level you set, you may end up blocking emails you want. It’s a good idea to occasionally check your junk folder to ensure the filters are working properly.
  • Report spam: Most email clients offer ways to mark an email as spam or report instances of spam. Reporting spam will also help to prevent the messages from being directly delivered to your inbox.
  • Own your online presence: Consider hiding your email address from online profiles and social networking sites or only allowing certain people to view your personal information. 

Phishing

Phishing attacks use email or malicious websites (clicking on a link) to collect personal and financial information or infect your machine with malware and viruses.

Spear Phishing

Spear phishing involves highly specialized attacks against specific targets or small groups of targets to collect information or gain access to systems. For example, a cybercriminal may launch a spear phishing attack against a business to gain credentials to access a list of customers. From that attack, they may launch a phishing attack against the customers of the business. Since they have gained access to the network, the email they send may look even more authentic, and because the recipient is already a customer of the business, the email may more easily make it through filters and the recipient may be more likely to open the email.

The cybercriminal can use even more devious social engineering efforts such as indicating there is an important technical update or new lower pricing to lure people.

Spam & Phishing on Social Networks

Spam, phishing and other scams aren’t limited to just email. They’re also prevalent on social networking sites. The same rules apply on social networks: When in doubt, throw it out. This rule applies to links in online ads, status updates, tweets and other posts. Here are ways to report spam and phishing on major social networks:

Tips for Avoiding Being a Victim

  • Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Before sending or entering sensitive information online, check the security of the website.
  • Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Check out the Anti-Phishing Working Group (APWG) to learn about known phishing attacks and/or report phishing.
  • Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.
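An added example, not part of the original article: the URL check from the tips above, written as a small Python function. It compares a link's domain with a list of sites you actually use and flags a different ending (.com versus .net) or a near-miss spelling. The trusted list, the sample links and the two-label domain rule are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites this user really has accounts with.
TRUSTED = {"examplebank.com", "example-shop.net"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host name.
    Assumption: enough for these samples; production code should consult
    the Public Suffix List (e.g. for names under .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(url: str, trusted=TRUSTED) -> str:
    """Classify a link as trusted, not-https, a look-alike, or unknown."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "not-https"
    dom = registered_domain(parts.hostname or "")
    if dom in trusted:
        return "trusted"
    name, _, tld = dom.rpartition(".")
    for good in sorted(trusted):
        good_name, _, good_tld = good.rpartition(".")
        if name == good_name and tld != good_tld:
            return "lookalike-tld:" + good        # e.g. .net instead of .com
        if 1 <= edit_distance(name, good_name) <= 2:
            return "lookalike-spelling:" + good   # e.g. digit 1 for letter l
    return "unknown"


# Constructed sample links.
SAMPLES = [
    "https://www.examplebank.com/login",
    "https://examplebank.net/login",
    "https://examp1ebank.com/login",
    "http://examplebank.com/login",
    "https://weather.example.org/today",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_link(link):40} {link}")
```

A verdict of "unknown" is not a sign that a link is safe; it only means the domain does not resemble anything on the trusted list.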

What to Do if You Are a Victim

  • Report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close the account(s).
  • Watch for any unauthorized charges to your account.
  • Consider reporting the attack to your local police department, and file a report with the Federal Trade Commission or the Internet Crime Complaint Center.

Protect Yourself With These STOP. THINK. CONNECT.™ Tips

  • When in doubt, throw it out: Links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete or – if appropriate – mark it as junk.
  • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal information.
  • Make your passphrase a sentence: A strong passphrase is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
  • Unique account, unique passphrase: Having separate passphrases for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passphrases.
  • Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passphrases are not enough to protect key accounts like email, banking and social media.

Originally posted on Stay Safe Online