What is it about cybersecurity that sends a chill down the spine? Maybe it’s our understanding that it can never be fully understood—never fully stopped. Maybe it’s that just as soon as we think we have it handled, we learn that we never could.
In this post, I’ll attempt to put a little courage where before, cyber fear may have lived. In each card, I’ll ask, “Which of the following is a security best practice?”
You’ll respond (in your head or out loud…it’s up to you) and then keep reading to see how well you did. You’ll also see some cybersecurity facts and stats scattered throughout this post. Don’t let that information frighten you—even though it’s almost Halloween…
Let’s get started.
Which of the following is a security best practice?
Question 1: Password security best practices
There are many schools of thought about the best, most effective way to store passwords, but here are a few cybersecurity best practices that you should keep in mind:
- A browser's built-in password store is only as safe as the logged-in user session: on most desktop systems any program running as you, including infostealer malware, can ask the operating system to decrypt it. If you store your passwords there, those passwords (and all the data "secured" behind them) are at risk.
- Because attackers know that web browsers hold a lot of usernames and passwords, they target them. To them, it's like using one stone to hit a billion birds.
With the number of apps and sites we log in to every day, there is no realistic way to avoid saving passwords somewhere. So, instead of letting your browser save them, use a dedicated password manager like 1Password, and let it generate a long, unique password for every account.
Answer A: Using a password manager.
Question 2: Multifactor authentication
Never—ever—EVER—share passwords with other people. Today’s colleagues become tomorrow’s ex-coworkers. (Too rough?) Beyond that, it’s just unsafe and insecure.
Instead, protect your confidential information with:
- A username: Usually this is an email address. The username identifies you but is not a secret, so the real protection comes from the two items below. Use an email address that only you have access to. If it's a work-related app, use your work email. If it's an app you use in your spare time, use your personal email. You get the idea.
- A password: Make it long (length matters more than any particular symbol), never reuse it across accounts, and ideally let your password manager generate it. Mix in numbers, uppercase, lowercase, symbols, hieroglyphics and runes (just kidding about those last two).
- Multifactor authentication (MFA): MFA protects your account even if an attacker gets hold of your username and password, because a second, independent factor is required to log in. Factors come from three categories: something the user knows (a password; security questions count here too, but they are the weakest option), something the user has (an authenticator app on a phone, or a hardware security key) and something the user is (biometrics such as a fingerprint). The most common second factor is the one-time code from an authenticator app.
Answer B: Protecting data with a username, password and multifactor authentication.
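To make the "even if the attacker has your password" claim concrete, here is an added example (written for this post, not code from the original or from 1Password) of a login check that requires both a password and a one-time code from an authenticator app. The code implements RFC 4226 HOTP and RFC 6238 TOTP (SHA-1, 6 digits, 30-second step) with the standard library only; the user record, the username `jane@example.com` and the function names are hypothetical, and the TOTP secret is the RFC 6238 reference secret so the reference code (287082 at Unix time 59) can be checked.

```python
"""Password + TOTP login check (added example; not from the original post).

Shows why MFA still protects an account after the password leaks: the
correct password alone is rejected, and a one-time code from an
authenticator app (RFC 6238 TOTP, SHA-1, 6 digits, 30-second step) is
required as well. The user record and all names are hypothetical.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

STEP = 30     # TOTP time step in seconds
DIGITS = 6    # code length displayed by the authenticator app
WINDOW = 1    # also accept the codes one step before/after (clock drift)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random per-user salt (the 'know' factor)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, int(at // STEP))


def verify_totp(secret: bytes, code: str, at: float) -> bool:
    """Accept the code for the current step and WINDOW steps either side,
    comparing in constant time so timing leaks nothing about the secret."""
    counter = int(at // STEP)
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-WINDOW, WINDOW + 1)
    )


# Constructed sample user record (hypothetical), as a server would store it:
# password hash, its salt, and the TOTP secret shared with the user's app.
_SALT, _PW_HASH = hash_password("correct horse battery staple")
USER = {
    "username": "jane@example.com",
    "salt": _SALT,
    "password_hash": _PW_HASH,
    "totp_secret": b"12345678901234567890",  # RFC 6238 reference secret
}


def login(username: str, password: str, code: str, at: Optional[float] = None) -> bool:
    """Both factors must pass. The password hash is computed even for an
    unknown user so response time does not reveal which part failed."""
    at = time.time() if at is None else at
    user = USER if username == USER["username"] else None
    salt = user["salt"] if user else os.urandom(16)
    expected = user["password_hash"] if user else b"\x00" * 32
    _, digest = hash_password(password, salt)
    password_ok = hmac.compare_digest(digest, expected) and user is not None
    code_ok = user is not None and verify_totp(user["totp_secret"], code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 Appendix B reference time; 6-digit code is 287082
    good_pw = "correct horse battery staple"
    print("TOTP at t=59:", totp(USER["totp_secret"], t))
    print("password only:", login("jane@example.com", good_pw, "000000", t))
    print("password + code:", login("jane@example.com", good_pw, "287082", t))
```

Run it with a stolen password and a guessed code and `login` returns `False`; only the password plus the code currently shown by the app (or the one from the neighbouring 30-second step) succeeds. Security questions, by contrast, are just a second "something you know", which is why the next questions in this post treat their answers as secrets to keep off social media.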
Question 3: Email due diligence
As long as the sender is who they say they are, both A and B responses would be okay. But…what if they weren’t? What if the hacker had access to the sender’s inbox, continued to pose as them and convinced you to open the email attachment?
It’s not totally out of the realm of possibility. Business email compromise (BEC) is getting more popular all the time. (And don’t even get me started on deep fakes.)
“Business email compromise (BEC)—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.
In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request.” FBI
There's only one reliable way to verify that the sender is who they say they are: use a different communication channel to confirm the request. In this case, the security best practice is picking up the phone and calling. Call a number you already have on file, never one taken from the suspicious email itself, since an attacker who controls the inbox also controls the signature block.
Answer is C: Call the sender to verify they sent you the attachment.
Question 4: Social media best practices
Believe it or not, there is a right answer. And while we’d love to go with A, captioning a photo with a beloved animal’s name is actually a big negative, according to the FBI.
When it comes to sharing personal details online, don't. Even if you weren't using "Sirius" as a component of your password, you may have used it to answer one of those pesky account-recovery questions. You know the ones: "What was the name of your first pet? What's your mother's maiden name?" Those answers work exactly like a password, and a scammer who reads them off your profile can use them to reset your real password.
Don't give the scammer any information. Keep the following off the internet, just to be safe (better still, answer security questions with random text and store the answers in your password manager, so nothing you post can be used against you):
- Pet names
- Any schools you attended
- High school jobs
- Your birthday
- Family members’ names
- Favorite movie, book, etc.
Answer is B: “Woman’s best friend.”
Question 5: Transferring personal information
This answer? Purposefully tricky. While A may be the most secure, it’s definitely not the most efficient. Three years ago, in the lockdown days, it wouldn’t have even been possible. Additionally, it limits the geographical area you’re able to serve.
For this reason, the answer is C. It's the most secure and efficient way to grant clients access to a cloud portal where they can enter their PII (personally identifiable information) themselves, with each client getting their own credentials and MFA, so the data never travels through email, text or a voice call.
After all, do you really need to know their Social Security number? Do you really want to take the time to read and confirm numbers over the phone?
Answer is C: You give them their own unique username and password to your cloud portal—insist they enable MFA—then have them fill out the information themselves.
Were you able to answer the security best practice questions correctly?
Reading this post thoroughly gives you a start on security best practices. An even more effective way to build them? Signing up for ongoing cybersecurity awareness training.
Nearly three in every four breaches—74% to be exact—include the human element. This is based on research done by Verizon for their annual Data Breach Investigations Report.
That means in nearly three of every four breaches, a person was somewhere in the chain, through one of the following:
- Simple error
- Privilege misuse
- Stolen credentials
- Social engineering
Security awareness training addresses every item on that list. It would not have stopped all of these breaches, but it would have lowered the probability that many of them occurred.
Cyberbreaches: The scary truth
No person is completely immune to error; no company is 100% safe from a breach. But you can do several things to keep yourself safer:
- Implement ongoing, year-round security awareness training: Security best practices training should be offered across the business. From receptionists to executives, everyone needs to be trained.
- Consider an outside technology provider: Seek out an IT provider who specializes in your niche, offers 24/7 support and has plenty of security experience.
- Use a managed cloud: The cloud offers more than just security benefits—it improves productivity across the organization, provides a collaborative workspace for users that updates in real time and so much more. Keep in mind: Not all clouds are built the same. You’ll want to make sure any cloud technology you’re using is managed by a vetted provider and that it offers additional services (like automatic backups, 24/7 support and more.)
For more information about securing your accounting firm or small business, subscribe to our blog today.