TL;DR: Don’t click on the link! Don’t open that attachment.
We’ve all been there: email from someone we know; attachment that looks legit; click; Oh no! Now what? And phishing attacks have gotten more subtle and sophisticated. The most common type looks like it comes from a company you actually do business with (think Amazon, PayPal, etc.) and asks you to reset your password or otherwise “correct” an “urgent” issue with your account. It mimics all the formatting and logo-ing from the actual company. However, while the link looks like it will take you to a good place, it actually redirects to the hacker’s site.
What to do? The simplest thing is to never click on links in emails. Instead, go to the website in question (Amazon, PayPal, etc.) and log into your account. You can always change your password that way, and legitimate communications will not ask you to click on a link to deal with any sensitive information.
2. USB drive
There’s a super cool, high-storage USB drive on the floor under where the computer nerd was working at the coffee shop. You’d like to keep it, but you think you should first see if you can identify its rightful owner. So you insert it into your USB port. And now your laptop is a brick. Or worse, you use that USB on your work network and it infects the system!
Or you want to work on some work documents at home, and instead of using some secure file-sharing service you slide those files over onto a USB drive and stick it in your jacket pocket—and it falls out when you pull out your gloves in the parking lot. Bad news: You didn’t password protect the files or encrypt them, and now some miscreant has sensitive information.
What to do? Never take candy from a stranger—and never use a strange USB drive. Never. There ya go. That simple. Regarding your USB drive: Treat it like it’s a credit card—actually it’s less secure than a credit card because you can cancel a stolen card, but you can’t get back your stolen data. For more information about more sophisticated USB issues, see “more reading” below.
Yeah, you’d never make this mistake. No one would, right? You install some new software and use the user name and password that come with it. You get interrupted before you’ve had a chance to really get into it. When you get back to it, you have a deadline so you dive right in with the new software and get started. And yes, you forget to change “user” and “password.” You might think that no one would really make this mistake, but in case you haven’t heard, the Equifax breach was precisely this easy. Take a few minutes to read what Brian Krebs wrote about this (below).
4. My Favorite Password
Passwords get two entries because it started innocently enough: You came up with a really great password (your grandmother’s first dog’s name and favorite toy and food plus the year of his birth). It’s so great, you use it for both your favorite email and for your online banking. And your Tinder account. And Amazon. But really, there’s even more at stake when you get to choose your own password for sensitive work data: credential theft is often the target of phishing attacks and can affect more than your Tinder account: it could affect your work network or be the key to stealing your customers’ data. Consider a password manager. Or at the very least, use different passwords for different accounts, and read the tips below for creating strong ones (some of the best are full sentences).
5. Work from home
You’re ambitious and overworked. You open your Dropbox files (or an MSWord attachment or anything, really) at home on your kid’s computer because you just need to do a few quick things and your laptop is outa juice. But you haven’t updated virus scanning on his old machine in a while. A virus latches on and then gets shared with your workgroup. Dropbox isn’t unique in its vulnerability (see below for their helpful tips).
What to do? Run anti-virus software; be careful what websites you open (or what your kid opens); stick to work machines for sensitive work.
Fun reads and views
Watch as Richard Ford gives an overview of typical security issues: http://techfieldday.com/video/forcepoint-welcome-and-introduction-with-richard-ford/
Here are some ways employees compromise their company’s security: https://www.virtru.com/blog/enterprise-data-security/
USB drives and how they’re hacked: https://www.kaspersky.com/blog/encrypted-usb-drives-audit/17948/
Is your username/password on this list of stolen credentials? https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
A story of the sentimentality of password choices: https://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html
Yeah, Equifax really did that: https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/
Development/coding security into apps: https://www.toptal.com/security/10-most-common-web-security-vulnerabilities
Short article on how to create a password: http://www.businessinsider.com/hacker-strong-password-2016-4
In-depth info on passwords: https://www.takecontrolbooks.com/passwords
Dropbox security tips: https://www.dropbox.com/help/security/viruses-malware
File-sharing safety tips: https://digitalguardian.com/blog/6-security-risks-enterprises-using-cloud-storage-and-file-sharing-apps