Protecting your data on the web from e-mail to e-commerce: What the average user needs to know.

It seems almost every day someone from the sales department asks me, ‘Why is security important?’ ‘Why do we have passwords on everything?’ ‘Can’t we make it easier?’ We do a lot of our business online, and email is an integral part of our organization. If any of our clients’ data is ever compromised we could face heavy fines, or worse, our clients could lose faith in our ability to provide the services that keep our doors open. By hook or by crook, criminals and impostors are every day using ever-changing techniques to impersonate known contacts in an attempt to exfiltrate valuable information. And of course, all the authentication in the world is useless if you are using a predictable password. Only with a random password and a vigilant attitude can you hope to fend off the fiends that are after information which at face value may not seem damaging, but in the right hands could be the key to hijacking someone’s identity and illegally profiting from our lack of discretion. With cyber security attacks on the rise, now more than ever, we need to be en garde and security conscious. As we are not only protecting our own security, but the well-being of our clients, we should remain cognizant of the threats that constantly peek over our shoulder, analyzing our current actions and anything we have ever done. The following is an essay I have compiled to convince you of the ever-present danger of identity theft, and the means by which bad actors may attempt to assume your identity, or the identity of someone you know, in an attempt to gain some sort of financial advantage. In the following newsletter, we shall review best practices, possible profiles of bad actors, and resources for future questions you could encounter afield. Beyond briefing you on appropriate actions and behavior concerning account creation and hardening, I will be providing you with references and resources to expand your education and refresh your memory when the need arises.

As your internet history is forever subject to scrutiny, there are some appropriate precautions we should ingrain in new hires. By forming best practices and habits early, we can ensure the trust of our clients and the reputation of our company. Best practices include:

- Proper passwords. Any password that can be tied to obvious aspects of your life (pet names, child names, spouse names, college teams, or anything else you identify with) can be guessed. Only a random password with letters and numbers, or optimally a passphrase of 20+ characters (e.g. “The tater tots are as cheesy as most of my jokes.”), can withstand the scrutiny of a randomized brute-force attack.

- Data encryption. Make sure websites are HTTPS enabled; you can ensure this by looking for a green lock next to the URL you are visiting (the white bar at the top where you type www.google.com). If you cannot see the green lock, do not submit any personally identifiable information, especially your credit card.

- Be on the lookout for impersonators. Always verify the sender of any email you receive, and double check who the recipient is when you click “Reply To”. A common act of obfuscation is to pretend to send mail from a trusted source, only to redirect the reply to an alternate email account, which lets some acts of impersonation go unnoticed and makes tracing the culprit difficult, if not impossible.

- Only operate on trusted networks. Even if you have a good password, and you have personally confirmed you are speaking with a legitimate correspondent, you could still be fooled into giving away valuable information by sending it over an unsecured network. Public networks, like those found in airports, hotels, coffee shops, and more, could be compromised or entirely fraudulent: a wireless network set up as a honeypot to trap unsuspecting users into revealing login information, passwords, or other invaluable credentials. Only by paranoia and vigilance can you ensure this will not happen to you.

It isn’t only your email that suffers vulnerabilities. The cell phone is one of the most overlooked devices when it comes to information security. Even an old phone can contain sensitive information, and the FTC recommends ensuring a factory wipe of your mobile device before disposal (FTC, 2012). Also, you should keep your postal mail safe. Install a lock on your mailbox to prevent identity thieves from utilizing the personally identifiable information present in checks and billing statements. Thoroughly destroying personally identifiable information on statements, envelopes, even prescription bottles can go a long way in preventing identity theft. Even the smallest bit of information can be dangerous in the right hands, so no detail should remain underestimated. But even this is not enough. Most phishing attacks occur not over snail mail or email, but over the plain old telephone. Always be wary of someone calling you asking for credit card information or social security numbers. Even if the voice is familiar, find an excuse to call back at your convenience. That way you can ensure the person on the other end of the line is actually who they say they are, and that you have a verified line of communication established in case the unthinkable happens. Once you have established a verified line of communication, you should lightly (or heavily) interrogate the person requesting your personal information. Ask why they need your information. If it’s for the purposes of verification, ask if there are alternate means by which they can verify your identity. Ask how they will use your information. It’s possible that it’s an optional service they are trying to perform, and is not necessary for the services you wish for them to perform. Inquire about their security practices, how they will ensure your information will not fall into the wrong hands, and what they will do with your information when they are finished with it. Sometimes even reputable companies are found guilty of selling identifiable information from their databases, so never take your privacy for granted. Finally, ask what will happen if you refuse to comply with the request. Sometimes this is all it takes to exempt yourself from having to share your personally identifiable information.

What needs to be done? Emails and data don’t go away. Even if we can’t recover it, someone can find it, given the means and motivation. We need to assume that, eventually, every email will be read by a bad actor. That means never discussing user account login information or passwords via email. Lock up your devices. Never leave your cellphone or laptop unattended, and only take your devices to reputable repair services. Never discuss social security data, mothers’ maiden names, dates of birth, or other personally identifiable information. Vermont is tough on consumer data leaks, and we don’t want to be responsible for the theft of anyone’s identity. You can do your part in ensuring that doesn’t happen by constantly verifying the source. Any email you receive, especially “Re:” replies, can be forged and spoofed. Make sure it comes from a recognizable address, that the …@gmail.com is spelled correctly, and in the instance of a “new” email account, verify the identity of the sender via phone or in person. Keep in mind that new attacks are hatched all the time, and this is by no means a comprehensive list. Consider this a guideline for your future cyber security strategies. Only by assuming everyone is an infiltrating doppelganger looking for compromising information, whether by hijacking email accounts, making similar-looking accounts, or using other elaborate phishing techniques, can you ensure you won’t fall for an obvious attempt to pull the wool over your eyes. Always consider how you would attempt to glean information out of someone, and be aware of the methods that could be used to glean information out of you.
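One defender-side check for the two email points above (a “Reply To” that silently redirects your answer to another mailbox, and a sender domain that is almost but not quite spelled right), as an added Python example that is not part of the original newsletter; the trusted-domain list and the sample message are constructed for illustration:

```python
# Added example (not from the original newsletter): flag the two impersonation
# tricks the text describes: a Reply-To that redirects answers to a different
# mailbox, and a sender domain that is a near-miss spelling of a trusted one.
import email
from email import policy
from email.utils import parseaddr

# Assumption: the organisation keeps a short list of domains it normally
# corresponds with; the names below are constructed for this example.
TRUSTED_DOMAINS = {"gmail.com", "example-client.com"}

def domain_of(header_value):
    """Return the lowercase domain part of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, enough to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw):
    """Return a list of warning strings for a raw RFC 822 message text."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        warnings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    if sender not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(sender, trusted) <= 2:
                warnings.append(f"sender domain {sender} looks like {trusted}")
    return warnings

# Constructed sample: a forged "Re:" whose answers would go to another mailbox.
SAMPLE = """From: Alice Client <alice@gmai1.com>
Reply-To: Alice Client <alice.client.mail@example.net>
To: you@example.org
Subject: Re: wire details

Can you resend the account number?
"""

if __name__ == "__main__":
    for warning in check_message(SAMPLE):
        print("WARNING:", warning)
```

Running it on the constructed sample prints two warnings: one for the redirected Reply-To and one for the “gmai1.com” lookalike of gmail.com.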

I hope these brief points have helped explain the urgency of securing our correspondence and the constant vigilance that we need to maintain in order to protect our valuable clients’ financial information. Not only is our bottom line at stake, by means of fines for a lack of compliance, but our reputation as a trustworthy institution is on the line. All it takes is one data breach for us to lose clientele or even listeners. Therefore it is imperative that we execute due diligence in the protection of our devices and phones. If you want more information about tightening your mobile phone, remember you can check here: #best-practices-for-phone-security (Security in a Box, 2017), and if you are looking for a simple infographic to explain various types of email threats, you should go here and print out this handy PDF: http://impostor-email-threats-infographic/ (Proofpoint, 2017). Remember, no amount of convenience is more important than information security. Even if you are not under scrutiny now, your information persists and you could be targeted many years from now. So do your future self a favor and protect any data you are responsible for. Never send passwords or personally identifiable information over email, and your mission, if you choose to accept it, is to consider every missive as a top secret document.

FTC (2012). How to keep your personal information secure. https://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure
Security in a Box (2017). Best practices for phone security. https://securityinabox.org/en/guide/mobile-phones/#best-practices-for-phone-security
Proofpoint (2017). Impostor email threats infographic. https://www.proofpoint.com/us/impostor-email-threats-infographic
