Keeping Your Personal and Professional Data Safe – the Importance of Cybersecurity
October is National Cybersecurity Awareness Month (NCSAM). NCSAM was started in 2004 by the National Cyber Security Division within the Department of Homeland Security and the nonprofit National Cybersecurity Alliance, with the purpose of raising public awareness about the importance of cybersecurity and keeping Americans safe and secure online.
Our lives are digital. From our homes to our offices and cubes, we work, learn and are social online. Everyone has a role in making our digital space secure – including knowing the malicious methods cybercriminals use, how people become easy targets, how to spot potential threats and what to do to avoid falling victim to them.
We sat down with John Childers, Information Security Director, and Brandon Black, Security, Governance, Risk and Compliance Manager to talk about NCSAM and what all employees can do to better protect themselves from threats.
John has been with Essential Utilities for 11 years. His responsibilities include leading Essential’s cybersecurity program and developing our functions for IT and OT security engineering, technology risk management, incident response, and cybersecurity compliance. John also teaches as a part-time Adjunct Lecturer at Penn State University’s World Campus in the Security Risk Analysis curriculum.
Brandon has been with Essential Utilities for four years. His current responsibilities include leading Information Security’s Governance, Risk and Compliance team, which focuses on vulnerability management, assessing risk, security compliance, and overseeing functions for access management.
Why is cybersecurity important to personal security and to the company?
JC: This is an important question. Technology touches all of our lives both personally and professionally and it’s important to have a plan in place to address cybersecurity. Everyone in the company who uses our technology has a role in protecting it. There is also the thought that “it’s not going to happen here.” But it can happen anywhere – that’s why the company has plans in place to reduce the risk – but it’s everyone’s job to be vigilant.
BB: Cybersecurity is an all-hands approach. Protecting sensitive data both at home and at work requires buy-in from everyone and every user. Data can be exploited anytime from anywhere and it’s important to know what to do if that happens. There is also a human element to the exploitation – someone innocently clicks on a site, opens an attachment, processes a payment. It’s so important to know the tips for avoiding these situations.
What are some of the basic cybersecurity terms everyone should be aware of?
- Social Engineering – A category of techniques where a malicious actor attempts to manipulate human nature to achieve a specific outcome. Social engineering includes attacks you may be familiar with such as phishing, but can also include text messages, social media requests, phone calls or in-person requests. The attacker will typically exploit urgency, fear, opportunity, or trust to accomplish one of the following goals:
  - Obtaining sensitive information such as your username and password
  - Gaining access to sensitive data or even facilities
  - Bypassing our security controls to run malware or provide unauthorized access to our technology systems
  - Transferring funds or processing fraudulent payments
- MFA/2FA – Multi-factor authentication and two-factor authentication are techniques used to improve the security of authentication beyond a username and password. At a conceptual level, authentication involves something you know, something you have, or something you are. In most cases, access to a system or data involves something you know, such as a username and password, but multi-factor authentication requires at least two of those elements: for example, your username/password as something you know, and something you have such as a phone to receive an authentication text message or an app such as Duo to confirm your identity when logging in. The ‘something you are’ category of authentication involves biometrics such as a fingerprint, eye scan or Apple’s Face ID. When we combine more than one authentication technique, the security of systems and data greatly increases.
- Malware - Malware is a broad term for several types of malicious software, and includes terms you may have heard such as viruses, worms, and ransomware. Malicious actors use malware for many outcomes, such as gaining unauthorized access to our systems and data or disrupting the technology that supports our business processes. Ransomware is a type of disruptive malware that has become very popular with cyber-criminals over the last several years and is used to encrypt data and prevent access to technology in an attempt to extort money from the target.
What are your top 5 tips to help protect data and privacy online?
- Multi-factor Authentication - One of the easiest things you can do to improve security and privacy is to turn on multi-factor authentication for any type of online account that you have. Many services will prompt you to do so such as your bank or healthcare organizations, but you should turn this on for all of your business and personal logins. In the business environment, contact IT for help on questions related to multi-factor authentication.
- Passwords – Make sure to follow best practices to keep your passwords secure. Here are some tips:
  - Use passphrases instead of passwords. For example, instead of a single word, use a sentence such as ‘I went to the beach 3 times!’.
  - Use a separate password for each of your accounts and avoid reusing the same password for multiple logins. If a reused password is compromised or disclosed, cyber-criminals will try it against any other services they can identify as yours.
  - Avoid easily guessed and insecure password components such as:
    - Any form of company name, season, month, and year, such as CompanyFall2022 or MarchSpring2022.
    - Any personal information that can be easily found online, such as your town, important dates and anniversaries, or family member names. Cybercriminals will often search through social media for this type of information.
  - Never share your passwords with anyone else.
- Privacy Settings – One of the best things you can do is review the privacy options available to you for the technology services you use. Many people are unaware that they can limit how companies use and monetize their data. Good places to start are your social media accounts such as LinkedIn and Facebook, but also other services such as Comcast, Verizon, and Amazon.
- Software Updates - To keep your technology secure, make sure to apply security updates when they are released. In the business environment, IT takes care of this, but for your personal devices such as your computer, phone or tablet, the best practice is to turn on the setting that applies security updates automatically. These updates help to fix any newly discovered vulnerabilities in the software. Always make sure to only apply security updates that come directly from the software provider or manufacturer, and not from third party or unauthorized sources.
- Know When to Engage IT – When you are looking to implement a new technology, or need access to new software, engage IT early in the process. IT and Information Security can help you meet your business objectives while ensuring that we protect the confidentiality, availability and integrity of systems and data appropriately, which helps us manage our cyber risk.
What happens if you click on something or see a suspicious e-mail?
JC: In general, the first place to report any suspicious email is to your security team, or your IT help desk if you are unsure who to contact. If you have a suspicious email, have your security team in IT evaluate it before interacting with the sender, clicking links, or taking action that the email requests.
BB: If you have a security incident at home, there are agencies you can report this to. There are great free resources to help you understand what to do before and after a security incident, such as:
What are the risks in accessing free Wi-Fi?
JC: Know what you are connecting to – if you are in a public place (hotel, café) you don’t know what else is on the network and who can see what you are sending over the network – just be cautious when accessing sensitive data on public networks. When possible, try to avoid accessing your sensitive accounts when using public wireless.
BB: Most important – when traveling, use VPN – this provides security and protection and helps to make sure that the data you are sending is protected from anyone else on the network. Make sure that when you are using technology in public places, such as a coffee shop or café, to consider whether anyone can see your screen and any sensitive data you are working with.
Thanks to John and Brandon for talking with us about this important topic.