Welcome to Cyber Security Today. It’s Monday January 3rd, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Happy New Year to all of you.
As always my first podcast of the year deals with New Year Resolutions. Now’s the time to think ahead about cybersecurity when the year is still fresh.
I’ll break this up into resolutions individuals should make, and ones for IT leaders.
Individuals should resolve to make sure all their personal Internet-connected devices have the latest security updates. Start by making a list of what you have — smartphones, modems, tablets, laptops, desktop computers, outside video cameras, doorbells and whatever else. Updating phones and computers is relatively easy. Their operating systems can be set for auto-updates. Still, regularly check that patches have been installed. Don’t risk data theft by keeping an old phone or laptop. If your device can’t get updates because the operating system is too old it’s not worth keeping. Modems and routers are harder to update because usually fixes have to be added manually. Check the instruction manual on how to do it.
Resolve to take a second look at your passwords. Make sure they aren’t easy to guess. Don’t use the same password for more than one application or website. Make sure you don’t use the default password that came with the device or software.
Download a password manager so you don’t have to remember them all. There may already be a password manager in your anti-virus or anti-malware suite. Otherwise, check sites like PC Magazine, Tom’s Guide, Wired or Consumer Reports for advice on picking one.
Resolve to put a PIN number on your cellphone account. That way an attacker can’t call up your carrier with a sob story and fake ID and switch your phone to one they control.
If you have children, make sure the computers, tablets and smartphones they use have security features turned on, and have security patches installed regularly. Keep an eye on where kids go online. Judith Bitterli, senior vice-president of consumer marketing at McAfee, also urges IT pros to talk with their families about their cybersecurity, teaching them how to be safe online. That includes reminding them the Internet is a public space so certain personal things shouldn’t be talked about online.
Bitterli also reminds parents who work from home to make sure little ones can’t access computers. She knows of one work-from-home mom whose five-year-old was able to order a PlayStation online without her knowledge.
Finally, resolve to use two-factor authentication where it’s offered to protect logins. Two-factor authentication means that in addition to a username and password you have to type in a six-digit number, or use a fingerprint or facial recognition to log into a device or website.
For organizations, with more staff working from home it’s management’s job to make sure they have the software and hardware to work safely. That not only includes properly configured remote access. It also includes regular training about safe cybersecurity practices.
Cybersecurity is about risk management. You can’t manage risk if you don’t have a plan based on a cybersecurity framework. Briefly, IT leaders have to list what applications and data the organization has, list the security weaknesses and plan for fixing them, have a data backup plan and have an incident response plan. The goal is to create a detailed strategy for the IT staff to follow, and a quarterly report for senior management ranking issues by level of seriousness.
If you’re a small or medium-sized Canadian firm look at the Canadian Centre for Cyber Security’s Baseline Cyber Security Controls framework.
By the way, you need to test the data backup plan and the cyber incident response plan.
That’s a simplified version of what to do. There are lots of resources on the Internet. Some cybersecurity companies your firm deals with have free advice on how to create a strategy. Your industry may have a cybersecurity group that offers advice, or the IT leaders in your community may have formed a resource group.
Remember even companies that spend a lot of money on cybersecurity still get attacked successfully. Usually it’s because they haven’t been rigorous enough in applying their cybersecurity policies. If you’re not rigorous that increases the odds of you being a victim.
That’s it for now. If you need a reminder of this advice see the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.
Cyber Security Today can be heard Mondays, Wednesdays and twice on Fridays on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.