After listening to a hair-raising program in New Orleans that I mentioned in a blog post last week, I spoke to Anurag, who suggested I share his article with my readers, so here it is. If you want to discuss these issues further, you are welcome to contact Anurag or Joe at the contact info at the end of this post. Here are Anurag's five ways you can make your virtual life more cyber secure.
#1 Avoid Using Checks For Making Payments
Your personal checks contain sensitive information: your name, your bank account number, your bank's routing number and, in many cases, your address. Armed with just the account number and routing number, criminals can order blank checks from an online checkbook retailer and start writing checks against your account. So, starting now, stop using checks to make payments. If you must continue to use checks, set an automatic alert on your checking account that notifies you of every check payment; that way you catch check fraud early and can take it up with your bank while the money is still recoverable. Using electronic payment mechanisms and, whenever possible, paying by credit card gives you more time to flag fraudulent transactions, because a disputed credit card charge does not drain cash from your own account the way a forged check does.
#2 Don’t Provide Your SSN Just Because It Was Asked For!
When filling out forms at the local hospital or when seeing a physician, you jot down your name, address and insurance information. Then you come to a space for your Social Security number (SSN). Should you fill it in? If it is your doctor or hospital asking, the answer is no. Doctors, hospitals and other healthcare providers may want your SSN to help with debt collection if there is a problem with your insurance company or an unpaid copay, but you are under no obligation to hand over that information. Just leave that space on the form blank; the provider will likely not ask about it or even notice. If they do, let them know that your insurance ID should suffice and that you prefer not to reveal your SSN unless mandated by law. Every place that stores your SSN is one more place it can be breached, so reducing the number of copies out there reduces your risk of identity theft.
#3 Security Questions… Thou Shalt Not Answer Them Correctly
Many websites and applications now rely on security questions to verify your identity if you forget your password, or as an additional authentication layer. While it is human nature to answer these questions truthfully during setup, it is not the most secure behavior: the true answers are facts, and facts can be looked up. Plenty of people know, or can find on social media, your mother's maiden name, so why not make one up and use that as the answer? Now it is not just an answer to a security question but another password that no one else knows and cannot guess. The wackier the answer, the better. Treat these made-up answers the way you treat any other password: write them down in your password manager rather than relying on memory, since you will not remember a nonsense answer the one time you actually need it. And it is never too late to update your answers if you, like so many of us, answered them truthfully in the first place.
#4 It Is Never Too Late to Reset, Until It Is
With so many hacks and data breaches occurring daily, including the one billion accounts lost by Yahoo, if you have not done so recently, consider resetting all your passwords. Stop and think! Which other websites are using your same old Yahoo password, or your LinkedIn, Adobe, Dropbox, Tumblr, BitTorrent or Evernote password? Yes, they all suffered a breach in the last two to three years, and attackers routinely take the credentials from one breach and try them on every other site. When you do reset your passwords, make sure each site gets its own long password; a password is only as safe as the least secure site you reuse it on. Looking for a secure way to store all of them? Password Safe is a great tool: https://pwsafe.org/. It is a local, encrypted store and easily meets general password needs. There are many other options that offer portability and integrate with different browsers. If you currently keep passwords in Excel or Word documents or on Post-it® notes, then switching to a secure password vault should definitely be on your New Year's resolution list.
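The two habits above, inventing unguessable security-question answers (#3) and finding every site still sharing an old password (#4), are both easy to automate. The following Python script is an added example, not code from the original article or from Password Safe. It generates a random multi-word answer for a security question, then audits a constructed vault export for passwords reused across sites or matching a small constructed set of breached-password hashes. The word list, the vault entries and the breached-hash set are all made up for illustration; a real check would use a full word list and a real breach corpus such as the SHA-1 hashes published by Have I Been Pwned.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed word list, deliberately short. A real generator should draw
# from a few thousand words so that a four-word answer is not guessable.
WORDLIST = [
    "anvil", "biscuit", "cobalt", "dune", "ember", "fjord", "glacier", "helix",
    "iguana", "juniper", "kestrel", "lantern", "marble", "nebula", "otter",
    "pumice", "quartz", "raven", "saffron", "tundra", "umbra", "velvet",
    "walnut", "zephyr",
]


def random_answer(words=4, wordlist=WORDLIST):
    """Random answer for a security question, e.g. 'mother's maiden name'.

    secrets.choice is a CSPRNG; never use random.choice for this.
    The answer is meant to be stored in a password manager, not memorised.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(words))


# Constructed vault export: (site, username, password). Deliberately reuses
# one password on three sites to show what the audit flags.
VAULT = [
    ("mail.example", "alice", "Summer2014!"),
    ("bank.example", "alice", "Tr0ub4dor&3"),
    ("social.example", "alice", "Summer2014!"),
    ("shop.example", "alice", "Summer2014!"),
    ("notes.example", "alice", "correct horse battery staple"),
]


def find_reused(vault):
    """Map every password used on more than one site to those sites."""
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def sha1_upper(password):
    """Hex SHA-1 of the password, upper-cased, the form breach corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus. Real services publish only the
# SHA-1 hashes of leaked passwords (and are queried by the first five hex
# digits of the hash), so the plaintext never leaves your machine.
BREACHED_SHA1 = {sha1_upper(p) for p in ("Summer2014!", "password1", "letmein")}


def find_breached(vault, breached_hashes=BREACHED_SHA1):
    """Sites whose current password appears in the breached-hash set."""
    return sorted(site for site, _u, pw in vault if sha1_upper(pw) in breached_hashes)


def sites_to_reset(vault, breached_hashes=BREACHED_SHA1):
    """Union of everything that needs a fresh, unique password."""
    reused = {site for sites in find_reused(vault).values() for site in sites}
    return sorted(reused | set(find_breached(vault, breached_hashes)))


if __name__ == "__main__":
    print("New security-question answer:", random_answer())
    for pw, sites in find_reused(VAULT).items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
    print("in breach corpus:", find_breached(VAULT))
    print("reset these first:", sites_to_reset(VAULT))
```

Run it as-is to see the reused password flagged on three sites; to audit your own vault, replace `VAULT` with an export from your password manager and `BREACHED_SHA1` with hashes from a real breach corpus. Note that the reuse check is exact-match only: it will not catch "Summer2014!" versus "Summer2015!", which attackers try just as readily.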
#5 Don’t Get Phished
Don't fall for a "phishing attack." Never click a link or open an attachment that you did not expect to receive. Scams today look very convincing, arriving as voicemails, eFaxes, invoices, social media messages, ADP/payroll notices or letters from the IRS. If you are not expecting something, or have to think twice about its contents, don't open it. If you do, you may be handing attackers access to your computer in several ways: an attachment can carry malware, and a link can lead to a look-alike login page that captures your credentials. Remember, your CEO will usually not ask you by email to wire money, nor will your CFO email you to run a W-2 report of all employees and send it back. If they appear to, pick up the phone or walk to their office and confirm the request through a channel the attacker does not control. Finally, organizations should test their "human firewall" by engaging an external firm to provide phishing as a service, identifying the employees who fall for such attacks and need security training.
Need More Information?
This blog was originally included in the Withum Journal and was written by Anurag Sharma, CISA, CISSP, CRISC, MBA, Withum Principal. Anurag can be reached at firstname.lastname@example.org. If you have any questions about cyber security or would like to discuss your cybersecurity plan, please contact Anurag or Joe Riccie, Partner, email@example.com, both members of Withum’s Cyber Secure Services Group.