used with permission from Tektonika (HP)
Information security breaches are becoming so commonplace, they’re seen as the cost of doing business—but they don’t have to be. Promoting internet safety and device security isn’t as hard as it might seem. By making small changes to online behavior, IT professionals and users can do a lot to keep their business safe. And the first way you can start is:
Wait, what? You read that right: The National Institute of Standards and Technology (NIST) recently came out with new guidance on password best practices. According to Mike Garcia, former director of NIST’s Trusted Identities Group, the gist of these guidelines is, “Simply put: Use passphrases, not passwords.”
This is great news for any users who spend a lot of time in “Forgot Your Password?” purgatory. For years, the advice for keeping passwords hacker-proof was to make them more complicated. But that made them user-proof, too. The primary goal of NIST’s new guidance was to come up with a way for people to create logins that would be easy for them to remember but hard for anyone else to figure out.
The secret to creating memorable but unhackable passphrases is the power of association. Instead of using a random combination of letters, numbers, symbols, etc. for passwords, teach your users to create passphrases leveraging words they’d associate together but no one else would. Garcia gives an example inspired by his kitchen: “blender vent sauté pendant red chair.” These words are all associated in his mind, but probably no one else’s (until now). Even if someone found out the passphrase was related to his kitchen, they’d still need to see the kitchen in question to even begin guessing the rest of it.
A good passphrase is a lot harder to guess than “Password1” or even “H@veAn1ceDay!,” but you still wouldn’t want to leave your company’s or customers’ data vulnerable if someone happened to guess it. That’s where the next part of Garcia’s advice comes in: “Don’t rely on passwords, or even passphrases, alone.”
Instead, you should consider adopting multifactor authentication. Having a second login method on a separate device, like a cell phone or YubiKey, ensures it really is the account owner who is logging in—not an impostor. Multifactor authentication is fairly easy for IT pros to implement and for users to adapt to, so everyone can rest a little easier with that added boost to your internet safety and security.
Another easy way to boost your security is to use devices with security built in—not “bolted on.” Devices that come with continuous monitoring and intrusion detection can help IT detect suspicious behavior and prevent breaches before they occur. For example, some modern printers have embedded security features that scan for malware, automatically shutting down and rebooting if any is detected.
The age of the Internet of Things (IoT) makes endpoint device security especially important. I Am The Cavalry, a grassroots organization of IoT security researchers and policy advocates, has developed a “Five Star Framework” to help companies build more secure devices. They recommend having air gaps, or physical and digital separation, between critical and noncritical systems to make sure that if the stereo gets hacked, for example, the car will still keep running. While the group’s guidelines are primarily written for connected cars, they can be applied to any connected device—from thermostats to printers.
Purchasing devices that were designed with security in mind from the beginning is one efficient way to make the internet—and everything connected to it—a little safer.
Everyone knows not to click on that email from “Yu0r Mother!” or the Nigerian prince, but hackers are bumping up their phishing game. Social engineering, or the practice of using natural human tendencies, like trust or a willingness to help, is the hackers’ new strategy, and they’re getting good. Many are using a technique called “spoofing,” where they pretend to be someone else inside your company—like the CEO or someone from payroll—to fool users into sharing credentials or other personal information. Not only that, but attackers are also using spear phishing, or highly tailored messages, to make their phishing more believable.
The most important thing you can do to minimize phishing is educating users as to what they should look out for. However, given how smart phishing scams have become, there’s a chance someone will still click a link, no matter how good your education program. To prevent these incidents from becoming emergencies, you need to cultivate trust between your security team and your users.
Information security analytics Tracy Maleeff demonstrates why this is important by telling a story of using empathy to handle a phishing incident. The story starts when she received an email from an employee that read, “I clicked on a suspicious link. What do I do now?” Instead of getting angry or frustrated, Maleeff says her first reaction was relief: “I don’t even want to think about how many clicks on suspicious links go unreported,” she writes. She was grateful the user felt he could trust her enough to report the incident before it grew into a true security breach.
Maleeff called the user on the phone, used nonjudgmental language as she walked him through remediation steps, and ended by thanking him for reporting and wishing him a happy, “cyber safe day.” And she did it all in less than 10 minutes. The takeaway: “When you can spare some time, show empathy. The language I used and the steps I took were towards the greater goal of creating a culture of security.”
With the constant barrage of breaches and tales of ransomware in the news, it might seem internet safety and device security are little more than fantasies. But they’re easier to achieve than you think. Passphrases, multifactor authentication, built-in security, and a supportive security culture can all help keep your company safer.