By Mike DuBose and Blake DuBose
Americans are spending more time and money online than ever. Nearly 75% of respondents in a 2015 Pew Research Center survey said that they went on the Internet daily, and 21% reported going online “almost constantly” (that number rose to 36% in respondents aged 18-29). More than half of people now do most of their shopping online rather than in person, according to a 2016 Wall Street Journal article by Laura Stephens dealing with a survey of more than 5,000 shoppers. The Internet is also the second most popular place for Americans overall to get their news, following television. Amongst people less than 30 years old, it’s the most popular news source.
Countless amounts of data—images, words, music, video—pass through the Internet every day. Most people are just looking for entertainment, work, shopping, or learning…but there are others who are seeking something more sinister. They use viruses, malware, spyware, and other tricks to steal information, usually with the end goal of obtaining money. As organizations like Sony, Staples, and even the IRS have learned in recent years, successful attacks can be costly, both in terms of financial impact and client trust.
According to a Forbes column by Dina Moskowitz, the average cost to a company as a result of a data breach is $3.79 million, in the form of “remediation costs, lost productivity, legal fees, lost data, and lower stock prices.” After hackers gained access to roughly 40 million consumer credit and debit card accounts in 2013, retail giant Target was forced to spend $252 million to manage the fallout, with $100 million going toward new cash registers, upgraded security technology, and settling litigation. Profits and sales both dropped considerably in the weeks and months following the breach (by nearly 50%, in some estimates)!
No one is immune from hackers’ attacks, from individual citizens up to divisions of government. In fact, one of our personal computers was hacked, with an outsider gaining control over it. Mike watched in amazement as the pointer from his mouse seemingly moved on its own to open up attachments! (Before any more damage could be done, he promptly powered down his computer until an IT expert could remedy the situation.)
Large organizations tend to have entire departments dedicated to securing their data online. But what can smaller companies and individuals without the budget to hire technology professionals do to protect themselves? Based on recommendations from our partners at Carolina Business Equipment, interviews with technology experts at DuBose Web Group, and other research, we recommend taking the following measures to help increase your online security at home and at the office.
Software and Hardware
Obtain security software. Security software helps protect your home and office computers from malware, spyware, and viruses…but which type of software should you or your business buy? As it turns out, you may not need to buy it at all! Several professionals we interviewed (or whose research we read) said that most computers that run on Windows are equipped with strong security options from the get-go. Windows Defender comes pre-installed in many recent versions (8, 8.1, and 10), and those running earlier versions of Windows can download Microsoft Security Essentials for free from Microsoft’s website. As long as you keep software current and use common sense in your online interactions, this should eliminate many threats.
To add an extra layer of protection, you can install additional software. There are numerous options on the market, with many of them costing nothing. Avira, Bitdefender, Avast, Panda, and AVG are some top free options, according to Consumer Reports and several technology publications. In addition, Malwarebytes, although not an anti-virus program, removes and protects against malware and can be a helpful (and free) supplement to other security software. In terms of paid programs, Consumer Reports recommended BullGuard Internet Security, G Data Internet Security, and ZoneAlarm Pro Antivirus + Firewall 2016 as its top picks in 2016.
Keep security software updated. No matter how comprehensive your security program may be, you need to update it regularly for it to work to its full potential. New threats are constantly being introduced—but software updates to combat these dangers are typically developed soon after. Update your security software, browsers, operating systems, and apps on your computer, smartphone, and any other devices that are connected to the Internet. At the DuBose family of companies, we typically wait until the second version of an update is released before updating on our devices. That way, most of the bugs in the first version have been worked out!
Scan devices before using files contained on them. When plugging in a USB stick or other external memory device (such as a hard drive), run a scan on it using your security software to make sure it has not picked up any viruses. Avoid using others’ flash drives, which could be contaminated. You should also run any questionable attachments you have been sent via e-mail—especially if you don’t know the sender or you weren’t expecting the message—through your security system’s file scanner if you are considering opening them. Even friends can accidentally send you attachments with viruses on them if their computers have been infected, so it’s important to be cautious! Otherwise, you may be helping hackers install malware on your own computer.
Require a password to start up your smartphone and computer. If your phone or computer falls into the wrong hands, it’s more than just a matter of losing an expensive piece of machinery—you’ve also potentially given a stranger the ability to steal your identity. Depending on the types of documents, photos, and passwords you have saved to your device, a thief could figure out your social security number, access your bank and credit card accounts, or even try to blackmail you to send them cash. To help keep this from happening, set up your computer and cellphone so you must enter a password to unlock each of them before using. Something this simple can also be very effective; potential thieves will be locked out after the tenth failed attempt to access Apple iPhones using a numerical code and will likely move on to easier prey. Some newer smartphones even allow you to unlock the phone using your fingerprint!
Guard your laptops, tablets, and cell phones. Unattended technology devices are attractive targets for thieves because they often hold valuable information and can eventually be resold. Busy areas where many people are passing through (such as airports or popular restaurants) are some of their favorite hunting grounds. For example, Mike’s iPhone was stolen from a Delta Airlines SkyClub in Atlanta, Georgia. When activated, the “Find My iPhone” feature used satellite data to show the phone at a Michigan airport. Since the phone was clearly labeled with Mike’s business card and contact information, this was clearly not a mistake! We moved quickly to deactivate the phone and cut off the thief’s access to Mike’s e-mails and other sensitive documents.
Be sure to wipe your smartphone or computer completely clean before disposing of it or turning it in for an upgrade. You want to remove all sensitive data, restoring the device to factory settings (after backing up your files in another place, of course). Once you have donated, thrown away, or sold them, it’s impossible to tell who will have your hands on your old electronics. Make sure these people don’t also gain access to your confidential files and information!
Create strong passwords. The US Department of Homeland Security says that “using long and complex passwords is one of the easiest ways to defend yourself from cybercrime.” Yet far too many people are pushing their luck by relying on simple, easily-guessed passwords—even ones like “password” or “123456!” Hackers can easily find or create programs that try variation after variation of password repeatedly until they hit upon the combination that works. Your best defense from these type of “brute force” attacks is to make your password as hard to guess as possible. Try using the following guidelines when crafting passwords:
Use separate passwords for each account. Though it might be more convenient to use the same password for all of your online accounts, this makes you extremely vulnerable. If a hacker somehow figures out that one password, he or she will gain access to all your accounts! Therefore, you should vary your passwords amongst your different accounts. It’s safer to do this and keep a written record of them (in a secure place away from your computer, of course) than repeat the same password or variations of a password on multiple sites.
If you don’t think you can remember multiple passwords or don’t feel comfortable keeping a written record of them, consider using a password manager. Password managers create unique, very strong passwords for each site you visit, and “remember” them for you. All you have to do is log into the password manager, and it will take care of logging you into all other sites. (Of course, you want to make sure your password for the manager itself is extremely difficult to crack!) Dashlane and LastPass were the two most highly recommended password manager programs in a November 2016 PC Magazine article, and both offer free versions.
Set up two-factor authentication. We spoke to multiple information technology professionals for this article, and one recommendation that came up repeatedly was two-factor authentication. Basically, this type of authentication requires you to prove your identity twice, adding an extra level of security. For example, if you set up two-factor authentication for Gmail, when you enter your username and password, you’ll then be prompted to enter a code that has been sent to another device (for example, to your cell phone via text message). This way, even if a hacker figured out your password, they would likely lack access to the code on your phone, and would not be able to get into your account. Many social media accounts, including Facebook and Twitter, can be protected in the same way.
Change passwords frequently. Many organizations that deal with sensitive information, such as banks or health insurance companies, require their staff to change passwords every month or so. Although this may sound inconvenient, it’s actually very helpful in thwarting cybercriminals. Most large-scale security breaches take place over a time period of several months in an attempt to “stay under the radar.” So, by changing passwords frequently, the organizations can often head off attacks before they start. The same thing goes for personal passwords: change them regularly to throw criminals off track.
Choose false information for your security questions. Most places where you have online accounts will also use security questions as an additional way to prove that you are you. The idea is to confirm your identity by asking questions only you would know the answer to—but, unfortunately, this isn’t always the case. For example, a security question might be, “What is the name of the street where you grew up?” This information is usually pretty easy to find with a little digging on Facebook and some Google searches. A better strategy is to provide inaccurate information on the questions, giving an answer that only you will know—because it’s not true! If you think you will have trouble remembering the correct answers, write them down or save them in a password manager account.
Activate alerts. Most banks and credit cards now offer alerts. If someone uses your credit or bank card in a certain way (for example, buys something in another country or makes a purchase costing over a certain amount) and you have requested to be notified about the action, the company will call, text, or e-mail you. (In fact, if you request it, some credit card companies will send you an automated text every time your credit card is used.) If you get an alert and it was not an authorized use, you’ll know immediately and can move to freeze the card. Similarly, e-mail providers like Google will let you know if someone has signed into your e-mail address from an unfamiliar computer. Check your account to see if you have these options and set up alerts so that you are informed of any irregular activities taking place. (To avoid issues when travelling to other states or internationally, alert your credit card and banking companies of your travel plans.)
E-mails, Websites, Links, and Networks
Look at e-mails with a cautious eye. If you receive a message from a place where you have an account, but you don’t know of a reason to be receiving the e-mail, be wary. There’s a sort of cyber-attack called “spear phishing,” where scammers send e-mails purporting to be from places like Google, FedEx, and Apple that look and sound legitimate. They mimic the same colors, text, and style of the real companies’ e-mails to convince you to send them information like your passwords and usernames, which allows them to access your accounts. They may also direct you to a website where you’re prompted to enter login information or even your Social Security number, which is collected and used to steal your identity.
A related scam is “spoofing,” where criminals also create e-mails made to look as if they originate from real companies—or even people close to you. John Morelock, head of Carolina Business Equipment’s Managed Network Services, calls spoofing “similar to phishing, but trickier,” noting that the fake e-mails can appear to come from “someone you know, like your clergy, your boss, or even your mom.” The goal is to get you to click on a link that downloads a malicious program to your computer, then spreads throughout your network, infecting friends and colleagues, too. Keep your eyes peeled for slight misspellings in e-mail addresses—hackers may have “spoofed” them to appear to come from a credible company, but were off by just a letter or two. Another tip: try hovering over links included in e-mails. If the web address that pops up looks different than what you were expecting, don’t click on it! Also, don’t open any e-mails with attachments ending in ".exe," ".scr," "zip" or ".bat"—that’s a good indicator that they could contain harmful programs.
When you receive a suspicious e-mail and have doubts, call the company it’s supposedly from (go to the official website to find the number rather than using any in the suspicious e-mail—these may be fake as well).Telephone representatives should be able to tell you if the organization really needs to talk to you, and you can give any necessary information over the telephone. If most legitimate organizations need to contact you, they will call you, so be suspicious of e-mails supposedly originating from your bank, credit card company, or other high-security vendors.When it comes to e-mails from friends, business contacts, or family, Morelock recommended, “If you’re not expecting something or you’re not sure, call the person who sent you this message to check validity.”
Also, use common sense. If you get an e-mail wanting you to enter credit card information or download an app for a deal that seems too good to be true, it probably is. According to a November 2016 USATODAY article by Susan Tompor, “Industry experts are warning of apps that impersonate well-known retailers, such as Payless ShoeSource, Torrid, and Dillard’s.” These apps promise deep discounts if downloaded onto your phone—but they’re really just a way for con artists to steal your information. One red flag that an app is not legitimate, according to Tompor, is that it has no reviews. That means it’s only been up temporarily, which would be odd in the case of established businesses. (Fortunately, they are typically not up for long—Apple removes the fake apps once they are reported fraudulent.)
Dangerous links aren’t just limited to those found in e-mails, either. Look out for them on websites, pop-up ads, and social media posts as well. As the National Cyber Security Alliance explains, “Links in email, tweets, posts, and online advertising are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.” If the suspicious material is in the form of a link, don’t click on it, even if you are curious!
Watch what you share on social media. It may seem tempting to brag about an upcoming trip out of the country on Facebook—but what if potential thieves see your post? They now know that you’ll be out of town, leaving your home and valuables vulnerable! Sharing pictures and memories afterward is a safer bet. Consider longer-term dangers as well, such as identity theft. Allowing people to see where you were born, how old you are, and other personal details may allow them to impersonate you and access or open accounts in your name.
The nature of social networks is that they connect people. However, this can easily allow strangers to see information that you’d rather keep private within your circle of friends and family. Make sure that only people you actually know and trust can see your social media activity by setting strict privacy settings (and only accepting requests to connect from people you actually know). On Facebook, for example, you can go to “General Account Settings” and then select “Security” to limit who can see the photos and posts you share; other social media networks also offer customizable security settings as well.
If you have children, you should also watch the amount of information you post about them on social media, especially where they go to school or daycare. Predators may be looking for this information, and could use other knowledge gleaned from your page (relatives’ names, number of siblings, etc.) to try to convince your child that they know you. It’s a scary thought, but it’s better to err on the side of caution than have to worry about a potential child abduction! If you want to share photos and detailed information about your kids with friends and relatives, consider sending them privately in an individual e-mail. It takes a little longer, but it’s worth it for the peace of mind.
Browse in “private” or “incognito” mode. All major Internet browsers have options that allow you to browse in “private.” They delete temporary files and browsing history after you close the window, blocking others from seeing the sites you have been viewing. Advertisers want this information so they can see what you’re interested in and try to sell you related things. To avoid annoying targeted ads (and others gathering information on you for potentially more harmful reasons), always browse in private mode.
Only exchange financial information on secure sites. For many people, online shopping is simply more convenient than driving to a store, looking around, and waiting in line—but it also comes with inherent dangers. Sending any financial information over a connection that is not protected with SSL (“secure socket layer” encryption) means that it could be seen by others. Microsoft recommends, “Before you enter sensitive data, check for evidence that the site uses encryption, a security measure that scrambles data as it crosses the Internet. Good indicators that a site is encrypted include a web address with https (‘s’ stands for secure) and a closed padlock beside it.” The same thing goes with online banking sites: make sure the page you are accessing uses encryption before entering any passwords or other sensitive information.
Beware of using public Wi-Fi. Many public areas like airports, bars, shopping malls, and restaurants offer free Wi-Fi, and there are public computers in places like libraries that can be used to access the Internet as well. However, be very careful about the sites you visit and information you exchange over these networks. Hackers can use simple applications to monitor traffic going through public networks that will notify them when certain information appears, like usernames and passwords. Then, they simply collect the data and use it to access your accounts. Therefore, you never want to log into any accounts you wouldn’t want someone else to know the password to on public Wi-Fi. As Jeff Hussey noted in an October 2016 Forbes article, “Financial transactions, work-related operations or anything else you consider sensitive should be conducted on devices and networks that you trust. Data can be easily obtained through public devices and networks.”
Enlist the help of IT professionals. Profit is a major factor behind most criminal activity, including cybercrime. Businesses deal with larger amounts of money than a single person does, making them an attractive target to skilled scammers. There are many ways that hackers can wreak havoc on a business: for example, they might try to obtain sensitive client information to use for wide-scale identity theft, or encrypt important business files, holding them for “ransom” until they receive payment. Organizations of all sizes are vulnerable. According to Morelock, “Theft from small businesses by itself may have a relatively low value, but when combined with data from a group of businesses, it can greatly increase in value. This will cause an increase in attacks on small businesses, since they continue to be easy targets.”
Every company, no matter how small, needs the help of someone experienced in information technology. Whether they’re members of the organization’s staff or consultants (Carolina Business Equipment has proved an asset to our family of companies), these IT professionals have a firm grasp on the dangers that cybercriminals pose and can help formulate strong defenses. Some leaders may balk at the added cost, but should weigh it against the devastation that a data breach can bring. With 60% of small businesses that experience major attacks going out of business within six months (according to a report by HP), it’s an investment in the future.
Find security weaknesses through audits. Once you have found qualified professionals to help protect your organization’s online security, Moskowitz recommends beginning with a security audit to “secure your entire IT infrastructure and prevent hackers from accessing your network,” then “encrypting your data, securing your hardware, locking your network.” Morelock echoes her advice, noting that “contracting with a third party to phish and spoof your organization can expose your weaknesses and provide a valuable training tool to help shield your business. Third-party testing can also search for infrastructure gaps.” Once you are aware of the most dangerous flaws in your system, your IT staff or consultants can take steps to address them and stop problems from occurring.
Enact preventative measures. With the guidance of IT advisors and the information gained from security audits, companies should create comprehensive plans for how to protect themselves from cyberattacks before they even start. One key strategy is using the right software, hardware, and cloud storage. Companies need business-class computers and equipment (such as routers), servers, cloud storage, and data-sharing options, which are more secure than those suited for individual users. Another vital security action is making frequent backups of important files in different places. This allows continued access to important files even if some versions become compromised. Morowitz also recommends assigning someone to be accountable for patch management, running regular tests and scans, and developing security and risk assessment plans.
Organizations should also have strategies in place for what to do if they are hacked (including how they will lock down sensitive information and notify those impacted) so that they can move quickly if that day ever comes. A template for an example continuity plan is available at https://www.fema.gov/planning-templates.
Set up smart technology policies. Every organization should have a detailed employee handbook to guide the behaviors of its staff, including how employees are expected to conduct themselves online when representing the company and how they are to treat company computer systems. For example, staff members should know from reading the handbook that they are not authorized to download any unapproved software to their work computers—a rule that could potentially prevent malware from spreading throughout the system. They should also know that they are expected to keep valuable company information private, and that any messages they send through company systems are property of the company.
Educate employees on good technology practices. All staff should be well-versed in the basics of Internet and e-mail safety. It may take some time to teach them smart practices regarding Internet use, but this preventative measure can save countless hours down the road. “Basic cyber hygiene such as ensuring workers don't click on questionable links or open suspicious attachments can save headaches,” noted Tami Abdollah in a 2016 AP article. Have your IT staff member or consultant teach a class on basic rules for Internet safety, or have employees participate in online or in-person trainings so that they have the knowledge they need to avoid making potentially costly errors.
Limit connectivity. The more points of entry that hackers have, the more likely they are to get through. As Carolina Business Equipment explained in a recent e-newsletter, “Small business owners’ data has become increasingly networked. For example, today’s point-of-sale (POS) systems and printers include software that makes them vulnerable entry points because they are networked, shared, and connected to so many other applications in your business.” Your IT consultant can help you locate tools and programs with appropriate protections for your organization’s needs, like printers with built-in business-class security features.
This idea applies to employees as well. By giving them access only to the networks needed to perform their jobs, you can protect other parts of the system from being impacted if their computers become infected with viruses or malware. As Abdollah recommends, “System administrators should ensure that employees don't have unnecessary access to parts of the network that aren't critical to their work. This helps limit the spread of ransomware if hackers do get into your system.” CBE also recommends isolating the physical components of your system from staff members who don’t need to be around them in the course of their work. Simple things like locking your server room and using security covers for tablets can make a big difference!
If attacked, report it. If you are the victim of a cyberattack, report it to the FBI’s Internet Crime Complaint Center at http://www.ic3.gov/.
The bottom line: The Internet is an incredible tool for sharing information and doing business, and it shows no signs of losing popularity. If you use it correctly, it can make your life a lot easier and simpler—but if you don’t follow smart online security practices, you can open up your business, non-profit, or self to theft and fraud. Experts say that cybercrime is thriving and will continue to grow in the future. Follow our simple recommendations to foil these attacks and protect yourself, both as a person and a leader. As Ben Franklin once said, “An ounce of prevention is worth a pound of cure!”
About the Authors: Our corporate and personal purpose is to “create opportunities to improve lives” by sharing our knowledge, research, experiences, successes, and mistakes. You can e-mail us at firstname.lastname@example.org.
Mike DuBose received his graduate degree from the University of South Carolina and is the author of The Art of Building a Great Business. He has been in business since 1981 and is the owner of Research Associates, The Evaluation Group, Columbia Conference Center, and DuBose Fitness Center. Visit his nonprofit website www.mikedubose.com for a free copy of his book and additional business, travel, and personal articles, as well as health articles written with Dr. Surb Guram, MD.
Blake DuBose graduated from Newberry College’s Schools of Business and Psychology and is president of DuBose Web Group (www.duboseweb.com).
Katie Beck serves as Director of Communications for the DuBose family of companies. She graduated from the USC School of Journalism and Honors College.
© Copyright 2017 by Mike DuBose—All Rights Reserved. You have permission and we encourage you to forward the full article to friends or colleagues and/or distribute it as part of personal or professional use, providing that the authors are credited. However, no part of this article may be altered or published in any other manner without the written consent of the authors. If you would like written approval to post this information on an appropriate website or to publish this information, please contact Katie Beck at Katie@dubosegroup.com and briefly explain how the article will be used; we will respond promptly. Thank you for honoring our hard work!