Cyber Security: Malware vs Non-Malware & Creating a Plan
Aug 01, 2017
Hello everyone – welcome to today’s Digitize Your Firm webinar where we’ll be discussing cyber security!
For anyone joining us who has some cyber security knowledge or anyone who is looking to gain some additional insights, simply click the green speech bubble at the top of the screen to open the chat and either type out your comment or ask to speak.
As with all Digitize Your Firm webinars, this will be recorded for later playback in case you wanted extra time with a certain section or for listening on the go. If you haven’t already, visit the Weekly Webinar Schedule on our Digitize Your Firm page to check out our past webinars.
Now, let’s go over today’s agenda.
Our first topic on today’s agenda will be familiarizing ourselves with the concept of cyber security. After that, we’ll touch on the viral topic of malware and non-malware. We’ll then close off by giving you the tips on how to create a cyber security plan for your own organization or company. As always, we’ll go over lessons learned and answer any questions you may have.
Cyber Security 101
Today we’re talking about a popular topic that at one time or another you’ve seen in a newspaper, on TV, in your office or even on your personal Facebook feed: cyber security.
Last year brought a flurry of hacks that reached from Yahoo in Silicon Valley, California to the Democratic National Committee in Washington D.C. As more organizations, both international and local, grow their presence on the internet so too should they be growing their knowledge and skills in cyber security.
If you own an online business, you will need to learn how to sell your product to clients while keeping their data secure. If you are part of a larger organization reviewing your crisis communication plan, you’ll need to learn about how to make an effective cyber security breach plan. Regardless of the industry or company size, cyber security is a vital sector that requires attention and consistent review.
Take a moment and think about how many passwords you enter in a day. First you need to log onto your computer (1), then log onto to any websites you may use such as Twitter (2), Facebook (3), and LinkedIn (4). Let’s not forget the password you use to access your cellphone (6) and your Apple or e-mail account password to buy applications (7). Oh – don’t forget that you need to pay your bills! That means you’ll have to login on to your bank’s website (8), the power company’s website (9), and the water company’s page as well (10). You get the point.
To be fair, much of today’s technology has allowed for biometric scanning (fingerprints) and patterns to simplify your access, but the principle remains the same. Those ten passwords present ten opportunities to gain access to your personal and professional information.
To begin, it is best to use a variety of passwords so that not all of your accounts can be accessed should someone manage to get into one of your profiles. These passwords should not contain any personal information about you such as a birthday, your initials, or sequences like ‘abcd1234’. Instead, use a phrase mixed in with numbers and characters.
Take the time and try to come up with a few on your own that would stick to your memory. If you’re worried about possibly forgetting these types of passwords or if you are seeking to beef up your security, look into installing password managing software. There are services to chose from that offer a place to keep generated secure passwords which can be accessed through a master account. You can also look into the security options certain websites and profiles may have in place, such as activating two-step verification which adds an additional layer of protection and by setting backup emails.
Locking Your Computer
If you work in an office place, you’ve most likely spoken with IT during your orientation about the importance of locking your computer when you are away from your desk. Locking your computer lets you keep the program you are working on open while password-protecting your computer. This way, no one can access your stored files or documents while you’re away – just as you would lock your file cabinet when your work day is finished.
Unfortunately, even if you have lock your computer every time and password protect your accounts with top notch phrases, there are still ways people can acquire your information: phishing.
Don’t Get Phished!
Phishing (pronounced ‘fishing’) is a method of technological and social engineering designed to get personal and financial information from you. Some can be emails from unknown addresses claiming to be a friend in need, others can be chain letters, false notifications from your bank, and more.
As an example, let’s pretend there is a person called Tom would loves shopping online at a popular e-commerce site. In the evening, he received an email claiming to be from the company claiming that there had been multiple attempts to access his account and that he needed to sign on to secure it. The email was very well crafted: the branding colours and buttons were identical to a generic company email. Tom’s name was used and came from an ‘admin’ address. Tom clicked on the button and went to secure their account, putting in their email and password before being prompted to enter their credit card information.
Luckily, this immediately drew red flags for Tom as he knew that no reputable institution or service asks for credit card information as a form of verification. The vast majority use pre-selected questions (Your mother’s maiden name, the first movie you saw, etc) the user sets up when they create an account.
Realizing their mistake, Tom went to the official company’s website and logged, successfully changing their password to a more complex one before he lost control of their account. When he looks back on the phishing email, he sees some tell-tale giveaway:
The spelling, grammar, and sentence structure was not polished and was disjointed.
The email had the company’s .com logo, NOT the company’s .ca logo.
The admin email extension was not from the company’s .ca address but was a convoluted string of letters that did not lead to an existing website.
To be sure no damage had been to their profile, Tom submitted a report through the website’s customer service page, forwarded the email to the company’s fraud division and reported email through his email account.
While this situation ended positively, if it had not been caught, the individual’s credit card information would have ended up in the wrong hands. There are more threats out there, however, which we will discuss in our next session.
Malware vs. Non-Malware
You know what bytes? Malware.
If you’ve never heard the term “malware,” it relates to software and programs that aim to disrupt and disable your computer. There are several different types of malware out there from viruses to trojan horses and spyware. Much of these invade your computer through the means file transfers, downloaded files, spam emails and even memory sticks. While originally targeting home and corporate computers, today’s malware can even worm its way into your cellphone. Malware puts your personal and organizational data in jeopardy as it makes sensitive data such as official documents, banking information and the like in danger of falling into the wrong hands.
Perhaps one of the most worrying growing malware trends is the use of ransomware. True to its name, ransomware is malware that infiltrates your system with the mission of locking and encrypting your data. Once this is done, you’re required to wire money to have your computer unlocked. These types of attacks had increased by close to 50% last year and continue to be an ongoing threat. One of the more notable issues of ransomware is an attack on Los Angeles’ Hollywood Presbyterian Medical Center where they held vital files on patients for ransom.
Non-malware does much the same as malware, but is done by finding holes in the security of existing programs you may have installed. This brand of digital nastiness does not require a file to take control of your computer making it an increasing concern. In fact, it was reported that there has been a large increase in non-malware attacks since the beginning of 2016. Perhaps the most disturbing realization is that most common type of non-malware attacks are on customer data, corporate IPs, service disruptions, credentials, and financial data. All of these components are in the hands of a business and illustrates just how critical proper security is.
How do you protect yourself these kinds of attacks? Having good antivirus and antimalware running on your system is often key as they can provide a radius of protection, run regular scans and be wary of what you download. Both malware and non-malware can find its way into your system through small portals like word documents and images. Be vigilant just as you would be with a phishing email: if you don’t recognize the sending and it has files attached, it may be an attempt on your computer.
Regardless of whether you are part of a large organization with an dedicated IT and security division, a small business or a freelancer – being cyber security smart is everyone’s business.
Tomorrow, we will look at how we can carry these principles over into keeping not only you but your online customers safe.
Building a Cyber Security Plan
Now if I said ‘Heartbleed’ – would that ring any bells?
As you may or may not recalled, the Heartbleed Bug was a vulnerability that existed in OpenSSL encryption. SSL encryption is used to protect online stores, banking websites and anywhere that sensitive information was leaked and can be noted by the ‘https://’ at the beginning of URLs. While the bug existed, it allowed individuals access to encryption keys could decode sensitive information sent between connecting computers.
Immediately, numerous companies sent to task to secure their data with the fix coming shortly after.
What was truly brought into focus after this event was the importance of having a digital security plan ready in the event that a similar situation is to happen. Regardless of whether it is a hacker, malware or a bug – being prepared is key to staying secure.
In the field of communications, one of the most valuable pieces of documentation a company can have is a crisis communications plan. This is a plan that lays out what procedures take place when an event happens that puts your organization into a crisis. It is the first aid kit you pull out when your organization metaphorically is injured. Often times they detail the chain of command, how to secure certain resources, prepared messaging and roles for members of the organization to take on.
A security breach response plan is just that – but for your company’s digital assets. It is what you turn to when a situation appears that has threatened the integrity and safety of your data.
Like any plan, it should set out clear instructions as to what roles will need to be filled, who will play them, who will be responsible for what deliverables and who needs to lead teams. It is integral that a chain of command is established so that employees know where to go and who to talk to for advice, insight, and approvals.
Any templates that can be developed will definitely be beneficial as they will cut down on the time required to create messages in the moment. These templates can cover any potential incident that may happen (hacker activity, failure of a server, malware, non-malware, etc). A process that can also take place is the collecting of evidence regarding what happened, identifying and patching weaknesses and making sure there is an element of documentation.
Finally, do not forget the old idiom: practice makes perfect. Take the time to have drills practicing the event of an unfortunate breach and to keep your plan updated with the latest information.
Like any other crisis plan, remember to keep your stakeholders first. Whether they are customers, volunteers, shareholder or all three, they want to know their data is safe and secure.
To review, let’s go over what we’ve covered today:
- When it comes to cyber security, it is a big issue that taking protective steps can help tackle. Ensure that you have strong passwords on all of your logins, and consider investing in password management technology (as there are many free options). Don’t forget to always lock your computer when at the office, and be on the look out for phishing emails. Easy giveaway signs include incorrect email sender addresses, spelling errors, and asking for financial details to access your account.
- Next we discussed the very real threat that malware and non-malware poses to you and your organization. The key difference between them is that malware infects through files, downloads, memory sticks, and more. Non-malware infects your system by exploiting holes in the security of your computer and the software on it. The best way to defend against each is to be vigilant of what files are sent, have anti-virus software to protect your computer and keep your programs up-to-date.
- We then closed with tips on creating your own cyber security plan should your business come under siege from a digital threat. Remember to keep your employees, customers, investors and more top of mind. Have a written plan outlining the chain of command, the roles team members may take on, and ensure that evidence is collected while documentation is written as you fix the problem. Just like with any emergency plan, don’t forget to practice, practice, practice!
Next week, we’ll be talking about growing your contact base with:
- Signup Forms
- Landing Pages
- And Customer Relationship Managers (CRMs)