
Humans: The Achilles' Heel of Cybersecurity. Better Passwords For Your Data Care.

When I’m not researching and writing about cybersecurity, I have a normal day job working in the development department for a nonprofit organization where, just yesterday, I found three cybersecurity alerts in my Outlook email. “You must change your password…”; “We had a phishing incident…”; “Our IT company has initiated MFA…”. It was a lovely way to begin my morning. I was puzzled that someone in our mid-sized company was tricked into clicking a malicious email link. How could this happen? Doesn’t everyone realize what phishing emails look like? The improper English, the fake links, the sense of urgency? Apparently not…

Humans: The Achilles' Heel of Cybersecurity

Humans are still the weakest link in any data care plan. I sometimes feel that costly cybersecurity tools are more about protecting companies from their own employees than from external threats. Businesses should elevate employee education, awareness, and periodic training to strengthen data care and minimize human error. I have some inexpensive ideas I often share with business owners, employees, my kids, and anyone else who will listen. They focus on steps to incorporate better passwords.

In the intricate world of cybersecurity, businesses often focus on fortifying their systems with firewalls, advanced encryption, and sophisticated threat detection tools. However, even the most sophisticated defenses can be ineffective if the human element comes up short and opens the gates to the Trojan horse. And with the high expense of a typical cybersecurity plan that most small businesses simply can’t afford, how do we bridge the gap? 

Running a small business is a constant hustle. Between managing customers, operations, and marketing, you barely have time to breathe, let alone consider cybersecurity. But in today’s automated world, we are all aware of the advertised percentages of companies targeted by cyberattacks.

Imagine your data like your most prized possessions, which consist of customers’ information, financial records, employee information (and maybe even your secret family recipes stored on a Google Drive). These valuables are everything to you, and yet, we leave small gaps protecting them. So how can small business owners improve their cybersecurity efforts and deter hackers without breaking the bank? Improve human knowledge.

Human error, negligence, and a lack of awareness often serve as the gateway for cyberattacks, allowing bad actors to infiltrate even the most secure environments. In the digital arena of data care, a single unsuspecting employee clicking on a malicious link or disclosing confidential information can unravel years of cybersecurity efforts. The human factor manifests in various forms, each posing unique challenges to data care. Negligence, poor passwords, and lax awareness create open doors for cybercriminals to exploit. 

The Human Factor and its Manifestations

Negligence: Leaving passwords unprotected, neglecting software updates, or ignoring security protocols can create opportunities for cybercriminals.

Poor Password Practices: Using basic guessable passwords or reusing the same one across accounts gives hackers quick access to valuable data.

Lack Of Awareness: Unaware and distracted individuals are susceptible to social engineering tactics. These attacks exploit people and lure them into revealing sensitive information or clicking harmful links—and it happens every day.

Poor cybersecurity awareness makes employees easy targets for scams and fake links in emails. You might believe this only happens to the sweet old bookkeeper who isn't savvy on the computer (and who still has a rotary phone at home), but I’ve seen some tech-savvy people get swindled. The helpful news is, you don’t need to be a tech whiz to keep your business safe. By focusing on the “human element” of cybersecurity, you can further reduce risk.

To address the human element and strengthen cybersecurity defenses, businesses should prioritize education and training. HR departments need to increase the knowledge base in their online libraries to include more than basic cybersecurity information. 

Employees should be well-equipped to identify and avoid cyber threats, understand the importance of strong password practices, and recognize the red flags of email scams. Regular training, simulated phishing exercises, and clear guidelines for reporting suspicious activity can significantly reduce the human error factor. Moreover, and dare I say, beyond DEI awareness and staff behavior videos, companies should foster a culture of cybersecurity and data care awareness, emphasizing the collective responsibility of protecting assets across the board.

With the help of a Data Care/Cybersecurity Consultant, businesses can prioritize building a culture of cybersecurity by implementing the following:

  • Educating employees: Furnishing them with knowledge to identify and avoid cyber threats, understanding the importance of strong password practices, and recognizing social engineering scams.

  • Providing regular security awareness training: This can include simulated phishing exercises to test employees’ vulnerability and build a resilient environment.

  • Establishing clear guidelines for reporting suspicious activity: This encourages employees to be proactive in identifying and reporting possible threats.

Don’t Forget Good Ol’ MFA

In addition to education and training, multi-factor authentication (MFA) adds a second (or third) step to the login process beyond the password. Requiring another proof, such as a code from an authenticator app or a tap on a hardware security key, after the password is entered significantly hinders an attacker who has only stolen or guessed that password. One caveat a practitioner will give you: a code sent by SMS or typed into a web page can still be phished in real time or intercepted by a SIM swap, so where a service offers it, an authenticator app or a phishing-resistant method such as a FIDO2 security key or a passkey is the stronger choice.

Remember, the needs of digital protection for the small business community, as well as large corporations, are very different from even five years ago. The post-Covid world is firmly planted in a remote existence, cloud-based storage, and mobile connectivity. And with the explosion of AI in the last few years, the battlefield will only get smarter on both sides of the wall. Data Care is not just about technological advancements and sophisticated tools; it’s also about empowering employees to become active participants in safeguarding the organization’s digital assets. 

So, How Do You Keep Your Business Safe?

1. Knowledge is power 

2. Make security everyone’s responsibility

3. Technology is your friend, but awareness is key 

Supply your employees with the tools to identify and avoid cyber threats. Train your employees to spot scams and red flags by showing them real-world examples with periodic tabletop exercise sessions. These controlled group meetings are similar to fire drills. They provide management and staff the opportunity to experience simulated cyberattacks, allowing people to discuss how to handle real incidents.

Make strong passwords mandatory. Encourage employees to use unique combinations for each account and avoid common words. Explain the importance of keeping software updated. Outdated software has vulnerabilities that hackers continuously exploit.

Engage in open communication about potential threats and empower employees to report suspicious activity they encounter. Create a culture of security awareness by talking about cybersecurity regularly and providing advanced security awareness training. Make it interactive: simulated phishing campaigns run by the IT department can test and score employee vigilance, paired with a one-click way for staff to report a suspicious message and rewards for the people who spot and report the lures.

Don’t rely solely on software and firewalls. Use them as tools to complement your “human firewall”—but remember, the most advanced tools are useless without human vigilance. Strong next-generation antivirus and firewalls help block malware and other threats before they reach your systems. Consider managed security services, which are available from a multitude of companies. If you don’t have the time or expertise to manage your own data care, hire a professional.

Better Passwords For Your Data Care

Poor password practices, such as using predictable word combinations or reusing passwords across multiple accounts, provide hackers with easy access to valuable data (I’m talking to you, Mr. and Mrs. Password123).

It’s really important for business owners to have strong password policies in place to keep sensitive information safe. By setting up and making sure everyone follows these policies, business owners can greatly reduce the chances of data breaches and unauthorized access to their systems. 

The obvious and simple first step is to ask employees to come up with strong passwords: long, not built from a single dictionary word or anything about them, and with a mix of letters, numbers, and special characters. Also, insist that employees use a different password for each account and platform they log into, so that one compromised password does not open several accounts. A password manager is the practical way to make that stick; it generates and remembers a unique random password for every site, so nobody has to.

A Baseline Password

Even though standard passwords are beginning to make way for more advanced policies like MFA, biometrics, and passkeys, some people still like to use the old 6-12 character password. It’s easy, and it’s familiar—I get it. But with that said, let me give you one alternative technique that you can use to improve your security until you move on to more advanced techniques. Consider adopting something I call a Baseline Password.

Creating A Baseline Password

Training employees—or anyone, for that matter—on the importance of strong password policies is key when educating people on the risks of weak credentials. I sometimes show a simple technique for creating passwords. My suggestion is to begin by creating a baseline password that includes a combination of alphanumeric characters and symbols. Flip through a dictionary (yes, I’m over 50 and I have one) and pick two or three words—completely random—and don’t be concerned if they have nothing to do with you, your life, or your interests. The more random they are, the better.

For example, let’s pretend we’re creating a series of new passwords for several websites. We’ll begin by taking a few random and unrelated words. Let’s say we selected “Sunday” and “Honey”.

Now, let’s change a few things: 

  • With the word “Sunday”, replace the “S” with a “$”.
  • For the word “Honey”, let’s use all lowercase and replace the “e” with the number “3”.
  • Then, for fun, we’ll add three random numbers: 6-9-2, and finish with a few symbols at the end.
  • We created: $unday692hon3y!#

This is our baseline password, our starting point. Then, you memorize it! Trust me, it’s easier than you think. And you won’t write it down anywhere. After that, whenever you need to create a new password, you’ll add an indicator at the beginning or the end (you decide), but keep it consistent.

For example, if you’re registering on a website called www.SpecialTimes.com, take two letters from the name that seem logical; I’ll pick “S” and “T” for “Special Times”.

Add these two indicators to the beginning of the baseline password you tattooed on your brain. The new password for www.SpecialTimes.com will read “ST$unday692hon3y!#”. Your passwords will then follow a pattern that only you know, for as long as none of them is exposed. This example pattern is:

indicator from the website name + my memorized baseline.

You will continue to use this formula for any website registration. Let’s try a few more examples. We'll assume you’re joining Amazon.com: How about the letter “A“ for Amazon? Your new password would be “A$unday692hon3y!#”. 

Sometimes, I pick indicators based on the phonics of the name. “AmaZon” could also give “AZ$unday692hon3y!#”. After six months, or a year, come up with a new baseline password and start the process again; do the same immediately if any site where you used the baseline reports a breach, since that one password contains the baseline in the clear.

Understand, you don't always have to use the first letter of the website. Come up with your own pattern for creating an indicator. Maybe you always use the first and last letter of the website name, or you always use the 2nd and 4th letter; it's your password, it's your indicator, it's your choice.

It’s not a silver bullet. Every password built this way shares the same baseline, so if one site stores passwords poorly and is breached, or one password is phished, an attacker who sees two of them can read off the shared part and the indicator pattern, and then needs only a handful of guesses for your other accounts; a complexity policy will not flag this, because each password looks strong on its own. Treat the baseline as a stopgap that is far better than “Password123”, move to a password manager and MFA as soon as you can, and remember that a little awareness goes a long way in protecting your business and your identity from the big bad Trojan horse.
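The scheme above, written out in Python as an added example (this is not code from the original post). It implements the user's side (indicator from the site name plus the memorized baseline, using the post's own example baseline) and then the attacker's side: given the plaintext passwords from two breached sites, recover the shared baseline and guess the password for a third site that never leaked. The rule names, the site names, and the "leaks" dictionary are constructed assumptions for illustration.

```python
"""Added example: the 'baseline password' scheme from this post, and what an
attacker can do with it once two of the derived passwords leak.

Everything here is constructed for illustration: the baseline is the post's
own example, the site names and the leaked-password dictionary are made up.
"""
import re

BASELINE = "$unday692hon3y!#"  # the baseline built in the post


def site_name(site: str) -> str:
    """'www.SpecialTimes.com' -> 'SpecialTimes' (case is kept on purpose)."""
    host = site[4:] if site.lower().startswith("www.") else site
    return host.split(".")[0]


# Indicator rules mentioned in the post. Assumed names; the "capitals" rule
# reproduces the post's examples (SpecialTimes -> ST, Amazon -> A, AmaZon -> AZ).
RULES = {
    "capitals": lambda n: "".join(c for c in n if c.isupper()) or n[0].upper(),
    "first": lambda n: n[0].upper(),
    "first_last": lambda n: (n[0] + n[-1]).upper(),
}


def derive(site: str, rule: str = "capitals", baseline: str = BASELINE) -> str:
    """User side: indicator from the site name + memorized baseline."""
    return RULES[rule](site_name(site)) + baseline


def meets_policy(pw: str, min_len: int = 12) -> bool:
    """A typical complexity policy: length, upper, lower, digit, symbol.
    It is blind to a baseline shared across accounts."""
    return bool(
        len(pw) >= min_len
        and re.search(r"[a-z]", pw)
        and re.search(r"[A-Z]", pw)
        and re.search(r"\d", pw)
        and re.search(r"[^A-Za-z0-9]", pw)
    )


def common_suffix(passwords: list) -> str:
    """Longest suffix shared by every password in the list."""
    shortest = min(passwords, key=len)
    for i in range(len(shortest)):
        cand = shortest[i:]
        if all(p.endswith(cand) for p in passwords):
            return cand
    return ""


def recover_baseline(leaks: dict) -> tuple:
    """Attacker side: given {site: plaintext password} for two or more
    breached sites, the shared suffix is the baseline and whatever sits in
    front of it is the per-site indicator the victim used."""
    base = common_suffix(list(leaks.values()))
    indicators = {site: pw[: len(pw) - len(base)] for site, pw in leaks.items()}
    return base, indicators


def candidate_passwords(target_site: str, baseline: str) -> list:
    """Attacker side: guesses for a site that never leaked, one per rule.
    A handful of tries sits well inside any lockout threshold."""
    name = site_name(target_site)
    return sorted({rule(name) + baseline for rule in RULES.values()})


if __name__ == "__main__":
    # Constructed breach dumps: two sites that stored passwords in plaintext.
    leaks = {
        "www.SpecialTimes.com": derive("www.SpecialTimes.com"),
        "Amazon.com": derive("Amazon.com"),
    }
    base, inds = recover_baseline(leaks)
    print("recovered baseline:", base, "indicators:", inds)
    guesses = candidate_passwords("www.Netflix.com", base)
    print("guesses for Netflix:", guesses)
    print("victim's real Netflix password is among them:",
          derive("www.Netflix.com") in guesses)
```

Run it and the recovered baseline is exactly the one from the post, and the real Netflix password is one of two guesses. Note that every derived password passes `meets_policy`, which is the point: a complexity rule checks each password in isolation and cannot see that they are all the same secret with a different prefix.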
