Investors Can Boost Their Cybersecurity: Back to the Basics
By: Ziad K. Abdelnour
Security Is Essential for Financial Transactions Online
Now that the Cyberworld is upon us, most of us do most, if not all, of our financial transactions online. Long gone is the day when most of us paid our bills by check or delivered a check to our brokers to invest for us. Now we pay our bills online, either on the biller’s Website or on our bank’s Website. We don’t write checks – we transfer funds. We rely on the security of the Website with which we are dealing to protect the security of the transaction. Most of us make sure that the “HTTPS” designation is at the beginning of the address for every Website on which we conduct transactions or share sensitive information. We maintain security and privacy settings on Facebook, LinkedIn, Twitter, and other social Websites where we publish. We have firewalls for our computer systems, our personal computers, and our home networks. We have anti-virus software and run it rigorously. We have our Outlook set for appropriate levels of security and use spam settings to segregate anything that looks like spam, knowing that in the spam box we can see the REAL addresses behind the links in emails. We know enough not to click on any link in any email, instead copying and pasting the address into our browsers. We have our browsers set for appropriate levels of security and privacy, and use a secure browser like Firefox or Tor. We have our networks set for security against invaders. We understand that the weakest link is usually the employee sitting at his keyboard, and have established suitable policies, procedures, and penalties regarding cybersecurity for our employees. We use, and require our employees to use, “strong passwords” and change them often.
Really? Surveys by security analysts show that most people, even tech-savvy people, use passwords they can remember easily, and seldom, if ever, change them. We are our own weakest link. We rely too heavily on all of these measures, but are lazy in our own computer habits. We open Firefox, but forget to go to “New Private Window” for each jump. We click on links in emails that come from friends and trusted associates. Our own lapses can only be remedied by imposing discipline on ourselves. A new report on ways the government can mitigate persistent cybersecurity challenges contains a crowdsourced list of best practices. According to the report, “Much of what is required, expected, or even possible in cybersecurity management is known to cybersecurity professionals, but not fully or properly implemented across the government.” The same is true of industry, even the financial industry.
Communist countries are famous for establishing “five-year plans.” China has a five-year plan for cybersecurity targets. Security vendor CrowdStrike has produced a report on China’s next five-year plan. “They’re focusing on getting Western technology out – they don’t trust it,” said Adam Meyers, vice president of intelligence at CrowdStrike. “They want to use their own technology.” Chinese hackers appear to be looking for information to use in restructuring China’s healthcare sector. This may have contributed to the spike in healthcare breaches in 2015. “Targeting the western healthcare sector may be as much about logistics and know-how for running national level health insurance schemes as it is about siphoning data,” said the CrowdStrike report. The data they took, however, could also be used to build profiles of federal employees for intelligence purposes and spear-phishing campaigns. China seems focused on collecting intelligence that supports its economic system, and not just on military and defense targets. Therefore, financial firms of all types and sizes are potential targets, as well as high-profile individual investors. Hacking investors’ personal computers could provide access to the financial systems in which they work and invest.
There are other measures that savvy investors can take to protect their financial lives and those of their firms. The purpose of this article is to look at them. After you read this, you might say, “I have heard all of that, already.” Perhaps you have, but have you implemented it all? If not, read it again and again until it becomes second nature.
Security Begins at Home: Ten Commandments
Security begins at home. Financial executives’ home networks are often insecure and are logical targets for hackers seeking entry into financial system networks. Many executives access their office networks from home. There is nothing wrong with that, per se, but if their home network is not secure, their connection to the office is not secure. So, let’s start with the home network and home computer. Make sure that when you are not at home, no one else can gain access to your home and to your computer.
- Use a reasonably new Internet router. If the one you have is over a year old, destroy it and buy a new one. The security of routers is steadily increasing as the technology develops, and an old router will be full of holes hackers can exploit. Set the new router up as a “non-broadcasting network.” That means other computers cannot see it. A computer must send a signal with the appropriate router name in order to be able to see it. You can provide the key to visiting friends or family who need to use your Wi-Fi.
- Set the router up as a secure network requiring a complex key to access it.
- Consider buying a firewall router to place between the Internet router and the rest of your network.
- Encrypt the contents of your computer’s hard drive and any other hard drives connected to the network. Windows 10 has encryption available, but not activated by default. There are also third-party encryption programs available. Here is a site that reviews them and posts ratings for the top ten: http://encryption-software-review.toptenreviews.com/
- To access your office network, use a strong password with at least 8 characters that are a random mix of numbers, lower-case and upper-case letters, and symbols. Example: kyG@2bK&. If you can remember it easily, it is no good. Norton has a good password generator online: https://identitysafe.norton.com/password-generator/#. Use it, or any of the other good programs out there.
- Because you can’t remember your passwords, use an encrypted password keeper to keep track of them. There are several available. There are a number of methods, including software vaults you can put on your computer, and also separate devices. Some allow access only by fingerprint identification. DO NOT write the passwords down where someone other than you can access them. Here is one of the many good separate devices available: https://keepersecurity.com/
- In your security software, turn on the feature that flags dangerous Websites and prevents access to them. Even good websites can get hacked and then infect computers accessing them. Porn sites are notorious for this, especially the free ones that show up in free catalogs of porn sites. Beware of foreign sites, especially in Africa, the Middle East, Russia, and East Asia.
- Know the source of software you load, including security software. A consultant with whom I have worked values security, and has on his server an anti-virus package he considers very good and very reliable, and he recommended it to me. I googled it, and found that it came from a Chinese software firm. Given the publicity recently about Chinese hacking attempts, I would beware of using security software from China.
- On your computers (all of them), activate the feature that loads the screen saver after a period of inactivity and requires a password to allow access to the computer again. Use a different password for each computer, of course.
- Do not use outside data CD/DVDs or thumb drives on your computer until they have been separately tested and scanned for spyware and viruses.
Security at the Office: Ten Commandments
- Retain an outside cybersecurity expert to advise your IT department. Explain to your IT department that it is not that you don’t trust them, but a second opinion is always better than a first opinion alone. Before hiring the consultant, run a background check. Some real hackers work as cybersecurity experts, and could leave backdoors for themselves.
- Make sure your facility is physically secure. Most successful “hacks” consist of a “hacker” walking into someone’s office when he or she is out, sitting down at that person’s desk, and using his or her computer to access the network to extract intelligence, install spy software, or open a back door.
- Make sure your IT department has a robust policy for protecting and policing the network.
- Retain an outside consultant to attempt penetration of the network. There are “honest hackers” who specialize in this service. Many IT security firms provide that as a service. If you know where the back doors are, you can close them and lock them. If you know where the open windows are, you can do the same with them.
- Ask your IT department to set up a computer to test flash/thumb drives and data disks brought in from outside the office before they are inserted into any computer. It should be a stand-alone computer with strong anti-virus software. Do not allow any thumb/flash drives or outside CDs or DVDs to be used on an office computer until they have been scanned.
- Make sure your office network is isolated from the Internet with a secure firewall appliance. If you allow employees to bring their own devices capable of connecting to the system into the office, make sure they are screened first by your IT department and equipped with the necessary security software. If they come in and connect unscreened, your system firewall has just been bypassed. Establish a robust BYOD (Bring Your Own Device) policy.
- Make sure every server, file server and computer workstation is protected with robust firewall, anti-virus, anti-spyware and anti-malware software. Windows 10 has a good suite built in. Use it. Make sure that every computer is running Windows 7 or 10, and make sure that any operating system older than Windows 7 is banished from the office. Yes, I really like Windows XP, but it is no longer secure.
- If you are an Apple or Linux person, don’t relax. Apple and Linux computers and devices are also subject to viruses, spyware, and other malware, as well as to hack attacks. Make sure your Apple devices are protected by robust firewall, anti-virus, anti-spyware and anti-malware software.
- Make sure your CIO and IT departments keep up to date with the latest information and technology on cybersecurity. Send them to conferences and continuing education on the subject, and make sure they are on mailing lists for the appropriate newsletters. Equally important, make sure they actually read the material and implement best practices.
- UPDATE. Make sure all software on your system and in your computers is updated with regularity. For operating systems and software like Microsoft Office, make sure auto-update is implemented. For an office system, have the IT department download all updates and install them on all computers, if you don’t implement auto-update.
OK, Now What?
Now, go practice safe surfing, but warily and carefully at all times. “Come into my parlor, said the spider to the fly.” Her parlor is the Web. You are the fly. Whether you are online or offline, if your computer does something unexpected and irritating, power it down immediately using the power switch. Start it up using a start-up CD/DVD with an anti-virus program on it, and use it to scan the computer.
An attack will generally come when you are relaxed or sleeping. Many will come online when your computer freezes on a website for no apparent reason. Often, that is because the website has been contaminated. Vigilance is the key to security. BE YOUR OWN BEST WATCHDOG! (Sorry, I didn’t mean to shout).
Sophos is one of the best providers of computer security software for computers and networks. Their blog, Naked Security, is worth reading. You can read their newsfeed online, or subscribe to their newsletter.
Sources
Moore, Jack. “Industry Ideas for Boosting Government Cybersecurity: Go Back to the Basics.” NextGov (www.NextGov.com), 01/20/16.
Korolov, Maria. “China’s Next Five-Year Plan Offers Preview of Cybersecurity Targets.” CIO, 02/03/16.