By: Gene Fredriksen, Security Strategy Consultant
It seems that every day there is another story in the news about cyber attacks, hacks and scams hitting large companies and individual users. Due to the current geopolitical situation, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued alerts about cyber incidents experienced in Ukraine and the heightened risk to the U.S. from Russian state-sponsored cyber threats.
Since online services like email, messaging, shopping and research are so integrated into our daily lives, locking up your computer and staying offline is not an option. Now more than ever, it is critical to remind your accountholders to be aware of the dangers.
Here are ways your accountholders can protect themselves before, during and after an attack. Share these important reminders with your accountholders and customers to help them remain vigilant.
Before: Prevent the Attack
- Think before you click. Watch for suspicious activity that asks you to do something right away, offers something that sounds too good to be true or needs your personal information.
- Check your account statements and credit reports often.
- Change your passwords regularly; consider using a password manager.
- Make the hacker’s life more difficult by lengthening your passwords to 12 characters or longer. Even with only lower-case letters, increasing the password from eight characters to 12 increases the combinations from 200 billion to 95 quadrillion, significantly more combinations than an eight-character password with upper- and lower-case letters, numbers and common symbols.
- Use antivirus and anti-malware solutions and firewalls to block threats, and be sure to keep the software updated.
- Limit the personal information you share online. While posting to Facebook on vacation lets friends know how much fun you are having, it also lets criminals know you are out of town.
- Protect your home network by changing the administrative and Wi-Fi passwords regularly.
- Educate yourself. Learn tips, find tools and more at dhs.gov/stopthinkconnect.
During: Limit the Damage
- During this phase, your focus should be to limit the damage. Look for unexplained charges, strange accounts on your credit report or unexpected denial of your credit card. Also, check your social media accounts for posts you did not make, and watch for people receiving emails you never sent.
- Immediately change passwords for your online accounts.
- Contact your banks, credit card companies and other financial account providers. You may need to place holds on accounts that were attacked. Close any unauthorized credit or charge accounts. Report that someone may be using your identity.
- Scan and clean your device. If you are unsure what steps to take, take it to a professional to scan and fix it.
After: Report the Event
- File a report with the Office of the Inspector General (OIG) if you think someone is illegally using your Social Security number. The OIG reviews cases of waste, fraud and abuse. To file a report, visit idtheft.gov.
- You can also call the OIG’s fraud hotline at 1-800-269-0271. For additional resources and more information, visit http://oig.ssa.gov/report.
- File a complaint with the FBI Internet Crime Complaint Center (IC3) at IC3.gov. They will review the complaint and refer it to the appropriate agency.
An attack can happen to anyone. I have been a victim of identity theft myself, when an attacker successfully entered a mail change of address with the post office. They subsequently applied for credit cards in my name using the new address so I wouldn’t be alerted by new credit card statements. All of this happened while I was on an extended trip out of the country. It took months to unravel all the damage to my credit history.
It is important to remind your accountholders to never let their guard down. The bad guys will never stop trying to steal their money; it is how they make a living. Vigilance is the best defense your accountholders have.
Gene Fredriksen is a co-founder and current executive director of the National Credit Union ISAO and the principal cybersecurity consultant with PureIT CUSO. He has previously held the positions of CISO for PSCU, Global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, vice president of technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.
Fredriksen served as the chair of the security and risk assessment steering committee for BITS, and also served on the R&D committee for the financial services sector steering committee of the Department of Homeland Security. He also served as an advisor on various cybersecurity steering committees for the administrations of George W. Bush, Bill Clinton and Donald Trump, assisting in the preparation of the president’s Cybersecurity Position Paper.