Field Notes Blog


Staying Safe Online – Cyber Security Tips



We recently interviewed Todd Shaak, IT specialist with AgChoice. The use of technology is ever-present in our daily lives. It’s central to how we communicate and conduct business. But with that technology comes risk in securing personal information. It seems like every day that we hear about another business that has been hacked or a consumer that’s fallen victim to a scam. During the interview, Todd shared best practices and practical tips on how to stay safe online.

Online security is something that you and other IT professionals deal with every day, but many consumers probably don’t understand the full risk potential. Why is this topic so important?

First on the list would just be protection. A data breach is a bad day for everybody - it's a bad day for a business, but it's also a bad day for the consumer. The biggest thing is reputation loss. Well, I shouldn’t even say that's the biggest thing. The biggest thing could be that a data breach could put you out of business.

Even for companies who survive a data breach, they're going to lose lots of time and money to manage the crisis. After a crisis happens, the aftermath is actually the costliest part. Members of IT and security teams will need to upgrade their security solutions, and IT/management/HR will need to conduct security training for employees. There'll be a crisis communications team that's going to have to deal with the customers in the fallout of trying to save that reputation among customers, stakeholders and the public in general.

It's a nightmare. I mean, the worst part after it happens is figuring out why it happened and how to prevent it from happening again. But then it just becomes complete damage control and even if you do the best job with damage control, no one comes out of it looking good. Everyone looks bad in that event.

Those costs I mentioned don't even scratch the surface if ransomware is involved. Ransomware is a type of malware that hackers can use once they get into your system. They can encrypt all your files, which locks them down, and once they get those locked down, they demand payment to give you your information back.

Companies like AgChoice have systems in place to prevent that, but no one is completely immune to it. It can happen to everyone, even those who are prepared. The best way to think of ransomware is like a hostage situation but instead of people being held hostage, it's the company's data and customer information. It becomes a matter of how much a company is willing to pay to get that information back. In some cases, they have no choice. In other cases, they may have backups and that sort of thing, but still, that could be months of work to restore all that data. So they have to weigh the pros and cons of if they just want to pay to get that data back and if it's worth them losing that data to the hacker and then just re-instituting themselves.

But it's just a nightmare all the way around. Security is important, very much so. I mean, that's pretty much the most important aspect of IT. There are lots of components of IT, but really security is first and foremost.

What are some best practices you suggest for keeping personal information safe online?

We could talk for an hour just on this one question. I'm obviously going to keep it a lot briefer. I picked out five key points to hit:

First, avoid clicking on links or attachments from untrusted sources or anyone you don't know. Trust your gut if something doesn’t feel right. A lot of it comes through email, spam calls, things of that nature. That is how hackers are getting in. I'll talk later about some other ways that hackers can crack into systems, but usually the weak point ends up being an employee or someone in the company slipping up that allowed them in.

Next is passwords. It's really the key to protecting yourself. Use complex passwords with a combination of upper case, lower case, numbers and symbols. You've probably heard the term passphrase, so if you have trouble remembering your password, sometimes it's good to actually put a phrase together with about three words. In that passphrase, you can mix in symbols. For example, instead of an E you put a three, or you throw in an asterisk or an exclamation mark. Mix them up as good as you can. Generally, try to do at least 12 characters, 15 or more is even better yet. I know that sounds annoying to enter in every time, but you are keeping yourself safer by doing that.

The next thing is to have a security package installed in your machine. If you're working for a company like AgChoice, we have that installed for you so that's taken care of. But you have to think about your personal devices as well. Always have security software. There's all kinds of different ones. You've probably heard many names - Norton, Symantec, Kaspersky is one of them. There are a number of reputable ones available. You are usually your best line of defense, but you also want to put the software on there as well because that can help you if you slip up.

Another thing I would say is make sure your security patches get installed. When companies like Windows discover a vulnerability, they put together a package and push it out for consumers to update. They are constantly patching loopholes and vulnerabilities that hackers are finding. That goes for whether you have a Windows machine, a Mac, which is the LS platform, an iPhone or an Android. With the phone, that's just a matter of making sure you're doing your updates and going into your settings so they're releasing them.

You're probably thinking, "Hey, on my iPhone, there was just an update last week. What's there another update for?" Sometimes it's just bug fixes, but a lot of times it's fixing vulnerabilities that they find in the software.

Lastly, check for security on websites. Online shopping is huge now. I know I do most of my shopping online these days. Always check when you're going to make a payment that you're on a secure site. Check for this by making sure the website says HTTPS. Without the S, the site isn’t secure. S stands for secure. On some browsers you can see a little lock icon at the top. Every browser is different, but if you're on a secure site with that HTTPS, you should see a little lock symbol somewhere up there in the address bar as well.

So those are a few tips. As I said, I could go on and on and on, but I just wanted to give you a few things to help keep you protected.

Besides computers, we’re also connected by smartphones. Are there any specific recommendations you have related to smartphones and security?

Number one, and this sounds obvious, but use a passcode. A few years ago Consumer Reports did a study and the article stated that 64% of people didn't use a passcode of any kind. That blew my mind, especially as easy as it is now with thumbprint and face recognition. There's really no reason not to have a passcode, especially if you're going to have banking apps and that sort of thing on your phone. It's just another layer of protection. A lot of times the banking apps also have a login or a finger swipe or a face detection, but still, that puts just another layer of the passcodes on, so instead of just one layer, you get two layers for those banking apps.

Don’t click on suspicious links. I mentioned that is how hackers do it. They find an employee that clicks on a link, gets them into the system, before you know it they're all throughout the network doing their thing. For whatever reason, I think on smartphones, people feel a little bit more immune. I guess they just feel they're less suspicious on their phone than they are on a computer. It just feels a little bit more personal, a little less serious and businesslike. An Apple or an Android phone can get hacked just as easily as your personal computer or your work computer. So you got to be diligent there as well. It's just people tend to let their guard down for whatever reason on a phone.

I mentioned this before, but keep the software up to date. Those security patches are going to come through in the form of your smartphone updates. Keep up with the updates. It's not like you need to do them the day they come out, but generally try to update it in a timely manner. Don't be one of those people that falls behind when we're supposed to be on iOS 14 and you're still on like iOS 11. You're probably missing a lot of very important vulnerability patches there.

If you do online banking, always have that passcode as your entry-level, but then also make sure that you're logging in, in some way to that banking app. Most banks do kick you out afterwards, they don't let you stay logged in. Whether it's a finger swipe, your fingerprint scan, or face recognition, always have something that is another layer in that app.

Also, since we always have our phones with us, it is very easy to set them down and forget where we put them. So in that regard, always make sure you know how your device works in terms of that GPS location software. They all have them – Androids and Apples. A lot of people will have the Find my iPhone feature but they never use it until they lose the phone or it's stolen. So even though it's turned on, the person doesn’t know what they're doing to locate where it's at. Try a dry run sometime - set your phone somewhere and then go on your computer and use the Find my iPhone feature. It’s not a bad idea to practice to see how that works in the event you do lose it.

Next, let’s talk about passwords, a common subject when discussing online security. What suggestions do you have on creating and managing login information and passwords?

I think I've mentioned passwords in two of the previous three questions. That should tell you everything you need to know about how important they are. There are lots of online articles about how to create strong passwords. I could list a bunch of tips, but you’ll probably forget most of them. So I’m going to give you two to remember, and you’ll be in great shape.

I know earlier I said to have 12 to 15 characters in your password. If you can do 15, you're setting yourself up to be much safer online.

You’re probably thinking, "15 characters? How am I going to remember it?" That's where that passphrase comes in. String a few words together and then mix in a few characters, and you still have an easy to remember password. The other thing is mixing up those characters - add some uppercase with the lowercase, a number or two, or adding a symbol or two. The longer it is and the more you mix it up with those, the harder it is to crack.

In 2012, there was an investigation on a brute-force password cracking scheme. A brute-force password cracking scheme is basically when a hacker develops software that just keeps trying and trying and trying until it hits your password. In this example, an eight-character Windows password was used. Keep in mind this is about 10 years ago, so as you can imagine, things have probably advanced. The hacker put together software that had the ability to try 350 billion guesses per second. He was able to crack the eight-character password in six hours.

I’ve read articles that give the percentage on different length of passwords, so a six-character password versus an eight versus a 10. The higher up you go, the more, or the less probable it is that that could ever be cracked.

The longer the password, the better. Again, if you can do 15, do it. It sounds like an inconvenience, but at the end of the day, it's keeping you safe.

As we wrap up, is there anything else you’d like to share with our listeners about cyber security?

Probably the biggest takeaway is that you are the biggest factor in protecting yourself or the company you work for. It starts with you.

Some of the things I talked about, do they help? Absolutely. Does the antivirus software help? Absolutely. Do the security passwords help? Absolutely.

But at the end of the day, most breaches are because an employee or an individual slips up. Whether that's responding to spam emails by clicking links or opening attachments. Whenever they trace back these big company hacks, it's usually not some extravagant software that got a hacker into the system. It's usually something very simple such as an employee answering or clicking links in an email they shouldn't have or trying to log into a site that was faulty and getting their password.

You're the biggest factor in protecting yourself.
