Cyber Security & Vulnerabilities Survey – Top Security Tips

Your breath catches in your throat and a cold sweat breaks out across your brow. Your hands are trembling as you anticipate one of the most harrowing experiences of your life. No, it’s not taking the podium to deliver a speech. According to those in a recent survey we conducted, it’s the terrifying thought of identity theft. More than 64% of people we surveyed confessed they were more afraid of cybercrime than public speaking.

Statistics indicate that fear is not misplaced. One in three of the people we surveyed reported that they, or someone they knew, had been hacked. Experts consider that a conservative estimate, and the New York Post agrees. Research by the Ponemon Institute revealed that in 2014, nearly 47% of American adults had their information exposed by hackers.

When asked about their biggest perceived vulnerabilities when it comes to cyber crime, survey respondents said they feared identity theft by a wide margin. Baby boomers were especially concerned about the perils of their personal data being stolen. But should they be?

The FBI reports that on average there are 1.5 million cyber-attacks annually in the United States. Most of those are directed at larger businesses and government websites, such as Equifax, which was hacked in 2017, exposing almost 148 million personal records. Many hacks are the result of malware and viruses. Certain behaviors, however, have been shown to carry a much greater danger of a personal data breach. Let’s look at the patterns of risk that came up in our survey results and discuss simple steps you can take to protect yourself from the rising levels of cyber crime.


Public Wi-Fi

It’s easy to pull up a table and a latte at your local coffeehouse, spending hours surfing in a bubble of semi-social contentment. But public Wi-Fi is a risk because many networks are unsecured, leaving you and your information vulnerable to hackers. Even if the Wi-Fi requires a password, those passwords are usually shared and changed infrequently.

In our survey, a whopping 49.9% of respondents indicated they connect to public Wi-Fi frequently, with nearly 22.5% reporting daily use of public networks. Millennials were much more likely to use these shared hotspots, but Baby Boomers are at greater risk overall of becoming victims of cybercrime.

Next time you jump onto your favorite network in the neighborhood, take a moment to consider the risk you’re taking and the information you might be exposing. Public Wi-Fi is a great perk, but it can come with a cost.

When you’re on a public Wi-Fi network, don’t access your bank account or other sensitive details. That includes Facebook and email: you sometimes send sensitive information over email, so if you don’t want to expose it, don’t use those services on public Wi-Fi. Use it for web browsing or maybe Netflix, but nothing else.

Gabe Turner, Director of Content at Security.org, recommends

“connecting to a Virtual Private Network, or VPN, instead. VPNs encrypt users’ web traffic and replace their IP addresses, making them much less susceptible to hacking.”


Software Updates

You’ve seen the notice pop up. Time to update your security software. But you’re in the middle of a status update. It can wait, can’t it? You click “remind later” and move on to the next exciting post in your feed. And you’re not alone.

82.5% of people in our survey said they initially ignored prompts to update their software. A majority of them even confessed to delaying updates multiple times. What’s the big deal? As cyber security experts have explained, these patches are vital for your online security.

Greg Scott has had several issues with not having the most up-to-date software. He explains:

When I first built my website, I found blog posts I never wrote. Which was embarrassing because I’m supposed to be an expert. Turned out, I had set up a WordPress admin account, username admin, password wordpress, and exposed the website to the world before it was ready. Who knew attackers would guess such an obvious password. I got what I deserved. It was a first-hand exercise in poor password management. I’ve also had people exploit WordPress bugs to take down my website. These were first-hand lessons in patch management.

For most people that means just updating WordPress, but Kyle Hrzenak, President & CISO of Green Shield Security, takes it a step further, recommending that you update not just your CMS but also, in his words,

“Make sure your server software, or hosting software is up-to-date”

Why should you trust him? Well, he claims to be one of the few who have never been hacked!

Storing Passwords

Keeping all those passwords straight can be a real hassle. After all, you can barely find your car keys some days. But it’s an essential component of operating safely in an online environment. Many browsers offer to save your passwords automatically. Fortunately, the majority of the people in our survey didn’t use this function; it is a big security risk even with the most secure browsers.

59% of millennials confessed to storing passwords in their browsers on a regular basis. This behavior does pose security risks, especially on a shared computer. There are so many secure, attractive options for keeping a myriad of passwords safe that there’s no excuse for continuing to store passwords in the browser.

“At some point you will get hacked. It’s just a matter of time. If that’s unacceptable to you, don’t put it online.”

Jeremiah Grossman, Chief Technology Officer at White Hat Security


Login Portals

This may not apply to every site, but for any business that uses a content management system (CMS) it is a major risk, because only about 3 percent of companies change the default login URL.

Leigh, from Life Operating Systems, says:

My #1 tip for preventing your website from getting hacked is to change the WordPress login URL from the standard /wp-admin to something unique.

This will stop 99% of brute force attacks on your website which not only significantly reduces the chance of getting hacked, but also significantly reduces the amount of server resources consumed by your website.

There are several free WordPress plugins that allow you to make this change without any coding ability (Cerber, Wordfence), but you can also have a website developer make this change if you’d prefer to keep the number of plugins on your website to a minimum.

Alex Furfaro, an SEO Consultant states:

We’ve seen this in our experiences as we consult for a number of WordPress blogs. Stop having your logins be sitename.com/wp-admin! This doesn’t apply to just WordPress, but if you’re using any content management system (CMS) that is used in bulk then this can definitely reduce the risk of you getting hacked!

Certain types of content management systems allow access to your website’s login page. For example, if you type /wp-admin/ after a domain on a WordPress site, that will reveal most companies’ login page. From here, someone can attempt to crack your username and password. We use a plugin to change the login URL to something different, therefore reducing the possibility of the website being hacked.
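The brute-force attempts against the default login page that Leigh and Alex describe leave a clear trail in the web server's access log. As an added example (not from the original article, and not code from Cerber, Wordfence or any other plugin named above), this Python script parses constructed sample log lines, counts per-IP POSTs to /wp-login.php that did not result in a login, and flags sources that cross a threshold; the threshold and the sample traffic are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the common "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1412 "-" "python-requests/2.22"
203.0.113.7 - - [10/Mar/2020:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1412 "-" "python-requests/2.22"
203.0.113.7 - - [10/Mar/2020:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1412 "-" "python-requests/2.22"
203.0.113.7 - - [10/Mar/2020:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1412 "-" "python-requests/2.22"
203.0.113.7 - - [10/Mar/2020:12:00:04 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1412 "-" "python-requests/2.22"
198.51.100.20 - - [10/Mar/2020:12:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2020:12:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2020:12:02:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, method, path-without-query, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m['ip'], m['method'], m['path'].split('?', 1)[0], int(m['status'])

def failed_logins(log_text, login_paths=('/wp-login.php',)):
    """Per-IP count of login POSTs that did not succeed.
    WordPress re-renders the form with HTTP 200 on a bad password and answers a good one with a 302."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == 'POST' and parsed[2] in login_paths and parsed[3] != 302:
            counts[parsed[0]] += 1
    return counts

def suspicious_sources(log_text, threshold=5):
    """IPs whose failed-login count reaches the threshold (an assumed cut-off), highest first."""
    return sorted(((ip, n) for ip, n in failed_logins(log_text).items() if n >= threshold),
                  key=lambda item: -item[1])

if __name__ == '__main__':
    for ip, n in suspicious_sources(SAMPLE_LOG):
        print(f'{ip}: {n} failed login attempts')
```

Once the login URL has been moved as the article recommends, any POST to the old path is a probe of a page that no longer exists, so the threshold can drop to 1 and the source can be blocked outright.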

Social Engineering Hacks

Social engineering hacks are particularly annoying. Who hasn’t gotten an automated, suspicious message with some mischievous-looking links? They can pose a serious security threat, as many people have their guard down when it comes to social media.

Daniel J. Mogensen, a co-founder of Kodyl.com, says:

One type of hack that has become more common is through social media messaging, and these types of scams are difficult to prevent since scammers use social engineering tactics. In other words, a LinkedIn message will come from a friend or trusted connection whose account was compromised, making it seem like a genuine message. The unsuspecting victim will then be asked to open a link or download a file in order to trigger a virus to start hacking their computer, which can then compromise the entire company network.

The best way to spot this is by common sense, so if a friend you haven’t messaged in several months randomly starts a conversation asking to open a link, don’t open it. Only open links and attachments from friends that you interact with on a daily or weekly basis, and are in context with your conversation.

Another way to tell is by the bad grammar and use of the English language since many cybercriminals don’t really use finesse, and these Facebook messages are sent en masse to several recipients. So if all of a sudden you receive a big block of text from someone random, and a link at the bottom, do not open it!


David Janssen from vpnoverview.com also warns against social engineering hacks:

Something occurring more frequently lately is people receiving a request from someone they know to send over a verification code. Never send someone a simple verification code you might have received. It’s highly likely you are talking to an imposter who has gained access to the account of your contact person. The imposter is now also trying to take over some of your accounts, by registering your accounts on a new device (these can be accounts for all sorts of services). The only thing the imposter needs to succeed is oftentimes a confirmation code, which will be sent to your device or inbox. With some excuse the conman will ask you to send over the code; never comply. Keep in mind they are pretending to be someone you know. Call and make sure the request is genuine and makes sense, to begin with (what is the code for, and does it make sense it ends up with you?).

Email Phishing

This is an issue similar to social engineering, with some noticeable differences. For one, it’s done over email (duh). Essentially, the hacker sends an email pretending to be a company, or pretending to work with the company. The email may come from a domain similar to the real one, so it isn’t obvious that the sender is a hacker. For example, instead of help@microsoft.com it may be help@microsotf.com.

Stephen Arndt, President of Silver Linings Technology, says:

It’s the perfect time for hackers to send e-mails with dangerous malware and viruses. Right now, your inbox is probably filled with “COVID-19” subject lines and coronavirus-focused e-mails.

Hackers are even using a fake cdc-gov e-mail address that’s not legitimate and spamming inboxes.

How can you tell a phishing e-mail from a legitimate one? Here are a few telltale signs:

• Look closely at the e-mail address to make sure it’s spelled correctly.
• Hover over any links in the e-mail (but DON’T CLICK) to see the ACTUAL website you’ll be directed to. If there’s a mismatched or suspicious URL, delete the e-mail immediately.
• Watch for poor grammar and spelling errors.
• Never download an attachment unless you know who sent it and what it is.

When in doubt, call the person who supposedly sent the e-mail on the phone to verify it’s legitimate.
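Two of the telltale signs above, a misspelled sender domain such as help@microsotf.com and a link whose real destination differs from what it shows, can be checked mechanically before a message reaches a reader. As an added example that is not from the article or from Silver Linings Technology, this Python script scores a sender domain against a constructed allow-list using an edit distance that counts a transposed pair of letters as one change, and flags links whose visible text names a different host than their href; the allow-list, the distance cut-off and the sample message are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains you actually correspond with (not from the article).
TRUSTED_DOMAINS = {'microsoft.com', 'cdc.gov', 'paypal.com'}

def damerau_levenshtein(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    d = {(i, 0): i for i in range(len(a) + 1)}
    d.update({(0, j): j for j in range(len(b) + 1)})
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i, j] = min(d[i - 1, j] + 1, d[i, j - 1] + 1, d[i - 1, j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i, j] = min(d[i, j], d[i - 2, j - 2] + 1)   # transposition, e.g. "tf" <-> "ft"
    return d[len(a), len(b)]

def lookalike_of(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain a sender address imitates, or None if it is trusted or unrelated."""
    domain = address.rsplit('@', 1)[-1].lower().strip('>')
    if domain in trusted:
        return None
    best = min(trusted, key=lambda t: damerau_levenshtein(domain, t))
    return best if damerau_levenshtein(domain, best) <= max_distance else None

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}', re.I)

def mismatched_links(html):
    """The 'hover before you click' check: visible link text names one host, href goes to another."""
    findings = []
    for href, text in LINK_RE.findall(html):
        shown = HOST_RE.search(text)
        real = (urlparse(href).hostname or '').lower()
        if shown:
            name = shown.group().lower()
            if real != name and not real.endswith('.' + name):
                findings.append((name, real))
    return findings

if __name__ == '__main__':
    # Constructed sample modelled on the article's help@microsotf.com example.
    print(lookalike_of('help@microsotf.com'))
    print(mismatched_links('<a href="http://login.microsotf.com/verify">https://account.microsoft.com</a>'))
```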

Unethical Vendors

Unfortunately, even businesses you hire can be threats themselves. Business Consultant Nancy D. Butler has, ironically, run into several issues with a security company she hired. She recounts,

“Several years ago, I set up a recommended on-line system to help improve the security on my computer. Periodically the company would call and after verifying who they were, I would give them access to the computer and they would “clean it up” and remove anything questionable. After several years using this service, one day I received one of our standard calls. I asked them to confirm my account number, e-mail, and other critical information so I could be sure they were who they said they were. After everything was confirmed I let them into the computer only to find that soon after I let them in, they locked me out of my computer, accessed and stole from my bank account, credit card and several on-line accounts. They then refused to let me back into my own computer unless I paid them a fee.”

Her advice for avoiding this headache?

Before allowing anyone into your computer for any reason, check with the Better Business Bureau and search on-line to be sure they have no reported issues against them. Also, use local computer experts you know and trust to manage your computer security and use only the software they recommend.

Your own employees

It’s rare that your own employees are intentionally leaking data, but it’s easy for them to fall victim to any of the above threats.

Nick Santora, CEO and Founder of Curricula, a cyber security awareness training company, advocates investing in employee training.

“Security awareness training is essential to teach people how to recognize and defend themselves against hackers. Constant communication helps, such as reiterating ‘see something, say something’ to alert management if someone receives a suspicious email that could actually be a phishing scam.”

“Your company’s employees have to become the first line of defense against potential hackers, and that is where security awareness comes in to play. You’re all in this together to help defend against cyber threats. It’s about learning and working as a united front, because hackers only care about themselves.”

“Each and every employee needs to develop the soft skills that are needed on the cyber side to really understand how to block the bad actors attempting to hack someone through phishing and social engineering.”

3rd Party Website Integrations

Cybersecurity expert Bob Buffone, Chief Technology Officer and Co-Founder of YOTTAA, has great advice for any company with integration partners:

While 3rd party technologies, such as live chat and personalization, create an engaging online experience, they also pose the risk of noncompliance and exposing user data. Considering that the average eCommerce site has between 40 and 60 3rd parties, and many brands aren’t even aware of all the 3rd party services running on their sites, let alone the shopper data they are collecting, it’s no surprise that companies are making headlines for data breaches left and right.
