Everyone agrees that we need to be better at cybersecurity in our organizations.
For most organizations, from the small mom-and-pop shops to the medium-sized accounting and insurance offices to the large firms with thousands of employees, the call for cybersecurity is ubiquitous. On a seemingly daily basis, business owners are called to lock down their computers and networks and adopt strict cybersecurity policies. An endless litany of attack scenarios they should address are based in technical jargon that the typical end user can struggle to decode.
Terms like phishing, spear phishing, business email compromise and DoS (denial-of-service) attacks describe relevant threats, but where do you start?
The sheer number of possible points of attack makes the task of cybersecurity overwhelming for most non-tech businesspeople. And when things become overwhelming, we push them to the back burner.
This is part of the issue with cybersecurity talking heads and experts. They give us all the stats and theories but don’t spell out explanations that are easy to understand. Most important, they often don’t make suggestions that are actionable by most business owners.
It’s true that hackers are trying to overwhelm and overrun our internet-dependent business processes in a multitude of ways. A reality that’s rarely discussed is that hackers’ primary focus of exploitation is email.
It’s true: your email password is the key to the front door of your digital life.
Hackers today will get access to our email and then sit back and observe. They peer into our lives via our inbox. Email is a powerful communication tool rife with correspondence among executives, bankers, investors, vendors and customers. The volume and importance of the information we discuss in our email leaves us vulnerable to exploitation by hackers.
How do you know there isn’t a cyberpirate in your inbox watching your life right now?
A reality that’s rarely framed accurately is that cybersecurity really boils down to people trying to steal your money — money you’re using to make payroll, capital purchases, marketing and other operations. It’s also about them stealing money we use to pay down the mortgage, put our kids through college and save for retirement.
Regardless of the type of business we have or the customers we serve, from a people and community standpoint we are all striving to make our lives better. Thieves and con artists don’t support that. As business leaders, parents and colleagues, we need to join hands and fight this head on and the biggest first step is to lock down your email passwords.
There are three big things you can do immediately to protect your money.
First, change your email password(s). Your email password is the key to the front door of your digital life. Start there and start now.
Don’t simply add a “1” or “!” to the end of your current password. That’s a behavior hackers expect. According to the National Institute of Standards and Technology (NIST), you need to use a 25-character password in the form of a passphrase. Yes, I know that seems overwhelming, but we created a great tool to help you at smadatek.com/have2.
This tool provides an easy-to-follow format to help create and remember your new passphrase. Just remember the acronym “H-A-V-E-2” and pick one word per category: “H” is for hobby; “A” is for activity; “V” is for vacation; “E” is for event; and the 2 signifies two special characters. There’s your four-word passphrase. And, for those sites requiring a capital letter, comply by capitalizing one of the words in your passphrase. See smadatek.com/have2 for some examples.
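As an added illustration of the HAVE2 format (example code written here, not the smadatek.com/have2 tool), the helper below assembles a passphrase from one word per category plus two special characters and checks the result against the requirements listed above. It assumes the four words are joined without spaces and that the special characters go at the end; the sample words are constructed.

```python
"""HAVE2 passphrase helper (added example; not the smadatek.com/have2 tool).

Builds a passphrase from one Hobby, Activity, Vacation and Event word plus
two special characters, then checks it against the article's requirements:
25+ characters, two special characters and at least one capital letter.
"""
import string

MIN_LENGTH = 25                      # minimum length the article attributes to NIST
SPECIALS = set(string.punctuation)   # what counts as a "special character" here


def build_have2(hobby, activity, vacation, event, specials="!?", capitalize=0):
    """Join the four category words (assumed: no spaces), capitalize one of
    them for sites that demand a capital letter, and append two specials."""
    if len(specials) != 2 or not all(c in SPECIALS for c in specials):
        raise ValueError("exactly two special characters are required")
    words = [hobby, activity, vacation, event]
    words[capitalize] = words[capitalize].capitalize()
    return "".join(words) + specials


def check_have2(passphrase):
    """Report which HAVE2 requirements a candidate passphrase meets."""
    n_special = sum(c in SPECIALS for c in passphrase)
    report = {
        "length": len(passphrase),
        "long_enough": len(passphrase) >= MIN_LENGTH,
        "two_specials": n_special >= 2,
        "has_capital": any(c.isupper() for c in passphrase),
    }
    report["ok"] = (report["long_enough"] and report["two_specials"]
                    and report["has_capital"])
    return report


if __name__ == "__main__":
    # Constructed sample words; a short set shows the length check failing.
    for words in [("gardening", "kayaking", "yellowstone", "marathon"),
                  ("golf", "ski", "rome", "bbq")]:
        p = build_have2(*words)
        print(p, check_have2(p))
```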
Second, once you safeguard your email and other passwords, add another layer of security by enabling two-factor authentication (2FA). Both Office 365 and Google Workspace (formerly G Suite) have this capability. The majority of cybersecurity breaches we see come from customers that don’t have 2FA enabled.
Third, enable 2FA with every vendor, online program or cloud-based system you use. If you find an online application that doesn’t have 2FA, contact them and learn when it will be available. Most popular web-based apps, including Salesforce, QuickBooks, Zoho, Dropbox and Amazon, offer 2FA as an option. However, 2FA can’t be an option — it must be a new minimum requirement in our organizations.
According to our local corporate attorney, Rueben Ortega at Grivas Law, 2FA has become the new minimum business standard. Failing to enable 2FA may increase your risk of having a claim denied, as most insurance companies consider it standard practice and require it for a rider or cybersecurity addendum.
Does 2FA take a little more time to log in and authenticate? Yes. But it’s a mild inconvenience compared with a business email compromise that results in a customer list being stolen, a ransomware attack being launched against you or hackers directly robbing your bank account. Hackers are hunting for employees who are not using 2FA.
Banks and insurance companies are tired of paying monetary damages that result from inadequate cybersecurity that’s within every business owner’s grasp to implement. Voiding claims for lack of cybersecurity measures is a way for banks and insurers to push cybersecurity responsibility down to policy owners.
Taking these three steps yourself will enhance your defenses against cyber criminals. In my opinion and experience at ground zero, helping innocent people recover from these attacks, most of them could have been mitigated with 2FA.
The next crucial step is almost as simple: require your employees to complete these tasks. Every employee needs to change their email password. If you’re the admin of your email platform, you can enable 2FA for your company; if you’re not, have your IT person enable 2FA for everyone in your organization.
Remember: For increased cybersecurity today, change your password and upgrade it to a passphrase using the HAVE2 acronym, enable 2FA on your email and lastly enable 2FA on all web-based applications.