The Ohio Arts Council recently presented a webinar titled “Don’t Get Hacked,” aimed at providing tips, practices, and tools that will reduce vulnerability to data theft.
The presenter Ted Hattemer started out with common advice about upgrading from vulnerable operating systems like Windows Vista and XP and using anti-virus/malware software.
You Are The Weakest Link
Often, though, it is human beings who are the weak link in the security chain: opening email attachments from unknown sources, visiting phishing sites, using weak passwords or the same password in multiple places, and using devices on unencrypted public Wi-Fi connections over which login information can be intercepted.
One of the first suggestions he makes is to stop accepting email attachments altogether, including from co-workers, and to use project management platforms or collaborative work environments to exchange information instead. This practice allows everyone to work from the same version of a document. It also cuts down on the number and size of files being stored on an email server (i.e. there aren’t 10 copies of the 5MB file you just emailed sitting on the company email server).
Among the file sharing tools he suggests are Microsoft’s OneDrive or OneNote, Google Drive, Box, and Dropbox. Each of these services has different benefits and drawbacks as a sharing and collaboration tool, so you will want to do some research before adopting one.
While he doesn’t specifically make any suggestions about how to address receiving email attachments from external entities, you can request that people send links from one of these services instead of an attachment.
The same rule about opening attachments from unknown entities applies to links to files on services like Dropbox, though. A stranger can send you a link to a malware file as easily as attaching one to an email.
For true project management platforms you might check out services like Basecamp, Jira, Asana, and Slack, among others. These services allow for project tracking, timeline creation, assigning tasks to project members, etc., where the file sharing tools don’t.
The Password Is Strong, But The Memory Is Weak
Another suggestion Hattemer makes is to encrypt your hard drive, something that is possible with both Windows (BitLocker) and Mac (FileVault) operating systems. This protects the contents of your hard drive from being accessed without a password, which can be especially important for preventing access to data on stolen laptops.
As an answer to “how can I possibly remember a zillion passwords for every site and service I use?”, he suggests employing a password management tool that remembers all your passwords so that you only have to remember the single (strong) password to the management tool. Drew McManus wrote about his experience with one of these tools last year.
Most people have probably already run up against two-factor authentication if they have Google or Facebook logins or do online banking. This requires you to prove your identity in multiple ways, for example by entering a code sent to your cell phone or by using a thumbprint. If you have the option of whether to use it or not, Hattemer suggests you use it even though it may pose an additional hassle.
He also suggests talking with your web hosting provider about getting an encryption certificate for your website so that personal information like login details isn’t being sent in the clear as plain text. If nothing else, someone can get in and mess around with your website if they can intercept your administrative login. If you are using your website for any sort of financial transaction, from ticket purchases to donations, you absolutely need to have encryption set up; otherwise you are doing your patrons a grave disservice.
“We Got Hacked” Plan
Finally, and perhaps most importantly, Hattemer advises everyone to have a “We Got Hacked” plan in place to address any hacking instance.
• The first step is to discover what and who was affected. Consider how you will be impacted if you isolate the affected area (no company email? no online purchasing? all customer data wiped out?).
• What is the backup plan for operating with the reduced capacity?
• If you do think you have been hacked, shut affected systems down quickly and pull them off the internet and the internal network.
• Determine how the breach occurred. Compromised password? Out-of-date security software? Software patches that weren’t applied?
• Alert local police and the FBI.
Check out the full video.