JUNE 2020
CYBERSAFE Walker Security Culture
Walker Corporation Level 21, Governor Macquarie Tower 1 Farrer Place Sydney NSW 2000 walkercorp.com.au
Phishing
The most common form of phishing is via email, where someone sends fraudulent emails to recipients hoping for them to surrender sensitive information or click malicious links. Attackers can also use phishing websites, whereby the phishing email leads the victim to a corresponding fraudulent website that looks entirely legitimate. Attackers can also use human interaction, known as “social engineering”, to obtain sensitive information and may ask for credit card details through email, or pretend to be a reputable company to obtain things like date of birth, address and employment details over email. This may be followed by a phone call from the same company’s fraudulent sales representative requesting credit card details.
Here are some ways to prevent a phishing attempt:
• Do not open suspicious emails – delete them straight away. If an email is opened and doesn’t feel quite right, do not respond to it.
• Always know who you are talking to – check your sources before providing any sensitive information.
• Verify the authenticity of any organisation by calling them directly using a phone number from an independent source – do not use the contact details in the email provided to you.
• If a friend or family member emails requesting money because they are in trouble overseas – contact them directly or phone their hotel to verify their identity – don’t just send money without checking first.
• Never send money, financial/credit card details or personal details and documents by email.
Safe Email Use
With multi-tasking being something that we all need to do, often across multiple devices, it pays to be vigilant about the content of the email, who it is being sent to, and knowing what to do if something goes wrong.
• Only use your corporate email to conduct business. Never use a personal email to send corporate information.
• Never forward email chains or spam mail as they could contain viruses or inappropriate language or images.
• Always check who the email is being sent to and who is being cc’d. It can be easy to select the wrong contact in email or cc someone who perhaps shouldn’t be privy to the information.
Passwords
Many of us have strong locks and codes for our physical belongings, whether it be our house or car. When it comes to our information, however, sometimes we forget to use strong locks (i.e. passwords). It’s a bit like having the keys to the castle – in the wrong hands, password misuse can spell trouble.
Weak passwords are easy for criminals to guess and, with technology on their side, criminals can potentially guess 350 billion passwords per second, according to one password-cracking expert who developed such a tool. Hackers delight in creating such tools to quickly and easily crack passwords. This is usually accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. If you have used the same password for multiple accounts, it means the hacker can easily gain access to a lot of your personal or financial information.
• Don’t share your passwords with anyone. This includes friends or colleagues.
• If you think your password may have been compromised, change it immediately and check for any suspicious activity. If the same compromised password has been used on another site, change your password there as well.
• Where possible, consider using two-factor authentication (such as receiving one-off text messages, or codes to your phone after providing your password) to safeguard your accounts.
Tips for creating passwords
• Create new passwords when requested to do so, or if there is evidence of your account being compromised.
• PINs should be a random mix of numbers, letters and characters.
• Ensure you can remember the password without having to write it down.
• Consider using a password manager.
• Ensure the password is unrelated to your other passwords. Even a simple two or three-character variation can be easy for someone to crack.
• Avoid single dictionary words or numeric sequences (such as 1234567).
• Your password should not contain any information that someone could guess or learn about you, such as pet names, birthdays, and street names.
Securing Your Device
Apply timed screen locks and passwords to devices, including laptops, mobile devices, tablets, gaming consoles and anything connected to the Internet. To ensure the potential hacking of one account doesn’t lead to the hacking of other accounts, never use the same password on more than one system or application. Use a mix of upper and lowercase letters and numbers. Never use your name or birthday in your password.
Be careful of auto logins
Don’t use an automatic login feature that saves your user name and password, and always log off when you’re finished. That way, if your device is stolen, it will be harder for a thief to get at your personal information.
Plan ahead
Consider installing an app that allows you to find, lock, or wipe your phone remotely if lost or stolen, such as Find my iPhone, Lookout, Lost Phone, or Autowipe.
Lock your device
When away from your desk, lock your screen. If you are using a device in public, for example, a train or café, be mindful of your surroundings and potential ‘shoulder surfers’ looking at your data.
If your device is lost/stolen
Immediately change all passwords for accounts accessed on the smart device, especially e-mail accounts. If someone does gain access to the device, they will have continued access to all e-mail, Facebook, some web accounts, and more until the passwords are changed.
Along with reporting the loss to your manager or IT contact, report the loss to the police. Even if you think your device is just lost (not stolen), you should report it to the police so that if the device is turned in to them it can be returned to you.
Keep passwords private
Use strong passwords with your laptop, credit, bank, and other accounts. Be creative; think of a password phrase and use the first letter of each word as your password. Substitute numbers for some words or letters. For example, “I want to see the Pacific Ocean” could become 1W2CtPo.
Use two-factor authentication
Apply multi-layered authentication, requiring the input of a unique code sent to your mobile device after you’ve entered your password.
Stay up to Date
Ensure all above devices are running the most up-to-date software, web browsers and operating system to reduce security flaws and risk of a cyber threat.
Out with the old, in with the new
The devices that we use every day, from phones, tablets and laptops to wireless speakers and digital radios, are driven by continually improved software – fresh software allows us to have access to new features and a higher level of functionality for our devices, but more importantly, it’s the first aid kit that fixes all of the ever-growing security flaws as they arise. New updates are readily available; all you have to do is apply them – this is easy to do and should happen regularly and as soon as updates become available.
Mobile/tablet device
Android and Apple devices typically enable app auto-updates by default, which updates your apps as new updates become available. To check which apps were recently updated or to manually update apps, access your apps by launching either the App Store (Apple) or the Play Store (Android).
Being Safe Online While Out and About
Whether you’re traveling for the day or for an extended period, be vigilant about keeping your device with you, especially when in a public space. Know the risks of using communal computers and publicly accessible Wi-Fi on all devices.
Be wise about Wi-Fi
Wi-Fi is everywhere these days, from the tram stop to your favourite café, but it pays to be careful about what you do over a Wi-Fi network. Before you send personal information over your laptop or smartphone on a public wireless network in a coffee shop, library, airport, hotel, or other public place, see if your information will be protected. If you use an encrypted website, it protects only the information you send to and from that site. If you use a secure wireless network, all the information you send on that network is protected. Remember to check your phone, as devices with Wi-Fi switched on can automatically connect to public networks that are not always safe.
Turn off services when not in use
Wi-Fi, Bluetooth, and other virtual private networks are handy to have when you're using them but when you're not, they can expose your device to unwelcome remote connections.
Protect Your Identity
Own your online presence. Set the privacy and security settings on social websites and applications to your comfort level for information sharing. If someone is harassing or threatening you, remove them from your friends list, block them, and report them to the site administrator.
Don’t overshare on social networking sites
Once information or data is online, it’s difficult to permanently remove. Sharing too much online can cause problems not only with friends, family and potential employers; it can provide an identity thief with enough ammunition to steal your identity. Information about your life can be used to answer ‘challenge’ questions on your accounts, resulting in access to your money and personal information. Consider limiting access to your networking page to a small group of trusted people. Never post your full name, tax file number, address, phone number, or account numbers on publicly accessible sites.
Checking-in
Checking in to locations and enabling geographic settings on your phone or device allows people to not only see where you are, it allows them to see where you’re not. This visibility of your location can promote stalking and can also put your home and assets at risk of theft and damage if you’re clearly out at dinner or away on holiday and away from home.
Carefully choose the group of users who can see the geolocation information generated by applications or geo-social networking. Most social networks allow you to configure this function, restricting posts to private groups. Avoid providing information that could lead to the place where a user is at any given time being deduced. To do this, you should avoid announcing movement patterns (e.g. to your working environment) and holiday periods.
Securing Data
Protecting corporate data is critical. How can you make sure information is transferred and stored securely, and seen only by the people you choose? This will depend on the policy or process within your organisation. The following tips can provide guidance on the secure transmission of data, particularly sensitive data.
Sharing data securely with an electronic collaboration tool
Sharing files with a larger audience, such as a team or project group, can be done via a collaboration tool. You can invite people from your own organisation but also from outside the organisation. It is even possible to make sure that the file cannot be downloaded but is only readable.
When looking for a solution, ensure you can set:
• Workspace and file expiration dates
• Multi-tier access and permissions to workspaces and files
• Automated security policies to validate recipients
Email is not recommended for distributing confidential or sensitive information. If email must be used for transferring files, then the following controls should be implemented:
• Encrypt the file (with a password) before emailing it.
• Use a separate communication channel (e.g. phone call or text) to advise the recipient of the password to open the file. Do not include the password in the email.
Removable storage (USB drives)
Removable storage is not recommended for distributing confidential or sensitive information. If removable storage must be used for transferring files, then the following controls should be implemented:
• Encrypt the removable storage (with a password).
• Use a separate communication channel (e.g. phone call or text) to advise the recipient of the password to open the file.
Sharing data with Third Parties
Before you share/send sensitive data to third parties, ensure the recipient has a contractual obligation with the organisation to keep the data confidential and secure, and has a data destruction process in place.