5 Cyber Tips from a Local Leader in Information Security
From SSNs to security questions, Anurag Sharma of Withum’s Cyber & Info Security Group keeps us safe from phishing and scams
Were you affected by the recent Netflix scam? If your personal information went untouched this go-around, it’s only a matter of time until it is targeted by another cyber attack. Fortunately, there are ways to thwart these scams with a little know-how and online savvy. Here, Anurag Sharma, Principal of the Cyber & Information Security Services Group at Princeton’s Withum, shares his tips on cyber security for 2017.
Tip #1: Avoid using checks for making payments
Personal checks contain sensitive information, such as one’s name, bank account number, routing number and in some cases even address. Armed with a checking account number and bank routing number, criminals can create blank checks using an online checkbook retailer and write checks from the checking account. So, stop using checks to make payments. If you do use checks, set an online banking auto alert on the checking account for all check payments. This allows account holders to catch check fraud early and alert the bank. Using electronic payment mechanisms and, whenever possible, using a credit card for payment allows more time to flag fraudulent transactions and reduces the risk of losing money.
Tip #2: Don’t provide a SSN just because it was asked for
When filling out forms at the local hospital or when seeing a physician, providing one’s name, address and insurance information has become the norm. But should you fill in your SSN? If a doctor or hospital is asking, the answer is “No!” Doctors, hospitals and other healthcare providers may request a SSN to collect debt or unpaid balances. However, be informed: patients are under no obligation to provide that information. Just leave it blank and, if asked for it, relay that the insurance ID should suffice. If pressed, remind the provider/staff that you prefer not to reveal your SSN unless it is mandated by law. This reduces the risk of identity theft by reducing the number of places where a SSN may be found.
Tip #3: Security Questions: thou shall not answer them correctly
Many websites and applications now rely on security questions to determine one’s identity, adding an additional authentication layer in the event a password is forgotten. While it is human nature to answer these questions correctly during setup, it is not the most secure behavior. There are a lot of people who may know a mother’s maiden name, so it is advisable to create a new fictitious one and use that instead. Now it is not just an answer to a security question; it is another password that no one else knows or can guess. The wackier the answer, the better. It is never too late to update current answers if you, like an overwhelming majority of people, answered them correctly in the first place.
Tip #4: New Year, new passwords
With so many hacks and data breaches in 2016, including the 1 billion passwords lost by Yahoo, it is advisable to reset all passwords for 2017. Stop and think! On which other websites are you using former Yahoo passwords? Think LinkedIn, Adobe, Dropbox, Tumblr, BitTorrent, and Evernote – and yes, they all suffered a breach in the last two to three years. When resetting a password, make sure it is an easy-to-remember, complex password that is unique for each website. Here is one suggestion: Take the first letter from each word of a favorite song lyric to get eight to nine letters for a password. Then add a number and special character to it.
Looking for a secure way to store all your passwords? Consider the website Password Safe (https://pwsafe.org/). If you are currently utilizing Excel or Word documents or “post-it” notes, switching to a secure password vault utility should definitely be a resolution that is kept.
Tip #5: Don’t get phished!
Never fall for a “phishing attack” by clicking a link or opening an attachment that was unexpected. Today’s scams look very convincing, coming in the form of voicemails, eFaxes, invoices, social media, ADP-themed messages or messages claiming to be from the IRS. If these are opened, hackers can gain entry to a computer’s contents.
Remember, a CEO will usually not ask an employee to wire money via email. Similarly, a CFO should not request a full W2 report and then have it emailed. Always pick up the phone or walk to the appropriate office to confirm such requests. Finally, organizations should test their “human firewall” by engaging an external firm to provide “phishing as a service” and identify employees who fall for such attacks and need security training.
Taking these seemingly simple precautions will lead to a much safer cyber new year at the personal and business levels.
Anurag Sharma is a Principal of Withum’s Cyber & Information Security Services Group.
Certified in risk and information systems controls and as an information systems auditor and security professional, he has over 16 years of experience with specialization in the government, healthcare, life sciences, manufacturing/distribution/logistics, real estate, technology and telecommunications industries. Sharma is a graduate of the Symbiosis Center for Management & Human Resource Development (India), where he received his MBA in Information Systems, and is a member of the Information Systems Audit and Control Association and International Information Systems Security Certification Consortium.