I wear a fitness and sleep tracker, the Oura ring. The other day it prompted me to update its firmware. I can’t set this device to auto-update, so when this happens it’s always a good news-bad news moment. The good news is that Oura developers are watching out for me, because I know most of these “patches” are created to close known security gaps. The bad news is that the creeps—often called “bad actors” by those in the security business—are out there too, profoundly misapplying their smarts and resources to scam and thieve.
Not only are they motivated and rewarded for these slimy efforts, but they are getting a lot of help. The barrier to entry is so low that they can go online and buy services and supplies to help them out.
I recently attended an excellent cybersecurity webinar for financial advisors who custody their client accounts at Schwab. Under the category of “If you can’t be a good example, then you’ll just have to be a horrible warning” (Catherine Aird), Schwab security experts told stories of well-intentioned, smart, and careful advisors who have been victims of cybercrimes.
One of the first decisions I made when I started my own business was to hire an IT consultant. Every month when we go over my “Monthly Health Report,” my gratitude for them grows. My consultant covers every piece of advice Schwab recommends, including patching, anti-virus, third-party patching, phishing threat monitoring, device encryption, and email security.
What are the biggest security threats? And what are the minimum steps to take to protect yourself? Here are the “must do’s”:
Start skeptical, trust slowly and verify. Do not let your desire to be efficient or get a task done allow you to override this rule. Nowhere is it truer than in cybersecurity that “Trust is earned over time and disappears in an instant.” An example of this happened yesterday as I scanned a QR code to pay for parking. I was in a rush and when the screen popped up to move on to payment I hit “proceed,” but my brain had registered something, and I canceled out and started over. I went more slowly and realized the button below the one I’d clicked was “do not sell my personal information.” I clicked that and the next screen didn’t load—I guess what they wanted was my information more than my parking fee, so I moved on and scanned a different sign.
The #1 attack is email. We are prone to respond too easily and open attachments or respond to requests for sensitive information. Schwab’s advice: “Treat every email you get as guilty unless it’s proven innocent.” Scammers prey upon our sense of urgency and desire to get through our inbox as quickly as possible.
Your email habits probably need to change. The general rule is: don’t click on links in emails. If you get an email with a link embedded in it, do not open the link. Instead, go to your browser and type the address there. Move advertising to Junk or Spam. Use caution when opening attachments. If you don’t know the sender, it’s a hard no. If you do know the sender, don’t open the attachment if there is anything suspicious about it. I recently got an email from my sister that said, “thought of you when I saw these pictures from 1972.” Because the style of writing and lack of context seemed off, I checked first. The email and attachment weren’t from her.
Practice good password hygiene. Don’t reuse passwords. Make passwords longer (12-15 characters). Turn on and use multifactor or two-factor authentication whenever it is available. Use a password manager and make sure the password to access it is very strong. The most popular password managers are LastPass, Dashlane, and 1Password. You want to pay for this technology—don’t use a free one.
Wi-Fi and device tips. Especially when accessing sensitive data or transacting business over the Internet, use cellular or a VPN and not public Wi-Fi. Set devices to auto-update.
As Sgt. Phil Esterhaus used to say on Hill Street Blues, “Let’s be careful out there.”