Beginner Read

Cyber Security 101

Cyber security is a critical, yet often overlooked, aspect of your strategy. Understanding what your organisation can do to protect your online and offline systems and networks will help protect your data from theft and damage. In this article we’ll explore:

  1. What is Cyber Security?
  2. Defending yourself against Phishing
  3. Protecting against Malware
  4. Creating and managing strong passwords
  5. A guide to multi-factor authentication
  6. Portable devices and removable media
  7. Dealing with a security incident

1. What is Cyber Security?

Cyber security protects you and your data from digital attacks by safeguarding the networks and devices you use.

Why is understanding cyber security important?

Generally, when using computers and browsing the internet, we all collect and store highly sensitive data, and this data can be exploited and even stolen by criminals.

In this article, you’ll learn the basics of keeping your digital information safe, the types of cybercrime you might encounter and practices you can adopt to better protect your data online.

The three most common types of cyber-attacks are:

  • Phishing attacks – these are carried out through digital media such as fake emails and text messages. They may seem legitimate on the surface, but they’re designed to get you to reveal personal information, such as credit card or bank account details.
  • Malware – this is malicious software that is delivered through unsecured links and files. Once installed on your computer, malicious software provides an attacker with the means to steal or destroy your data and conduct other criminal acts.
  • Denial-of-service attacks (DoS) – they flood an organisation’s server with bogus traffic. The goal of this type of attack is to interrupt services and prevent employees from conducting necessary activities. On a wider scale, a distributed denial of service attack (DDoS) uses multiple devices to target an entire sector’s digital infrastructure and resources.

What are the risks of cyber-crime?

Failure to put adequate safety measures in place can result in some harmful outcomes.

  • Fraud – Cyber attackers who steal your financial data can make purchases without you knowing. The potential impact is evident – monetary loss and damage to your business.
  • Loss of company data – Loss of data can take many forms, from personal communications that can be used against you to confidential company information. For example, if sensitive internal data has been compromised, a hacker could leak details to undermine the company.
  • Identity theft – When hackers steal personal data, they can use the information to commit identity fraud. Catfishing, the act of posing as someone else on social media, is a well-documented example of identity theft and can be used for financial gain, abuse, and harassment.

2. Defending yourself against Phishing

Phishing is the act of impersonating a person or entity that the victim trusts to gain access to sensitive or personal information. In general, phishing tactics aim to trick users into performing specific actions while online, such as:

  • Clicking on a malicious link
  • Downloading an attachment embedded with malware
  • Disclosing account information such as your username or password
  • Sending money to an account owned by criminals

How can you spot a phishing email?

Knowing how to spot a fraudulent email is an essential first step to avoid getting phished. The sample email below highlights the most common characteristics of phishing emails:

Screengrab of a Phishing email

  1. A sense of urgency
  2. Unfamiliar recipients
  3. Generic greeting
  4. Request for personal information
  5. Deceptive links
  6. Typos and mistakes
  7. Threatening language

Phishing attacks rely on unsuspecting users clicking without thinking. To avoid becoming the next victim of a phishing scam, here are some simple pointers to help you avoid typical phishing tactics:

  • Take your time: Examine links and downloads carefully. Trust your gut and don’t act if something feels “off”.
  • Stay informed: Be aware of current phishing techniques so you can spot a suspect message.
  • Use common-sense security practices: Using antivirus software and regularly updating software on your devices is a simple and highly effective way to help protect yourself online.

3. Protecting against Malware

Malware is a combination of the words “malicious” and “software”. Criminals use malware to exploit devices to access information, damage programs, or steal personal data for financial gain. Malware doesn’t just impact individuals. An employee who unwittingly installs malware on a company-owned device can put their entire organisation at risk. Malware is most often downloaded when an unsuspecting user clicks on a malicious link, file, or attachment.

Below are examples of three types of malware and what they can do:

  • Viruses – A virus inserts harmful code into software programs. This malware can delete files and make devices inoperable. Viruses can replicate, making them extremely difficult to get rid of once embedded in your device.
  • Ransomware – In a ransomware attack, a hacker threatens to publish sensitive information or block you from essential accounts unless you pay them.
  • Spyware – Downloaded spyware secretly tracks a victim’s activity to steal their information. For example, a hacker might use spyware to steal your login credentials and passwords.

How you can prevent malware attacks

There are many kinds of malware and malware attacks can have serious implications. Here are a few tips for reducing the risk of exposure to malware:

  • Do you regularly update your operating system? Set updates to run automatically to keep your operating system current because software updates often include fixes to help protect you if you inadvertently download malware. While you’re at it, it’s a good idea to back up your files too.
  • Do you examine email attachments? Email file attachments are a common way to spread malware. Never download an attachment unless you know what it is and who sent it to you.
  • Do you look for the padlock symbol on your browser? When you open a new website on your browser, always check the left side of the address bar for a padlock icon. If the website doesn’t display that symbol, it’s not encrypted and your data is not safe.
  • Can you recognise the warning signs? If something doesn’t seem right with your device, it may be infected with malware. Here are some common signs:
    • Repeated freezing, crashing, and slow loading times
    • Changes to the appearance of your browser
    • Increased pop-up ads
    • Reduced storage space

Can you trust this link?

Messages from seemingly reputable sources can be exploited to send malware to unsuspecting recipients. If tricked into clicking a malicious link, you could become a victim.

Screengrab of a scam text message

How to minimise the damage of malware

If you have accidentally downloaded malware, here are some tips for how to minimise the damage.

  • Have you disconnected your device? Immediately disconnect from the internet if you suspect you have downloaded malware.
  • Have you changed your password? If you suspect your passwords have been exposed, you should change them as soon as possible.
  • Have you contacted your IT department? If you work within an organisation that has an IT department, contact them as soon as you become aware that something is not right, even if you’re unsure or feel embarrassed.
  • Watch for fraud – If you deal with finances, keep a close eye on your financial reports. Check if any fraud alerts are available to notify you if anyone attempts to use your financial data.

4. Creating and managing strong passwords

Passwords are the first line of defence against fraud and identity theft. They protect our devices, online accounts, and personal information from unauthorised access.

Many of us still use weak passwords, or worse, the same passwords across multiple accounts. By doing so, we are increasing the risk of getting hacked by cyber criminals – all in the name of convenience. Luckily, there are simple steps you can take to strengthen your password security.

  • Use three random words – Make the words as random and unrelated as possible and avoid commonly known words and phrases, for example, ‘Redsquarequeen’. Read more about this technique and why it’s effective at the NCSC Blog.
  • Password managers – Password managers are applications that generate and store all of your passwords in one place. They create unique passwords for every site you visit and keep them encrypted and safe. Reviews of well-known password manager applications can be found on Tech Radar.
  • Make it more than eight characters – The longer the password, the stronger it will be. For added security, try a combination of letters, numbers, and symbols.

Next time you create a password, use these password tips to make it easy to remember and difficult to hack. If your existing passwords don’t meet the criteria for strong passwords, think about changing them. And remember, never reveal or share your password with others!

5. A guide to Multi-Factor Authentication (MFA)

What is multi-factor authentication (MFA)?

MFA is a method of identity verification that requires evidence of a user’s identity from two or more factors before admitting them to an account, application, or website. It’s far more difficult for hackers to crack MFA than it is to crack single-factor authentication. Think of it like locking up your bike with two locks – it makes it far less appealing to a criminal who’s looking to steal a bike. Depending on the platform, the evidence a user must produce to verify they are an account’s true owner can include:

  • Something you KNOW – Any information that you can remember and repeat falls into this category. Examples of this include security questions that ask you to recall the ‘name of your first pet’ or ‘model of your first car’.
  • Something you HAVE – Having a one-time password (OTP) sent to an existing account held by the owner (e.g. in a text message) is one example of ‘something you have’. This method can help users who may have forgotten or lost another authentication factor, like a password.
  • Something you ARE – Otherwise known as biometric data, these are any physical or behavioural characteristics that can be used for identification. Fingerprints are the most common type of biometric currently used. Other examples include facial recognition or voice identification.

Have you enabled MFA?

Many online accounts offer MFA as an added layer of security. It is now common for accounts to prompt you to turn on MFA when you first sign up, such as the 2-step-verification method used when logging into online accounts after a period of inactivity. Often, however, MFA is disabled by default and requires the account holder to manually turn it on. You’ll normally find the option to enable and configure authentication tools in the application’s account settings.

Have you considered using an authenticator app?

Authenticator apps connect to accounts that support MFA and randomly generate secondary login codes. When logging in to an account, a single-use authentication code is sent to you through the app, making the process time-sensitive and very difficult for scammers to crack. There’s a wide range of trusted authenticator apps available, most of which are free. Find out more about authenticator apps in this article by Tech Radar.

6. Portable devices and removable media

What are portable devices and removable media?

  • Portable Devices – Battery-powered portable devices are small enough to carry. They contain computing and storage capabilities and can connect to the internet. Examples include mobile phones, laptops, and tablets.
  • Removable Storage Devices – Removable media is used primarily for storing and sharing files. It isn’t internet-capable and doesn’t have a user interface. Examples include USB drives and external hard drives.

What are the risks of using portable technology?

The same factors that make portable devices and removable media so convenient also make them a cyber security risk. Here are some of the security risks associated with these devices:

  • Easily lost, stolen or damaged
  • Higher risk of malware attacks, especially when exposed to unsecured Wi-Fi connections
  • Potentially full of sensitive information

How to use portable devices safely

Although convenient to use, portable devices and removable storage can hold lots of private information and sensitive data in one place, so don’t overlook their security. Remember these key take-aways to keep yourself protected:

  • Take time to enable and install as many layers of security as possible to keep your device safe.
  • Know the risks associated with using these smaller devices, particularly their tendency to get lost or stolen.
  • Regularly delete data on your portable devices once information has been transferred or shared. Practicing smart security with all your devices is the best defence against your data falling into the wrong hands.

7. Dealing with a cyber security incident at work

Cyber security incidents at work can be difficult to spot. Decisive action may stop attempted attacks before they become full-scale disasters. Here are steps you can take to minimise the impact if you think you’ve been exposed to an online attack at work:

  1. Closely follow existing security processes and policies.
  2. If the device involved in an attack is in your possession, disconnect it from the network and Wi-Fi as soon as possible. Do not shut it down, as this could lead to data loss!
  3. Contact your IT department immediately, providing as much detail as possible.
  4. Even if you’re not sure, ask for support if something feels suspicious or unusual.

8. Summary

While cyber security measures continue to evolve and improve, one thing is certain: there will always be criminals out there trying to hack into accounts. Practicing smart security with all your devices is the best defence against the dark arts and sensitive information falling into the wrong hands.

Here are some key takeaways and remember, it’s not SAD to be safe!

Stay informed about the latest techniques and scams criminals are using.

Act quickly if you think you or your organisation have been exposed to criminal activity. The sooner you report an incident, the quicker it can be resolved and the less damage it will cause.

Do not act if something feels “off”. Criminals prey on unsuspecting users, so stay alert to potential threats and keep those trigger fingers under control.

What’s next?

The Digital Culture Network is here to support you and your organisation. Our Tech Champions can provide free 1-2-1 support to all arts and cultural organisations who are in receipt of, or eligible for, Arts Council England funding. If you need help or would like to chat with us about any of the advice we have covered above, please get in touch. Sign up to our newsletter below and follow us on Twitter @ace_dcn for the latest updates.
