The holiday season brings out the best in people, and the worst in cyber scams. Starting with Halloween, there is a significant rise in phishing attacks, playing on human nature to watch a cool video, participate in an outrageous costume contest, or shop the pre-holiday sales you can expect from your favorite retailers.
If you simply search holiday phishing scams, you will find claims that up to 80% of individuals fall for phishing attacks during the holiday season. It is just human nature to want to believe in something good, but also fall for something bad. And, Halloween is where it all starts.
A blog posted by the Better Business Bureau highlights this problem and attempts to raise general awareness of phishing attacks, malware, and “click bait” used in modern attacks. The blog is a year old, but remains relevant today whether at home, for our children, or with phishing attacks at work praying on a cyber trick or threat treat.
As we consider the risks, let’s outline three basic cybersecurity hygiene steps that can help mitigate the impact of these threats--even if you should happen to fall victim.
1. Make your everyday computing account a standard user account
By default, when you set up a new Windows or MacOS device, the first account you create is an administrator account. Most consumers use that account every day for email and for surfing the Internet. Most businesses, however, deny access to that account and create a domain account with limited privileges (i.e. a standard user) for you in order to better control your behavior and limit the exposure of threats and accidents. For businesses that still allow local users to have administrative rights, and for consumers still using the default administrative account, consider creating a new account and assigning it standard user rights to logon.
Why? Because 80% of malware requires administrative rights in order to infect a system. If the malware does not have privileges, it cannot contaminate the computer, and thus, the threat is mitigated. That new standard user account – and not the default administrator account – is what you should use every day for routine computing. This alone can save you a world of pain, should you make a mistake and fall for an attack.
2. Ensure security patches and updates are applied often
Both Microsoft and Apple have gone to great lengths to ensure that security updates are applied almost every month. Let them automatically patch and update your operating system as needed. In addition, Adobe, Java, Google, and many other vendor apps have auto-update capabilities. Make sure they are turned on so that security patches will be applied when necessary.
Why? Modern phishing attacks can also prey on vulnerabilities. If the link, file, or browser plugin has a vulnerability that can be exploited, then your system can be compromised as well. Keep your system patched at home and at work—do not ignore the pop ups requesting to apply an update. The patch alone may stop a threat in its tracks, should you make a mistake and fall for a phishing attack.
3. Back up your files
I know this sounds simple – and it really is! If you store files locally, consider using a file-based cloud service like Office 365, iCloud, or Google Drive to back up your files. For your business, you can use a corporate backup program or a business-based cloud file share system too.
Why? In the unlikely chance you do fall victim to a phishing attack that contains ransomware, a data backup will help you recover your files, without having to pay a potentially an outrageous ransom. In addition, if you do back up your files, make sure your backups are secured as well. Sensitive data on a USB drive that is physically not secured opens up an entirely different set of threats and potential data governance issues—especially at work.
If you welcome these three tips as your cybersecurity treats, you might just avoid a cybersecurity trick this Halloween and holiday season!
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.