Invest in Knowledge

Savvy Cybersecurity: Protect Yourself Now

October 01, 2021 · John Gigliello, CFP® · Season 1, Episode 1


Two seconds…

That’s how often someone becomes a victim of identity theft. Last year, there were more than 14 million victims of identity theft and fraud. 

Are you one of those 14 million? Has your personal information been exposed in a data breach or hack?

The statistics say, “Most likely.” 

This is John Gigliello, a CERTIFIED FINANCIAL PLANNER™ with the Albany Financial Group, and you are listening to Invest in Knowledge, a podcast about all things financial. 

As a financial planner, my goal is to educate clients and listeners of this podcast, so that you can take control of your financial futures. One of the most important ways you can control your finances is to protect them.

That’s why in today’s episode I am going to talk about Cybersecurity and what you can do to protect your digital information.

The past few years have given us record-breaking breaches.  For example:

• The Marriott hotel chain exposed data on 500 million guests in a recent breach.

• The credit reporting agency Equifax suffered a massive breach that affected 143 million Americans.

• Yahoo took first place for the biggest breach in history with news of a hack that affected every single Yahoo account – that's 3 BILLION users.

And these are only some of the breaches that occurred in the last few years. Given those statistics, it’s likely that your personal information has landed in the hands of a hacker. 

In addition, new threats are exposed every day. Even as we sit here now, a vast array of cyberattacks are pounding at the walls of security networks built to protect you and your digital persona on the Internet. 

And what I’m going to say next sounds a bit dramatic, but it’s completely true: 

A world of dark forces and criminal networks conspire day and night to steal your username and password, obtain your Social Security number, open credit cards in your name, drain your bank accounts, and seize your computer to hold it for ransom.

The authors of the book Cybersecurity and Cyberwar contend that a cyber world war is underway. And we’re all involved.

Our biggest problem, they say, is that we face a “Cybersecurity Knowledge Gap.” 

And that’s why I’m here today. 

I’m worried for all of us—myself, my family, my clients, and the community.  

It’s a serious, growing problem. But I don’t think it’s a reason for despair. 

Most people don’t realize how vulnerable they are or what they can do to maximize their security.

By the end of this episode, I believe you will be better prepared to protect yourself, your family, and your business from the quietly raging cyber wars targeting us all.

We have a lot to cover so let’s jump right in.

I believe you can develop three cybersecurity mindsets to strengthen and maintain your cybersecurity so that staying safe is simple. This is a little different way of thinking, so stay with me here.

The three mindsets cover various parts of your life and overlap to form a sweet spot of actions that will boost your cybersecurity. Each mindset alone provides greater security. But the combination of the three really makes you secure. 

The mindsets are Secrecy, Omniscience, and Mindfulness. 

Each mindset contains a group of actions for people to take called the New Cybersecurity Rules. I'm going to explain all three mindsets and the associated rules. Let's take a look at the first mindset and Key Idea #1.

Adopting a new level of secrecy can boost your security and cyber-confidence. 

We all need more secrecy in our lives.

The secrecy mindset entails keeping your personal and private data private. With all the massive amounts of data breaches suffered by corporations and governments, we need to act as if our personal data already exists in the hands of cybercriminals—because it likely does.

If you’ve ever seen the movie, “Meet the Parents,” then you know of Jack’s Circle of Trust.  Well, we all need to draw a tighter ring of security around our personal data. And that starts with your email. 

Our email address is the key to our digital lives. We share it with countless businesses, organizations, and people. If you've used the Internet for any amount of time, you have entered your email address at a host of online accounts for shopping, traveling, exercising, gaming, dating, and more. We don't think twice. 

But having your email addresses in so many databases puts you at a significant risk. Hackers routinely breach the security networks of many organizations that hold your primary email address. That stolen personal data, paired with poor email security, leads to disaster. 

Robert Siciliano, CEO of IdentityTheftSecurity.com and a security writer explains, "It has been said that if you own a person's email, you own the person. This means that once your email is hacked, pretty much your entire digital life is up for grabs. So even if you've done your due diligence to have all your passwords be different, if your email is hacked and it's associated with your other online accounts, the hacker could simply use a reset password and get access to all your other accounts.”

Take the story of Professor and software security expert, Herbert Thompson. Thompson bet a friend of his that he could hack into her bank account. With her permission, he began. He first simply googled her name and stumbled upon her blog and an old resume. From the blog, he got her personal email address and her old college email address from her resume. Now he was on his way.

Thompson was able to use the forgot my password feature on her college email account to get in using the personal information listed on her resume. Once he reset that password, he was able to reset her current email address having the link sent to her college email. 

Once he was in her personal email, he could reset her online banking password.

Now, you may not care if someone hacks into your Food Network or Yelp account, but you certainly don't want your online banking exposed in the same way. This is why you need to create a separate, secret email for your financial accounts. This email address should be unidentifiable—don’t use your first name, last name, initials, or other identifying information. It should also be protected by a strong and unique password. 

A separate email address reduces your digital footprint and if your primary, non-financial email address is exposed in a hack, it will not be connected to your financial accounts. 

This is a key step in boosting your security. 

And our email addresses need to be protected by good, strong passwords. But we all face something called the password paradox—easy-to-remember passwords are easy to break. Hard-to-break passwords are hard to remember. 

Many passwords we use are child’s play for hackers. Computer power gets stronger with each passing year. That means the bad guys can figure out your password in no time flat. 

How long does it take for a computer to crack 1,000 weak passwords? Just 17 minutes.

One reason for this is that people choose passwords that have less than six characters or they use names, dictionary words, or other common passwords like “password” or “123456.”

Creative director Mauricio Estrella took the password paradox head-on. Following his divorce, Estrella wanted to focus on the positive aspects of his life. Instead of being annoyed when he had to change his password every 30 days for work, Estrella decided to make a challenge. Every 30 days he would choose a new goal and turn that into his password. For example, his first password was “Forgive@h3r” and was directed to his ex-wife. After 30 days, Estrella changed his password to Quitsmoking4ver- and he did! Estrella found a way to take the ordinary password and improve his life.

There are other ways to think about passwords.

You could create a mnemonic phrase with numbers or symbols thrown in.

For instance, a woman I know takes the first line of a prayer she says every day and uses the first letter of each of the first 10 words of the prayer. 

She adds some numbers and symbols and has a very strong password.  Or you could use a poem, song lyrics, or phrase.

Or you could try this…

You create a password that embodies a goal you’re trying to reach such as exercising, quitting smoking, or saving money. 

This is especially good when you need to change your password every six months.

Each time you type your password—instead of it being a negative drag on your brain—it will positively reinforce your specific goal. 

You can get as creative as you like. Remember to drop out some letters and replace them with symbols to boost your password strength.

By the way, if you contact my office, we will send you a Savvy Cybersecurity Reference Guide and on the back, there’s a letter to symbol conversion chart to help you with this.

Another technique is called the Diceware method. Here, you roll a die five times and record each number. Repeat that process four more times so you have five five-digit numbers. Then go to www.diceware.com and match your five-digit numbers against the 7,776-word list. Those five random words become your password.
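The Diceware lookup described above is just a base-6 conversion: each five-digit dice string from 11111 to 66666 names one of the 6^5 = 7,776 positions on the list. The following Python is an added example (it is not code from the podcast or from diceware.com) that does the conversion, rolls the dice with a cryptographically secure generator, and computes how much entropy a passphrase gets from a list of a given size. It assumes a constructed 36-word sample list (6^2 entries, so two dice per word) because the real 7,776-word list is not embedded here; the same functions work unchanged with the full list.

```python
import math
import secrets

LIST_SIZE = 7776  # 6**5: one entry per five-dice outcome on the real Diceware list


def roll_dice(n: int = 5) -> str:
    """Roll n fair dice using the OS CSPRNG; returns the faces as a string like '41526'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def key_to_index(key: str) -> int:
    """Map a dice string ('11111' .. '66666') to its 0-based position on the list."""
    if not key or any(ch not in "123456" for ch in key):
        raise ValueError(f"invalid dice string: {key!r}")
    index = 0
    for ch in key:
        index = index * 6 + (int(ch) - 1)  # each die is one base-6 digit
    return index


def index_to_key(index: int, n: int = 5) -> str:
    """Inverse of key_to_index: position on the list back to the dice string."""
    faces = []
    for _ in range(n):
        index, face = divmod(index, 6)
        faces.append(str(face + 1))
    return "".join(reversed(faces))


def passphrase_entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of n_words independent picks from a list of list_size words."""
    return n_words * math.log2(list_size)


def generate_passphrase(wordlist, n_words: int = 5) -> str:
    """Pick n_words by rolling dice. The list must have exactly 6**k entries."""
    k = round(math.log(len(wordlist), 6))
    if 6 ** k != len(wordlist):
        raise ValueError("word list must contain 6**k entries (e.g. 7776 for k=5)")
    return " ".join(wordlist[key_to_index(roll_dice(k))] for _ in range(n_words))


# Constructed demo list (36 = 6**2 words, so two dice per word); NOT the real Diceware list.
SAMPLE_WORDLIST = [
    "apple", "banana", "cedar", "delta", "ember", "fjord",
    "garden", "harbor", "island", "jigsaw", "kettle", "lantern",
    "maple", "nectar", "orbit", "pepper", "quartz", "river",
    "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zephyr", "anchor", "bridge", "candle", "dagger",
    "eagle", "falcon", "glacier", "hammer", "iris", "jungle",
]

if __name__ == "__main__":
    print("dice 12345 -> list position", key_to_index("12345"))
    print("demo passphrase:", generate_passphrase(SAMPLE_WORDLIST))
    print(f"5 words from the 36-word demo list: {passphrase_entropy_bits(5, 36):.1f} bits")
    print(f"5 words from the full 7,776-word list: {passphrase_entropy_bits(5):.1f} bits")
```

The entropy figures are the point of the method: five words from the full list give about 64.6 bits, which is why the words must be chosen by dice (or `secrets`) rather than by hand, and why the demo list is far too small for real use.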

You may be thinking - How will I remember all of that? We all know the number of passwords we have is growing. It’s nearly impossible to remember a unique and strong password for all of our accounts. Which is why I recommend using a password manager. 

A password manager stores all of your passwords in an encrypted file stored on your computer or in the cloud. The file is protected with a “master password,” the only password you’ll have to remember. Of course, you’ll want that password to be as strong as possible.

Creating strong passwords is just the first step in your account protection plan. We need to put another layer of security on our all-important accounts such as email, online banking, social media and more. 

That extra layer is a relatively new trend in online security called two-step verification or sometimes two-factor authentication. It should be added to any account you have that supports the technology. 

With this approach, when you start to log in to an account online, you’re sent a short-lived, one-time passcode. You must use that code to finish logging in. You can receive this code via text message, or something called an Authenticator App. The Authenticator App is the most secure option as it is more difficult for hackers to compromise. Some popular Authenticator Apps are Google Authenticator and Microsoft Authenticator. 

This method stops your accounts from getting hacked because it requires two separate things: something you know, your password, and something you have, the temporary code. So even if a hacker has your password, he won't gain access, and you'll be alerted if someone is trying to break into your account. If you get a code and you haven't tried to log in, you know something is up. At that point, you'll want to change your password.

And you don’t have to worry about entering a code every time you log into your account from your device. On many sites, you can designate “safe devices” where you only need to enter the verification code every 30 days when logging on from that device. 

Now that we know how to lock down our passwords, it’s time to talk about when it is safe to log into those accounts. 

It’s certainly true that we all love free Internet access when we are out and about and want to be connected. But that free connection can end up being very costly.

These free networks are completely open, and hackers can gain access to anything you do while connected—your email, your credit card number, your bank account—you see the pattern here. It could be very bad. 

When connected to free, public Wi-Fi, avoid making financial transactions or checking your email. 

Instead, you can use your smartphone as a hot spot. When you do, you’ll be using your data which provides a private connection rather than the public wireless network. 

If you need to connect regularly on the go, a VPN (Virtual Private Network) would be a good option. This device allows you to create your own private Wi-Fi network anywhere you go.

But what about your home Wi-Fi network? 

Your home wireless network can open the doors to you and your family’s digital life if your router is not properly protected. There are four main things you must do to lock down your router and Wi-Fi network from the hackers. 

Now, I'll warn you…these are some of the more technical actions you'll have to take. Don't be discouraged if it sounds difficult to you. If you are confused, I advise you to contact the tech-person in your life for help. To do these steps, you’ll have to log in to your router’s IP address. If you do not know your router's IP address you can find it in your user manual or by searching the make and model of your router online. 

• First, you need to change the default username and password. Hackers know these and will use them to try to break into your network. Pick a strong password.

• Encrypt your router. Be sure to select the strongest encryption setting for your router: WPA2 or WPA3. WEP is no longer considered secure, and you should replace your router if your only option is WEP.

• Disable Wi-Fi Protected Setup (WPS). This feature allows others to quickly connect to your network with a short passcode rather than having to type the whole password. But it can lead to strangers gaining access. If you don't have the option to fully disable this feature, see if you can limit the number of attempts a person can make to log in.

• Update your router firmware (a fancy word for software). The majority of routers come with outdated software, which leaves your network vulnerable to attacks. Updating your firmware sounds like a daunting task, but it's not that bad. Follow the instructions in your user manual for detailed instructions.

Key Idea 2: Completing certain actions can help you achieve financial cyber omniscience and thwart fraud.

Achieving omniscience—and what I mean by that is financial omniscience, or All-Knowingness, will put you at the center of your financial life. And that starts with using technology so you’re totally aware of what funds are leaving your accounts or being charged to your accounts at all times. 

How would you feel to discover that hackers had plundered your debit card for nearly $1,000 on Christmas Eve? Grinched?

That’s exactly what happened to Leslie Frederickson. 

It all started about one month earlier on Black Friday. Like many people, Frederickson shopped at her local Target and nabbed a few money-saving Christmas deals. 

All seemed well. Then a week before Christmas, news broke of the Target data breach. Frederickson, like many, hoped it didn’t involve her.

A few days before Christmas, Frederickson’s bank told her she had overdrawn her account by $100. She quickly learned that someone else had used her debit card four times, charging nearly $1,000. Her card was now useless, and the bank told her it would be weeks before she could get a new one. 

Frederickson's Christmas was ruined; she had to borrow money to pay for her holiday dinner and January's rent. If only she had been alerted about the fraudulent charges earlier…

It’s not hopeless. You can protect your payment cards from the swarm of hackers and data breaches.

Sign up for alert notifications with your bank and credit card companies. By doing so, you'll get a text or email alert every time a charge or withdrawal is made. 

The banks know instantly when charges are made to our accounts. Why shouldn't we?

Signing up for instant alerts will bring you closer to achieving the omniscience mindset.  

This is absolutely critical to everyone’s cybersecurity. Let’s see what I mean:

Now here’s something most people don’t quite understand about their credit files. 

By default, our credit files are open. That means anyone with enough information to impersonate you may be able to open a new line of credit in your name. It happens all the time and is a major source of identity theft. And when you consider how many private and public organizations have been hacked—institutions we’ve trusted with our SSNs, employment history, and other details about our financial lives—you need to be worried about the state of your credit file at the big three agencies.

We need to take back control of our credit through a credit freeze.

A credit freeze locks your credit file with a PIN at each of the credit bureaus. No new credit can be issued in your name unless you lift the freeze with your special PIN. 

You will have to contact each of the credit bureaus separately. I’ll tell you who they are in a minute.  As of September 21, 2018, credit freezes are free in every state thanks to a new federal law. Previously, the cost varied per state and could be up to $10 per action. 

A credit freeze puts you in control. It is way more secure than credit monitoring or a fraud alert, both of which will alert you after credit has been issued in your name. With a credit freeze, you can prevent identity theft from happening instead of cleaning up after your identity theft nightmare. 

But it’s not just your credit that you need to be concerned about…

Experts say that 500,000 children suffer from identity theft every year. Why? Their clean records are attractive to thieves looking to open new accounts without any issues and the theft can go unnoticed for years as parents and guardians often don’t think to check their children’s records. 

But childhood identity theft can lead to a lifetime of fraud and ruined credit. The first step in protecting your children is ensuring they have NO credit report by contacting all three of the credit bureaus (Equifax, Experian, and TransUnion).

Parents should send a letter including copies of their child's birth certificate listing them as the parent, their driver's license, and proof of address to all three of the credit reporting agencies and ask for a manual search of their child's Social Security number.

If no report is found, you’re in luck. You should still periodically check on your child’s status, however. If a report is found, it’s usually a sign your child has been victimized. Ask the credit bureaus to immediately place a credit freeze on your child’s record and investigate further. 

You can now request a credit freeze for your child in every state. Previously, it was dependent on your state of residence but now it is a federal law. You will again have to contact all three of the bureaus individually.

Key Idea #3: Achieving a sense of mindfulness when it comes to cybersecurity allows you to stay alert without becoming fatigued.

What does that mean? We need to be in a state of relaxed alertness when dealing with cybersecurity. Fighter pilots have an acronym for this state called "OODA." It stands for observation, orientation, decision, and action. Zen masters use the phrase "mindfulness." When Google completed their own analysis of worldwide cybersecurity practices, they also recommended “Mindfulness” as a key part of cybersecurity.

Mindfulness relates to your day-to-day cybersecurity practices. 

Nine out of ten security experts say running updated software is necessary for strong security. Out-of-date software allows hackers to plant viruses and malicious software on your devices.

Yet, 40% of computer users don’t update their software in a timely fashion. And security experts say 75 to 80% of the computer hacks they see relate to outdated software. 

Hackers exploit security holes in unpatched software which allows them to install malware and viruses on your unprotected devices. This malware could record everything you do or kidnap your computer for ransom.

So, you want to be sure that all the software and programs on all of your devices are up to date. That includes your operating system, your browsers, Microsoft Office, Adobe programs, and more. 

Many programs allow you to enable auto-updates. You should enable this on all your programs that allow it.  A good place to start to see if a program will auto-update is the Security or Settings tab. You can also always google the name of the program and auto-update. 

It’s also a good idea to install a good antivirus program on your computer. You’ll want to make sure that is always up-to-date as well.

And periodically go through the programs on your devices and uninstall anything you don’t use. The fewer programs you have, the fewer holes for hackers to attack. 

One type of malware I mentioned previously kidnaps your computer and holds it for ransom. This is called ransomware and is one of the biggest threats today. In this attack, hackers infect your device with malware that encrypts everything on your computer—you can no longer access any of your files. In order to get your files back, you must pay the hackers a bitcoin ransom. 

In order to avoid paying ransom to cyber crooks, you need to follow the "Rule of Three," meaning you need to back up all your files and data in three different places. The first is on your computer or device. Next, you need to save a copy of your files and data to a physical backup device, something like an external hard drive. Lastly, you need to save your data to a cloud service like Dropbox, iCloud, or OneDrive. The "cloud" is an Internet-connected server that syncs with your device.

Ransomware attacks are normally spread through a method called “phishing.” Phishing messages are emails that impersonate a legitimate company or person and are designed to steal your personal information or install malware on your machine through a malicious link. Hackers are sending out 94 billion of these messages every day. Most get caught in your spam filter, but some find their way to your inbox…

Let’s look at the story straight out of the White House. The wife of John P. Holdren, assistant to former-President Obama and former director of the White House Office of Science and Technology received an email which she believed to be from her husband. It asked for the password to their Xfinity phone and Internet account. Mrs. Holdren sent the password and went about her day.  

But she hadn't sent the password to her husband. Rather, she sent it to a political hacking group who, with the password, redirected all of the Holdrens' phone calls to the Free Palestine Movement line. The Holdrens joined a long list of victims including CIA director John Brennan and Director of National Intelligence James Clapper.

Had Holdren’s wife known the 10-Second EMAIL Rule I’m about to teach you, she may not have fallen for the scam.

There's a ten-second cybersecurity rule that will help you fend off the phishers. The acronym is E.M.A.I.L. and it stands for Examine Message and Inspect Links.

Let's take it one step at a time. The first half of the acronym, Examine Message, starts with the subject line. Phishers try to get us to react quickly to an urgent situation. Often, they will make the subject line something frightening such as: Warning, Account Closed, or Security Alert.

Some are more subtle, but still require you to take action. For example: Mail Delivery Failed: Return Message to Sender, or Incoming Fax Received.

Subject lines like this should alert us that this may be a phishing attack.

Next, we need to discover the true sender of the email. Phishers can spoof the from line to appear to be a legitimate business or organization. You can determine the true sender by hovering your mouse over the display name. A small box will appear with the true email address. 

Other suspicious things to look for include greetings that refer to you as "customer" or "sir" or "madam" instead of your name, poor grammar, or a vague signature line with false contact information.

You should also be suspicious of unsolicited emails with attachments. Never click to open an unsolicited attachment. What presents itself as a resume, receipt or payment could be a .exe file that plants a virus on your computer or seizes it for ransom.

The second part of the 10-second EMAIL rule has to do with the links in the message…

British journalist Jane Corbin was less than an hour away from an important deadline for a documentary she was working on. Doing multiple things at once, she suddenly spotted an email from Yahoo. It told her to confirm her account details immediately or her account would be shut down. Under pressure and needing important documents in her email, Corbin clicked on the link and filled in personal information.

Immediately, her screen went blank. She had been phished. The phishers then attacked their new targets: Corbin’s email contacts. More than 1,000 people in her email address book received an email from Corbin’s account saying she was robbed at a hotel in Spain and needed money. 

Corbin was locked out of her computer and was forced to close her banking accounts. 

If Corbin had waited 10 seconds and examined the Yahoo message more closely, she could have prevented the attack and saved herself the stress, embarrassment, and lost time that comes with suffering a phishing attack.

The second half of E.M.A.I.L. requires you to inspect links within the message. Like you did with the sender, hover your mouse over any link or hyperlinked text. Be sure that the link is truly directing you to the correct website.

If it looks phishy, delete the email. You can always contact the organization directly to ask if they sent you the email. 

This is an action that needs to become part of your daily cybersecurity practices. Make it a habit so you can thwart phishers without thinking about it.
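The two halves of the E.M.A.I.L. rule (examine the sender, subject and greeting; inspect where each link really points) can be written down as checks, which is useful both for training and for a simple mail filter. The Python below is an added example, not code from the podcast, that runs those checks over a constructed phishing message modelled on the Yahoo story above: it compares the domain shown in the display name or link text with the domain the address or `href` actually uses, and flags the urgency phrases and generic greetings the episode lists. The sender address, subject line and HTML body are all made up for the demonstration, and the "last two labels" domain comparison is a deliberate simplification (a production filter would use the public suffix list).

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases from the episode's list of pressure tactics and generic greetings.
URGENT_PHRASES = ("warning", "account closed", "security alert",
                  "mail delivery failed", "incoming fax", "immediately", "suspended")
GENERIC_GREETINGS = ("dear customer", "dear sir", "dear madam", "dear user")

# Something that looks like a host name inside display text, with or without a scheme.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what the link says vs where it goes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Simplification: last two labels ('login.yahoo.com' -> 'yahoo.com')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def examine_message(from_header: str, subject: str, body_text: str) -> list:
    """E.M.A.: sender display name vs real address, urgent subject, generic greeting."""
    findings = []
    name, addr = parseaddr(from_header)
    shown = DOMAIN_IN_TEXT.search(name or "")
    if shown and registrable_domain(shown.group(1)) != registrable_domain(addr.rpartition("@")[2]):
        findings.append(f"display name mentions {shown.group(1)} but the address is {addr}")
    for phrase in URGENT_PHRASES:
        if phrase in subject.lower():
            findings.append(f"urgent subject line: {phrase!r}")
            break
    for greeting in GENERIC_GREETINGS:
        if greeting in body_text.lower():
            findings.append(f"generic greeting: {greeting!r}")
            break
    return findings


def inspect_links(html_body: str) -> list:
    """I.L.: flag links whose visible text names one domain but whose href goes to another."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
            findings.append(f"link text shows {shown.group(1)} but points to {target}")
    return findings


def ten_second_check(from_header: str, subject: str, html_body: str) -> list:
    return examine_message(from_header, subject, html_body) + inspect_links(html_body)


# Constructed sample message (not a real email); the domains are invented.
SAMPLE_FROM = "Yahoo.com Support <alerts@mail-verify-now.example>"
SAMPLE_SUBJECT = "Security Alert: confirm your account immediately"
SAMPLE_HTML = (
    "<p>Dear Customer,</p>"
    '<p>Confirm your details at <a href="http://yahoo.com.account-confirm.example/login">'
    "https://login.yahoo.com/confirm</a> within 24 hours or your account will be closed.</p>"
    '<p><a href="https://www.yahoo.com/privacy">Privacy policy</a></p>'
)

if __name__ == "__main__":
    for finding in ten_second_check(SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_HTML):
        print("-", finding)
```

The first link in the sample is the classic trick the episode warns about: the text reads `login.yahoo.com`, but the `href` host is `yahoo.com.account-confirm.example`, whose registrable domain is `account-confirm.example`. Hovering over the link, as the rule says, shows exactly that mismatch; the code just does the hover for you.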

We've learned a lot today and now it's time to take action. Research shows we're more likely to do something if we write it down. So when you are done listening, I encourage you to contact my office for a copy of the Savvy Cybersecurity Reference Card. You can find all of my contact information, as well as other cybersecurity resources, on my website: www.jgigliello.com.

Once you receive the checklist, write down three actions that you plan on taking immediately. Sign and date your Action Plan commitment.  

On our website, you can also request a 30-minute one-on-one Cybersecurity checkup with me or someone on my staff, just use the online scheduling tool. 

It’s a totally free, no-obligation service we offer to the community. We’re glad to guide you in this matter.

Now you have the core knowledge to create your own personal cybersecurity plan.

I hope you’ve found our presentation to be helpful and informative in terms of your thinking and commitment to cybersecurity. 

It’s totally within your power to be safer and more alert on the Internet.  

Stay tuned for our next Invest in Knowledge podcast coming soon.  Thank you for listening. Have a great day.


The anecdotes, facts and statistics related to cybersecurity threats referenced in this episode were compiled by Horsesmouth, LLC, 2021.

The opinions voiced in this material are for general information only and are not intended to provide specific advice or recommendations for any individual. All performance referenced is historical and is no guarantee of future results. All indices are unmanaged and may not be invested into directly. The economic forecasts set forth in this material may not develop as predicted and there can be no guarantee that strategies promoted will be successful. This is a hypothetical example and is not representative of any specific situation. Your results will vary. The hypothetical rates of return used do not reflect the deduction of fees and charges inherent to investing.
Securities are offered through LPL Financial, member FINRA/SIPC. Investment advice offered through Private Advisor Group, a registered investment advisor. Private Advisor Group and Albany Financial Group are separate entities from LPL Financial.