As the threats of hacking and cyber attacks continue, and as Jews and the Jewish state increasingly become targets, how can you navigate the internet without exposing yourself to attack?
Shlomi Adar, an Israeli information security specialist, has released eight simple instructions to avoid the common mistakes that allow hackers to target employees working at organizations.
1. Custom Permissions according to Position and Necessity – Adar opened his list by calling for organized permission definitions, with the organization supervising employees' computer activities.
"People install various applications that come from many sources and often it is not possible to tell if they are safe, and each such installation may become an opening for hacking and a substantial threat over the organization's information security," warned Adar.
He recommended limiting installation permissions according to each employee's position, allowing installation only of the applications needed for that position.
2. Surfing the Internet – the specialist warned against visiting websites not used for work, particularly free game sites, which often carry spyware or tracking software, as well as sports sites and online chats.
"We recommend installing systems designated to monitor the websites employees are able to enter, and block the access to sites that are considered problematic," Adar wrote. "These systems are used as filters and can mark the 'rebellious' employee who is not following the guidelines, by tracking employees' surfing habits."
3. Using a Laptop – Adar warned against having employees carry a laptop between their work and home environments, noting that the home network is less secure than an organizational connection.
He called for separating work and home connections and for not allowing children and other users to access the work laptop.
4. Loss or Theft of Laptops – laptops, tablets and smartphones are more prone to loss or theft given their portability, noted Adar, who called for encrypting mobile devices and installing a system that can locate the device and erase its information remotely if needed.
"This way, if there is a risk of information and content theft, the laptop becomes just like any other laptop and the damage caused to the organization is merely the value of the lost or stolen equipment, which is negligible in comparison to the value of data it contained. The systems sometimes enable tracking the thief and returning what was lost or stolen."
5. E-Mail – the most common cyber threat has become "phishing": sending messages or e-mails that bait employees into clicking on links, and then gaining access to sensitive information.
Hackers often disguise links to look as if they are from reputable sites like PayPal, banks, Gmail, Facebook and others, "and a single click on such links may implant a virus in the computer or make the users update their personal information in a dummy imposter site, and that is how they actually give away extremely sensitive details to the hacker, including passwords, unknowingly."
Adar advised against opening e-mails from unknown sources, and against clicking on unidentified links. He warned against clicking on links appearing to be from an identified source, "since they are mostly sent from a known organization, but such that the user has never contacted before, and this, of course, is a significant 'red flag.'"
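The disguised links Adar describes can be caught mechanically before a user sees them. The following is an added example (not from the article or from Adar): it parses the anchors in an e-mail body and flags any whose visible text names one host while the href points elsewhere, or whose destination host embeds a trusted brand name without being that brand's domain. The trusted-domain list and the sample messages are constructed for illustration.

```python
"""Flag deceptive links in an e-mail body (added example, not the article's code).
Two patterns are checked: visible text shows one host but the href goes to another,
and a brand name appears inside an untrusted destination host."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Brands the article names as commonly impersonated; the domain list is an assumption.
TRUSTED = {"paypal.com", "gmail.com", "google.com", "facebook.com"}
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def _registrable(host):
    """Crude eTLD+1: keep the last two labels (enough for the domains used here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (href, text, reason) for each link that should be flagged."""
    parser = _Links()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        target = _registrable(host)
        shown = HOST_RE.search(text)  # does the link text itself look like a host?
        if shown and _registrable(shown.group(1)) != target:
            flagged.append((href, text, "text names a different host"))
        elif target not in TRUSTED and any(b.split(".")[0] in host for b in TRUSTED):
            flagged.append((href, text, "brand name inside an untrusted host"))
    return flagged
```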
6. Setting Passwords – Adar recommended opting for complex passwords with upper case and lower case letters along with numbers and special characters to block automatic password cracking software.
He also warned against using birth dates, children's names, or other information that can be reasonably guessed, and suggested changing passwords relatively often without reusing similar passwords.
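Adar's password rules (mixed character classes, nothing guessable from personal details, no reuse of a similar password) can be enforced at the point where a password is set. Below is an added example, not code from the article or from Adar, that checks a proposed password against those rules; the minimum length, the similarity threshold, the letter-for-symbol table and the sample personal data are constructed assumptions.

```python
"""Password rule checker (added example, not the article's code). Implements the
article's advice: mixed character classes, no personal details, no near-reuse."""
import difflib
import re
from datetime import date

# Undo common letter-for-symbol swaps so 'P@ssw0rd' compares like 'password' (assumed table).
LEET = str.maketrans("@$013!", "asolei")


def _normalize(pw):
    return pw.lower().translate(LEET)


def guessable_tokens(birth, names):
    """Strings derived from personal details that must not appear in the password."""
    toks = {n.lower() for n in names}
    toks |= {birth.strftime(f) for f in ("%Y", "%d%m%Y", "%d%m%y", "%m%d%Y", "%Y%m%d")}
    return {t for t in toks if len(t) >= 3}


def check_password(pw, birth, names, previous, min_len=12, max_similarity=0.6):
    """Return a list of rule violations; an empty list means the password is acceptable.
    min_len and max_similarity are assumed thresholds, not values from the article."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, pw)) for c in classes) < 4:
        problems.append("must mix upper case, lower case, digits and special characters")
    haystacks = (pw.lower(), _normalize(pw))  # check raw and de-leeted forms
    for tok in sorted(guessable_tokens(birth, names)):
        if any(tok in h for h in haystacks):
            problems.append(f"contains guessable personal detail '{tok}'")
    for old in previous:
        ratio = difflib.SequenceMatcher(None, _normalize(pw), _normalize(old)).ratio()
        if ratio >= max_similarity:
            problems.append(f"too similar to a previous password ({ratio:.0%})")
            break
    return problems
```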
7. Physical Security – information security is not just in the realm of the internet; it also requires physically making sure that visitors to an organization's offices are closely escorted and have to identify themselves, and that their arrival and departure are documented.
"External people can manually implant something in the computers or copy data and content using a disk on key. Sometimes, even a seemingly innocent and random visitor like 'fundraisers' or a person who claims to be lost, turn out to be hackers or sent by malicious competitors."
Adar added, "there were even several cases of fictitious candidates for a position who were actually 'industrial spies' or ones who were planted in Human Resources companies that provide external services such as office cleaning (and make sure the office is 'cleaned out' of the sensitive information it holds)."
8. IT Department – no organization would be complete, or secure, without an IT department, which should be assigned responsibility at the organizational level for managing information security, control and monitoring.
"The current standard is hiring an IT man at the rate of 1:8 for every employee the organization employs," wrote Adar. "A well functioning IT department can prevent information security breaches and minimize threats using work procedures, assimilating a clear policy and providing limited authorizations according to necessity and position."
The IT department likewise is tasked with implementing procedures to prevent human error.
"Also, the organization has to hire external advisers (specialists) to fill in the needs the IT department is not expected to answer, such as handling emergency incidents and events or general unusual occurrences relating to information security."