Cybersecurity and public-health practices aren’t really all that different, so this Thanksgiving, you may want to talk to your family about passwords as well as physical distancing, cybersecurity experts say.
Tracy Dallaire, the new director of information-security services at McMaster University, in Hamilton, says that protecting your devices and communications keeps others safe from cybercriminals much in the same way that keeping your body virus-free shields others from getting sick. “You are interacting with many other people,” she says, comparing good cyber hygiene to wearing a mask and using hand sanitizer to limit the spread of COVID-19. “You want to put something in place that you're always detecting and watching, and then you want to be able to respond if something does happen. It's very, very similar in that way — if we think about it as our cyber health and wellness — to our personal health and wellness.”
With more people working and learning at home and socializing online due to the pandemic, opportunities for cybercriminals to attack have increased, says Tony Anscombe, chief security evangelist at cybersecurity company ESET. People are spending more time online and on personal devices and networks — away from professional security systems. That’s one reason, Anscombe says, that cybersecurity-awareness training “needs to be run far more frequently” and focus more on remote workers.
In Canada, October is Cybersecurity Month — or, as Dallaire calls it, cybersecurity specialists’ “favourite time of the year.” At post-secondary schools, including McMaster and Niagara College, students and staff are receiving training and resources to learn about online safety. “We really believe education is key to being cyber-safe,” Dallaire says. John Levay, chief technology officer at Niagara College, adds, “There are so many opportunities to have both your personal information, as well as your financial information, compromised in this current environment. I think most people need to be very aware of what's going on; most people don't understand even how to protect their privacy.”
Levay says that Niagara College is taking tips from the Canadian Centre for Cyber Security’s website and highlighting five themes: devices, phones, computers, networks, and smart devices. At McMaster, the focus is on passwords and phishing (both Dallaire and Levay say the latter is a big concern). Phishing is when someone attempts to solicit personal information (often through email or text) by pretending to be someone else or by redirecting a user to a malicious website. Such attempts have become more sophisticated, Levay says, so, as part of this month’s campaign at Niagara College, his team is test-phishing staff: those who fall for the fake emails will need to take remedial training.
“I always say that, whatever the technology you have, often the human action is what exposes us,” Dallaire says, adding that it’s common for people to click on a spam link or use a weak password. Anscombe says that cybercriminals have increased their phishing attempts since the pandemic started — and that he suspects people are more likely to click links when they’re not in a formal work environment. “When you're in the office and somebody sends you that funny video, you don't click it in the office,” he says. “Would you click it at home? Maybe.”
Aaron Mauro, assistant professor of digital media at Brock University’s Centre for Digital Humanities, suggests that users open only links and files that they’ve been expecting to receive and that they check hyperlinks carefully before clicking them. “If you are asked to enter in your credentials, it's best to navigate to the site yourself through your own channels, rather than using a link provided to you by email or on a messaging service,” he says. Mauro advises using the tool VirusTotal to verify whether links and files are safe.
Both Levay and Dallaire say they have not seen a big increase in attacks at their respective institutions during the pandemic. McMaster and Niagara College are both part of a higher-education cybersecurity consortium that coordinates with the Canadian Centre for Cyber Security to share information about threats and prepare responses. “I think that collective wisdom has really helped us out,” Levay says. Still, one can’t be too careful, he adds: “You're only one attack away from getting compromised.”
Levay is concerned that students, who can’t always afford new tech, may be using outdated — and therefore insecure — technology. To get around this, he says, institutions and businesses should bring remote users into their systems using such tools as virtual private networks and remote desktop protocol (which allows users to access computers remotely): “We can't really protect their devices on their end, but we can try to protect them if they are connected to us, as well as provide them with at least as much guidance as we possibly can around staying cyber-safe — and that is pretty difficult to do.”
Like Dallaire, Mauro uses a public-health metaphor when discussing online safety. “Good practices, such as learning to wash our hands and wear a mask, goes along with using a password manager and multi-factor authentication,” he says. “It’s just part of being responsible when you're working from home.” He also recommends checking in with relatives who may not be computer-savvy to make sure their devices are up to date.
Experts emphasize the importance of selecting strong, unique passwords for each account. Video-call passwords, Anscombe says, should be shared in a channel separate from the call link, because that makes it more difficult for people to hijack calls in the sort of “Zoom bombing” incidents seen early in the pandemic.
Another tip from Mauro: use multi-factor authentication, a system in which both a secondary code (provided through an app, text, or email only you have access to) and a password are needed to log in to an account. It’s “probably one of the single best things that people can do,” he says. “That second layer of authentication, it really ensures that you're doing your due diligence. It's not that it's a guarantee, but, for most individuals, the effort required to break that kind of security is just far too difficult.”
“It's really pretty simple at the end of the day,” Mauro says. “It's just a new version of all the responsible things that we do every year. We put on our snow tires, and we update our operating systems, and we make sure everything is ready to go.”
Ontario Hubs are made possible by the Barry and Laurie Green Family Charitable Trust & Goldie Feldman.