By George Leposky, editor
What’s that? An example of a foolproof way to keep a password safe from cyberthieves.
Cybersecurity has been a perennial topic at Timeshare Board Members Association meetings through the years. Regular attendees have heard multiple speakers advise against passwords using or based on birthdays, home addresses, street names, pets’ names, mother’s maiden names, and similar information that is easy to remember—and easy to steal.
So how do you devise a secure password? At the spring 2017 TBMA meeting, attendees learned a practical technique from Anurag Sharma, a principal in the WithumSmith+Brown accounting firm’s cybersecurity consulting and service organization control (SOC) practices. “A password should be long and complex, easy to remember, and different for each website or application,” Sharma said.
To achieve these goals, pick a song. Don’t announce it to the world (which means don’t use this precise example).
Now sing to yourself the first line or two of the song, and write down the first letter of each word—your base password. In this case, it’s oscysbtdel—O say can you see, by the dawn’s early light. Yes, it’s The Star Spangled Banner. Next, choose a site-specific prefix of capital letters. This prefix, NA, stands for national anthem. Also, choose a suffix consisting of a number and a special character. The 4 you’ll remember because it represents July 4th, Independence Day. The * is for the star in The Star Spangled Banner.
Now you don’t have to remember the password itself, just what it stands for. For each additional account, keep the base and change the prefix and suffix to something with site-specific relevance. NAoscysbtdel4* rates as a very secure password: according to howsecureismypassword.net, a strength-testing website, a computer would need about 204 million years to crack it. Two caveats apply. Such estimates assume an attacker who tries every combination of characters and knows nothing about how the password was built, so a base shared across many sites loses much of its protection once any one of those sites exposes a password in the clear. And never type a password you actually use into a strength-testing website; test a look-alike instead.
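The derivation just described, written out as a small Python script. This is an added example for this article, not code from Sharma or the magazine; the word-splitting rule, the guess rate, the count of 33 symbols and the "attacker has seen one password of the family" model are this example's own assumptions.

```python
"""Phrase-based password derivation, plus two ways of sizing the search space.
Added example; the guess rate, symbol count and attacker model are assumptions."""
import re

# A "word" is a run of letters, optionally joined by a straight or curly
# apostrophe, so "dawn's" yields one initial ("d") and punctuation is skipped.
WORD_RE = re.compile("[A-Za-z]+(?:['\u2019][A-Za-z]+)*")

SYMBOLS = 33  # assumption: printable ASCII symbols, as strength testers count them
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def base_from_phrase(phrase: str) -> str:
    """First letter of each word in the song line, lowercased."""
    return "".join(m.group(0)[0].lower() for m in WORD_RE.finditer(phrase))


def derive_password(phrase: str, prefix: str, suffix: str) -> str:
    """Site-specific prefix (capital letters) + base + suffix (a digit and a
    special character): the structure the article describes."""
    if not (prefix.isalpha() and prefix.isupper()):
        raise ValueError("prefix should be capital letters, e.g. NA")
    has_digit = any(c.isdigit() for c in suffix)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in suffix)
    if not (has_digit and has_symbol):
        raise ValueError("suffix should contain a number and a special character")
    return prefix + base_from_phrase(phrase) + suffix


def charset_size(password: str) -> int:
    """Alphabet a brute-force attacker must assume, from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Years to try every string of this length over that alphabet.
    Assumption: 1e10 guesses per second (offline cracking of a leaked hash).
    This is the model strength-test websites use; it credits the phrase base
    as if it were random, which it is not."""
    guesses = charset_size(password) ** len(password)
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def guesses_if_base_known(prefix_len: int = 2) -> int:
    """Search space left to an attacker who has seen one password of the family
    and keeps the base, varying only a prefix of capital letters and a
    two-character suffix of one digit and one symbol in either order.
    Assumption: the attacker knows the structure."""
    return 26 ** prefix_len * (10 * SYMBOLS * 2)


if __name__ == "__main__":
    phrase = "O say can you see, by the dawn's early light"
    pw = derive_password(phrase, "NA", "4*")
    print(pw)
    print(f"brute force, full password: {brute_force_years(pw):.3g} years")
    print(f"brute force, base alone:    {brute_force_years(base_from_phrase(phrase)):.3g} years")
    print(f"guesses once the base is known: {guesses_if_base_known():,}")
```

Run as is, the script reproduces the article's NAoscysbtdel4* and shows the gap between the brute-force figure and the handful of guesses left once the base has leaked; that gap is the reason to treat the base as a secret shared across every site that uses it.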
Phishing, ransomware, etc.
Sharma offered these other cybersecurity tips:
- Don’t answer security questions correctly. Use a fake answer for everything, so you can remember it without giving cyberthieves clues about other aspects of your life.
- Don’t click on a link or attachment you didn’t expect to receive.
- Think before you click. Don’t become a victim of phishing, in which a scammer masquerades as someone you trust in an effort to acquire sensitive information or steal money. Be cautious of mimicked e-mail addresses. If in doubt, pick up the phone and verify that the email came from legitimate business partners.
- To minimize the impact of a ransomware attack, back up your computer daily (or at least weekly, depending on how much data you can afford to lose). Then unplug the backup device: if it stays connected to the computer, ransomware that encrypts the computer will encrypt the backup too. Ideally, also store a copy offsite. If you are attacked, reformat the compromised computer and reload the data from the backup.
- Turn on automatic installation of “Important updates” from Microsoft (Windows Update).
- If you don’t trust the source of a USB drive, don’t plug it in. Better yet, disable and don’t use USB ports.
- Never leave your webcam uncovered when you aren’t using it (unless it’s unplugged).
Scope of the problem
Companies collect and store large amounts of valuable data on a regular basis, and every day more than 4.5 million records are lost or stolen, Sharma reported. Nearly 80 percent of computer security breaches occur in North America. Malicious outsiders are responsible for 69 percent of incidents, and 64 percent involve identity theft.
Although the hospitality sector has been the least affected major industry, he said, it has experienced “a steep increase in incidents in the past two years,” from only one in 2015 to 26 in 2016. Hotel chains affected have included Hilton, Hyatt, InterContinental, Omni, Starwood, and Trump. The average total cost of a data breach is $4 million, up 29 percent since 2013, Sharma said. The average cost per record breached is $158.
Although major data breaches at large companies capture the headlines, Sharma emphasized that small and medium-sized businesses are equally or more at risk. “It’s the data that makes a business attractive, not the size. It’s easier to rob a house than a museum,” he declared.
Sharma offered these “key takeaways” to the audience:
- It is not a question of if but when.
- Know and test for your weaknesses. He suggested sending a simulated phishing email to all of a company’s employees and giving gift cards to those who don’t click on it.
- Strengthen your “human firewall.” Make all employees aware of the latest threats and teach them safe computing techniques. “The first and most important line of defense against a cyberattack is employee training,” he said.
- Prepare for the worst. Have a response plan to recover from a cyberattack.
- Consider a cyber insurance policy.
- Invest now or pay more later.
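A phishing test of the kind suggested above is only useful if you can tell afterwards who clicked and who did not. The following Python script does that bookkeeping: a per-recipient token in each test email's link, and a pass over the landing server's access log. It is an added example, not from the article; the token scheme, the example.invalid addresses, the landing URL and the log lines are constructed for illustration.

```python
"""Score an internal phishing test: who clicked the tracking link, who did not.
Added example; token scheme, addresses, URL and log lines are constructed."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

CAMPAIGN_KEY = b"constructed-campaign-secret"   # assumption: one secret per campaign
LANDING = "https://training.example.invalid/offer"  # assumption: test landing page


def token_for(email: str) -> str:
    """Per-recipient token for the link in the test email. An HMAC over the
    address, so a recipient who reads the URL cannot derive a colleague's
    token, and no address ever appears in the web-server log."""
    mac = hmac.new(CAMPAIGN_KEY, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def tracking_link(email: str) -> str:
    """Link to place in the test email sent to this recipient."""
    return f"{LANDING}?t={token_for(email)}"


# Common Log Format as written by the landing server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def score(recipients, log_lines):
    """Return ({email: timestamp of first click}, sorted list of non-clickers).
    Unknown or malformed tokens are ignored, repeat clicks count once."""
    by_token = {token_for(e): e for e in recipients}
    clicked = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for tok in parse_qs(urlparse(m["path"]).query).get("t", []):
            email = by_token.get(tok)
            if email is not None and email not in clicked:
                clicked[email] = m["ts"]
    not_clicked = sorted(set(recipients) - set(clicked))
    return clicked, not_clicked


RECIPIENTS = ["alice@example.invalid", "bob@example.invalid", "carol@example.invalid"]

# Constructed log: Alice clicks twice, Carol once, Bob never; one hit carries a
# token that belongs to nobody and one request is for an unrelated page.
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/May/2017:09:14:02 -0400] "GET /offer?t={token_for("alice@example.invalid")} HTTP/1.1" 200 512',
    f'10.0.0.5 - - [12/May/2017:09:14:09 -0400] "GET /offer?t={token_for("alice@example.invalid")} HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/May/2017:09:20:44 -0400] "GET /offer?t=0000000000000000 HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/May/2017:10:02:17 -0400] "GET /favicon.ico HTTP/1.1" 404 0',
    f'10.0.0.8 - - [12/May/2017:11:45:30 -0400] "GET /offer?t={token_for("carol@example.invalid")} HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    clicked, safe = score(RECIPIENTS, SAMPLE_LOG)
    for email, ts in clicked.items():
        print(f"clicked   {email} at {ts}")
    for email in safe:
        print(f"no click  {email}")
```

Tokens rather than addresses in the link keep the employee list out of the web-server log, and the HMAC means a curious recipient cannot rewrite the URL to make a colleague appear to have clicked. Reward the list the script prints under "no click".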
This article is from Timesharing Today issue #155, Sept/Oct 2017.