Federal cybersecurity advisor: These four steps can help protect your data and financial operations
During KeyBank’s annual cybersecurity webinar event, Spencer Wood, a cybersecurity analyst for the Cybersecurity & Infrastructure Security Agency (CISA), offered a simple yet powerful analysis of an organization’s responsibility to protect its operations from hackers.
“We have to get it right as cyber defenders every single day,” Wood said. “The adversaries just have to get it right once.”
And while cybercrimes against a business are typically executed by outside actors, missteps by people within your organization often open the door for those hackers.
That’s why KeyBank invited Wood and Michael Gerfin, a supervisory special agent for the FBI overseeing the Cleveland Division's Criminal Cyber squad, to join our expert panel and discuss the latest threats posed by insiders and nation-state hackers such as Russia and China.
In case you missed the webinar, a full replay of “The Next Big Breach Has a Badge” is available.
During the event, Wood shared four steps organizations can take today to help protect their critical data and financial operations against insider threats and outside hackers alike.
Step 1: Use strong passwords
Yes, this seems like a simple, obvious step, but it’s often disregarded. According to Wood, employees should only use passwords that are:
- Long — At least 16 characters long.
- Random — A string of mixed-case letters, numbers and symbols, or a passphrase of 5-7 random words.
- Unique — Used for one and only one account.
“Don't reuse passwords,” Wood stressed. “If you use the same password for your bank that you happen to use for Uber, and Uber gets compromised, it's very common for adversaries to say, ‘Well, that password that Spencer used for Uber will work for his bank account.’ Maybe it would, maybe it wouldn't.”
Wood acknowledged how difficult it can be to create and keep track of multiple lengthy passwords, which is why CISA’s website recommends companies provide an enterprise-level password manager that creates, stores, and fills in passwords automatically. This means employees are required to remember just one strong password for the password manager.
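The three rules above (long, random, unique) can be made concrete in a few lines of code. The following is an added example, not code from the webinar or from KeyBank or CISA: it generates passwords and passphrases from a cryptographically secure random source, computes how much entropy each policy actually buys, and flags accounts in a vault that share a password. The word list and the sample vault are constructed for illustration; a real passphrase generator should draw from a large published list such as a 7,776-word diceware list.

```python
import math
import secrets
import string
from urllib.parse import quote  # not needed here, kept out; see MFA example

# Alphabet for random character passwords: 52 letters + 10 digits + 32 symbols = 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy word list for illustration only (16 words = 4 bits per word).
# A real generator should use a large published list (e.g. 7,776 diceware words).
TOY_WORDS = ["anchor", "basil", "cobalt", "delta", "ember", "fjord", "glacier", "harbor",
             "iris", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pebble"]


def random_password(length: int = 16) -> str:
    """Random mixed-case/digit/symbol password drawn from a CSPRNG (secrets, never random)."""
    if length < 16:
        raise ValueError("policy requires at least 16 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Re-draw until every character class is present so the password also
        # satisfies naive complexity rules without sacrificing randomness.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def random_passphrase(words: int = 6, wordlist: list[str] = TOY_WORDS) -> str:
    """Passphrase of independently chosen words, joined by hyphens."""
    if not 5 <= words <= 7:
        raise ValueError("policy suggests 5-7 random words")
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def char_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, list_size: int) -> float:
    """Entropy of a passphrase of uniformly chosen words: words * log2(list size)."""
    return words * math.log2(list_size)


def find_reused(vault: dict[str, str]) -> list[list[str]]:
    """Return groups of accounts that share a password (violations of the 'Unique' rule)."""
    by_password: dict[str, list[str]] = {}
    for account, pw in vault.items():
        by_password.setdefault(pw, []).append(account)
    return [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    print(random_password())
    print(random_passphrase())
    print(f"16 random characters: {char_entropy_bits(16):.1f} bits")
    print(f"6 diceware words (7776-word list): {passphrase_entropy_bits(6, 7776):.1f} bits")
    # Constructed sample vault: the bank and ride-share accounts share a password.
    sample_vault = {"bank": "Tr0ub4dor&3", "rideshare": "Tr0ub4dor&3",
                    "email": "correct-horse-battery-staple-maple-fjord"}
    print("password reused across:", find_reused(sample_vault))
```

Two things the numbers show that the bullet list does not: a 16-character random password is about 105 bits of entropy, while six words from a 7,776-word list is about 78 bits, which is still far beyond what online guessing can reach but much easier to type. The `find_reused` check is exactly the report a password manager produces when it warns about reused credentials.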
Step 2: Use multifactor authentication (MFA)
While a long, unique password is a great first step in protecting your accounts, it can still be stolen: through a phishing page, a breach at the service that stores it, or malware on the device. That’s where multifactor authentication (MFA) comes into play.
MFA requires a second proof of identity at login, in addition to the password, such as a one-time code from an authenticator app, a code texted to your phone, or a tap on a hardware security key. Not all factors are equal: codes sent by text message can be intercepted or phished, so CISA recommends phishing-resistant MFA, such as FIDO/WebAuthn security keys, wherever a service supports it.
“Every single account that you have in both your personal and your business life needs to have multifactor authentication,” Wood said. “And multifactor authentication is, at the end of the day, making sure that there's an additional barrier to getting access to this system.”
Step 3: Develop employee training programs
Threats and attacks stemming from insider missteps are often chalked up to being honest mistakes or pure negligence on the part of the employee. That can be anything from not understanding the value of MFA to clicking a malicious link in a phishing email.
That’s why Wood and CISA implore organizations to develop and require recurring training programs for employees to better detect and protect themselves from criminal activity.
“We want to educate users not only on what phishing looks like, what cybercrimes look like, but what are the indicators of compromise that you need to be cautious about,” Wood said. “A lot of times, cybersecurity awareness training is drawing upon the new trends that we are seeing in industry. For example, scanning a QR code is now a thing where QR codes cannot be picked up by virus scanners very easily.
“So, it's not uncommon for users now to get an email that has a QR code in it, and that link embedded in that QR is fraudulent.”
Wood suggested companies make their annual training efforts fun to encourage employee participation.
“We're always going to advocate for employee trainings that are non-punitive,” he said. “For example, at a past organization, instead of making everyone go through another training class because they clicked on too many links, we actually did the opposite, which we did a phishing derby.
“We made a game out of it and there were prizes if you didn't click on so many phishing attempts that we sent you on purpose.”
Step 4: Routinely update business software
We’re all familiar with those pesky software update reminders that seem to appear daily. As inconvenient as they may be, those updates often contain critical security patches that help protect your network and data, and an “I’ll worry about it later” approach could prove costly.
“We're getting updates for our computers all the time that we have to apply. They always come at the most inopportune time,” Wood said. “You're working on that big presentation. You're working on that big spreadsheet. You have end-of-quarter results you have to pull together and your computer will pop up and say, ‘Your computer will reboot in the next 30 minutes unless you say no.’
“And what do we do? We always hit the 'no' button and we keep on pushing it, and the next thing you know, you haven’t updated your devices with the most critical security updates for weeks.”
Wood said hackers need as few as 15 days to take advantage of a vulnerability in your software, meaning continuous postponement of updates could expose your workplace and personal life to potential issues.
One of the simplest ways to ensure you have the most recent patches on your software, Wood said, is to reboot your computer each night so updates are applied automatically.
Learn more about CISA and the fight against cybercrime
CISA is an operational component of the Department of Homeland Security that works to understand, manage, and mitigate risk to the nation's cyber and physical infrastructure in the public and private sector, according to its website.
CISA offers several resources and services to help your organization develop a cyber defense and response plan.
At KeyBank, we’re committed to helping your business grow and stay safe with ongoing education opportunities, including our annual cybersecurity webinar, which keeps you ahead of the curve on trending fraud and cyber topics.
KeyBank also offers a suite of products and solutions dedicated to helping fight both check and electronic payment fraud. For any questions about KeyBank's efforts and products to help you protect your business, please contact a payments advisor.