As we move through the holiday season, new challenges that people and organizations face include the heightened risk and probability of “bad actors”–people with criminal intention, organized crime groups, and state-sponsored groups–seeking to compromise people and organizations’ mobile phones, tablets, and systems to gain access to data and information. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published this alert on December 15, 2021. The risk has always been present–with our attention on holiday celebrations, our personal and professional guard and resources can be down. It’s easy to be distracted by the phishing email or the phone call asking you to click on a link, or to provide personal information that can allow a bad actor to gain access to data and systems. After that happens, there are fewer people and more challenges to identify, respond to, and repair any damage carried out by cyberattacks and cybercrimes.
You may think that community-based organizations aren’t targets. However in 2021, three Area Agencies on Aging (AAAs) and associated service providers experienced cyberattacks, resulting in loss of data about the organizations and the people they serve. There may well be other community-based organizations that experienced cyberattacks about which we don’t know. As providers of services that CISA and others consider part of the National Critical Functions, AAAs, Centers for Independent Living, and state and local adult protective service agencies, among others in our aging and disability networks, all are potential critical infrastructure targets.
What can we do to prepare for and protect against cyberattacks and cybercrime? The first–and most important–way to prevent cybersecurity issues is to be aware. CISA offers this advice on "How to Recognize and Prevent Cybercrime."
Recognize the Risk of Cybercrime:
Identity theft is the illegal use of someone else's personal information in order to obtain money or credit. How do you know if you’ve been a victim of identity theft? You might get bills for products or services you did not purchase. Your bank account might have withdrawals you didn’t expect or unauthorized charges.
Phishing attacks use email to collect personal and financial information or infect your machine with malware and viruses. Cybercriminals use legitimate-looking emails that encourage people to click on a link or open an attachment. The email they send can look like it is from an authentic financial institution, e-commerce site, government agency, or any other service or business.
Imposter scams happen when you receive an email or call seemingly from a government official, family member, friend, or other trusted source requesting that you wire them money to pay taxes or fees, or to help someone you care about. Cybercriminals use legitimate looking emails that encourage people to send them money or personal information.
Prevent or Reduce the Impact of Cybercrime:
Keep a clean machine. Update the security software and operating system on your computer and mobile devices. Keeping the software on your devices up to date will prevent attackers from taking advantage of known vulnerabilities.
When in doubt, throw it out. Stop and think before you open attachments or click links in emails. Links in email, instant message, and online posts are often the way cybercriminals compromise your computer. If it looks suspicious, it’s best to delete it.
Use stronger authentication. Always opt to enable stronger authentication when available, especially for accounts with sensitive information, including your email or bank accounts. A stronger authentication helps verify a user has authorized access to an online account. Visit www.lockdownyourlogin.com for more information on stronger authentication. <Editor's note: The previously mentioned site is no longer available. An alternative link for similar information is: Protect Your Personal Information and Data | Consumer Advice (ftc.gov) >
Preparation for cybercrimes and cyberattacks is the second step. As the Chief Information Officer for ACL, I’m often told by my colleagues that they don’t know or understand cybersecurity. My answer always is: as a manager or executive, your organization should have plans for minimizing and managing the risks of cyberattacks and cybersecurity that:
- Increase organizational vigilance by ensuring there are no gaps in Information Technology (IT)/Operational Technology (OT) security personnel coverage and that staff provides continual monitoring for all types of irregular behavior. Security coverage is particularly important during the winter holiday season when organizations typically have lower staffing.
- Prepare your organization for rapid response by adopting a state of heightened awareness. Create, update, or review your cyber incident response procedures and ensure your personnel are familiar with the key steps they need to take during and following an incident. Have staff check reporting processes and exercise continuity of operations plans to test your ability to operate key functions in an IT-constrained or otherwise degraded environment. Consider your organization’s cross-sector dependencies and the impact that a potential incident at your organization may have on other sectors, as well as how an incident could affect your organization.
- Ensure your network defenders implement cybersecurity best practices. Enforce multi-factor authentication and strong passwords, install software updates (prioritizing known exploited vulnerabilities), and secure accounts and credentials.
- Stay informed about current cybersecurity threats and malicious techniques. Encourage your IT/OT security staff to subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.
- Lower the threshold for threat and information sharing. Immediately report cybersecurity incidents and irregular activity to CISA and/or the FBI. Sharing your data and experience may help other people and organizations prepare for, respond to, and reduce the impact of cyberattacks and cybercrimes. (Adapted from CISA’s “Preparing for and Mitigating Potential Cyber Threats.”)
Our partners at DHS and CISA, and at the National Institute of Standards and Technology (NIST) have good, effective guidance and technical assistance for building resilience to cyberattacks and cybercrimes. It may seem overwhelming at first, but having even a simple plan about how to respond to a data breach or a cyberattack compromising a system supporting your organization will let you act more quickly, and with greater confidence, than if you had none.
Preparing for and preventing cyberattacks and cybercrimes should become part of our personal and professional lives. Changing our behavior means staying aware of emerging cybersecurity issues. We can do this by:
- Taking note of articles about new and existing cyberthreats in the popular and professional media.
- Paying attention to software and device updates for our personal devices and our organizations’ mobile phones, laptops, and servers.
- Including assessing and managing the risk of cyberattacks and cybercrime as a regular and ongoing part of our management and governance practice.
Make planning for and managing cyber risk part of your personal and professional practices to ensure your personal security, and the security and privacy of the people we serve.