Journal of Employee Assistance Vol. 48 no. 2 - 2nd Quarter 2018
Cybersecurity for Employee Assistance Professionals
By Marina London, LCSW, CEAP
CNET (www.cnet.com) is one of the most reliable sites providing hardware and software reviews, as well as important articles about trends in technology. In November 2017, they published an informative article, “How to give your parents the security talk this Thanksgiving.” My experience has been that, just like senior citizens, most employee assistance professionals lack expertise in the fundamentals of cybersecurity, so I have repurposed, summarized, and added to the CNET article for JEA readers.
Bear in mind that I almost fell prey to an online scam. Today’s highly sophisticated scammers are capable of generating email correspondence that looks completely authentic, nearly fooling even me. I have received correspondence from Apple, Chase Bank, and other major corporations asking me to verify transactions, or alerting me that my account has been suspended. Only by comparing these emails to actual letters from Apple, etc. could I notice even the tiniest difference between the fake message and the real one.
Let’s begin by talking about phishing, in other words, a scammer pretends to be somebody else in an attempt to steal your information, regardless of whether it’s a credit card number, login password, or any data that can be used in an attack. Phishing attacks often come in the form of an email that contains a link taking you to a website designed to trick you. The easiest way to avoid getting phished is simply to not click on any links in emails. If an email coming from Netflix says your account is going to be canceled, go directly to Netflix's website to check it out – don’t do it from the link in the email.
Tips for spotting a phishing email:
Grammar: Bad grammar is a tell-tale sign of an online scam.
Check the source: The address the email came from is often a thinly veiled disguise (coming from facebookk.com instead of facebook.com, for example).
Weird links: You can hover your mouse over links and see pictures to determine where they’ll lead you. If an email claiming to be from your bank is actually going to a suspicious website, that’s a good sign it's a scam.
My comment: As I wrote earlier, phishers have increasing expertise at sending emails that look official. Many of these emails report that something is being canceled. Automatically be wary of any such email.
Password managers: It is a pain to have to remember different passwords, but it is also a must. Fortunately, there are free services out there that will keep all your passwords in one place.
With password managers, you just have to remember one password for the manager. Just log into that service, and the managers sync across your browsers and devices, bringing both security and convenience. Find out more here: https://www.cnet.com/how-to/how-to-save-and-sync-your-passwords-lastpass-for-free/.
HTTPS and SSL: Every time you go on a website, you should check to see if there’s a green lock icon next to the URL. That symbol shows you’re on a page protected by HTTPS, which stands for Hypertext Transfer Protocol Secure.
The green lock tells you the website has Secure Sockets Layer (SSL) enabled, meaning there’s a certificate to prove that the website is secure and that your sensitive information can’t be stolen or spied on when you visit that site. Think of it as a virtual Good Housekeeping seal of approval that your secrets are safe.
Sometimes going on a non-secure site can’t be avoided. You should be careful about entering sensitive information on public Wi-Fi if you have to go on non-HTTPS pages.
Ransomware: This is a type of virus that locks up your important files and sometimes your entire computer, unless you pay a ransom.
You should back up your files regularly in case you ever get hit with ransomware – my favorite utility for this is Carbonite. I connected to it in 2009 and still use it. In computer years, that is a long time. If my laptop crashes and dies, I can buy a replacement, and download all of my files from Carbonite. Now that’s insurance! Plus, they have great tech support.
CNET has an entire guide on whether you should pay a ransom. The short answer is – DON’T. Smaller companies and health care organizations such as hospitals are especially vulnerable to attack.
Patching: Companies like Microsoft and Apple aren’t sending frequent updates just to annoy you. Most of the time these updates come with patches to fix security flaws that were recently discovered. Yes it may be time consuming, but do it – update all of your devices when necessary.
Two-factor authentication: This is an extra layer of security on top of your password.
This type of authentication is around you everywhere you go already: swiping your debit card and then entering your PIN code, or writing a check and showing a driver’s license along with it. The factors are often a combination of something you know (a password, a PIN, answers to a question) with something you have (a thumbprint, a card, a phone).
The most common version of two-factor authentication is a code texted to your phone after you enter your password. Warning – this can be more complicated and annoying than it sounds. But understand this process is there to protect you from identity theft.
Identity theft: Consider purchasing identity theft protection from companies like Lifelock and ID Shield, which protects you from data breaches even when these occur through no fault of your own. My accountant’s firm was compromised (!) a number of months ago, and my ATM account was hacked last week. A useful article, https://www.identitytheftlabs.com compares the major players.
Unfortunately, cybersecurity issues are here to stay. It behooves us to stay one step ahead of pirates and hackers.
Marina London is Manager of Web Services for EAPA and author of iWebU, (http://www.iwebu.info,) a weekly blog for mental health and EA professionals who are challenged by social media and Internet technologies. She previously served as an executive for several national EAP and managed mental health care firms. She can be reached at firstname.lastname@example.org.