This is What Keeps Your CIO Up at Night

October is Cyber Security Awareness Month.  It’s time for IT departments to remind us all about the dangers lurking in the dark corners of the Internet, and to provide useful tips for avoiding hackers and scammers right before the on-line holiday shopping season. Cyber security is critically important to our personal and organization’s wellbeing, so this is important stuff.

For many of us, Cyber Security Awareness Month takes on an eerie resemblance to our Netflix feeds in the lead up to Halloween.  For 30 days we are immersed in horror stories and magical tales about phishing attacks, ransomware, and the importance of changing your password.  The stories unleash our primal fears (can you imagine having your identity stolen!); but the dangers also sometimes seem just a little too fantastical to be truly believable (do I really need to change my password every 90 days?!?).

As the Chief Information Officer of a non-profit organization and the leader of a Cyber Protection Team in the United States Army Reserve, I have a pretty decent understanding of how to defend an organization against cyber threats.  What I have realized though, is that me and my kind (i.e. technology nerds) are not necessarily the best to convey those dangers to others.  To make Cyber Security Awareness Month truly successful, the expert technologists in an organization must enlist the support of that organization’s expert communicators to craft an understandable and compelling message.  Non-profit organizations hire some of the best people uniquely talented with convincing strangers to believe in their cause and take action.  Imagine if just one or two of those hundreds of expertly crafted messages sent out a year were sent internally to the staff to keep everyone’s privacy and data safe.

Having learned from watching my colleagues in my own organization’s development team, I know the importance of zeroing in on very small number of impactful calls to action.  Although there’s lots that people can do to keep themselves and their organizations safe, here are the top three, simple actions to take:

1. Proof Read the E-mail You RECEIVE – The biggest indicators of fraudulent e-mail are poor grammar, erroneous capitalization, and bad punctuation. There are many unimportant reasons why scammers do not write with good grammar; what is important is that people who reach out to you for legitimate reasons will ensure that they are sending a well-crafted e-mail.  Hackers often care less about such things.  Proofreading also extends beyond just the text.  If the logo looks off, it is not that an organization changed their color palette.  The e-mail is fake.  If the signatory suddenly changed his name from Billy to William, he is not experimenting with a new persona.  The e-mail is fake.  If the e-mail address shows your colleagues name with some weird e-mail address, it’s not a problem with the server.  The e-mail is fake.  Proofread the e-mails you receive, and you will be taking the most important step to practicing good cyber security.
2. Don’t Reuse Passwords – I was guilty of this myself. I had found the perfect string of eight letters, numbers and special characters and convinced myself was unbreakable but totally memorable.  I used this magical string of characters everywhere from my Evite account from the early 2000s to my WashingtonPost.com subscription to my Strateva account during those 3 weeks that I trained for a marathon (before I found something better to do with my time).  Then one day I found in my Chrome browser under Settings, I could see which passwords had been compromised.  If hackers could see that the same e-mail password combination was used for more than one account, then they could reasonably assume that the same combination was for other accounts as well.  This is how some hackers operate.  They look for patterns in your behavior and then make an educated guess on how to exploit that pattern for their benefit.  Once a hacker is in your account, then they can try to get you to re-enter your credit card information and earn a payday.  Making passwords is still one of my least favorite things to do, and coming up with unique strings has gotten more difficult as I’ve cycled through more and more pneumonic devices.  I’m currently using pass-phrases like “IGotMarriedOn05042010!” and “My2ndDaughterIs4YearsOld!” and those are working pretty well for me.
3. Restart Your Computer Once A Week – Your computer is constantly receiving updates. They come from the hardware manufacturer, from the operating system, and from each of the software packages you have installed. These updates are designed to fix discovered bugs and patch identified security flaws. Some of these patches only take effect after you restart your computer.  Closing the lid on your laptop is not the same thing as restarting it.  To restart your laptop you have to press the power button.  It’s the difference between walking around with a COVID mask in your pocket and wearing it on your face.  Until you actually apply the update by restarting your computer, it is as if it is not even there.  If you can get in the habit of giving your computer Friday night off, both you and your laptop will be significantly better off.

Here is my challenge to you.  This Cyber Security Awareness Month, see if you can help out your IT team in building out an awareness campaign.  An organization where everyone proofreads the emails they receive, does not reuse old passwords, and restarts their computers once a week is significantly more secure than 90% of the organizations out there.  It could be a fun internal project and definitely a useful one.  Let me know how it goes.

Rich Kostro (rkostro@strength.org) is the Senior Vice President and Chief Information Officer at Share Our Strength.    

Author: Rich Kostro

Rich Kostro is the Senior Vice President and Chief Information Officer at Share Our Strength.  He is also a member of The Nonprofit Alliance Foundation Board of Directors.