Best Practices for Online Security
A series of email scams has cost more than a handful of galleries in the UK quite a bit of money. Social engineering and simple hacking tactics gave attackers unauthorized access to email systems, and money that art buyers intended for the galleries was transferred into the hackers' accounts instead.
As a technology company operating in the art world, we are often approached about the subject of online security. The art world tends to adopt technology slowly, and we have found a general aversion to new technologies.
Once a new tech component has been added to the repertoire of an art institution, such as online invoicing, money transfers, or even email, it tends to stick without much change over the next few years. Complacency sets in, with the assumption that a program that was secure once is secure forever.
Technology is constantly evolving and measures need to be taken as this happens to ensure your information is safe and secure online.
Often all that is needed is a re-education on security best practices and, with help from our co-founder Jeff, we are here to give it to you. Jeff's 16 years of IT experience includes a strong background in security from desktop systems to complicated cloud-based architectures.
Change your password frequently. The rule of thumb is every 90 days for maximum security. If that seems like too much to handle, at least make changing your password a yearly habit. Set a calendar reminder. Find a password tool that sets reminders for you.
Make it a good password, at least eight characters. Choose upper and lower case letters, special characters and numbers. Studies have shown that a long phrase, rather than a word or two, is safer: it is easier for the user to remember and harder for an unauthorized person to guess. Jeff likes to use nonsensical phrases that are easy to remember but impossible to guess, for example, ImavampirethatlovesthebeachinDecember.
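The two rules above (at least eight characters with mixed character classes, or a long passphrase) can be checked mechanically. The following is an added example, not code from the original post or from the company behind it; the 20-character passphrase threshold and the entropy estimate are assumptions chosen for illustration.

```python
import math
import string

MIN_LENGTH = 8          # minimum length stated in the post
PASSPHRASE_LENGTH = 20  # assumed: a phrase this long is accepted without all four classes


def character_classes(password: str) -> set:
    """Return the character classes present: 'upper', 'lower', 'digit', 'special'."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def estimated_entropy_bits(password: str) -> float:
    """Rough brute-force entropy: length * log2(size of the alphabet actually used).

    This is a simplification (assumed for illustration): it overstates the strength
    of dictionary phrases, but it shows why length matters more than symbols.
    """
    sizes = {"upper": 26, "lower": 26, "digit": 10, "special": len(string.punctuation)}
    alphabet = sum(sizes[c] for c in character_classes(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password: str) -> dict:
    """Apply the post's policy: >= 8 chars, and either all four classes or a long passphrase."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"upper", "lower", "digit", "special"} - character_classes(password)
    if missing and len(password) < PASSPHRASE_LENGTH:
        problems.append(
            f"missing {', '.join(sorted(missing))} and shorter than the "
            f"{PASSPHRASE_LENGTH}-character passphrase threshold"
        )
    return {
        "ok": not problems,
        "problems": problems,
        "entropy_bits": round(estimated_entropy_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed sample passwords, including the passphrase from the post.
    for candidate in ["Summer1", "P@ssw0rd", "password", "ImavampirethatlovesthebeachinDecember"]:
        print(candidate, check_password(candidate))
```

The passphrase from the post passes with an estimated entropy several times that of a short "complex" password such as P@ssw0rd, which is the point the post makes: length does more for you than symbols.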
Don't write it on a sticky note or keep it written somewhere easily accessed by someone walking past your desk or computer.
Turn on two-factor authentication for your email and other online accounts when possible.
Don't open links from unknown sources and always question your sources, even if they appear to come from someone familiar. In the case of the email scams in the UK, the email accounts were infiltrated and new accounts that appeared identical to the originals were used to request the transfer of funds. Ask yourself, "does this look like an email my superior, co-worker, gallery rep, etc. would send?"
Apply the same two-factor principle to verification. If you receive an email or message asking for sensitive information or money, question it. Contact the sender by a method other than the one the original message arrived through. Verbal confirmation is best.
Always validate all financial requests verbally.
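In the UK scams described above, the fraudulent requests came from accounts that looked identical to the real ones. A first, automated check that the address really is the one on file (before the verbal confirmation the post insists on) is shown below. This is an added example, not code from the original post or the company behind it; the address book, the contact names and domains, and the two-edit "near match" threshold are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed address book (assumed data): the people a gallery actually
# exchanges payment details with, keyed by the display name they normally use.
TRUSTED_CONTACTS = {
    "Alice Buyer": "alice@examplegallery.com",
    "Bob Rep": "bob@artrep.example",
}
TRUSTED_ADDRESSES = {a.lower() for a in TRUSTED_CONTACTS.values()}
TRUSTED_NAMES = {n.lower(): a.lower() for n, a in TRUSTED_CONTACTS.items()}
TRUSTED_DOMAINS = {a.split("@", 1)[1] for a in TRUSTED_ADDRESSES}
NEAR_MATCH_DISTANCE = 2  # assumed threshold for "looks almost identical"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(
                prev[j] + 1,                 # deletion
                cur[j - 1] + 1,              # insertion
                prev[j - 1] + (ca != cb),    # substitution (free if equal)
            ))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str) -> dict:
    """Classify a From: header as 'known', 'unknown' or 'verify out of band'.

    Two signals are checked: a display name that matches a known contact while the
    address does not, and a domain that is within a couple of edits of a trusted one.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.split("@", 1)[1] if "@" in addr else ""
    flags = []

    if addr in TRUSTED_ADDRESSES:
        return {"address": addr, "flags": flags, "verdict": "known"}

    known_addr = TRUSTED_NAMES.get(name.strip().lower())
    if known_addr is not None:
        flags.append(f"display name matches {known_addr} but address is {addr}")

    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= NEAR_MATCH_DISTANCE:
            flags.append(f"domain {domain} is a near match for trusted domain {trusted}")

    verdict = "verify out of band" if flags else "unknown"
    return {"address": addr, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample headers: the genuine contact, a look-alike domain, and a
    # free-mail address borrowing a known display name.
    for header in [
        "Alice Buyer <alice@examplegallery.com>",
        "Alice Buyer <alice@examplegallery.co>",
        "Alice Buyer <alice.buyer@webmail.example>",
        "Carol <carol@unrelated.example>",
    ]:
        print(header, "->", assess_sender(header))
```

A "verify out of band" verdict is not proof of fraud; it is the trigger for the phone call the post recommends. A "known" verdict is not proof of safety either, since the genuine account may itself have been taken over, which is why payment details still get confirmed verbally.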
Don't download and install applications when they are unsolicited, especially from an unknown source. This is another situation where you should question the content. For example, is it normal for someone in your contacts to send you a zip file without mentioning it first?
Don't share your personal information. If someone asks for your Social Insurance/Security Number, birth date, home address, etc. through email it should be an automatic red flag.
Enable security access on your mobile devices with a thumbprint, code, or facial recognition.
Regularly audit your social media privacy settings. This data can be used for phishing. Social media sites like Facebook change the settings occasionally, so make it a habit to double check from time to time.
Keep anti-virus up to date. Yes, even if you have a Mac. For a Windows computer, we suggest McAfee, Norton, and Bitdefender. For a Mac, we suggest Bitdefender Anti-Virus for Mac and AVG for Mac.
A hacker will always use the easiest method to obtain the information they are after.
Social engineering or obtaining your username and password are the quickest ways for them to achieve their goals and are the tactics used most often. Following these guidelines will help force most hackers to move on to a weaker target.
Phish: to try to obtain financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake website that replicates the real one. (dictionary.com)
Two-Factor/Multi-Factor Authentication: a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). (wikipedia.org)
Social Engineering: in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. The term "social engineering" as an act of psychological manipulation of a human is also associated with the social sciences, but its usage has caught on among computer and information security professionals. (wikipedia.org)