Jessica Quindlen: [00:00:00] Welcome back to the Sound Cents podcast. I'm Jessica Quindlen. October is Cybersecurity Awareness Month, and I have with us two of our information security people.
I have Caleb Cole, our Manager of Information Security. Hello, Caleb.
Caleb Cole: Hello.
Jessica Quindlen: And Daniel Gowing, our Information Security Analyst.
Hello, Daniel.
Daniel Gowing: Hello.
Jessica Quindlen: All right. So, let's just dive right in. What is the significance of Cybersecurity Awareness Month, especially for financial institutions like credit unions?
Caleb Cole: You know, that's a really interesting question.
It's a really important thing in our world because it has everything to do with the reason why we are here, and we like people to understand the reason why we're here. Cybersecurity Awareness Month is a crucial annual observance that plays a significant role in promoting cybersecurity education and awareness.
That's one of our main programs that we run out of our department is ensuring that all of our staff, as well as, you know, our members, because we do have some member-facing content that we provide as well, are aware [00:01:00] of the things that they need to be looking at and concerned with when it comes to cybersecurity, you know, whether it's their accounts, their access, their passwords, social engineering and phishing that occurs on a near daily basis for most individuals. We really want to make sure people understand what they really need to do to protect themselves better from these types of things.
Daniel Gowing: While it's important year-round to look at these things, we just like to take the time at least once a year for a month to really deep dive and provide deeper trainings than we normally do.
Caleb Cole: And it's not just us, right? This is National Cybersecurity Month.
Jessica Quindlen: Right, we didn't name this, right?
Caleb Cole: No, we didn't. Exactly. So, there's a couple of really big security organizations in the country that really champion and spearhead these efforts. One of them is the Cybersecurity and Infrastructure Security Agency (CISA), which is basically the big government infrastructure security group.
And then there's the National Security Association that we partner with [00:02:00] actually. Ent is a National Cybersecurity Month champion through that group and we get some extra content and resources from them for doing that. But it also shows our commitment to providing this type of awareness and education.
Jessica Quindlen: That's fantastic. I love that. What are some practical tips that our listeners can take to protect their information?
Caleb Cole: Well... Right now, I think the biggest bang for anyone's buck across the board is wherever you can, whatever application or system or whatever it is, if you've got multi-factor or two-factor authentication available to you, enable it and use it.
Daniel Gowing: It's one of those things that seems like an extra hassle. You know, you have to get a text every single time. I mean, if you have an authentication app, it's way easier but that small step every now and then is a huge deterrent for almost any digital fraud.
Jessica Quindlen: So, I'm unfamiliar with the app. I do have text messages. Can you talk more about that? Are there specific apps [00:03:00] you use or does everyone allow this?
Daniel Gowing: So, it really depends on what service you're doing authentication through. For example, internally we have the Microsoft authentication app. So that way, instead of getting a text or a phone call for any time you authenticate through our Microsoft Active Directory service you can just get a push notification.
It just requires your finger and then you're done. And it can go through a variety of devices at that point.
Caleb Cole: Yeah. And more broadly, for especially external applications and websites and things, usually they allow you to kind of pick the one. So, Microsoft Authenticator is one of the more ubiquitous ones.
Google has an authenticator called Google Authenticator. These are just apps that you install on your phone, and you open it up, you link accounts to it. It gives you either a random generated key that you can enter, or you can do a push notification. There are various ways to use them. There's a couple of more out there, but I think Microsoft and Google's are probably the most ubiquitous ones.
RSA, the [00:04:00] SecurID has one. I think Okta, they're a federated identity provider that's out in the security world. But since they do identity management for lots of organizations, they have an authenticator as well.
And then there's a few other ones here and there.
Jessica Quindlen: Cool, I love that. So outside of two-factor authentication, what are some other ways we can protect our information online?
Caleb Cole: You know, really the next thing after two-factor authentication is strong passwords. At the end of the day the weaker your password is, the easier it is to bypass.
And unfortunately, they are way easier than most people realize. At this stage of the game, given the type of technology that exists in the world today, that the attackers commonly use, I wouldn't go with anything shorter than a 12-character password. And that's only for the least secure types of things I would do.
If I'm [00:05:00] doing anything that I want to be protected at all, I would say a minimum of 16. If you can, and this kind of goes into the next thing that I would offer, is find a good password manager. Because at the end of the day, you've got so many of these accounts that you're trying to manage, all these different usernames, all these different websites.
One of the worst things anyone can do is reuse the same password across, because if one site gets breached, that password goes into the dark web. People have it. They can link it. It can be used across multiple sites to gain access to things and that's definitely something we want to avoid. So, password managers are great for that.
Daniel Gowing: To that, I don't know anyone that can remember more than 12 passwords at a time. And so it becomes impossible and you have to start using the same password over and over again across sites unless you're using a password manager.
Jessica Quindlen: What about the suggested passwords? How do we feel about that?
Caleb Cole: It depends. I don't personally trust the Chrome [00:06:00] application itself. The password, the randomness of it is fine. I absolutely recommend random generated passwords. But using a tool like your computer's application to store them can be dangerous.
There are types of attacks that can attack your browser and get into your browser's stored information, including those passwords. I typically recommend people don't ever set up their web browsers to remember usernames and passwords. If you have a good third-party password manager, usually you can get a browser plug-in that will, once you log into it, it will recognize the URL that you're on and say, “Hey, you've got a username and password for this. Do you want to use it?”
Jessica Quindlen: So effectively does the same thing the browser would do, but safer?
Caleb Cole: But it doesn't store it in the browser and it's not susceptible to browser attacks.
Jessica Quindlen: Alright, good to know. Anything else that members can do? We have strong passwords, we have two-factor authentication. What else?
Daniel Gowing: I was going to go with being aware of social engineering and phishing attacks. Just awareness in general goes a long [00:07:00] way. I mean, I know I tell my grandparents all the time how to be aware of phishing attacks because they are highly susceptible to them right now.
Caleb Cole: Yeah. And they just get more sophisticated every couple of months. And with new tools out there right now like the large language model, generative AI, kind of natural language, ChatGPT is a great example of that. It's really, really easy to craft really well-written natural language text as opposed to some of the previously used language translators that a lot of the bad guys have tried.
You can't see my air quotes. I just made them. I'm not on camera. So you missed it.
Jessica Quindlen: I love it. What about software updates?
Caleb Cole: You know, updating is one of the most crucial things that you can do. Preferably set up automatic updates wherever possible. If it's your laptop, if it's your desktop computer, your iPhone, your Android, your tablet, whatever flavor that is, pretty much every device out [00:08:00] there supports it. And it's almost always worthwhile to turn it on.
Setting up automatic updates is really beneficial because, you know, even, just last week Apple pushed out basically an emergency security update. There were some new vulnerabilities that were identified and could be easily exploitable.
So they very quickly put together a patch, and pushed it out. And if you don't have your automatic updates on, then now your phone is vulnerable. And susceptible to whatever exploit might be possible with that.
Jessica Quindlen: Alright. I love that. And then finally, Wi-Fi. Wi-Fi networks, secure networks. How do we feel? Because, you know, we've all been in coffee shops or something. We hook up to Wi-Fi.
Daniel Gowing: My favorite is airport Wi-Fi. And then seeing how many near-name Wi-Fis there are, like “Denver Airport Wi-Fi Free,” “Denver Airport Wi-Fi.”
Jessica Quindlen: Is this what you do for fun when you're traveling and you're like, let's check it out?
Daniel Gowing: I have before. I've set up a hotspot and seen how many people will connect to it. Just with no security [00:09:00] in place. And then you can just...
Jessica Quindlen: And I guess, yeah. I mean, if I saw “Denver Airport Wi-Fi Free,” I wouldn't bat an eye.
Daniel Gowing: And it's really easy to get people to click on those. So strongly recommend use of a VPN, virtualized private network, essentially makes a tunnel.
So that way you can access the internet, and no one can see in. Or very few people, your VPN provider being one of them, can see in. It's a way to do that. Even still, don't recommend connecting to unsecure networks or if you're at a coffee shop, for example, always go and ask or look for the little sign and make sure it's an employee that's pointing at the sign for what the actual Wi-Fi is called.
Caleb Cole: Or just stop for a moment and ask yourself, “Do I really need to get on Wi-Fi right now, right? Can I not just wait till I get to where I'm going?”
Jessica Quindlen: Valid, can I just use data?
Caleb Cole: Yeah.
Daniel Gowing: Yeah, cell phone hot spotting is wonderful.
Caleb Cole: Yeah, actually, I would say if you have a need [00:10:00] for connecting something like a laptop or a tablet that maybe doesn't have, you know, a cellular type of connection.
If you have unlimited data and your phone supports a hotspot, just use that. It's way more secure.
Jessica Quindlen: Oh, interesting. Okay. Good to know.
That brings us to the end of our show. Be sure to tune in next week for part two of our cybersecurity conversation. Also be sure to follow us as well as rate and review us. I'm Jessica Quindlen. I'll see you next week. Same time, same place.