In an age where technology permeates every aspect of our lives, cyber threats loom larger than ever before. Thus, it’s necessary we all take the time to educate ourselves on cyber threats and utilize tools to prevent them. In this episode of The Agent of Wealth Podcast, host Marc Bautis is joined by Mikhail Itenberg. Mikhail has been working in and managing internal IT departments for 15+ years. He is the owner of Zaks Technologies, a technology services provider for businesses, which includes onsite and remote tech support, proactive monitoring, technology consulting, and outsourced IT support services. Tune in to discover how you can safeguard your digital world!
In this episode, you will learn:
- The most common types of cyber security threats.
- Practical steps you can take to protect your personal information online.
- How to create secure passwords, utilizing password managers and multi-factor authentication.
- How to identify phishing emails to avoid falling victim to scams.
- Precautions to take when conducting financial transactions online.
- And more!
Disclosure: The transcript below has been lightly edited for clarity and content. It is not a direct transcription of the full conversation, which can be listened to above.
Welcome back to The Agent of Wealth Podcast, this is your host Marc Bautis. In today’s episode, we’ll be talking about the crucial topic of how to protect yourself from cyber threats.
With the increasing reliance on technology and the interconnectedness of our lives, it’s critical to safeguard our online presence and personal information. The first step to do so is to be aware of the threats out there.
To shed light on this subject, I’m joined by our guest, Mikhail Itenberg. Mikhail has been working in and managing internal IT departments for 15+ years. He is the owner of Zaks Technologies, a technology services provider for businesses, which includes onsite and remote tech support, proactive monitoring, technology consulting, and outsourced IT support services.
I’m thrilled to have him join us today. Mikhail, welcome to the show.
Thanks, Marc. Happy to be here.
Before we dive into a conversation about cyber threats and security, can you briefly introduce yourself and explain some of your background?
I got into IT when I did a co-op in college, at Stevens Institute of Technology. Out of college, I started working for big companies. Then, I realized I didn’t like working for big companies, so I went smaller – places where I was the sole IT person, managed a small team and kind of took over a lot of the operations. I managed IT service providers for these companies. Sometimes we got rid of them, sometimes we kept them on as a partner, and I really realized that their goals and how their business works doesn’t really align with the business and what a business needs from them. That’s where the idea came up to go out on my own and really align the two goals, and try to do it better than it’s been done.
Great, thank you. Now, let’s get into some of the details… What are some of the most common types of cyber threats?
The Most Common Types of Cyber Security Threats
So they’ve been consistent over the years. But obviously, as technology advances, the threats and cybercriminals advance with them.
Malicious Software (Malware)
Definition: Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
Malicious software (malware) is a big one. These are the viruses, worms, Trojans or ransomware that you get on your computer. It could even be something like spyware… most of these can be annoying to remove or get rid of.
Definition: The fraudulent practice of sending messaging purporting to be from a reputable source in order to induce individuals to reveal personal information.
There is also phishing, which is primarily used to get your passwords and/or to send money or gift cards.
Definition: The use of deception to manipulate individuals into divulging confidential or personal information, then used for fraudulent purposes.
Social engineering attacks are another one – they play a part in phishing. Because everyone is connected on social media, these attacks have become more frequent.
Yeah, I’ve heard of all three. Now, I know some of these cyber attacks are a nuisance, but other times, they can really be damaging. Going back to the topic of malware… I think a lot of people are under the assumption that they only have to worry about these attacks on their computer, and that their phones are safe. Is it possible for malware, or viruses, to attack phones as well?
It’s much less common, but they can definitely hit phones as well.
Okay, I thought so. So, with all of these threats, what are some of the practical steps people can take to protect themselves?
Practical Steps You Can Take to Protect Your Personal Information Online
When talking about security… A lot of people think it’s one step they need to take – like installing a security software. But that’s not the case. Security is layers of controls stacked one on top of the other, and the more layers you have, the better off you are.
Here’s what I recommend:
- Have really secure passwords for all of your systems.
- Use two-factor authentication.
- Update your software on time.
- Have secure networks.
- Have an antivirus software.
- Back up your data.
These are just a few of the many things that you could do.
How to Manage Passwords Securely
So, starting with passwords. Do you recommend using a password manager?
100%. I use one myself, and I recommend using them to everyone, including my clients. Passwords are the first step in for cybercriminals. If you have unsecured passwords, you’re toast, even if you have the most advanced antivirus on your computer.
And how do these password managers work?
Password managers are a piece of software on your computer and/or your phone where you can store your passwords. If you are a business owner, you can store passwords for your whole team. Their biggest advantage is they can create completely random passwords for you, which you can copy and paste into a login. That completely random, 20-something character password will then be saved on all of your devices.
Some password managers even have browser plugins, which allow them to auto-enter the password into the website you’re using.
They can also store your security questions and MFA recovery codes.
Bitwarden is really good, and the password manager I personally use. 1Password is good, though, in my experience, it’s best fitted for Apple. There’s also LastPass and Dashlane.
Yes, I use LastPass. One thing I’ve noticed when logging into websites, is that the browser – whether it’s Safari or Chrome – has an option to save the password for autofill. Is that another form of a password manager? Are those safe?
In my experience, they are getting better, but they’re not as good as password managers. Password managers have a lot of compliance behind them. They encrypt their passwords stronger. You can go device to device, browser to browser, and it’s all there.
Yeah, and you didn’t mention this, but I assume people should have different passwords for each account, correct?
Yes, you should have different passwords for everything. They should be random and long – at least 12 characters, but more if you can. Again, it’s a lot easier to keep track of your passwords with a password manager.
Whenever I have this conversation, I always bring up this website: haveibeenpwned.com. When you visit that website, you can type in your personal email to see if your personal information, such as username and password, has been compromised in various hacks over the past decades.
For example, when I type in my personal email, I can see dozens of data breaches, from the LinkedIn hack to the Chegg one when I was in college. If your email was a part of a data breach, and you’re still using that password, it’s very easy for someone to hack you.
That’s interesting, we’ll link to that in the show notes. I’m sure people see the data breach on, say, LinkedIn… But they don’t care about their LinkedIn account per se. Well, if they’re using that same password for something more important like their bank, they should definitely change it. That’s how hackers get you – when you use the same password for multiple accounts.
Yes. A funny tidbit is there was a presidential candidate in our lifetime whose Twitter was hacked as a result of the LinkedIn hack.
Oh, that’s funny. Earlier, you mentioned two-factor authentication. Can you explain what that is, and how someone can go about setting it up?
Two-Factor Authentication for Online Security
Two-factor authentication is associated with account logins, and it deals with the factors that you can authenticate. So, there are various factors you can have:
- Something you know: Your password, pin, security question, etc.
- Something you have: Your phone, a backup email, RSA security tokens, etc.
- Something you are: Your biometrics, like an eye scan or fingerprint scan.
- Something you do: Some advanced systems will recognize your keystrokes or how you move the mouse.
- Somewhere you are: Your ability to log in to some applications is limited to your location.
In general, a second factor adds a layer of security in the event that someone were to get your password.
I’ll share the most common factors with you in the order of good, better and best.
Good: Using a numeric code texted to your cell phone. This is better than not having a second factor of authentication, but it is possible to spoof your phone number.
Better: Using an authenticator app on your phone. Google Authenticator is a big one, but if you go to the App Store, whether you’re on Android or iPhone, you can search “authenticator” to find others. With these, you scan the QR code on the screen, which changes every 30 or 60 seconds.
Best: Using a YubiKey. I don’t suggest this for many people, because it’s not available on that many systems, but it is on Bitwarden. YubiKeys are little keys that could be USB-C or regular USB. You plug them into a computer, and you can only get into those systems if you’re logged in there. A word of warning with them, though, is to make sure you have a backup. Because if you lose it, you’re out of luck.
What about antivirus software? Do operating systems come with their own antivirus software, or is it still necessary to install something like McAfee?
How to Protect Yourself Using Antivirus & Endpoint Detection
Operating systems do come with some level of antivirus. Now, there’s actually two types.
There’s traditional antivirus, and the way that works is every program has a signature to it or a hash. Whenever something is found to be malicious, it gets added to a big database of signatures for it. Antiviruses scan all of your programs to see if any of the signatures match up, and then warn you before deleting them. Obviously, the issue there is that it has to have been known or discovered already.
The new age of antivirus is what is called endpoint detection and response. Beyond looking for signatures, these programs look for characteristics of how your computer’s working. So if a lot of files start getting encrypted, it will be flagged. Or if you have internet messages going to a foreign nation, they shut it down.
Although a lot of operating systems come with antivirus, businesses should look into endpoint detection if they are storing very important files on their technology. Examples are SentinelOne or Sophos. I would stay away from software like McAfees and Symantecs – they aren’t as effective, and are borderline spyware, in my opinion.
Makes sense. Now, one of the most common cyber attacks I hear about is phishing. Phishing has definitely evolved, as the scammers have gotten harder to detect. How can someone identify phishing emails to avoid falling victim to these scams?
How to Identify Phishing Emails to Avoid Falling Victim to Scams
To identify phishing emails, look for the following indications and techniques:
Emails with Poor Grammar and Spelling Mistakes
Poor grammar and spelling mistakes are becoming less common, but they are still an indication of a phishing scam, as most companies and browser-based email applications have spell-checking tools or autocorrect.
Emails Demanding Urgent Action
Urgency and pressure tactics are typically always used in phishing scams. Attackers often use this approach to rush people into action before they have had the opportunity to study the email for potential flaws or inconsistencies.
Inconsistencies in Email Addresses, Links & Domain Names
Another way to spot phishing is by finding inconsistencies in email addresses, links and domain names. If the email comes from an organization that is corresponded with often, check the sender’s address against previous emails from the same organization.
As much as possible, you should avoid clicking on links in emails. Instead, check to see if a link is legitimate by hovering the mouse pointer over the link to see the actual URL. Does that URL look legitimate? Are you expecting that link over email? If not, do not click it.
Be wary of attachments, especially if they have an unfamiliar extension or one commonly associated with malware (.zip, .exe, .scr, etc.). If you’re not expecting an attachment from someone you know, but you do receive one, contact them separately to see if they sent the email.
Emails Requesting Personal Information
Emails that come unexpectedly or from an unfamiliar sender that requests login credentials, payment information, or other sensitive data should always be treated with caution. No bank or financial institution will require you to enter personal information over an email.
At a previous job of mine, a person who was in charge of organizing security awareness training – including phishing training – actually fell victim to one of the phishing emails used for training purposes. That just goes to show that it can happen to anyone, even those who are intelligent and technical.
Absolutely, you’re right. What about when conducting financial transactions? Years ago, everyone walked around with physical cash. Now, almost all of our financial transactions are done online. What can people do to protect their financial information?
Precautions to Take When Conducting Financial Transactions Online
Obviously, all the above tips I share apply. But there are a few other suggestions I can make.
First, transmit files securely, especially if the files contain your social security number or banking information. Make sure your financial professionals – accountant, financial advisor, mortgage broker, etc. – have a secure vault set up to share files. Never send financial documents in regular attachments.
Second, freeze your credit if you’re not filling out any credit-related application. If you get a credit card stolen, it’s a headache. But if you get your identity stolen, that could be years of pain and hardship.
To do this, you contact the three credit bureaus and request to freeze your credit. Then, if you ever need to do something with your credit, you unfreeze it, do the application, and then freeze it again.
Yes, I always recommend that to clients. Are there any other emerging trends or evolving cyber threats that we should be aware of?
Well, AI is one. Now that ChatGPT is available and AI is booming, cyber attacks are becoming more sophisticated. Just as we might use AI to make some of our everyday life easier, so are the cybercriminals.
Deepfakes is a big one. If your voice is on the internet – in audio or video – it can be used to create a deepfake (a synthetic media digitally manipulated to replace one person’s likeness convincingly with that of another).
Because remote work is more popular, people are spending more time on less secure networks in their home. So, those attacks are more frequent. It used to be that if you got your data encrypted, you were safe – when hackers would request money, most people had backups. But now, they can also steal your data and sell it.
With that comes increased regulation. I feel like all businesses – especially those that deal with people’s personal information – are going to be under increased regulatory scrutiny.
Yeah. I’m hearing that some companies are banning their employees from using ChatGPT, because they don’t want to risk the machines from learning any private, sensitive information. And the deepfake stuff is concerning, too.
For sure, and the growth in AI is only accelerating.
Exactly. Well, Mikhail, that sums up all the questions I had for you today. Thank you for your time and expertise. Before we close out, I know that cybersecurity is just one aspect of the work you do. How best can a listener learn more about you, and more about the services offered through Zaks Technologies?
Your listeners can go to my website, zakstechnologies.com. If you want to learn more about my business, there is a Contact Us form there. I’d be happy to discuss cybersecurity, as well as the other services. I’m also on LinkedIn.
Great. We’ll link to all the resources discussed in the show notes. Thank you again, Mikhail, and thank you everyone who tuned in today. Don’t forget to follow The Agent of Wealth on the platform you listen from and leave us a review of the show. We are currently accepting new clients, if you’d like to schedule a 1-on-1 consultation with our advisors, please do so below.