By Andrew J. Cohen
The attacker knew the target’s occupancy patterns precisely. He knew when the building was staffed and when it was empty. He knew when the students crowded in for Shabbat, and when staff arrived and departed each day. He knew all this because the building’s security cameras offered a clear view of its public spaces, hallways and doorways. The attacker had surreptitiously accessed the building’s security system and monitored the footage closely as he planned his assault. All the while, the staff were unaware they were being watched.
Thankfully, the above scenario is fiction. To my knowledge, no Jewish organization’s security system has ever been hacked in this manner. But these types of breaches have occurred elsewhere. Last year, multiple American families discovered that their baby monitors were monitoring them. Parents were shocked to hear a hacker’s voice coming out of the baby monitor, describing what he was seeing in their homes.
The hacker gained access to the baby monitors because the parents had set up the device with passwords they had used on other websites, which had been compromised months, or even years, earlier. Those passwords were now available on the “dark web” for purchase.
We live in a world where physical security and cybersecurity are converging. A growing “Internet of Things” opens up new threats that haven’t occurred to most of us. Meanwhile, employees at Jewish organizations have often lapsed into bad habits and are not prepared to guard against these risks.
The potential consequences are dire. A recent Anti-Defamation League report said that 2018 was the third-highest year on record for assault, harassment and vandalism against Jews. We are under a daily assault by anti-Semites and criminals seeking to damage our reputation, capture our personal information, steal our money or do us physical harm.
With that in mind, here are five critical steps Jewish organizations must take now to increase their cybersecurity:
1. Provide Password Managers to Your Entire Staff
For years, system administrators have hectored their users to create strong passwords and change them often. Users responded by creating a few memorable but weak passwords that they used for nearly everything. Consequently, much of the planet is using the same password for both Facebook and their bank. Hackers know this, and they already uncovered your users’ “strong” passwords when they breached Yahoo years ago. We discovered that one staffer used the same password on her work email that she used for over 100 websites she had visited. People should never reuse a password, because they don’t know where it has been.
To cultivate better habits, give a password manager to every one of your users. Train them on how to use it. Insist that the passwords must be unique to each website or service. Mandate that passwords be at least 12 characters in length, if not longer. Insist that the passwords be randomly generated. And, most importantly, have them securely store each password in the password manager.
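As an added illustration (not code from the article or from Hillel International), this Python sketch enforces the rules above: at least 12 characters, randomly generated, no reuse across services, and a check against a breached-password corpus by SHA-1 hash prefix so the full hash is never sent to the lookup. The breach corpus and the `range_query` lookup are constructed stand-ins for a real breach-check service.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a breached-password corpus: passwords exposed in old
# site breaches and later resold. A real deployment would query a breach-check
# service by hash prefix; here the corpus is a local set so the demo runs offline.
CONSTRUCTED_BREACH_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123", "Summer2019!", "letmein", "shalom1234")
}

POLICY_MIN_LENGTH = 12  # the article's recommended minimum


def range_query(prefix):
    """k-anonymity style lookup (assumed protocol shape): the caller sends only the
    first 5 hex characters of the SHA-1 hash and receives every matching suffix,
    so the service never learns the full hash of the candidate password."""
    return {h[5:] for h in CONSTRUCTED_BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password):
    """True if the password's hash appears in the (constructed) breach corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


def generate_password(length=20):
    """Randomly generate a password with a CSPRNG, as a password manager would."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_policy(password, vault):
    """Return the policy violations for a new password.

    vault maps service name -> password already stored, so reuse across
    services can be detected before the new entry is saved."""
    problems = []
    if len(password) < POLICY_MIN_LENGTH:
        problems.append("shorter than %d characters" % POLICY_MIN_LENGTH)
    if password in vault.values():
        problems.append("reused from another service")
    if is_breached(password):
        problems.append("appears in a known breach corpus")
    return problems
```

A generated 20-character password passes all three checks, while a short, reused or previously leaked password is rejected with the specific reason.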
At Hillel International, we have provided free 1Password accounts to all employees and their families, so they can be safe whenever they use the internet. Some users were wary of them at first, but adoption ticked up when we announced that we would only be sharing our building’s Wi-Fi password via the manager. We found 1Password to be the best mix of security, features and usability. It allows our users to securely share passwords when needed (e.g. for our social media accounts). It also securely synchronizes users’ passwords across every device they carry. Other trusted password managers include KeePass, Dashlane and LastPass.
2. Mandate Multi-Factor Authentication
Because even the strongest passwords can leak, every login needs a second layer of defense. Therefore, require multi-factor authentication (MFA) for all services. MFA is particularly critical for your users’ email accounts because that’s where many breaches begin.
At Hillel International, we now require that all users provide a randomly generated code when logging into Microsoft, Google and other major services. This additional step was new to our staff, and there was some initial resistance. To smooth the transition, we held an individual meeting with every staffer to implement MFA and ensure that all of their accounts were set up correctly. In addition, every new professional gets a personal onboarding session with our department that includes an MFA setup. It has not only improved our security posture, but it has strengthened our relationship with our users.
3. Educate and Test Your Users
Users are their own worst enemy, and it’s not their fault. Thanks to social media and large-scale breaches of various online services over the years, hackers know a lot about them. At this point, you must assume that hackers know your staff members’ birthdays, Social Security numbers, mothers’ maiden names, boss’s name and perhaps even the make of their first car. Hackers use this information against them. They will send them authentic-looking messages that attempt to trick them into entering their passwords into a bogus site (known as phishing) or into sending money.
Educate your users about these threats. First, baseline your users’ security knowledge and behaviors. Test them by conducting simulated phishing campaigns using vendors such as KnowBe4, PhishMe and Proofpoint (Hillel International currently uses KnowBe4). Follow this baseline testing with mandatory training modules to help them understand and recognize risks. Then, test them again a few months later to track their progress. Rinse and repeat annually, and require all new staff to complete the training. In our testing, 37% of users fell for our baseline phishing test. The failure rate dropped to 13% following our cybersecurity awareness training.
4. Secure Personally Identifiable Information
Jewish organizations’ most valuable asset is the trust of their supporters, partners and program participants. When you engage with them, you naturally collect Personally Identifiable Information (PII). PII is any data that could potentially identify a specific individual, including birthdates, contact information, account numbers and even full-face photos. A significant breach of your constituents’ PII could be a death sentence for your organization.
Therefore, ensure that your staff know how to handle PII. This is a complex topic, but start by insisting that PII is never, ever shared via email attachments. Use Box, OneDrive or Google Drive to store (and share) the spreadsheets containing your people’s data. Next, be sure that access to your CRM and other databases is limited to those who really need it. Finally, educate your staff regarding the regulations that affect your operations. It’s an alphabet soup of international requirements: FERPA, HIPAA, GDPR and others. Write up clear operational procedures.
While you’re at it, be sure to safeguard your staff’s own personal information. Sadly, we decided to remove our staff directory from the Hillel website earlier this year because too often our email list was being used to send anti-Semitic messages to our entire staff. Fortunately, we have a private intranet for our staff and affiliates. All contact information is now safely shared there instead.
5. Patch Software to Close Vulnerabilities
Every software program has vulnerabilities. Fortunately, there are thousands of trusted security professionals dedicated to exposing them and reporting them to the software publishers for remediation. But it’s on us to ensure that, once exposed, these vulnerabilities are closed before hackers exploit them.
Thus, it’s important that you keep up with software updates for everything from your browser to your operating systems and server software. I recommend installing remote monitoring software on every computer so that you can push software updates as needed. Device management is a complicated topic, and there are dozens of products available. If you don’t have internal resources available to monitor and maintain the software running within your organization, hire or contract that expertise right away.
In the end, even the best planning can’t eliminate all risks. But by implementing the preceding steps, you will significantly reduce your organization’s exposure and help keep your people safe.
Andrew J. Cohen is vice president for technology strategy & operations at Hillel International.