Columbus, Ohio — Cyber security maven John Prost laid out a sobering portrait of hackers — and not just computer hackers, but thieves who use the telephone, too — at the Environmental Health and Safety Summit July 18-19, sponsored by the Manufacturers Association for Plastics Processors.
"A determined hacker can hack almost anyone or any company," said Prost, the director of information technology at Mueller Prost LC, a St. Louis accounting and business adviser firm. Even with more than 20 years of IT experience, he said he works hard to stay informed about cyber security since the bad guys are smart and always trying new things.
He gave the advice you always hear: Create strong passwords and don't use the same password for multiple sites. Prost said he has colleagues who write down their passwords on sticky notes and post them on their computer; don't do that! Don't use your children's names, or your own name, even as part of a complicated password. "People who are targeting you, that's the first thing they will try," he said.
Prost also recommended two-factor authentication on every account, even social media.
"Yes, it's a pain. But security is a pain, but it's necessary," he said. Security breaches at big companies and retail chains are increasingly common, which is another argument for using a different password on every account.
Passwords should be at least eight characters long and include upper- and lowercase letters as well as numbers, he said. You can sign up for an encrypted password manager that stores all your passwords and updates the stored entries automatically when you change them.
Hackers have dictionary-based computer systems that can run through a huge number of possible passwords and figure them out, Prost said.
"If they have your password, they have everything," he said.
Hacking by phone, where a hacker creates a fictional persona to get information, is common, Prost said. It's known as "vishing," the telephone version of "phishing." The hacker will find out as much information as possible from social media, such as names and titles of employees, charitable work or hobbies. They will call multiple people in the company. Out-of-office auto-reply emails announcing that a key person is on vacation give the hacker valuable knowledge.
"You do not want your Facebook account to get hacked because that is a cybercriminal's gold mine. You'll have your kids' names, your pictures, friends. Everything you'd ever need to mount an attack," Prost said, encouraging the use of two-factor authentication.
Prost said one common scam is to call, pose as a company executive, and ask an employee to make a wire transfer of money, saying, "I'm in a meeting. I can't talk now, just wire the money now. We need to get this done."
Telephone scams have been around since before the computer age and they are still commonly done today, Prost said.
"These guys are smart. They do their homework," he said.
The IT specialist also talked about ransomware and malware and a few safety conference attendees told stories about how their companies got hit. Employees need to be cautious about opening unfamiliar emails, especially those with attachments or zip files, Prost said.
"Never open a zip file," he said.
A company can use good security, but the employees are the weakest link, he said.