As a business and community focused bank working all day, every day with business leaders, we discuss what's effective in highly successful businesses today. Each episode features an interview discussing business practices on topics such as: company culture, fraud prevention, change management, economic data, wealth management tips, and more.
You can find more content like this on our website: https://www.nw.bank/newsroom/education/podcasts
Northwest Bank. Equal Housing Lender. Member FDIC.
Welcome back for another episode of the Northwest Bank podcast. I'm your host, Luther Lampert, director of digital banking strategies with Northwest Bank. On the show today, we're gonna be talking about ways and best practices to safeguard yourself and your information when you're online. I had the chance to sit down and chat with Matt Nickel. Matt is an information security analyst with Northwest Bank.
Luther Lampert:Matt has his master's degree in cybersecurity from Dakota State University, and he has been working for Northwest Bank for nearly fifteen years. Matt's gonna discuss some different ways to protect your devices prior to even getting online, and also talk through some password hygiene tips and tricks to keep yourself safe when you're surfing the web. Matt, thanks for joining me today.
Matt Nikkel:Hey, thanks, Luther. Happy to be here.
Luther Lampert:With so many different cybersecurity threats out there, Matt, I think sometimes it can seem a little daunting to somebody who doesn't know everything that's going on and what to look out for to even get started and feel like they're protecting themselves online. So from your point of view, what are just a few basic measures that anyone listening can take to protect themselves when they're online?
Matt Nikkel:Yeah. That's a really good question and one that I get a lot. You know, there's as I was thinking through this, there's I would probably separate this into a couple of categories before we even start browsing or thinking of that threat. One that I would really want to maybe put some focus on is securing your equipment first in your home network. A lot of people don't even think about this.
Matt Nikkel:Right? There's you know, if you're running a a Windows computer, is your Windows patched and up to date? Is your Android and iPhone up to date or your your Mac OS up to date, etcetera? Like, those are critical things. A lot of the the data breaches that happen are tied to unpatched vulnerabilities, and a lot of them aren't even necessarily that new or recent.
Matt Nikkel:And so that's just having good hygiene around patching your your software and your operating systems and keeping those up to date is a pretty big deal. In fact, Windows 10 just went end of life in October, and so if you're on Windows 10, that's not good. You you wanna get updated as soon as possible to Windows 11 if you can. You know, other other things to consider even on that front are are the third party applications, we call them, that are installed on your computer. This could be like Adobe Reader, your web browsers, you know, your Zoom app, things of that nature.
Matt Nikkel:Just the software that you have, are you keeping those up to date? And then kind of another one is just your system drivers. Whatever manufacturer you have of a computer, for instance, like a Dell or HP, a lot of times they'll have a little application you can run that will will go and check for driver updates, and it's just good to keep everything updated, your operating system, your software, your drivers, etcetera. You know, kind of another thing to another way to keep your home network secure and safe is, you know, we a lot of us have Internet of Things devices on our home network these days. Right?
Matt Nikkel:I think five years ago, people thought that would never really happen, and now it's way too convenient to not have them. But a lot of times those types of devices don't get patched. They're totally insecure out of the box and have default passwords, you know, communicating with countries that you might not be aware of, etcetera. And it's hard to keep on top of it. Like, how, you know, how can we patch everything?
Matt Nikkel:It is very difficult. So probably one recommendation I would make for people in their homes at least is if they have a way to separate out, you know, the devices that they use like their computers and phones, etcetera, from kind of those more dangerous devices. By dangerous, I just mean they're not patched regularly. The Internet of Things devices, you know, your anything that will automate your home functionality. Right?
Matt Nikkel:There's tons of them. If you can separate those out, that will give you a good safeguard there. And every home router and firewall is different, but a lot of them have, like, a guest network functionality. So I just recommend putting those types of devices on your guest network. That'll keep that traffic separate from, you know, the the types of devices you have that are going out to sensitive sites like, you know, your social media or your email or online banking, etcetera.
Matt Nikkel:So that's another thing. And making sure that your firewall and routers are are up to date and upgraded. You know, a lot of those, we turn on once and we set it up and never touch it again or think about it again. And some of those devices will run for years without being updated or patched, and you you have no way of knowing if they're actually still supported or secured. And so I would definitely check on those and limit.
Matt Nikkel:Another thing with those is limit the management to be on your network and not publicly manageable is another thing too.
Luther Lampert:So Matt, along with that, you know, how what can somebody do to make sure that their devices are are patched or their software is up to date? Are are there best practices there? Is it is it just can it be as simple as turning on an auto update feature? Or how do you stay on top of all the different versions on all your different devices?
Matt Nikkel:Yeah. That that's a great question. I think, you know, in the Windows world, when you configure a home device, there's definitely an opportunity to select auto update, and it should it should do that. One thing it might not do is update the operating system, you know, automatically. So if you have Windows 10, you might just need to tell it to upgrade to Windows 11.
Matt Nikkel:So this might be as simple as, you know, clicking on the Windows icon, going to your settings, checking for updates, and seeing what's available. For your mobile devices, you know, there are automatic updates available. I found that on some of those, it doesn't actually ring true. And so it's still a good thing to check frequently, for sure. You know, however you may, but there's not an easy answer, Luther, and I would probably recommend just setting a reminder to check things, you know, on some sort of cadence.
Matt Nikkel:And when it comes to, like, software on your computer, that's another one too. Some of the some of the web browsers do a good job of letting you know, like, if you're the kind of person that rarely shuts off your computer or closes your web browser, you you'll usually see an indication in in the web browser that an update is available and you need to close it in order to get that update. And in other programs, if they don't auto update, you know, there's usually a menu bar option, like click on the help tab, you know, check for updates, or, you know, find out about your web browser or whatever other software that you're running. So I would say there's not the easy button, but there are some ways to automate it. And, honestly, you just there just needs to be some diligence in in checking for those things on some sort of a cadence.
Matt Nikkel:And the older I get, the more reminders I get myself to check things like that.
Luther Lampert:So once you feel like you've got your arms around, you know, your hardware and your software that they're patched and ready, once you get online, what are some different ways that you can go about protecting yourself?
Matt Nikkel:Yeah. Yeah. Good question. There there's the heart of the question too. Right?
Matt Nikkel:Yeah. I I think everything I addressed so far was just making sure you're you're starting out at the starting line and not way behind. Right? Once all those things are updated, patched, you're good to go. There's, you know, a few key things I would probably recommend.
Matt Nikkel:Number one, make sure your browser is updated. We talked about that one already. You know, another one that I see probably when talking with friends and family that have some problems with having clicked on something. I would say 80% of the time, it's the result of searching for a topic and clicking on the result kind of blindly without really knowing what website it's taking you to. A lot of those underlying sites can be you know, could have been compromised or maybe there's an ad on it that you know, an advertisement that would maybe try to install something malicious or take you somewhere else.
Matt Nikkel:It's just tough to know. You know, you can kinda hover your mouse over those results to see where it's gonna take you, but I would probably my number one recommendation is if there are websites that you know you want to go to, just type that address in the address bar of the web browser instead of googling and clicking to go to it. And, you know, a lot of times, I think we've all heard of those pop ups, like, from Microsoft, quote unquote, Microsoft support, right, that want you to call in because they found something on your system and and those things just don't happen. Microsoft doesn't work that way, but a lot of people don't understand how that works and are susceptible to those kinds of attacks. So in that case, your system might not even be compromised, but just this pop up happened to come up.
Matt Nikkel:And usually it's from, you know, Google searching and just clicking on results kind of blindly. So that that's one way. You know, another thing that you could do, a lot of websites will track the people that go to their sites in various ways with tracking cookies, etcetera. And so there are ways that you can kind of privatize your browsing as much as possible. Every web browser has a private mode or incognito mode, and and what that does, it'll typically lock or clear out things like trackers and and cookies and browsing history once you close the browser.
Matt Nikkel:So it's a little bit of better protection. There's also ways to kind of anonymize your traffic through web browser extensions that might block some of those ads and just the kind of the bloat that comes with the web traffic that you get, things like uBlock Origin or Privacy Badger, etcetera. Another one, Luther, I would probably recommend, and this one's a little not controversial, but it's kind of a a love it or hate it kind of thing is a personal VPN, a virtual private network. I feel like we hear them advertised all of the time, and it's not the end all security solution, but it definitely is beneficial, especially if you're in a public Wi-Fi scenario, like if you're ever staying at a hotel or at a coffee shop, somewhere where it's not your wireless controlled by you. You know, you don't really know who's configuring it, how's, you know, safe and secure it is, whether there's anyone on the same wireless network that might, you know, be up to a little bit of no good.
Matt Nikkel:In those cases, a a private VPN or personal VPN can help out. You know, it does kind of anonymize some of your traffic so that your local Internet service provider can't really market that. It also kind of adds an additional layer of encryption to your traffic. So those are some good measures. But one of the main ways to secure your traffic online is also to make sure you have a good endpoint security program or software on your computer.
Matt Nikkel:And and there are different levels of endpoint protection out there for sure. But some of them include the ability to, like, help protect your Internet traffic or block sites that are known to be bad just through that company's own threat intelligence. And so there's kind of there are some suite of endpoint security applications that can help kinda do all of those things, and those are worth looking into for sure. And then probably one of the final things I would say, and I know we'll get into this topic later, is just good password hygiene and management. And some of those all in one suites will even include their own password manager too.
Matt Nikkel:But that's why I would say, you know, it's it's really making sure your stuff is updated and and secure, making sure that you're you're giving some, you know, critical thinking to the websites you're visiting and not just blindly clicking on things, protecting your your traffic, you know, through anonymizing some of that as applicable and then just having endpoint software.
Luther Lampert:And Matt, at the end there, you mentioned, you know, strong password hygiene. As you know, I think everywhere that I log into, it seems like password requirements are getting longer and longer with more special characters and things like that. So what, one, what makes a strong password? And two, do we actually see a difference in the level of protection gained by having these longer, more complex passwords?
Matt Nikkel:Yeah. That's that's a a really interesting topic. That's changed a lot, you know, in the last five to ten years too. It used to be, you know, that an eight character, quote, unquote, complex password was all you needed. And by complex, you know, some definitions of that just mean you're including things like uppercase and lowercase letters, numbers, and symbols, etcetera.
Matt Nikkel:But really, I guess, just so people understand, when we talk about having a strong password, the goal is that it can't be cracked quickly. And by cracked, meaning guessed. There are programs out there that will try to guess different passwords. And so, yeah, the shorter the length of the password, the easier it is to crack or the less amount of time it takes to crack it. I would say from what I read from things like NIST, they will recommend probably 12 to 15 characters, and that's probably not a bad recommendation.
Matt Nikkel:And you also want some of those complexity markers. But the other thing to think about is it can meet those qualifications and not really be complex. Right? If your password is Fall2025ExclamationExclamationMark, you've hit all the indicators. Right?
Matt Nikkel:You have the uppercase letter, lowercase, number, and symbol, and you might have even, you know, hit a 10 character mark or more, but some of those are still easily cracked or guessed, and that's because some attackers use what's called word lists. And so it's just a list of already generated passwords or passwords based off of common words, and so those are still gonna be easy to crack. So I guess to get back to your question, it's it's really complexity and length. Yeah. And a lot of the current recommendations are around passphrases.
Matt Nikkel:So not just, like, a word and number and symbol, but, like, several words involved because as you do increase the length of the password, you know, if you think of that software that an attacker might be using to crack a password, it becomes infinitely longer in time that's required to crack a password as it gets to be 20 characters, for instance. And so passphrases can be things just like a combination of words that don't make sense but are easy to remember. You know, I think I saw online. There there's an online tool by Bitwarden that you can go and enter in a potential password, and it'll tell you how long it takes to crack it. And it and it's making a guess for sure, but it's probably a good indicator of password strength.
Matt Nikkel:And if you had something like the example I saw online was BlueElephantDances at midnight. Right? That one takes centuries to crack. But if, you know, if you only had half of that password, it might be a year or less. Right?
Matt Nikkel:So the complexity matters. The length matters a lot. In fact, probably the most. And there's other ways to kind of obscure a password. Some people will will substitute symbols for or numbers and symbols for different letters, you know, the vowels and and things of that nature, but I would say making it complex and, you know, 12 to 15 characters is a great start.
Matt Nikkel:The other thing is you don't wanna use a password that's already been compromised. And so this goes back into another topic of data breaches. And so credentials that have already been compromised, and those are usually published, and you don't wanna use a password that that's already part of one of those lists because then it's been it's one of the tools that an attacker might use to try to guess your password. And so there's a website we can link in the show notes, haveibeenpwned.com, which you can either enter your email address and it will search to see if your email address is part of any data breach, which is useful information. And the other thing you can do is you can search by password.
Matt Nikkel:So you could say, is this password part of any past data breaches? If not, it might be a good contender for something to use. So, I don't know. And at the end of the day, I think passwords are a tough topic because the recommendation is to make them long, complex, and they should all be different. And how on earth are we supposed to remember all these passwords?
Matt Nikkel:And that's where really a great answer is to have a tool such as a password vault or password manager that can manage those for you. And some of these are are a paid type of program, some are free, but I just always caution people, you know, you get what you pay for. So, but the idea here is you come up with one really good password to unlock the password vault. And then at that point, use that vault or manager to create all the other passwords for you and have them be unique and different from each other. And you can choose the length to be 20 characters and complex or whatever and they're all different and that's a really good methodology to have with your accounts because I think of this scenario too, let's say your email address and password for some online account was compromised.
Matt Nikkel:You know, if I'm an attacker and I have access to that information, you can guarantee I'm gonna hit every personal email provider out there, every social media provider and test those credentials to see if you use the same password at multiple sites. That's not some of you might be squirming in your seats right now. That's not a good practice to have. So you wanna have different credentials for different sites that are unique for sure.
Luther Lampert:Well, I'm glad to hear you recommend the use of those keepers, those password storing softwares because, you know, trying to think of all the different all the different logins that I use in a given day, whether that be just on my phone or once I get to work, I think by the time I sit down and I'm logged into everything at work, I've logged into 15 different places on any given day. So to try and remember all those and keep that straight is a daunting task. So that's why I think a lot of us or some of us maybe I might be speaking for myself more than others, you know, have struggled to expand their password pool. And that's why multifactor authentication is being talked about a lot lately because it can offer some more security on top of your password. What are your thoughts on MFA, and and do you feel it's important and why?
Matt Nikkel:Yeah. Yep. Good question. And and I guess even back to what you were saying about managing all those passwords, security is usually not convenient. Right?
Matt Nikkel:And but there are ways to to make it more convenient for you. And if you use a password vault, you know, you might be logging into things on your computer and your phone or multiple computers. There's ways to kind of share those those password vaults and managers in different browsers on different systems to try to make that process as smooth as possible. But, yeah, it's it's we it always comes at the cost of convenience. But when it comes to multifactor authentication, this is probably the number one recommendation I can give to people for any of your online accounts is to set up multifactor or sometimes they're called two factor authentication.
Matt Nikkel:And what this means is if you go to sign in to a a website, you enter your your username, might be your email or your and your password, and then it requires an additional piece of information. And that additional piece of information comes at just that time on a device that's known to be yours. So it might be an SMS text to your phone with a six digit code or something like that, although SMS is really not a a great multifactor authentication mechanism to use today. But there is things like, you know, a lot of companies are kind of automating this too where you go to sign into a website and instead of the password, they might just send you a two-factor code to your email address that you have on file. Or there's authenticator apps, right, like Microsoft Authenticator, Google Authenticator.
Matt Nikkel:But at the end of the day, let's say you have a credential that's been compromised, part of a data breach, and some attacker has this list and they're just trying all sorts of things and they have tools to automate this. So it's not a big, you know, time sink for them. You're set up to require MFA and they don't have access to your MFA, then even though they have your password, you're still protected. And sometimes you might have a situation, I don't know if you have it Luther, I have, where I have a, you know, an entry in my authenticator app that prompts me all of a sudden because some of those have push notifications where you can just say, yes, this is me. I might get one of those prompts when I did not try to log in to the site.
Matt Nikkel:That's kind of scary. Right? I mean, somebody was trying to log in to your account as you and had your password, and the only thing missing was that multifactor push notification or the, you know, the thirty second rotating code that you would have to enter into a site. So is it critical? Absolutely.
Matt Nikkel:Anything any online account that you can set it up with, I would strongly recommend for sure.
Luther Lampert:Some great information there from Matt Nickel, information security analyst with Northwest Bank. That was just the first part of my conversation with Matt. Join us for another episode. We will be talking about phishing attacks and business email compromises and ways to protect yourselves from those sorts of attacks. Everything Matt talked about, great suggestions, best tips, and practices, but is by no means an exhaustive list.
Luther Lampert:There is no silver bullet to cybersecurity. So take all of this and make it part of your security routine. Make sure you have other resources and you're incorporating other best practices to make sure you're keeping yourself safe. We have a plethora of articles and other podcast episodes on our website that talk about cybersecurity. We had a few episodes where I talked with our fraud department manager, Sarah Harvey.
Luther Lampert:You can find those online at nw.bank. We also have a series of articles in our resources section. Head to the newsroom and check out our security and fraud articles. Most recently, we've posted about how to keep yourself safe here as we get into holiday season and all the payments that you're making online. There's also some new information about different fraud and scam schemes that we're seeing in our area.
Luther Lampert:So check that out. You can find those articles and more on the website nw.bank, then click on resources and go to our security and fraud news. Thank you for listening. Keep checking our website for more episodes of the podcast. You can also find us on YouTube, Spotify, Google, and Apple podcasts.
Luther Lampert:Make sure you subscribe to get notifications every time we release a new episode. Thanks again for listening.