Cybersecurity Best Practices
The following is a list of best practices designed to keep individuals and their data safe when connected to the internet.
- Avoid opening emails, downloading attachments, or clicking on suspicious links sent from unknown or untrusted sources.
- Verify unexpected attachments or links from known senders by contacting them via another method of communication.
- Avoid providing your email address, phone number, or other personal information to unknown sources.
- Avoid providing sensitive information to anyone via email. If you must, be sure to encrypt it before sending.
- Be skeptical of emails written with a sense of urgency and requesting an immediate response, such as those stating your account will be closed if you do not click on an embedded link or provide the sender with sensitive information.
- Beware of emails with poor design, grammar, or spelling.
- Ensure an email’s “sender name” corresponds to the correct email address to identify common email spoofing tactics.
- Never open spam emails; report them as spam, and/or delete them. Do not respond to spam emails or use included “Unsubscribe” links as this only confirms to the spammer that your email address is active and may exacerbate the problem.
PASSWORDS AND MULTI-FACTOR AUTHENTICATION
- Use strong passwords on all of your accounts.
- Long, complex passwords make you less susceptible to brute-force attacks.
- Use a combination of upper and lowercase letters, numbers, and special characters.
- Avoid easy-to-guess elements like pets’ names, children’s names, birthdays, etc.
- To reduce the risk of account compromise, account holders should:
  - Avoid using the same password across multiple accounts or platforms.
  - Never share their password with anyone, leave passwords out in the open for others to read, or store them in an unsecured, plaintext file on computers or mobile devices.
- Consider using long acronyms or passphrases to increase the length of your password.
- Enable two-factor authentication (2FA) or multi-factor authentication (MFA) on all accounts that offer it. This will help prevent unauthorized access in the event of credential compromise.
ON THE WEB
- Ensure that any website requesting account credentials, and any website used to conduct transactions online, is encrypted with a valid digital certificate so that your data is secure. These website addresses will have a green padlock displayed in the URL field and will begin with https.
- Avoid saving account information, such as passwords or credit card information, in web browsers or browser extensions.
- Avoid using public computers and public Wi-Fi connections to log into accounts and access sensitive information.
- Consider using ad-blocking, script-blocking, and coin-blocking browser extensions to protect systems against malicious advertising attacks and scripts designed to launch malware or mine cryptocurrency.
- Sign out of accounts and shut down computers and mobile devices when not in use. Program systems and devices to automatically lock the active session after a set period of inactivity.
- Keep all hardware and software updated with the latest, patched version.
- Run reputable antivirus or anti-malware applications on all devices and keep them updated with the latest version.
- Create multiple, redundant backups of all critical and sensitive data and keep them stored off the network in the event of a ransomware infection or other destructive malware incident. This will allow you to recover lost files, if needed.
New resource guide. Take a look at DHS’s new resource guide, Security of Soft Targets and Crowded Places. It’s essentially a one-stop table of contents for DHS’s free materials, including links for help on identifying suspicious activity, access control and screening, active assailants (they’re not just shooters anymore) and bomb threats. Follow the supplied links for an introduction to facility security that can serve as a good first step for houses of worship, schools and other soft targets. Resources include fact sheets, guidance, and online training and education courses.
Mail screening poster. Thanks to the world’s leading geopolitical intelligence platform, Stratfor, for its timely reminder about mail and package screening after an attempted bombing.
- While many questions remain in the case of a parcel bomb sent to a Mexican senator, the largest is why the mail of such a high-level official was not screened.
- While politicians and large corporations clearly must take significant measures to screen their mail, even ordinary people (and Jewish organizations) should open their mail cautiously.
- Simple steps can help everyone from the largest entities to the average citizen.
Note that Cesar Sayoc, 57, admitted in court to having mailed 16 explosive devices to a variety of officials and to CNN’s offices in October 2018. He allegedly said he would “eradicate the Jews” if he had the power to, along with lesbians, black people and Hispanic people.
We urge you to download the tips found on the Stratfor graphic and share it with your staff and others.
Deputy Commissioner for Intelligence & Counterterrorism
May 23, 2019
The Celebrate Israel Parade is an important, annual event in New York City. The NYPD and our law enforcement partners work with the parade’s producer, the Jewish Community Relations Council, to try to ensure that every participant and spectator will be safe. There will be a large detail of NYPD officers protecting the participants and spectators, supported by an array of counterterrorism tools and measures designed to ensure everyone’s safety.
The NYPD works with the FBI and has over a hundred detectives assigned to the Joint Terrorism Task Force (JTTF). The NYPD closely monitored the progress of the Jonathan Xie investigation, culminating with his arrest Wednesday in New Jersey. I can add that as of this time, there are no known, specific, or credible threats to New York City, the parade, or the Jewish community.
From NY DHSES
- FY 2019 NSGP Request for Applications Updated
- FEMA Clarification on Contracted Security Personnel New
- FY 2019 NSGP Investment Justification
- Vendor Responsibility Questionnaire (pdf / doc)
- FY 2019 NSGP E-Grants Tutorial
- AEL List
- NSGP FAQs – Updated
Click here for the JCRC-NY updated Investment Justification tutorial.
From the NY DHSES FAQs
Question: What makes a strong Investment Justification?
- Clearly identified risks, vulnerabilities and consequences;
- Description of findings from a previously conducted vulnerability assessment;
- Details of any incident(s) including description, dates, etc.;
- A brief description of any supporting documentation (such as police reports or photographs) that is submitted as part of the application, if applicable;
- Explanation of how the investments proposed will mitigate or address the vulnerabilities identified from a vulnerability assessment;
- Establish a clear linkage with investment(s) and core capabilities (See National Preparedness Goal); see http://www.fema.gov/national-preparedness-goal for information on core capabilities;
- All activities proposed in the application are allowable costs per the FY 2019 NSGP RFA;
- Realistic milestones that consider the Environmental Planning and Historic Preservation (EHP) review process, if applicable; and
- Description of the project manager or managers’ level of experience.
Qualifying New York City nonpublic elementary and secondary schools with an enrollment of more than 300 can be reimbursed for the cost of certain security guard services (see the Final Adopted Rules for the program). They must “prequalify” online using the HHS Accelerator. Eligible schools should have already received a notice from NYC.
Note: The NPS Program 2019-2020 application filing period is open as of March 1, 2019 and will close on May 15, 2019.
New! Worried about cash flow? Interest-free financing is available for NYC-area projects/expenses covered by security grants, including this program. These loans are intended to ensure that cash flow timing issues do not prevent qualified organizations from applying for security grants. For more information, see: https://hfls.org/loan-
Do not delay. After completing the HHS Accelerator you will be contacted about signing a Memorandum of Understanding (MOU). A qualified nonpublic school will not be eligible to apply for reimbursement for any security services until an MOU has been signed by the school and registered with the Comptroller. Only expenses incurred after the signing of the MOU will be reimbursable.
Please reach out to the DCAS Nonpublic School Security Reimbursement Program at 212-386-0040 or ContactDCAS@dcas.nyc.gov if you have any questions.
New York City Department of Citywide Administrative Services
Attn: Nonpublic School Security Reimbursement Program
1 Centre Street, 17th Floor North
New York, NY 10007
Security Vendors: 212-386-0428
Fax #: 646-500-7142
You can email the Nonpublic School Security Reimbursement Program for more information.