by Mike Harvey
Sat Sep 17, 2016
It's not a question of "if"; it's a question of "when". Many small and even mid-sized organizations assume they are immune to the rising number of cyber threats that permeate the global landscape, especially those whose core business is not in the technology space. As these organizations take advantage of the ever-increasing number of cloud service offerings, their exposure increases as well: every hosted mailbox, file share and SaaS login is one more account that can be phished or password-guessed from anywhere in the world.
Cyber-attacks against small organizations have increased dramatically because cybercriminals know these targets have fewer resources to prevent and combat attacks. The recent email scandals plaguing Hillary Clinton, the DNC, and high-profile individuals like Colin Powell underline the proliferation of email hacking, which for cybercriminals is the rolled-up garage door to your information: the mailbox holds years of correspondence and attachments, and it is also where the password resets for nearly every other account get delivered.
What makes email hacking so dangerous is the assumption that email is secure. Email, like any information repository, is only as secure as the practices in place to secure it. For example, according to TownHall.com, immediately following the DNC email hack, DNC staff proceeded to send out new passwords to the users. And how did they do that? You guessed it: by EMAIL, over an already compromised mail system, so anyone still reading those mailboxes received the replacement credentials along with everyone else. Granted, I would not categorize the DNC as a small organization, but the recent examples stated above depict the laziness and sheer ignorance of the potential threat even by mid-sized and larger organizations.
Whether you are an individual protecting your identity, a small business with some intellectual property to protect, or a large political organization with zillions of secrets you don't want to get out, if you do the following things, you will be in the upper 2% in terms of security.
Whether or not your organization's applications, such as email and application accounts, enforce password expiration, make sure you reset your passwords a few times a year at minimum. The more sensitive the information, the more often you should reset it. I recommend that individuals reset their email passwords every 6 months at minimum. Reset immediately, without waiting for the schedule, whenever there is any sign that an account or a service you use has been breached. Rotation is no substitute for using a different password for every service: a password reused across sites is exposed the moment any one of those sites leaks it. For individuals who want to protect their identity this one is also especially important.
Never send passwords by email. This is a simple one, but it is one of the most common causes of unwanted email exposure. Remember, every email sent AND received is available in a hacked account, and that includes the whole archive, so it only takes one account breach in a system for all information available to that account to be exposed. If you need to communicate passwords, do it over the phone, or use a one-time communication service like Onetimesecret.com, which hands the recipient a link that reveals the secret once and then destroys it, protected by a shared key known only to you and the receiver. Send the shared key over a different channel than the link, so an attacker reading the mailbox gets at most one of the two.
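To make the "reveal once, then destroy" idea concrete, here is a small one-time secret store written for this post as an added example. It is not the code behind Onetimesecret.com or any other service; the class and function names, the passphrase-derived keys and the HMAC-based demo cipher are all my own choices. The secret is encrypted under keys stretched from the shared passphrase, filed under a random token (the "link"), and erased on the first retrieval attempt whether or not the passphrase was right, so a guesser gets one try and the intended recipient notices that the secret is gone.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical demo code: not the implementation of any real one-time-secret service.

PBKDF2_ROUNDS = 100_000  # stretch the human-chosen passphrase so offline guessing is slow


def _derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the shared passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream in counter mode.
    Demo-only cipher (a PRF in counter mode); a production service would use a
    vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a crypto library."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), "sha256").digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


class OneTimeSecretStore:
    """Holds a secret under a random token. The ciphertext is deleted on the
    first retrieval attempt (right or wrong passphrase) or after the TTL."""

    def __init__(self, ttl_seconds: int = 600):
        self.ttl = ttl_seconds
        self._items: Dict[str, Tuple[bytes, bytes, bytes, bytes, float]] = {}

    def put(self, secret: str, passphrase: str) -> str:
        """Encrypt `secret` under `passphrase` and return the one-time token (the link)."""
        token = secrets.token_urlsafe(16)          # unguessable link identifier
        salt, nonce = os.urandom(16), os.urandom(16)
        enc_key, mac_key = _derive_keys(passphrase, salt)
        ct = _keystream_xor(enc_key, nonce, secret.encode())
        tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()  # encrypt-then-MAC
        self._items[token] = (salt, nonce, ct, tag, time.time() + self.ttl)
        return token

    def take(self, token: str, passphrase: str) -> Optional[str]:
        """Return the secret exactly once, or None if the token is unknown,
        expired, already used, or the passphrase is wrong."""
        item = self._items.pop(token, None)         # burn on first touch, success or not
        if item is None:
            return None
        salt, nonce, ct, tag, expires = item
        if time.time() > expires:
            return None
        enc_key, mac_key = _derive_keys(passphrase, salt)
        expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
        if not hmac.compare_digest(tag, expected):  # constant-time tag check
            return None
        return _keystream_xor(enc_key, nonce, ct).decode()


if __name__ == "__main__":
    store = OneTimeSecretStore()
    link = store.put("new-db-password-Xy7!", "read this key out over the phone")
    print("first read :", store.take(link, "read this key out over the phone"))
    print("second read:", store.take(link, "read this key out over the phone"))
```

The token is what goes in the email; the passphrase is what goes over the phone. Burning the secret on a wrong passphrase is a deliberate trade: it lets someone who intercepted the link deny the recipient the secret, but it stops them from guessing at the passphrase offline-style, and the recipient finds out immediately that something is wrong.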
Two-factor Authentication is based on the concept of ensuring that you are who you say you are not only by what you know (your password) but also by what you have (for example, a code on your mobile device that changes every 30 seconds). That code is computed from a secret shared between the service and your authenticator app plus the current time, so a stolen password alone is not enough: hackers would need both your password and your mobile device to access your applications. Prefer an authenticator app or a hardware token over codes delivered by SMS, which can be intercepted by convincing your carrier to move your phone number to a SIM the attacker controls.
This one is not always under your control. But as an individual, you can decide to only use services that support two-factor authentication, and turn it on for every account that offers it, starting with email. If your organization does not secure its applications using two-factor authentication, show them your security savvy by suggesting that they do so.
When communicating digitally via email, text/SMS, and chat, assume the information you are sharing is public. My father used to say, "Don't do anything you wouldn't want on the cover of the NY Times." If you feel the need to communicate potentially dicey stuff, do it in person out of earshot of cell phones unless you want it on Youtube. Don't commit to posterity unless you really want it on your tombstone.
Whether or not your organization's applications, such as email and application accounts, enforce strong password policies, make sure your own passwords are strong. Mixing cases, numbers, and special characters helps, but length is the bigger lever: each additional character multiplies the number of guesses a cracker has to make, so a long passphrase beats a short password with a few symbols swapped in. Use a different password for each service, and let a password manager generate and remember them so that length costs you nothing. For individuals who want to protect their identity this one is especially important.
Keep less in the mailbox. This obviously does not apply if your organization has data retention policies that require you to retain information for a prescribed period of time. But if you're an individual like Colin Powell (thanks, Colin, for being such a great example of what not to do), you should have downloaded your Gmail to your local machine, or archived it offline, and removed it from the server. This way, when your account was compromised, the hacker would not have had access to all your emails for the past several years; the damage would have been limited to whatever was still on the server.
Many newer desktops and mobile devices offer biometric authentication. If your device has these features, use them, and make sure device encryption is turned on as well: the biometric lock keeps a thief out of the running device, while encryption keeps the data unreadable if the storage is pulled out and read directly. Together they go a long way toward preventing exposure of your information in the event that your device is lost or stolen. You'll also look really cool to your nerdy friends.
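To show why length beats symbol-swapping, here is an added example (my own code, not from the original post) that computes the brute-force search space a cracker has to cover for a given password and generates a long random one with the CSPRNG in `secrets`. The function names are hypothetical. The figure is a ceiling: real crackers do far better than brute force against human-chosen passwords (dictionary words, "l33t" substitutions, keyboard walks), which is exactly why a machine-generated password from a manager is the safe default.

```python
import math
import secrets
import string

# Added example: brute-force search-space estimate and secure password generation.

# Character classes a cracker must include once it knows (or guesses) which ones appear.
_CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def search_space_bits(password: str) -> float:
    """log2(alphabet ** length), where alphabet is the union of the classes actually present.
    Characters outside the four classes (spaces, non-ASCII) are ignored in the alphabet size."""
    alphabet = sum(len(c) for c in _CLASSES if any(ch in c for ch in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def generate_password(length: int = 20) -> str:
    """Uniform random draw from all four classes using the OS CSPRNG (never the `random` module)."""
    alphabet = "".join(_CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample passwords for comparison.
    for pw in ["password", "P@ssw0rd", "correcthorsebatterystaple", generate_password(20)]:
        print(f"{pw!r:32} {search_space_bits(pw):6.1f} bits")
```

Run it and the point of the paragraph falls out of the numbers: "P@ssw0rd" uses all four classes and still sits around 52 bits, while an all-lowercase 25-character phrase is over 117 bits, and a 20-character generated password is over 130.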
The suggestions above are by no means an exhaustive list of things you can do to protect yourself and your information from the escalating threats of the information age. There are many other things you can do, like monitoring your identity, limiting the information you share on social media, and more, to reduce your exposure as well.
You also may be thinking that these things are a real pain to do. In fact, security is a mindset, and a matter of habit. We all acknowledge that security isn't convenient, but make no mistake that in today's world it is necessary. The fact is that due largely to the boom of social media, the days of "security through obscurity" are over. No one wants to have to do these things. And if you're still not convinced, I have one more suggestion: sell your stuff, buy a fake mustache and dark sunglasses, and go live off the grid. That's really your only option.