6 simple rules of thumb to help protect your information and privacy online
Sep 14, 2011 2:40pm
By Tracy Hulver, Verizon
Millions of dollars are spent each year trying to protect business and government assets and networks from cyber attacks. Time and resources are expended planning and implementing security policies, monitoring for malware and attacks, and developing contingency plans. All of this is to help ensure that only the correct people and resources can access and manage authorized systems and data. Yet, with all of this effort, unauthorized access and compromises still occur at an alarming rate. Attacks are becoming more sophisticated and are increasingly surgical in their precision. So if governments and corporations can’t stop breaches and theft of information, how can an ordinary person protect their identity and private information?
That is a question that can have many answers. The most surefire way to prevent cyber attacks against you and your information is to totally unplug from the grid. If you have no connections and have no information on yourself in electronic form, then all you have to worry about is the old-fashioned mugging. Two problems with that approach: first, in today’s society and economy the ability to prevent any information about you from being online is virtually impossible. Second, even if you don’t share information about yourself, companies or organizations you do business with are storing electronic information on you. Even if you are vigilant and take measures to reduce risks that you can control, you are still at the mercy of someone else to protect your personal information.
That being said, what are some steps you can take to lower risks to your personal information and your privacy?
1. Keep your computer protected with the basics. Rule of thumb: install anti-malware protection and keep it updated. Malware still poses one of the biggest risks to you and your information. While most people have some sort of anti-virus program installed on their computers, there are still an alarming number of people who do not keep their anti-virus software current.
Just as we need new flu shots each year to protect against new strains, computers need up-to-date protection against new viruses, worms, Trojans, spyware, and other nefarious stuff. And, as malware becomes increasingly sophisticated, keeping your computer “inoculated” is the minimum level of defense you need.
2. Choose wisely whom you share information with while online. Rule of thumb: if the website you’re using is the online presence of a company you would do business with in person, then your risk is relatively low. If the online business doesn’t have brick-and-mortal stores, then rely on its reputation and name recognition. And always look for https:// at the beginning of the web address when you reach the point of entering personal or financial information. When using boutique or specialty websites, see if there is a customer service number and try to call it prior to making an online purchase.
3. If given the choice, never allow an online business to store your financial information. Rule of thumb: forego the “ease-of-use” temptation of allowing an e-commerce site to store your financial information. Often, under the auspices of convenience, companies will offer to store your information for future transactions. This information may be stored at the servers of the business, their cloud provider, or hidden on your system somewhere. Although any data you enter is somewhat at risk, data that is entered once and then transmitted is less likely to be compromised than stored data.
4. Don’t use the same user ID and password combinations across all systems and websites. Rule of thumb: try and match the user ID and or the password to a specific application. Passwords are the primary way businesses and organizations grant access and by extension, prevent unauthorized access. However, passwords can also be the weakest link in the chain. And if you’re like most people, to make remembering passwords easier, you use the same one across all systems. The problem with this is obvious; if a hacker can gain access to one of your passwords, chances are he/she can then access most if not all of your logins.
One way to make this manageable and offer a certain level of increased protection is to combine an easy-to-remember password with a specific application or service. Let’s use online banking as an example. Many of us have a user ID and password to access our accounts online. If I use my dog’s name as a common password, combine that the word with “bank” or “money.” So instead of someone going to Facebook and seeing pictures of you and Fluffy and then hacking into your account by using “fluffy” as your password, a cyber criminal would probably have a much more difficult time figuring out “bankfluffy” or “fluffymoney.” You can apply that same approach to all your accounts and still have some ease of remembering your passwords such as “booksfluffy” or “winefluffy.” To increase the strength of the password even further, throw in a numeric value at the end of those passwords such as bankfluffy01. The passwords become stronger yet still maintain a level of manageability.
5. Start using second-factor authentication (don’t worry, I’m going to explain it). Rule of thumb: combining something you know with something you have increases the security exponentially. User ID and passwords are referred to as single-factor authentication. Your password is the primary way to access applications.
Combining that password with something else you have is called second-factor authentication. This method of access greatly decreases the likelihood that a hacker can get into your accounts by using simple tools as social engineering or password guessing. An example of second-factor authentication is using a one-time password generator on your mobile phone. For instance, when I access a system that supports second-factor authentication, after I enter my user ID and password, I am prompted to enter a one-time password that only I have access to via my smart phone. Only when both the password I previously created (fluffy01, for instance) and the one-time password is entered in combination will I be given access. Many businesses already use these tools in the form of tokens.
6. Be careful of social engineering attacks. Rule of thumb: never give personal information out if you have any doubts. Typical social engineering requests appear via email. These emails will appear to be legitimate and can sometimes fool even the security conscious. Never respond via email with personal information such as social security number, bank numbers, or other highly sensitive information. On many occasions these “phishing” attacks will embed a link that asks you to click the link and follow the instructions. The website that appears when you click the link may also look legitimate; however, it’s merely another ploy to get information about you that can be used by criminals.
If you are unsure of an email requesting information, access the website directly from your browser, not the link embedded in the email. And if you’re still unsure, you can always use the old-fashioned method of calling the organization and asking if they did indeed send the email and verify its authenticity. Remember; your bank and most other organizations will never ask you to confirm your account number in this manner.
These are by no means the only security rules to follow, but they should help. It’s all about risk reduction and protecting yourself. By layering these defenses, you at least raise your own awareness of the threats out there in cyberspace and you now have some tools to reduce that threat.
Tracy Hulver drives the strategy and delivery of Verizon Enterprise Identity Services and helps the company manage millions of identities around the globe. He is responsible for helping Verizon customers reduce the risks of identity fraud through better protection of their online credentials. Additionally, Hulver is a member of the Computer Security Institute (CSI), the Armed Forces Communications and Electronics Association, the Information Systems Security Association, and the Cloud Security Alliance. Verizon is a board member for the National Cyber Security Alliance.