Privacy and security may seem unattainable. Every day, we learn of some new hack, some new incident in which a trusted partner or service exposed or sold our information.
Securing your business and personal information — the focus of Data Privacy Day on Jan. 28 — takes diligence, consistency, and maintenance. The results may not be perfect. But would you leave your front door unlocked because, after all, someone could break a window and get in? No? Then don't just be a victim. Do something.
Here are five risks and how to better guard against them for both businesses and individuals.
- The biggest risk to any business is its own people: an employee with legitimate access who is tricked into handing it over. Phished credentials were the opening move in major breaches such as those at Sony and South Carolina's Department of Revenue. (Equifax, often listed alongside them, was instead entered through an unpatched web application, which only underlines that people and patching are both part of the job.) Employees, regardless of seniority, need training to help them recognize ever-more-convincing phishing and whaling emails. You also need an easy way for employees to report suspected phishing, and a habit of telling the rest of the staff about the attempts that were caught. We've talked about this before, but it is still the biggest issue for your business.
- Keep your data inside your business, where your internal network security can best protect it. To do that, businesses need to stop employees from carrying sensitive information out of the office. Several large breaches have involved the theft of unofficial copies of databases sitting on a company laptop or USB drive. Block USB storage and external drives on desktops, but give employees a secure alternative for reaching data remotely. Start by limiting data access to the people who really need it; then set up a VPN for remote access. The VPN does double duty: it also protects your employees' traffic when they use public Wi-Fi on the road.
- Do former employees still have access to your network and data? There's about a 50 percent chance they do, according to researchers at the identity management company OneLogin. The company surveyed 500 CIOs and found that nearly half of them knew that former employees still had access. (Don't get me started on why they aren't doing something about it.) Start the year off right by getting IT and HR together to compare the HR roster against the list of enabled accounts, and to check whether each person's access level still matches their job. Then make disabling accounts part of the same-day checklist whenever someone leaves.
- Don't keep what you don't need. That's a keystone of security. If your business doesn't have an email retention policy, it needs one. Employees cannot be left to their own devices on this. But think beyond the desktop as you develop it. In the mobile-device age, employees read email on several devices, and once a message is on a nonwork device it is out of your control. Employees can forward it, save it to another location, or move it to an online service unconnected to work. So even if that email is deleted from their work accounts, it may live on in places you cannot see and, more worryingly, places that are easier to break into. Never send sensitive information (credit card numbers, Social Security numbers, passwords) or copies of databases containing client or proprietary company information through email, because you just don't know where it will end up.
- Got a website? Then you've got a possibly overlooked security issue. Chances are another company maintains it, which means they should be regularly applying security updates and patches for the site's software and its plugins and third-party components, and reviewing the site's logs and analytics for signs of attempted exploits or nuisance spammers. Ask them to report the status of these items. Your site deserves particular attention if it has public-facing forms (like contact forms) or accepts credit cards; card payments are best handed off to a payment processor rather than collected and stored on your own site.
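The IT-and-HR comparison described in the former-employees item above is mechanical enough to script. The following is an added example written for this page, not code from the column or from OneLogin; the roster, the account export, and the role-to-group policy are all constructed sample data, and the column names are assumptions about what an HR system and a directory export would give you.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample data: an HR roster and an IT account export (not real people).
HR_ROSTER_CSV = """employee_id,name,status,role
1001,Ann Lee,active,accountant
1002,Bob Ruiz,terminated,sales
1003,Cy Park,active,intern
1004,Dee Shah,active,admin
"""

ACCOUNTS_CSV = """username,employee_id,enabled,groups
alee,1001,true,finance
bruiz,1002,true,sales;vpn
cpark,1003,true,domain-admins;vpn
dshah,1004,true,domain-admins
svc-backup,,true,backup-operators
"""

# Assumed policy: the groups each job role is expected to hold. Anything beyond
# this is "excess access" and should be reviewed.
ROLE_GROUPS = {
    "accountant": {"finance"},
    "sales": {"sales", "vpn"},
    "intern": {"vpn"},
    "admin": {"domain-admins"},
}


@dataclass
class Finding:
    username: str
    issue: str      # former-employee | no-owner | excess-access
    detail: str = ""


def reconcile(hr_csv: str, accounts_csv: str, role_groups=ROLE_GROUPS) -> list:
    """Compare enabled accounts against the HR roster and the role policy."""
    people = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing to do
        user = acct["username"]
        emp = people.get(acct["employee_id"])
        if emp is None:
            # Service accounts and orphans: someone must own them, or they stay forever.
            findings.append(Finding(user, "no-owner", "enabled account not tied to anyone in HR"))
            continue
        if emp["status"] != "active":
            findings.append(Finding(user, "former-employee",
                                    f"{emp['name']} is {emp['status']} but the account is enabled"))
            continue
        groups = set(filter(None, acct["groups"].split(";")))
        extra = groups - role_groups.get(emp["role"], set())
        if extra:
            findings.append(Finding(user, "excess-access",
                                    f"{emp['role']} holds {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER_CSV, ACCOUNTS_CSV):
        print(f"{f.username:12} {f.issue:16} {f.detail}")
```

Run against the sample data it flags the terminated salesperson whose account is still enabled, the intern who has somehow ended up in the domain administrators group, and a service account nobody in HR owns. In a real environment the two CSVs would come from the HR system and a directory export (for example `Get-ADUser` on Windows), and the findings would go to the managers who can confirm or revoke.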
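The "never send card numbers or Social Security numbers through email" rule in the retention item above is the kind of thing a mail gateway can enforce. Below is an added example of that check, written for this page and not taken from the column: it looks for card-number-shaped digit runs and only reports the ones that pass the Luhn checksum every real card number satisfies, and for SSN-shaped strings that are structurally valid, so order numbers and phone numbers don't trip it. The email text is constructed, and the card number is the standard 4111 1111 1111 1111 test number.

```python
import re

# A run of 13 to 19 digits, optionally separated by spaces or dashes, as people type card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Area-group-serial with dashes; phone numbers have a different shape and don't match.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every card number passes it, so most random digit runs are filtered out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_sensitive(text: str) -> list:
    """Return (kind, value) pairs for card numbers and SSNs found in the text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group()))
    return hits


def should_block(message: str) -> bool:
    """Gateway decision: hold any outbound message that carries card numbers or SSNs."""
    return bool(find_sensitive(message))


# Constructed outbound message: one real-shaped card number, one order number that
# merely looks like one, one valid-looking SSN, one impossible SSN, one phone number.
SAMPLE_EMAIL = """Hi, here is the card to put on file: 4111 1111 1111 1111, exp 12/27.
Order ref 1234567890123456 shipped today.
Her SSN is 123-45-6789; the old form listed 000-12-3456 by mistake.
Call me at 803-555-0199."""

if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE_EMAIL):
        print(f"{kind}: {value}")
    print("block:", should_block(SAMPLE_EMAIL))
```

On the sample message it reports the card number and the real-looking SSN, ignores the order reference (it fails Luhn) and the impossible 000 area number, and leaves the phone number alone. Pattern matching of this kind is a safety net, not a substitute for the policy: it catches the careless case, not a determined employee who zips and password-protects the file first.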
The three most dangerous words ever voiced — at least as far as your security is concerned — were “plug and play.”
Personal users have been led to believe that someone else is taking care of their interests. It’s not the case, and with each new technology leap, from smartphones to internet-connected devices to driverless cars, users become more exposed.
Here are five of the biggest risks most users have at home or in their pockets and specific remedies to tighten things up.
- Your router. The average user knows very little about the hardware that provides internet access at home, and that alone is a big problem. You probably have two devices your internet provider installed: a modem that receives the broadband signal, and a router that distributes it to your wireless devices. The network name you see on your smartphone is broadcast by that router. The vast majority of users (and internet providers) have never changed the router's administrator login and password from the factory defaults, and those defaults are printed in user manuals that anyone can find online. Do three things: 1. Have your internet provider walk you through reaching the router's management console in a browser (or look it up in the manual). 2. Change the administrator password, and if the Wi-Fi passphrase is still the one printed on the router, change that too, using WPA2 or WPA3 and a long passphrase. 3. Turn on automatic firmware updates if the router offers them, and turn off remote administration and WPS, two features that let outsiders reach the router. You will also see advice to hide the network name (uncheck "broadcast SSID"). Skip it: the name is still transmitted whenever one of your devices connects, any wireless scanner lists hidden networks, and hiding it only makes your own devices harder to set up. A strong passphrase and current firmware are what keep intruders out.
- Ransomware gets the most publicity when it hits a city (like Atlanta last year), a major company (like Sony), or local schools and police departments. But, in fact, ransomware is a pretty effective tool for hackers who just want a cheap income scheme with everyday personal users — like you — as the victims. Ransomware encrypts your files and holds them hostage until you pay for the key. If you don't pay, the files stay scrambled and are effectively gone, and some variants threaten to publish them as well. Make sure you've got a backup of all your files offsite, preferably through an online service like Mozy Pro, Carbonite, iCloud (Mac), or OneDrive (Microsoft). Make sure that backup includes all your files, including photos. One caveat: a folder that simply syncs with your PC will faithfully sync the encrypted copies too, so choose a service that keeps previous versions of your files, or keep an additional copy on a drive that stays unplugged. Most current computers have the operating system on a recovery partition, so if your drive is wiped out, the recovery area can reinstall the OS. Keep a list of all the software you use and make sure you have your license keys in case you have to reinstall. And test a restore once, before you need it. Having these bases covered will make you less vulnerable to the threat, but it will still be a day of work to get your PC back to normal.
- Passwords. Yes, I hear you groaning. "OMG, doesn't everyone know that by now?" Well, you'd like to think so, but if they do, they still aren't taking it seriously. Real security on your computer, phone, or tablet rests on up to three factors: something you know (your password), something you have (your phone), and something you are (a fingerprint or face scan). Wherever it is offered, use two-factor authentication (2FA). Typically you log in with your password and then enter a one-time code from your phone, either texted to you or generated by an authenticator app; the phone itself is locked with your fingerprint or PIN, so someone who has only your password is stuck. Codes from an authenticator app, or a hardware security key, are stronger than texted codes, which criminals can intercept by talking your carrier into moving your number to their SIM. 2FA significantly increases the security of all your accounts and devices.
- By now we should all be well-aware of the dangers of being hacked or exposed on social media. Most sites allow users to manage their own security settings, but they don’t necessarily make it easy. Additionally, updates and changes to security systems on these sites often change your settings without your knowledge. Stay Safe Online, a program of the National Cyber Security Alliance, has a webpage with links to security-setting information for every major social media site and online service. It will be time well-spent to find the sites you use and check on how well you have secured your personal information.
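The "test a restore" advice in the ransomware item above comes down to one question: is every file you backed up still there, byte for byte, after you bring it back? The following is an added example written for this page, not code from the column or from any of the backup services it names. It records a manifest of file hashes before the loss and checks a restored copy against it; the small directory tree and the "restore" that loses one file and truncates another are constructed inside a temporary directory so it runs anywhere.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large photos don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/' separated) to its hash.
    Take this before the loss and keep it with the backup."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest: what came back intact,
    what came back different, and what never came back at all."""
    result = {"ok": [], "changed": [], "missing": []}
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif file_sha256(target) != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: hash a small tree, then 'restore' it with one file
    lost and one truncated, and report what the check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "docs").mkdir(parents=True)
        (src / "photos").mkdir()
        (src / "docs" / "budget.csv").write_text("month,amount\njan,100\n")
        (src / "docs" / "notes.txt").write_text("call the bank\n")
        (src / "photos" / "cat.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 64)
        manifest = build_manifest(src)

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        (restored / "photos" / "cat.jpg").unlink()          # never made it into the backup
        (restored / "docs" / "notes.txt").write_text("")    # came back truncated
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:8} {files}")
```

Run it and the report shows the budget intact, the notes changed, and the photo missing. The same two functions work on a real tree: build the manifest over your documents and photos today, store it alongside the backup, and run the verification against whatever the service gives you back.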