When you consider a list of your most valuable assets—the items that you value the most and have taken steps to insure and protect—you’re probably thinking of your art collection, cherished jewelry, your latest exotic car and, of course, your loved ones. But think again, and ask yourself: What are you doing to protect your less visible assets, which are valuable both to you and to others—those with self-serving and malicious intent?
I’m talking about data. If you look at recent headlines about hacking events that have led to the theft of private information, you’ll start to see a pattern: Almost always, the hackers were able to make off with the data because its original owners didn’t value it enough to protect it. The lesson is that you need to be thinking about what others value, not just about what you value, and protect accordingly.
Today’s IT systems, if managed by trained and well-resourced individuals, provide a good defense against data thieves. So good, in fact, that hackers frustrated by these defenses have adopted new strategies to convince individuals to simply give them access to the data. The latest headlines about the apparent information compromises perpetrated by Russian hackers who targeted the Democratic National Committee and Chinese hackers who profited off insider information purloined from New York City law firms are prime examples of the social engineering technique known as phishing.
Phishing, a common hacking technique, involves an adversary crafting an email, text message or social media message written to compel the recipient to click a hyperlink or open an attachment. The next step typically involves you entering your authentication details to access a bank account, email account, social media account or other online service. The part of human nature that compels us to click and open anything sent our way has made phishing the most widely used technique to get people to give up their access credentials.
There are a few actions you can take to help ensure that you, your business and your family members are not easy targets.
- Stop reusing passwords. I know: This is a challenging request. We’re expected to log in to multiple websites every day, with each one requiring you to authenticate yourself with a username and password. To save you from having to remember hundreds—at last count, I have over 800—of username and password combinations, use a reputable password manager such as Password Safe.
- Enable multi-factor authentication (also called strong authentication or two-factor authentication) on all accounts that accept it. Essentially, this is a step beyond the username/password combination. The multi-factor aspect can be a text message sent to your phone, an email sent to the address you have on file with a service provider, a challenge request from an authenticator app (such as Duo or Google Authenticator), a voice call to a phone number on record or some other way to verify that you are actually the one trying to gain access to your account. For instructions on how to enable strong authentication across multiple services, take a look at the 2FA tutorials site. Another strong option is to use your fingerprint as your means of access, which you can do with an increasing number of apps.
- Verify that the person or organization that sends you an email, text or social media message with a link or attachment to click is the real sender. You can call them or go directly to their website—don’t click the link and assume that the website it takes you to is authentic. For example, if you receive an email from your bank or email provider asking you to reset or verify your password, open a new browser page, type the main service provider site address yourself and then log in to see if indeed they need you to take any action. One general caveat: Most reputable businesses and organizations don’t send you emails requesting you to reset your password unless you’ve already told them that you’ve forgotten it. So if you receive such an email, chances are good that it’s a fake.
Be aware, stay vigilant and fight your basic instinct to click and open anything sent to you. Make these changes, and you will enhance the security posture of your family, your business and your data. After all, you don’t want to be the next headline.