Here’s a little secret when it comes to cybersecurity. (Don’t tell anyone I told you - I’m trying my best to be a good security manager.) The secret is this: It’s impossible to completely secure anything.
So, there you have it - let’s all move on with life and spend more time thinking about not-boring things like music, skiing, our next paycheck, and oversharing on social media (ok, whoa there buddy). Seriously though, there’s a legitimate reason our eyes glaze over or we freak out when we think about security and all the things we might have to do to achieve it in our digital lives. Secure all the things! If I’m not a hacking super-nerd, those words are enough to make me give up and run for the hills. When you don’t know what you don’t know, it’s easier for us humans to throw up our hands and just hope for the best, rather than struggling to find our way and take meaningful action to improve our position.
But here’s the other half of that little secret: It’s all about the big wins. If you’re an information security professional, you already know that it’s about reducing risk, not securing all the things. And risk is something we can all understand. If you ride a motorcycle without a helmet, you’re asking for it. If you regularly toss and catch whole grapes in your mouth, you’ll probably choke one day, you daredevil. If you consider letting your 2-year-old child navigate that busy crosswalk themselves … I think we’ve illustrated the point. We humans know about risk, and we take steps to reduce risk in our lives every day. So let’s identify some easy, Big Wins that we can achieve day-to-day to reduce the risk in our digital lives.
Update All The Things
Ah, the dreaded red dot in your iPhone settings. That notification bubble on your Windows desktop from your favorite app. Update available! Now, some of us salivate at the thought of getting those new bug fixes and features (it’s a completionist thing) but the rest of society collectively groans because that update is not only going to take a chunk out of our morning, it could also “fix what’s not broken”. So we Skip For Now.
Here’s the reality though - the large majority of the nasty vulnerabilities actually being exploited on our devices (the commonly cited figure is over 80%) already have an update available that patches them. The attackers aren’t using some secret zero-day on you; they’re using the hole that was fixed last month and that you skipped. Keeping our hardware and apps updated, ladies and gentlemen, is what’s known as a Big Win when it comes to reducing risk. Putting yourself on a 30-day schedule to update everything is a great (and reasonable!) plan. And not just your computer and phone … don’t forget to update all those internet-connected gadgets in your house, like your Wi-Fi router, your Sonos speaker, Google Home devices, Nest thermostat, and yes, even that smart fridge. Better yet, if the devices support it, have them auto-update for you. Closing most of the holes attackers are actually using, for the price of a reboot now and then, is a fantastic trade.
Kill Those Passwords
Passwords … another collective groan. I believe I have about 70 passwords to remember across all of the websites and services I use (and I’m a minimalist). That “create new password” field triggers thoughts like “Should I use an exclamation mark for my symbol?” or “I’ll just use the same one I use everywhere else”. Let’s get real folks … passwords are horrible, remembering them is even more horrible, and our brains are just not built to 37U-rr!@thf.
Unfortunately, passwords are still the gateway to most of the data in our lives, so we need to keep the keys to the kingdom safe. This is why password managers are great. Whether you’re a Google, Apple or Microsoft enthusiast, there’s a password manager that will create, remember, and protect all of your passwords in one place. I don’t know any of the 70 passwords in my life - I only know my Apple ID password. It’s a strong one, and it gives me access to Apple Keychain, which stores all the others. I can look them up anytime on my iPhone, and have them created/inserted for me in apps and websites I browse within Safari. Bring me a martini, please.
If you’re relying on your brain to remember all of your passwords, you’ll naturally drift towards using bad practices that put you at risk. Embrace freedom, and start using a password manager. Here’s some great choices - pick one that works best for you.
- iCloud Keychain (for Apple fans)
- Google Password Manager (for Google/Android enthusiasts)
- LastPass (for flexibility on any device or operating system)
- Do a Google search for “best password manager” and try one out
Multi-factor authentication (MFA) is the other Big Win here. Turn it on in two places: on the account that protects your password manager itself (your Apple ID, Google account or LastPass account), because that vault now holds all the keys, and on every important account that offers it - email, banking, and anything with a credit card on file. Validating your login through an app on your smartphone means that a stolen password alone is usually not enough for an attacker to get in. Where you get a choice, an authenticator app or a hardware security key is stronger than a code sent by text message. All of the options listed above have MFA available, so check them out.
Privacy Checkup Time
An Apple a day doesn’t really keep Facebook or Google from collecting all the personal data they can get their hands on. Many companies make their millions and billions by harvesting your data - what you search for, where you browse, where you travel, what you buy, who you hang out with … it’s all being tracked and leveraged in some way. Even if all this stalking... I mean data gathering, doesn’t bother you, it’s still a good idea to keep tabs on the data trail you’re creating online.
Thanks to increasing privacy regulation, many online services are required to have a section of their website or app dedicated to telling you about your privacy options, and letting you choose the settings you want. This includes the big 3: Google, Facebook and Microsoft. Don’t just give up all your valuable data for free - dial things in to a level you’re comfortable with. Own your data. Start with the privacy settings pages of the accounts you use most, and put the rest on the same 30-day schedule as your updates.
And while you’re at it, do a periodic review of the privacy settings on your smartphone too. You carry that little beast everywhere, and it knows more about you than you do. Look at which apps have access to your location, microphone, camera, photos and contacts, and ask whether each one actually needs it to do its job. Limit its powers.
Click Slowly (or Not At All)
The concept of internet security hasn’t been around that long. The commercial internet as we know it is only about 25 years old, and personal computers only go back a couple of decades further. But you know what’s been around much longer? Con artists. Scammers. Those folks we like to call “social engineers”. Even though these nefarious individuals are constantly updating the technology tactics they use to steal your data and money, social engineering still boils down to a person-vs-person level. It’s still about leveraging you, a squishy biological humanoid, to do something that will benefit them (no matter what tools are being used to do it).
That’s a good concept to keep in mind when it comes to protecting yourself on the internet. Social engineering attacks are designed to target you and your brain first, before they even get to your device or data. A skeptical attitude will help you avoid many threats like phishing, credential harvesting, or believing that 70% off is really saving you money (that last one is a tough one).
Here’s some basic knowledge to navigate the minefield safely.
- Phishing can happen through email, through a web link, and even through a text message on your smartphone. Don’t trust a link that seems even a little off, no matter where you see it.
- Phishing scams often appear to come from a person or a service that you know and trust. An email from your bank. A subscription notice from Netflix. A text from the CEO at work begging you to help with a favor. To see if a request is real, go around it rather than interacting with it. Go directly to your bank’s website by typing the address yourself, or call them using the number on the back of your card - not a link or phone number from the message. Drop your CEO a separate email or Slack message. Don’t click … sanity-check first.
- A useful (though not foolproof) way to check whether an email or a website login is real is to take the time to look at the actual address in the From: field, not just the friendly name next to it, or to check the web address at the top of your browser. The sender name is whatever the scammer typed, and even the address can be forged, so treat a mismatch as a red flag and a match as “probably fine”, not proof.
- Your CEO won’t email you from email@example.com.
- A website address using accounts.google.com (real) is much different than googlelogin.secureyep.com (fake). What matters is the domain right before the first slash: accounts.google.com.secureyep.com is still secureyep.com, no matter how much “google” appears earlier in the name.
Check the source, my friend.
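As an added illustration of the two checks above (not part of the original post), here is a small Python script that does what the advice says a human should do: pull the bare address out of a From: header, ignoring the display name, and pull the real host out of a link before comparing it against a host you already trust. The company domain, the trusted login host, and the sample messages are all constructed for this example.

```python
"""Constructed examples of checking the From: address and the link host,
rather than the display name or the text of the link.

Added example for illustration; the domains and samples below are made up.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this example: the reader's employer mail domain and the
# one login host they know to be legitimate.
COMPANY_MAIL_DOMAIN = "yourcompany.example"
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}


def sender_address(from_header: str) -> str:
    """Return the bare address from a From: header, ignoring the display name.

    The display name is chosen freely by the sender, so "Pat CEO" proves
    nothing. The address is the part worth reading (it can still be forged
    when the receiving mail system does not enforce SPF/DKIM/DMARC, so this
    is a sanity check, not proof).
    """
    _display_name, addr = parseaddr(from_header)
    return addr.lower()


def sender_is_internal(from_header: str) -> bool:
    """True only when the address is on the company domain exactly.

    Keeping the '@' in the comparison stops notyourcompany.example from
    passing as yourcompany.example.
    """
    return sender_address(from_header).endswith("@" + COMPANY_MAIL_DOMAIN)


def link_host(url: str) -> str:
    """Return the host a link actually points at.

    urlsplit().hostname drops userinfo and port, so
    https://accounts.google.com@secureyep.com/ resolves to secureyep.com.
    """
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def link_is_trusted_login(url: str) -> bool:
    """True only for an exact, HTTPS match against a host already trusted.

    Exact matching defeats the common tricks: extra labels on the right
    (accounts.google.com.secureyep.com), lookalike names
    (googlelogin.secureyep.com), and user@host confusion.
    """
    return urlsplit(url).scheme == "https" and link_host(url) in TRUSTED_LOGIN_HOSTS


def triage(from_header: str, url: str) -> dict:
    """Summarise both checks for one message."""
    return {
        "sender": sender_address(from_header),
        "sender_internal": sender_is_internal(from_header),
        "link_host": link_host(url),
        "link_trusted": link_is_trusted_login(url),
    }


if __name__ == "__main__":
    # Constructed samples: one legitimate message and three phishing-style ones.
    samples = [
        ("pat@yourcompany.example", "https://accounts.google.com/signin"),
        ('"Pat CEO" <email@example.com>', "https://googlelogin.secureyep.com/"),
        ('"IT Helpdesk" <helpdesk@yourcompany.example.invalid>',
         "https://accounts.google.com.secureyep.com/"),
        ('"Google" <no-reply@example.com>', "https://accounts.google.com@secureyep.com/"),
    ]
    for from_header, url in samples:
        print(triage(from_header, url))
```

The point of the exact-match rule is that “contains google” is exactly the test a scammer designs the link to pass; only the host that sits immediately before the first slash, compared whole, tells you who you are really talking to.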
What Happens on the Internet …
At the end of the day your personal data is yours, but unfortunately, the online places where it’s being stored are not yours. I post to Twitter, and decide that my politically-charged statement may have been overzealous. I delete my tweet. But it’s already been screencapped, shared 100 times, dropped on Instagram, re-posted by Uncle Bob on Facebook, and transformed into a meme that’s already past its prime and downtrending on Reddit.
Think (and think hard) before you share anything on this tangled mass of wires and boxes we call the Internet. Because once you hit that return key or click that send button, you never know where that bit of information will go. And if we’ve learned anything from watching the political scene these past few years, we know that nothing on the web ever really goes away. If I’m going to go looking for sensitive data about you to fuel my social engineering campaign … don’t let me find it.