The site that stores your personal and professional files was hacked. Your PSN account was hacked. The place you go to find an affair was hacked. And despite the latest patches and updates, your iPhone and Android are both hopelessly vulnerable to being hacked. You know none of your accounts are safe, you’ve seen all the hack headlines, and that scares you. Or maybe you don’t see the glass as half empty, but rather see it as half ¯\_(ツ)_/¯ . You read about hacks every day: nothing is safe and there’s no point worrying or paying much attention to them. But there is a third option for business owners: be pragmatic, stay informed, and take everything a step at a time.
Unless you live as a hermit and completely off the grid, you’re never going to be safe from potential attacks. At the same time, I don’t want you to ignore attacks simply because you’re buried under a constant barrage of security stats such as: 73 percent of companies have been hit by some form of attack, 89 percent of healthcare organizations experienced security breaches, and 97 percent of banks will suffer an attack next year. OK, so that last statistic isn’t true, but I bet you didn’t question it because you’d tune this sort of info out anyway.
In this article I’ve put together some quick tips that should help keep your digital personal and professional life a bit more secure.
Use Haveibeenpwned (or something like it)
Let’s imagine there’s been a big hack on a site that you regularly use and log into. How would you know if your email address and credentials were affected? Microsoft regional director Troy Hunt wanted to tackle that problem and created haveibeenpwned.com, which takes your email address and compares it against lists of stolen credentials, often ones being shopped around on black markets. If it spots a match between your email and an entry in the database, it will send you an email to notify you that you’ve been “pwned.”
One thing to note: sometimes these sites will notify you of a hack that happened a few years ago such as the Dropbox hack. The reason it took so long is because Dropbox only recently confirmed the hack. Back when the hack happened in 2012, Dropbox made its customers change their passwords, but didn’t give a reason as to why. Now, four years later, Dropbox finally confirmed it.
If you visit Haveibeenpwned you can enter your email address and see if that email has already been flagged by some other hacks. But using one email for all your accounts is dangerous, so…
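To make the mechanism concrete, here is a small local version of the lookup described above. This is example code added for this article, not Troy Hunt’s service or its API. It assumes a breach corpus that has been reduced to SHA-1 hashes of lower-cased email addresses (the corpus below is constructed; the Dropbox row uses approximate dates matching the article’s “2012” and “four years later”), and it shows two details worth knowing: the address has to be normalised before comparison, and a hit may refer to a breach that only surfaced years after it happened.

```python
"""Added example: a local 'have I been pwned?' style lookup (constructed data)."""
import hashlib
from datetime import date


def _h(addr):
    """SHA-1 of an already-normalised address, used to build the sample corpus."""
    return hashlib.sha1(addr.encode()).hexdigest()


# Constructed sample corpus: (breach name, breach date, date the breach was
# added to the corpus, sha1 of the normalised address). Dropbox dates are
# approximate to the article; the other rows are invented.
BREACH_CORPUS = [
    ("Dropbox", date(2012, 7, 1), date(2016, 8, 31), _h("alice@example.com")),
    ("ExampleForum", date(2015, 3, 14), date(2015, 3, 20), _h("alice@example.com")),
    ("ExampleShop", date(2016, 1, 5), date(2016, 1, 9), _h("bob@example.org")),
]


def normalise_email(address):
    """Trim whitespace and lower-case the address. Local parts are case-sensitive
    on paper, but breach dumps and mail providers treat them case-insensitively,
    so 'Alice@Example.com ' must hit the same row as 'alice@example.com'."""
    return address.strip().lower()


def lookup(address, corpus=BREACH_CORPUS):
    """Return (breach, breach_date, added_date) tuples for an address.
    Only the hash of the address is compared, so the corpus never has to hold
    the raw addresses."""
    digest = hashlib.sha1(normalise_email(address).encode()).hexdigest()
    return [(name, when, added) for name, when, added, h in corpus if h == digest]


def notification(address, corpus=BREACH_CORPUS, stale_years=2):
    """Build the text a notifier would send, or None when there is no match.
    Breaches that reached the corpus long after they happened are flagged so
    the reader knows the exposure is old and which era's password leaked."""
    hits = lookup(address, corpus)
    if not hits:
        return None
    lines = [f"{normalise_email(address)} appears in {len(hits)} breach(es):"]
    for name, when, added in sorted(hits, key=lambda t: t[1]):
        lag_years = (added - when).days // 365
        tag = f" (surfaced {lag_years} years after it happened)" if lag_years >= stale_years else ""
        lines.append(f"  - {name}: {when.isoformat()}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(notification("Alice@Example.com "))
    print(notification("nobody@example.net"))
```

Running it prints the two Dropbox and ExampleForum hits for the first address, with the Dropbox line marked as having surfaced four years late, and `None` for the second.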
Don’t use the same email address for everything
Would you use the same key for your car as for your house? Putting aside the rise of connected devices, such as a smartphone that can unlock virtually anything, you probably would want to keep a few different keys. The same goes for your email, both personal and business.
Let’s imagine again that you primarily use one email address for your business. You use it to log into your business Facebook page, email account, Google Drive, and bank account. Let’s also say you follow a few good practices, like not reusing the same password and turning on two-step verification. The first place someone might target would be your email account, because it’s likely the master key to your online identity. If someone couldn’t get into your Facebook account, they’d likely request a password reset, which would inevitably be sent to your email address.
At 10:31 am, someone called @verizon impersonating me and successfully changed my SIM & unsuccessfully attempted to change my phone number.
— deray mckesson (@deray) June 10, 2016
Two-factor authentication, an extra step in the login process (e.g. a message sent to your phone with a code), is meant to deter hackers and provides a reasonable defense, but it is by no means bulletproof. Wired covered the story of Black Lives Matter activist Deray McKesson, who, despite having two-factor verification, still had his account compromised. Someone called Verizon whilst pretending to be McKesson and had his SIM changed. With control of his SIM, they were able to receive the two-step verification login message on their own phone.
So what can you do? Some ideas:
- Don’t reuse the same email address for every login. Instead, use strategies such as creating throwaway (or “burner”) email addresses for services you don’t plan on using for long, or keeping a master email account that isn’t linked to any specific service but receives forwarded email from all your related accounts
- Consider using a password manager
- Go old school, keeping some passwords written down on paper and storing them somewhere safe
- Monitor your web history and email login activity
Make sure your software is patched
I’ve written about this before, so I won’t go into deep detail here. But essentially, keeping your software patched is like maintaining your car. Would you drive your car 100,000 miles without ever getting an oil change? The same can (more or less) be said about software. If you aren’t familiar, a patch is an update to a piece of software. You’ve probably received messages from Microsoft Office that warn you to update your software due to critical vulnerabilities. That warning and prompt is Microsoft asking you to patch up Office.
Not all programs auto-update or auto-install patches; others require you to find the patch and install it yourself. And it’s important to remember that patches don’t just apply to programs or suites like Microsoft Office, but also include:
- Hardware, such as routers and printers
- Your operating system (OS) such as Windows 10 or Mac’s OS X
- Adobe Flash (although lots of folks are pushing for an end to Flash)
- Any connected or smart device
Finding out how to patch your software is as easy as a Google search, but just remember that whether you’re prompted or not, keep up on your patches.
Additionally, security expert Brian Krebs recommends (see Further reading, below) that if you aren’t using a piece of software, remove it. A program you installed on your computer a couple of years ago may no longer be developed or patched, which could leave a vulnerability open. Removing software keeps your system running lean and removes the risk of that software being exploited.
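The two rules in this section, “patch what you run” and “remove what you don’t use”, can be turned into a simple inventory check. The code below is an example added for this article, not a tool from Krebs or any vendor; the inventory and the “latest version” feed are constructed, and the version comparison assumes plain dot-separated numeric version strings. It also shows a pitfall that quietly hides stale firmware: comparing version strings as text ranks “1.9.2” above “1.10.0”.

```python
"""Added example: patch-or-remove review of a software inventory (constructed data)."""
from datetime import date

# Constructed inventory: (name, installed version, auto-updates?, last used).
INVENTORY = [
    ("ExampleOffice", "16.0.4", True, date(2016, 9, 1)),
    ("ExamplePlayer", "22.0.0.192", False, date(2014, 5, 2)),   # old and unused
    ("ExampleRouterFW", "1.9.2", False, date(2016, 9, 1)),      # router firmware
    ("ExampleEditor", "2.1.10", False, date(2016, 8, 20)),
]

# Constructed 'latest version' feed, standing in for what a vendor or package
# manager would publish.
LATEST = {
    "ExampleOffice": "16.0.4",
    "ExamplePlayer": "23.0.0.162",
    "ExampleRouterFW": "1.10.0",
    "ExampleEditor": "2.1.9",   # installed build is newer than the feed
}


def version_key(version):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically.
    As strings, '1.9.2' > '1.10.0', which would report stale firmware as current."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(installed, latest):
    """True when the installed version is strictly behind the published one."""
    return version_key(installed) < version_key(latest)


def review(inventory=INVENTORY, latest=LATEST, today=date(2016, 9, 15), unused_days=365):
    """Sort the inventory into 'remove', 'patch' and 'ok'.

    Unused software is recommended for removal before it is checked for
    patches, because software you don't run is risk without benefit. Patch
    entries say whether the program will update itself or needs a manual
    install, since not every program auto-updates."""
    out = {"remove": [], "patch": [], "ok": []}
    for name, installed, auto_updates, last_used in inventory:
        if (today - last_used).days > unused_days:
            out["remove"].append(name)
        elif name in latest and is_outdated(installed, latest[name]):
            action = "auto" if auto_updates else "manual"
            out["patch"].append((name, installed, latest[name], action))
        else:
            out["ok"].append(name)
    return out


if __name__ == "__main__":
    for bucket, items in review().items():
        print(bucket, items)
```

With the constructed data the review recommends removing ExamplePlayer (not used in over two years), patching the router firmware by hand, and leaves the office suite and editor alone.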
Take a deep breath
At the end of the day, there’s only so much you can do to protect yourself and your business. The scaremongering headlines that scream “everything can be hacked!” are correct: just about everything can be hacked and nothing is safe. By the same token, San Francisco and Boston have some of the worst drivers in the country, but that hasn’t stopped people from driving, nor do people think that either of those places resembles a Mad Max-esque hellscape. There’s always going to be someone (or something) that can crack a safe, so it’s best to make it unlikely to happen to you.
With that in mind, let’s recap:
- Sign up for notifications to let you know in case one of your accounts becomes compromised
- Don’t use one email address for everything
- Make sure that your software and hardware are patched
- Don’t buy into the scaremongering, but don’t ignore it. Keep a level head, but also keep an eye on the news.
Further reading
- Krebs’s 3 Basic Rules for Online Safety – Krebs on Security
- Schneier on Security
- 9 reasons you should have more than one email address – GetApp
- A look into the future of security: Quantum Computers Explained – Limits of Human Technology – Kurzgesagt
- Password Managers – GetApp