How to protect your (and your company's) data in an increasingly connected world

Data and account security are among the most overlooked risks in personal and company environments. While security in these areas is a necessary no-brainer, most people tend to follow a 'do as I say, not as I do' way of thinking, because they assume it won't happen to them. The scary thing is, their accounts have probably already been hacked.

Take the example of http://haveibeenpwned.com. The website checks whether an e-mail address has been included in a website hack in the past few years. One of the prime benefits of the internet is that it does not forget, makes data instantly accessible and has a global presence. At the same time, those same characteristics make it a prime spot for crooks. Having one password stolen is probably going to be pretty inconsequential, with possibly no repercussions at all. But once the data is out there, it is very hard to contain, much less erase.

An average company gathers loads of data as a result of daily operations. Obviously, this also creates a risk, because every data point is also one that can be stolen. One of the most dangerous situations arises when a company collects data it does not need or want. 'Because the capabilities are there' is not a good reason to store it. Moreover, because the data is not especially valuable to the company, protecting it will probably not have the highest priority. The result is data that is potentially freely accessible, of little value to the company but all the more valuable to the data owners. This is also what the upcoming EU General Data Protection Regulation (GDPR) tries to prevent, by forcing companies to let customers access their personal data; companies will at least have to think about the data they currently hold.

Attack vectors

There are many ways in which malicious people will try to steal data, or even trick users into handing it over. These methods are called 'attack vectors'. By now, probably everyone knows the shady African prince asking for money, complete with deliberate spelling errors to weed out attentive readers. That attack vector is probably not as effective as it was before. Below are a few potential threats:

Phishing
Phishing is the activity in which 'hackers' try to trick the user into giving them their login details. For example, the user gets an email saying their Netflix account will be retired unless they log in immediately and provide their credit card details. The link in the email will not send the user to Netflix, but to another domain entirely. This is also why proper security and encryption are so important: a legitimate but insecure website can also be manipulated into asking for this information. Once the user enters the credit card details and password, the data is compromised. The tricky part is that this technique does not need a lot of effort to set up and can be put to use very quickly. By sending the email to tens of thousands of people, only a few need to respond for it to be a lucrative venture. Also, these attacks are getting more and more sophisticated: the login pages are near-identical copies, and the emails use 'real' links to the website alongside the malicious one to give them the veneer of legitimacy.

High-profile people (celebrities, politicians, etc.) might also be targeted with so-called 'spear-phishing', a directed attack at a specific person because they can access valuable data. An example of this is the hack of the Democratic Party in the U.S. in 2016.
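The tell-tale sign described above (link text that names one site while the href points at a different domain, or a brand name buried inside an unrelated host) can be checked mechanically. The following is an added example, not code from the original article: it parses a constructed sample lure, compares each link's visible text with its real destination, and flags hosts that embed a trusted brand name. The sample HTML, the `.example` hosts and the `TRUSTED_DOMAINS` set are assumptions made for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure in the style the text describes. All hosts are placeholders;
# the brand name only serves as the lookalike target (assumption: netflix.com is the real domain).
SAMPLE_EMAIL_HTML = """
<p>Your account will be retired unless you sign in now:</p>
<a href="http://netflix-billing-update.example/login">https://www.netflix.com/login</a>
<p>Need help? Visit <a href="https://help.netflix.com">help.netflix.com</a>.</p>
<a href="http://netflix.com.example-cdn.example/verify">Verify card</a>
"""

TRUSTED_DOMAINS = {"netflix.com"}  # assumption: the brands this mailbox expects mail from


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def base_domain(host):
    # Heuristic: keep the last two labels. Production code should consult the public
    # suffix list so that hosts under e.g. "co.uk" are handled correctly.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


_HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def domain_in_text(text):
    """Return the base domain a link's visible text claims, or None if the text is not URL-like."""
    m = _HOST_IN_TEXT.match(text.strip())
    return base_domain(m.group(1)) if m else None


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    href_host = (urlparse(href).hostname or "").lower()
    href_base = base_domain(href_host)
    claimed = domain_in_text(text)
    if claimed is not None and claimed != href_base:
        # The text shows one domain while the link goes somewhere else entirely.
        return "visible-domain-mismatch"
    if href_base not in trusted:
        for domain in trusted:
            brand = domain.split(".")[0]
            if brand in href_host:
                # A trusted brand name embedded in an untrusted host (brand.com.attacker.example).
                return "brand-lookalike-host"
    return "ok"


def find_suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, visible_text, verdict)] for every link that is not 'ok'."""
    return [
        (href, text, verdict)
        for href, text in extract_links(html)
        for verdict in [classify_link(href, text, trusted)]
        if verdict != "ok"
    ]


if __name__ == "__main__":
    for href, text, verdict in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{verdict:24} text={text!r:34} href={href}")
```

On the constructed sample, the first link is flagged because its text claims netflix.com but the href goes elsewhere, the help link passes because text and destination agree, and the third is flagged because the real domain is example-cdn.example with the brand name only used as a leading label. A mail gateway or a user-side browser extension applies the same comparison; the heuristic base-domain function is the part to replace with a public suffix list before relying on it.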

Social engineering
Everyone knows the standard security questions that used to be (and in some cases still are) asked to verify an account: 'What was your mother's maiden name', 'What's the name of your city of birth', and so on. These questions were devised in a simpler time, when people did not foresee handing most of their private information over to social media. The unfortunate thing is that while people might forget, computers hardly ever do. So every post and every scrap of information is often relatively easy to find, making these 'hard-to-know' questions not so hard to guess. Once the password on e.g. your e-mail address is reset, the 'hacker' can proceed to reset the passwords of most accounts associated with that email address.

Social engineering is probably the most used technique in situations where someone wants to target you specifically, for example because you have an interesting Twitter handle.

The main issue is that people will always try to help someone with a good story, which makes a security protocol only as strong as its weakest link. In other words, the human factor will always weaken security systems. This is not in itself a 'bad thing', but it should be accounted for.

The risk with some of these attack vectors is that they're easy to direct at thousands of people at the same time. This makes them a low-risk investment in time and effort with a potentially high reward, even when only a tiny percentage of people fall for it.

Stolen data
Even when someone has all the necessary precautions and security in place, this does not mean their data is safe with other companies. Hacks, inadvertent releases of data and breaches have been widely reported over the past few years. One of the biggest yet was the credit company Equifax's last year, with over 250 million records being published. Another was Uber paying a hefty sum to cover up a breach of 50 million records of drivers and passengers. The scope and size of these data sets are very big.

The scary bit is that in the case of Equifax a critical part of their infrastructure was left unpatched after a weakness was discovered. This means the 'hackers' did not have to perform any elaborate hacks; they just exploited a known weakness and ended up with a quarter of a billion records of financial information. This shows that performing regular updates is every bit as important as is usually stated.

Tips to prevent this from happening
Knowing all this, what can anyone do to minimize the damage?

  • Stay alert - Be on the lookout for potential issues, be aware of data being stored elsewhere and know where to turn if things go south. Check from time to time whether your account information is still safe: https://haveibeenpwned.com
  • Use a password manager - One of the biggest risks is reusing the same or a similar password for multiple services. Using a password manager helps by:
    • Generating secure passwords
    • Remembering every password for every separate website
    • Reminding you that a password has not been changed in a while
  • Enable 2-factor authentication - Most services offer the ability to enable 2-factor authentication. Do so immediately; it adds a second barrier that most malicious entities do not know how to get past, whether it's a code by text message or a token generated on one specific device (the latter is the best option).
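Two of the tips above rely on mechanisms that are easy to show in code: the "token generated on one specific device" is a time-based one-time password (TOTP, RFC 6238, built on HOTP from RFC 4226), and the password manager's "generating secure passwords" is sampling from a cryptographic random source. The block below is an added example and not code from the original article or from any particular authenticator app or password manager; it implements both mechanisms from the standard library and uses the published RFC test key ("12345678901234567890"), which is the only non-constructed value in it. The server-side `verify_totp` helper and its one-step drift window are design choices assumed for the demonstration.

```python
import hashlib
import hmac
import math
import secrets
import string
import struct
import time

# RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"). A real authenticator app
# stores a random per-account secret that the service shares with it at enrolment.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second window.
    This is what the device-generated token in the text computes; no network is involved."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key, submitted, at_time=None, step=30, digits=6, window=1):
    """Server-side check (assumed design): accept the current window plus `window` steps on
    either side to tolerate clock drift, comparing in constant time so timing reveals nothing."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(key, counter + delta, digits)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=PASSWORD_ALPHABET):
    """Random password from the OS CSPRNG, which is what a password manager does behind the scenes."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length, alphabet_size=len(PASSWORD_ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("TOTP at T=59 (RFC 6238 vector):", totp(RFC_TEST_KEY, at_time=59, digits=8))
    print("TOTP now:", totp(RFC_TEST_KEY))
    pw = generate_password()
    print(f"generated password: {pw} ({password_entropy_bits(len(pw)):.1f} bits)")
```

The point worth noticing is that a TOTP code is only ever as secret as the shared key and the current time: an attacker who phishes the code has a window of about a minute to use it, which is why the text-message and app-based variants still beat a password alone but not a hardware key bound to the site. A 20-character password from the 94-symbol alphabet carries about 131 bits of entropy, far beyond anything a person would memorise, which is the practical argument for letting the manager generate and remember it.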

In conclusion, these three (relatively) simple measures will protect most people from harm. Of course, there are some caveats. Hacks will keep happening; these steps will not protect you in all cases. However, they will prevent a very significant percentage of attacks, which is better than having no additional protection at all. Also, building a habit takes time now, but saves time in the long run. Keep that in mind, along with the added security.
