The following were the most used passwords throughout the world, for organizations and individuals combined:
1. 123456; 2. password; 3. 123456789; 4. 12345; 5. 12345678; 6. qwerty; 7. 1234567; 8. 111111; 9. 1234567890; 10. 123123
Other studies show repeated numbers (e.g., 9999999), letters (e.g., bbbbbbbbb), and words (e.g., FirstnameLastname) are also commonly used worldwide. Do you use such passwords? Well, if so, stop doing that! You’re making yourself a sitting digital duck for a cybercrook hunting an easy victim.
Despite decades of proclamations to the effect that, “Passwords must be replaced with a better authentication method,” passwords are going to continue to be used for the foreseeable future, for a wide range of reasons that I could fill a book explaining.
To have strong passwords that actually will keep people out of proprietary, sensitive, confidential and personal data, at a minimum do the following:
a. Create passwords that contain as many characters as possible.
b. Make them complex, using upper- and lower-case alpha characters, numerals, and special characters.
c. Do not use anything that can be found in any type of dictionary.
d. Make them hard to guess; don’t use the names of sports teams, celebrities, math equations, games, or anything else publicly available, such as in lists online…including lists of the world’s most common, worst passwords.
e. Use different passwords for different types of purposes. For example, you should not use the same password you use on TikTok, Facebook, Spotify, or similar types of social media sites as you use on your employer’s network, which should also be different from your password used for your banking, and different from the password to your patient data portal, and so on.
f. Do not use biometrics as a password substitute, as the sole authenticator, at this point in technology development. AI tools have made a large portion of biometric authentication susceptible to successful impersonation, including voice, face, fingerprint, iris, and other biometric identifiers. Which takes us to the next basic cybersecurity practice.
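As an added illustration of checks a through d (this is example code, not from the original post), a small Python policy check that rejects the ten passwords listed above, single-character repeats like 9999999 or bbbbbbbbb, ascending digit runs, and passwords built around a dictionary word. The 14-character minimum and the five-word stand-in dictionary are assumptions, since the post gives no number and a real check would load a full wordlist.

```python
import re
from typing import List

# The ten most-used passwords listed in the post.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345", "12345678",
    "qwerty", "1234567", "111111", "1234567890", "123123",
}
# Constructed stand-in for a real wordlist; a production check would load a full dictionary.
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "football"}
# Assumed threshold: the post only says "as many characters as possible".
MIN_LENGTH = 14
# Common symbol-for-letter substitutions, undone before the dictionary lookup.
LEET = str.maketrans("@0$3", "aose")
SEQUENTIAL = re.compile(r"0123|1234|2345|3456|4567|5678|6789")


def password_problems(pw: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the guidance items (a-d) a candidate password violates; empty means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"a: shorter than {min_length} characters")
    has_all_classes = (
        any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)
    )
    if not has_all_classes:
        problems.append("b: missing upper, lower, digit or special character")
    low = pw.lower()
    # c: undo leet substitutions, strip digits/symbols, then look for a dictionary word inside.
    core = re.sub(r"[^a-z]", "", low.translate(LEET))
    if any(word in core for word in DICTIONARY_WORDS):
        problems.append("c: contains a dictionary word")
    # d: public worst-password list, a single repeated character, or an ascending digit run.
    if low in COMMON_PASSWORDS:
        problems.append("d: on the most-common-passwords list")
    if re.fullmatch(r"(.)\1+", pw):
        problems.append("d: one character repeated")
    elif SEQUENTIAL.search(pw):
        problems.append("d: sequential digit run")
    return problems
```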
2. Enable multifactor authentication, or MFA, to prove you are who you say you are online.
MFA has been proven to be extremely effective in protecting against automated cyberattacks because it takes more than just one authenticator (typically a password) to authenticate to get access to data and systems. MFA isn’t yet used everywhere, but is increasing in use and has long been used for banking, healthcare, corporate portals, online stores, and other favorite hacker targets. Activate and use MFA everywhere possible. If it is not offered, then request it from the associated site or application.
So, continuing from item 1, if you do want to use a biometric authenticator, use it in addition to another authenticator. Using two or more authenticators is generally referenced as multi-factor (aka multi-step or two-step) authentication. MFA uses a combination of two or more of:
- Something you know, such as a password, PIN, etc.
- Something you have, such as an authentication app on your phone, a physical device such as a key fob or digital code card, etc.
- Something you are, such as your fingerprint, face, voice, etc.
3. Enable every computing product for automated updates.
Software is nearly everywhere. Make sure you set it up for automatic updates when you install new software. If you’ve not yet set up your software for updates, go back and do it now. Also, set up every type of computing product (laptop, desktop, tablet, smartphone, etc.) to receive automatic updates. The most compromised, hacked computing products are those that have not been updated with the latest security and privacy patches. Automated software and firmware updates not only install new capabilities, they also fix security and privacy holes that have been discovered.
You need to do this for all computing products. Automatic updates are needed not only in the devices you commonly think of as computers, but also in “smart” internet of things (IoT) products. All of these connect to the internet and other types of networks, which makes every IoT product (fitness trackers, digital assistants, security systems, smart appliances, etc.) an attack target.
4. Practice ongoing app security management.
Without looking at your phone, answer this question: How many apps do you have? Write it down.
Now, look at your phone. How many apps do you actually have? I’ve asked this question of my clients, readers, listeners and those who attend the events where I’m speaking many times throughout the past 20 years. With rare exception, everyone has more apps than they thought they did. Why? Two primary reasons:
1) Most people will download an app if they are somewhat interested, and when most of those are not something they actually end up using, they leave them on their phone; and
2) Often apps are automatically loaded to your phone from websites you visit, especially those you got to by clicking a link in a social media site, email, text or a popup window. So, most people aren’t even aware they were loaded in the first place.
Many of those apps are malicious by design, and those who successfully hooked you into downloading them didn’t really expect you to use the app. Other apps do provide some entertainment or useful utility, but once you’ve downloaded them you may realize they aren’t something you’ll use. However, they are still running even when you don’t use them. Additionally, most people thoughtlessly agree to let all the apps they download take their entire digital contact lists, their GPS/location, control and use of their camera and microphone, the content of their messages, their activity logs, permission to post to sites on behalf of the app user, and often even access to their passwords, as part of the terms of use that apply when the app is loaded. If you have the habit of simply agreeing to terms without reading them, you are literally allowing all those who provided those apps to do anything they want on your behalf if they have that intent.
- Immediately disable apps you have never used, and haven’t used in the past month or so.
- Then uninstall those apps.
- Next, delete all associated software and files, which most apps will leave behind to be able to hook the device user back into their digital ecosystems.
- Repeat the above periodically. Remember, you may have had apps installed without realizing it.
Keep an eye out for indicators you have malicious and/or spying apps on your phone, such as getting unsolicited calls or texts about things that may creepily be related to something you’ve looked at online, or from a location where you’ve physically been. Also look for your camera, video or audio recorder lights turning on randomly; it may be an app activating them and sending the recordings elsewhere.
5. Learn to recognize and report social engineering attacks, such as phishing.
Social engineering tactics, in which people are manipulated and tricked into taking actions that benefit the manipulator in some way (e.g., through phishing messages), have been around since the beginning of civilization. Old face-to-face methods still work, and more and more digital methods emerge daily as new technologies and new activities appear. Social engineers are always looking for new ways, via email, texting, social media, phone, and other technologies, to convince you they have a legitimate need for you to click a link or provide sensitive information in some other way. Their strategies are always changing.
Stay updated through taking security and privacy training, and reading alerts, such as what you find in my business’s monthly Privacy Professor Tips messages (sign up for updates of them here).
Keep in mind that artificial intelligence (AI) tools are becoming ubiquitous. If you get any type of request for your money, sensitive data, or for you to urgently perform any other action, stop before you act. Call the purported requestor to see if it was really them who asked you for the information and/or action. This includes calls that very convincingly seem to be from family and friends sounding frantic and claiming that they have been kidnapped, are being held in jail, have been in a car accident, or that some other disaster has occurred. AI tools can sound and look very convincing.
6. Physical security
Often when increasing digital vigilance for security and privacy risks, physical risks get put on the back shelf. Physical security protection is one of the most important, and too often overlooked, types of cybersecurity protection. Many folks confuse physical safety protections with physical security, since the terms security and safety are often used interchangeably. However, specific physical security actions are directly and necessarily responsible for supporting and accomplishing cybersecurity, no matter how counterintuitive that may sound.
You must still physically secure information, and protect your privacy and the privacy of your family, friends and others. This includes keeping information in all forms from being seen and heard. Lack of physical security practices has resulted in hundreds of millions of cyber breaches, allowing unauthorized access to data that would not have been possible if physical security practices had been in place. Computing devices, associated components (hard drives, USB drives, monitors, speakers, etc.) and hard copy items often contain a lot of confidential and sensitive information, such as personal data and intellectual property. Not only can this data be accessed and used for fraud, to gain access into networks, and for other malicious activities, you could also be violating one or more of a large and growing number of personal data protection laws and regulations.
A few key actions to take include:
- Use privacy screens on your phones, tablets, laptops, and monitors to keep others from seeing what you have on your screens. In hundreds of flights and in thousands of work meetings I’ve been able to see way too much information on the screens of others…including on flights where elected officials were working on their computers, with top secret information in large font/size on their screens for everyone passing by to see and possibly record with the click of a photo!
- Configure screensavers to kick in after a reasonable idle period. The more people you have in your vicinity, the shorter the period should be.
- Remove personal information and other confidential information, in any form, from the tops of your desks and other accessible locations whenever any type of work area, in any location, is unattended and unlocked.
- Don't leave your computer unlocked and walk away. I see people doing this with their laptops, tablets and phones all the time while traveling, in restaurants, at conferences and other events, etc.
- Don’t discuss or show confidential, sensitive or personal information in public. Many people provide personal data, often of others, in elevators, lobbies, restaurants, bars, and other public places. I’ve traveled with a notebook over the past 25 years and have documented and filled many of them with such situations, such as when a man speaking very loudly on his phone in an airport boarding gate area gave out the bank account numbers, passwords, social security number, birthdate, address, and other personal information of an ex-girlfriend.
- Lock computing devices, storage devices, confidential papers, and other business artifacts in in-room hotel safes, or take them with you, when leaving hotel rooms, remote meeting rooms, and other areas where unauthorized access and/or use could occur.
- Always be aware of surveillance cameras in the vicinity, which can also record and hear what you are doing and saying.
My team has provided free lists of the types of products and services that you can use to protect your privacy and secure your information. We’ve received a lot of great feedback on them and have been told they are not only helpful, but entertaining. For example, see our “Privacy and Security Gifts” list.
7. Securely Dispose of Hardware, Software, Storage Devices and Print Info.
Don’t forget about security and privacy when you will no longer use a computing or digital storage device, are getting rid of hard copy documents, or are cleaning out offices or homes when moving. These devices and hard copy items often contain a lot of personal information. Not only can this data be accessed and used for fraud, to gain access into networks, and for other malicious activities, you could also be violating one or more of a large and growing number of personal data protection laws and regulations. Here’s a case in point: On February 14, 2024, California Attorney General Rob Bonta announced a $5 million settlement against Quest Diagnostics, Inc., that in large part was for recklessly and insecurely disposing of protected health information (PHI), as defined by the Health Insurance Portability and Accountability Act (HIPAA), whose Security Rule explicitly requires physical security to support the digital security of PHI. Any size and type of organization is subject to such legal fines under a wide range of legal requirements, as well as being subject to civil suits. I’ve served as an Expert Witness in eight cases so far involving testimony about the cybersecurity practices that were, and were not, used. Such legal actions are being brought more often as breaches and privacy violations continue to increase.
Take the following actions before giving away, selling, repurposing, or throwing away computing devices and associated components and storage devices:
a. Decide if you need or want to keep any data on the device. Back it up to a secure (e.g. encrypted) storage device that you have complete control over. I like USB drives that I can then keep local (in my home office), offline (not attached to the internet), and can secure (lock in a safe). If you choose to save to a cloud service, use a service that at a minimum strongly encrypts your data, cannot decrypt your data, and uses MFA.
b. Completely remove all data and apps from computing devices, including phones, when you will no longer use them. Doing a reboot, or restoring to factory defaults alone will not remove everything. Remove the SIM cards, and/or whatever other storage component is used.
c. If you are not sure if all the data and software has been removed, and you are disposing of the device, it’s okay to smash it to pieces to the point where the data cannot be accessed even if reconstruction is attempted. However, you still need to make sure you are safe when doing so (wear work gloves and goggles, etc.), and dispose of any type of electronics using a service where the associated chemicals will not poison the ground or water in landfills.
For even more guidance and tips about these seven actions and many more topics, here are some more of our resources: Visit our webpage; check out our blog; subscribe to our YouTube channel; follow us on LinkedIn.