At the Republican National Convention in Cleveland last year, a security company set up several public Wi-Fi hotspots around Quicken Loans Arena to see exactly how people behaved online. Thousands of users accessed these Wi-Fi hotspots; more than two-thirds had their identities exposed, 10 percent shopped on Amazon or another site and 1 percent accessed banking records.
The company did not keep any of the records. But imagine if a hacker did this.
This test demonstrated the need for good information security, whether for your business or for you as an individual.
Below, I have listed five cyber hygiene tips for both businesses and individuals.
Five “Cyber Hygiene” Tips for Businesses
Businesses are primarily concerned with protecting data they store, including vital proprietary information as well as customer data.
- Understand all the technology touching your network and storing your data — The first step is to develop a complete inventory of all technology that connects to your network or stores company or customer data. The list should include devices — desktops, laptops, smartphones, etc. — as well as any third-party apps — Dropbox, a variety of Android and iPhone apps, PayPal, merchant processors, etc. — your company uses. I mention third parties because so many companies are moving files “to the cloud” for cost savings and convenience. I’m not saying cloud services are bad; we use them at Thompson Burton. Rather, what’s important is to understand how these third parties handle your information and the security measures they employ in doing so. Most of the time, a true understanding of what third parties are doing only comes by way of reading the incredibly monotonous and ever-boring “Terms and Conditions.”
- Encrypt devices so they lock when people use the wrong password — Many laptops and smartphones come with built-in encryption that will prevent any unauthorized access. For someone to decrypt any of your devices, they need the password. If the appropriate security measures are in place, a person entering the wrong password too many times will completely erase the device’s data. For example, an iPhone will erase all data after 10 failed attempts. Using this feature greatly reduces the likelihood that someone can access data if the device is stolen.
- Create an incident response plan — I’m a firm believer in “hope for the best but plan for the worst.” A response plan ensures that everyone knows what to do to keep your business up and running if your company is the victim of a data breach or hack. The plan should account for different degrees of issues. For example, finding malware on your website is very different from the theft of data containing customer Social Security numbers. Many companies never even consider whether they must follow the data breach notification requirements specific to each victim’s state.
- Back up data regularly and have a parallel business plan — Here’s a question: What would happen to your business if employees could not access their electronic files or connect to the company network for a week? Most businesses would struggle — and some might even cease to exist. This is likely to happen if you have a data breach serious enough to require the involvement of law enforcement. What happens if law enforcement requires your business to turn over control of and access to its data and network for the entirety of the investigation? This is admittedly a worst-case scenario, but a backup of your network and its data helps you avoid this potential nightmare.
- Have outside legal counsel on call when a breach occurs — Contacting an attorney as soon as you realize a breach has occurred provides you some additional protection should litigation arise. For example, an attorney’s involvement in the decision to engage a security consultant helps reduce the likelihood that the consultant’s work will be discoverable in litigation. An attorney can also help you navigate the maze of federal, state and industry laws applicable to your case.
Five “Cyber Hygiene” Tips for Individuals
For individuals, the primary concern is protecting one’s privacy from hackers.
- Stop using easy passwords and writing down your passwords — It’s impossible to live without passwords. I encourage my clients to use password software, such as LastPass or 1Password, to store all passwords in one place so you don’t have to try to remember all of them. You only have to remember one master password for your password software instead of memorizing complicated passwords for each online account. I also recommend creating strong passwords for your email, online banking accounts and social media accounts.
- Change the password and login when you buy new devices for your home — Many new devices that you buy for your home connect to your Wi-Fi network. These devices ship with default usernames and passwords — e.g. admin and 1234 — that are widely known; hackers use them to access the devices and possibly your Wi-Fi. Changing the defaults provides you with an extra level of protection.
- Use multi-factor authentication for important data — Multi-factor authentication (MFA) is a two-step process where you log in with your password and then enter an additional code sent via text to your phone. The only way someone could break into an account with MFA enabled is by having your password and the device that receives the additional code at the same time. That is highly unlikely. I recommend using MFA if possible for the data you want to protect most, such as financial records, email, etc.
- Know when to use and not use public Wi-Fi — Public Wi-Fi, like the example I mentioned above, is convenient but also one of the biggest threats to personal privacy and data exposure. A decent hacker can watch what you are doing on public Wi-Fi and even find ways to copy the passwords you use. It’s fine to visit news or sports websites while on public Wi-Fi, but you never want to access any website that requires more invasive information like usernames or passwords. The use of free Wi-Fi opens you up to a world of potential hacking vulnerabilities.
- Update software with security patches — Google, Microsoft, Apple, Facebook and all technology companies invest massive amounts of money toward the protection of their customers’ information security. Those companies cannot do their jobs if users fail to update their software with the latest security patches. It’s easy to turn on automatic updates so your devices update whenever a new patch is released.
For the best “cyber hygiene” practices and legal updates on relevant privacy and data protection topics, you can follow Thomas on Twitter at twitter.com/cybersecureatty.