In an age where so much of our lives are conducted online, we must all take digital security seriously. The 2017 Equifax breach of data on 143 million consumers and the 2019 Capital One breach of data on 105 million customers were wake-up calls for all of us. Data breaches and hacked accounts are alarmingly commonplace, and the consequences of having your identity stolen can be catastrophic.
If you’re curious about how easily you can be hacked, listen to this fantastic two-part series on Gimlet Media’s excellent Reply All podcast:
- Episode 91: The Russian Passenger – “Somewhere in Russia, a man calls for a car. Somewhere in New York City, a stranger’s phone buzzes.”
- Episode 93: Beware All – “This week, we discover who was actually behind the hack of Alex Blumberg’s Uber account.”
While I’m not an information security expert – I’m a business plan consultant – I’ve always made security a high priority and I’ve learned a few things along the way. I originally started writing this as a tip sheet for the people who work at Cayenne Consulting, but as it evolved, I decided to share it with the world as a blog post.
Below are 27 tips on how to safeguard your identity and your data:
- Update Software. Software publishers make frequent updates to patch security flaws, fix bugs, and improve features. Be sure to keep your operating system, software, and mobile apps updated regularly. Where available, enable automatic updates. Here are some tips for Windows, Mac, iOS, and Android.
- Antivirus & Firewall. Enable your firewall and antivirus. A former Mozilla engineer advises Windows users to use the built-in Windows Defender antivirus instead of third-party programs like Norton or Avast. If you are a Mac user, this article offers tips for securing your system. Think twice before choosing Kaspersky antivirus, which is thought to be linked to a Russian spy agency.
- Passwords & Password Managers. Short, weak passwords, especially if you use the same password on multiple websites, make you extremely vulnerable (did you listen to the podcasts above?). Use a password keeper like LastPass or 1Password. These tools enable you to have a long, unique, strong password like [email protected]$u6#5$$s^[email protected] for each website. You only need to remember your master password, and the password manager remembers all your other logins. And since the services are cloud-based, once you have an account, you can use it on your desktop’s browser, phone, and tablet. When selecting a master password for your password manager, bear in mind that the length of a password is more important than using hard-to-remember sequences.
Passwords are like underwear. Don't leave them out where people can see them, change them regularly, and don't loan 'em out.
— Chris Pirillo (@ChrisPirillo) July 30, 2007
- Two-Factor Authentication. Consider using two-factor authentication for your most sensitive accounts: email, banking, social media, sites that have your credit card data, etc. Two-factor means you need more than just a password to access a site – you need a second factor, such as a code sent by text or email, or a code generated by a mobile app like Google Authenticator. While two-factor authentication isn’t foolproof, it’s vastly better than a password alone.
- HTTPS Encryption. Make sure sites are using HTTPS, especially if you are submitting or accessing sensitive personal information. When using HTTPS (web pages that begin with “https:” instead of just “http:”), web pages should display a green padlock to the left of the address bar on your browser. HTTPS encrypts all interactions between your browser and the server, making it almost impossible for hackers to intercept your data. Consider installing the HTTPS Everywhere extension on your browser to ensure HTTPS is enabled by default wherever possible.
- Suspicious Links & Attachments. Hopefully you know by now not to click links or open attachments from unknown senders, as this can easily lead to viruses or other types of malware infecting your device. Some links can also lead to a “phishing” site: a website that looks like a legitimate site like gmail.com, but is, in fact, a fake site designed to trick you into providing your User ID and password. An example might be “grnail.com” – notice that the second and third letters are “r” and “n” which, taken together, look like an “m” – this could easily fool people into thinking they are logging into their Gmail account.
- Spoofed Emails. Beware of “spoofed” emails that appear to be from somebody you know, but are really coming from a scammer. Most spoofed emails are obvious fakes, but some might appear almost legit. Don’t fall for the CEO wire transfer scam. If the sender is asking for sensitive information or money, get them on the phone to determine if the request is real or fake.
- Unsubscribe vs. Spam. Lots of emails have an “unsubscribe” link at the bottom. If the email is from a legitimate source (like a company you have purchased from, or a newsletter you subscribed to), feel free to click to unsubscribe. However, if you really don’t know the sender, it’s often better to flag the message as spam. Otherwise, you’re just alerting the sender to the fact that your email address is a valid target for further spamming.
- Go Incognito. When using a browser on a public computer, browse in “Private” or “Incognito” mode. In Microsoft Edge or Firefox, press Ctrl-Shift-P. In Chrome, press Ctrl-Shift-B. In Opera, press Ctrl-Shift-N. In Safari, check here. This will ensure that cookies and browser history are deleted when you close the browser, and that you are logged out of any active sessions. Even with this precaution, avoid public computers for anything sensitive (like accessing your bank account or logging into your password keeper) because it’s possible that a malicious person could have installed a keystroke logger (or some other hack that can compromise your security).
- Have You Been Pwned? Periodically check https://haveibeenpwned.com/ to see if an online account associated with your email address has been compromised in a data breach. If you have been pwned, change the password for the breached site and for any other site on which you use the same password (of course, you now know that using the same password on multiple sites is poor practice). What you do next depends on factors you can read about here.
- Social Media Settings. Periodically review your privacy and security settings on social media sites. Here are links for learning about privacy and security on Facebook, Twitter, LinkedIn, and Instagram.
- Social Logins. If you use your social media or other accounts to log into other accounts (e.g., when a site or app asks “Create an account or sign in with Facebook”), periodically review which sites are connected to your social accounts and remove sites you no longer need.
- Close Accounts & Uninstall. Uninstall apps you no longer use. If the app required you to create an account, remember to close/delete the account first so that your information isn’t exposed if the service provider is hacked.
- Beware Flash Drives. Never insert a USB flash drive into your computer unless you are 100% certain it is free of malware. This means you’re aware of everything that has been done to the flash drive since it was removed from its packaging. Even flash drives received from a trusted source might not be safe.
- Track Your Hardware. Use an anti-theft product like Prey to keep track of all of your devices. If your device is lost or stolen, Prey will geolocate your device and will capture photos or screen shots to help you recover it. If your device can’t be recovered, you can remotely wipe sensitive data or lock down the device.
- Public Wi-Fi. Avoid unknown Wi-Fi networks. If you do connect to an unknown network (say, at a hotel, restaurant, or airport) then consider using a virtual private network, or VPN. That “Free LAX Airport Wifi” could actually be a fake network that can intercept data using a “man-in-the-middle” attack.
- Be Anonymous. A VPN isn’t just for public Wi-Fi networks. You can use it at home and at work so that your Internet service provider cannot monitor your activities. It will also prevent the sites you visit from logging your true IP address. If you need an even more secure browsing tool, consider using the Tor Browser.
- Temporary Email. Consider using a temporary, “burner” email address from a service like 10minuteemail.com when you need to provide an email address to access an online resource.
- Back Up Your Computer. Back everything up using Dropbox (which can synchronize files among multiple devices) or one of the many other cloud backup solutions.
- Have a Restoration Plan. Be prepared to restore all your software and data from scratch in case your computer becomes unusable due to damage, theft, or ransomware. Keep the installation CDs handy or know where you can re-download new licensed copies to replace the one you lost. Use a cloud-based service like Evernote or Notes on iCloud to store a list of all of your purchased software, software license keys, and other info you’ll need to rebuild a new computer from scratch.
- Back Up Your Phone & Tablet. Back up your phone regularly, preferably to the cloud. Here are some tips for Android and Apple
- Freeze Your Credit Reports. Consider putting security freezes on your credit reports. This makes it more difficult for identity thieves to open new accounts in your name.
- Protect Personal Information. Never give out personal information to a caller (or emailer) you don’t know – especially things like passwords, account numbers, your SSN, etc. Robocallers are perpetuating an ever-increasing volume of fraud.
- Monitor Your Credit. Consider signing up for a service like com to monitor your credit ratings, large changes to your credit card balances, etc.
- Review Your Statements. Review your bank and credit card statements monthly to make sure there are no unauthorized charges.
- Minimize Stored Credit Cards. Don’t store credit card numbers with ecommerce sites you don’t do business with regularly. If you make frequent purchases from well-established sites like Amazon, Expedia, and Lyft, it should be reasonably safe to store your credit cards on their sites.
- Virtual Credit Card Numbers. Consider using a virtual credit card number when making a one-time purchase from an online retailer you’ve never interacted with before.
This isn’t a comprehensive list, of course. And I don’t claim to be a security expert. As a rule, you need to use common sense and good judgment, stay on top of new security issues as they arise (both digital and offline), and keep your guard up. Stay safe out there!