Author: Zak Lodhi
Hacking has become a common event in our lives, and long gone are the days when the hacker was a lone wolf attacking systems just to see whether they could. Hacking is big business and is also being leveraged as a political tool by hostile foreign nations. There are several interesting statistics posted by the National Institute of Standards and Technology in 2020 [1].
10% of small businesses that had a breach were forced to shut down. [1]
88% of small business owners feel that their business is vulnerable to cyberattack. [1]
Ransomware is the #1 threat to small business, and the average ransomware payment has been going up: as of February 2020 the average ransom was $41,198. [1]
It is forecast that by 2021 cybercrime will cost the world over $6 trillion. [1]
Trying to protect yourself in a world of such hostility can seem overwhelming, and until recently many online institutions did not even offer basic means of protection beyond a simple password. What makes this even more intimidating is that, through no fault of your own, your data may be compromised anywhere from a government agency breach to the ubiquitous tech giants who have mastered collecting and harvesting all of the data they can. This doesn't mean you should ignore these threats; instead, become aware that they exist and protect yourself accordingly.
The first thing to consider is the password you use. That sentence alone should be cause for alarm, as you should not have just one password that you use across all of your services and devices. If any one of those services is compromised and the attacker obtains that password, every other account where you reused it is exposed. Since most people also use their email address as their username, the attacker doesn't need to crack anything: they take the leaked email-and-password pair and try it against every other service (credential stuffing). Good passwords are long. The longer the better, and if the password also uses a mix of character types it will be harder still to break.
I can already hear the groaning! "What do you mean? I already have more passwords than I can remember!" The little secret is that you don't have to remember them all. Using a password manager to keep your passwords in a central and secure location bridges the gap and lets each of your services have its own unique, long, and complex password; the only one you need to memorize is the strong master password that unlocks the manager. There are many password managers out there, some with the ability to auto-populate web forms; Roboform, KeePass, and LastPass are a few.
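To put numbers on "longer is better" and show what a password manager does behind the scenes, here is an added example (not code from the article, and not how any of the managers named above are implemented). It draws one independent password per service from the operating system's cryptographic random source and computes the entropy of several common password shapes; the service names are placeholders, and the 7776-word diceware list size is quoted rather than embedded.

```python
import math
import secrets
import string

# Constructed list of services for the demonstration; the names are placeholders.
SERVICES = ["bank.example", "mail.example", "shop.example", "social.example"]

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
LOWERCASE_ALPHABET = string.ascii_lowercase                                 # 26 symbols
DICEWARE_LIST_SIZE = 7776  # size of a standard diceware word list (6 ** 5)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet size)."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("length must be >= 1 and alphabet_size >= 2")
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets), never the random module."""
    if length < 1:
        raise ValueError("length must be >= 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unique_passwords(services, length: int = 20) -> dict:
    """One independent password per service, the way a password manager would generate them."""
    return {service: generate_password(length) for service in services}


def compare_policies() -> dict:
    """Entropy of several common password shapes, to show that length beats complexity."""
    return {
        "8 chars, full keyboard": entropy_bits(8, len(FULL_ALPHABET)),
        "12 chars, full keyboard": entropy_bits(12, len(FULL_ALPHABET)),
        "20 chars, lowercase only": entropy_bits(20, len(LOWERCASE_ALPHABET)),
        "6 diceware words": entropy_bits(6, DICEWARE_LIST_SIZE),
    }


if __name__ == "__main__":
    for service, pw in unique_passwords(SERVICES).items():
        print(f"{service:15} {pw}")
    for policy, bits in compare_policies().items():
        print(f"{policy:26} {bits:6.1f} bits")
```

Twenty lowercase letters (about 94 bits) beat twelve characters drawn from the whole keyboard (about 79 bits), and six random dictionary words come close to the latter while being far easier to type. The entropy figures only hold when the password is chosen uniformly at random, which is why the generator uses `secrets` and why a human-chosen "complex" password of the same length is usually much weaker than the formula suggests.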
The next line of defense for your online accounts is a second barrier to logging in, in the form of Two-Factor (2FA) or Multi-Factor Authentication (MFA); in everyday use the two terms are interchangeable. Many services have begun to require it, and I'm still surprised at how many online institutions don't offer any way to enable MFA. MFA requires something beyond the password to complete a login: for example, after you enter your password, the system sends a text message with a code that you then have to enter to finish signing in. Texts can be intercepted or redirected (for example by a SIM-swap attack that moves your phone number to the attacker's device), so they are not the preferred method for MFA, but they are absolutely better than nothing, and where that is all that is offered, it should definitely be enabled. Preferred MFA solutions are a dedicated hardware token such as a YubiKey or an app such as Google Authenticator or Microsoft Authenticator. Without becoming overly complex, Google Authenticator works in so many situations that it is my preferred solution when it is available; otherwise MFA by text message is a viable alternative.
So, you now have a good, strong, and unique password for each account and are using MFA; you are out of the woods, right? Wrong! If you think like a hacker, there MUST be a way around all of these security mechanisms, right? Yes, there is. If you want to know the biggest hole in your armor, it's you. Do you send important information in plain-text emails? When was the last time you sent a username and password in an email or text message? Setting aside the fact that the email could be intercepted in transit, your "Sent Items" folder, and your email in general, is a treasure trove of information about you: how you communicate, what you communicate, and what you have access to. When you need to recover account information (even for an account secured by a strong password and MFA), most systems do so by sending a verification link or code to your email address. If your email account is ever exposed or accessed by a malicious entity, the attacker can use those recovery flows to take over your other accounts one by one, with you none the wiser. Treating your email account as one of the most critical services you use is essential to protecting yourself. The next time someone calls you out of the blue offering to help, or you receive an email requesting information, ask yourself: "How can this be used against me?"
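A practical way to see what an attacker would find in your mailbox is to audit an export of it yourself. The script below is an added example written for this article, not code from the author; it parses a handful of constructed messages (placeholder addresses and a placeholder password, standing in for an exported "Sent Items" folder), flags lines that spell out a credential, redacts the value so the report doesn't copy it again, and separately flags account-recovery traffic, which is exactly what someone holding the mailbox would replay against your other accounts.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages standing in for an exported "Sent Items" folder.
# The addresses, the account name and the password are placeholders, not real data.
SAMPLE_MESSAGES = [
    """From: me@example.com
To: colleague@example.com
Subject: VPN details
Content-Type: text/plain; charset=utf-8

Here you go: username vpnuser, password: Hunter2!
""",
    """From: me@example.com
To: friend@example.com
Subject: Lunch

Tuesday works for me.
""",
    """From: noreply@bank.example
To: me@example.com
Subject: Reset your password

Click the link below to reset your password.
""",
]

# A credential written out next to a label such as "password:" or "api_key=".
CREDENTIAL = re.compile(
    r"\b(password|passwd|pwd|passcode|api[_-]?key|secret|token)\s*[:=]\s*(\S+)", re.I)
# Account-recovery traffic: anyone holding this mailbox can replay these flows.
RECOVERY = re.compile(r"\b(reset|recover|recovery|verification code)\b", re.I)


def body_text(msg: Message) -> str:
    """Return the plain-text body, walking multipart messages if necessary."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def audit_messages(raw_messages) -> list:
    """Flag each message that leaks a credential or belongs to an account-recovery flow.
    Credential values are redacted in the report so the audit does not copy them again."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = msg.get("Subject", "")
        for line in [subject] + body_text(msg).splitlines():
            if CREDENTIAL.search(line):
                findings.append({"subject": subject, "reason": "credential",
                                 "line": CREDENTIAL.sub(r"\1: [REDACTED]", line)})
                break
            if RECOVERY.search(line):
                findings.append({"subject": subject, "reason": "account-recovery", "line": line})
                break
    return findings


if __name__ == "__main__":
    for f in audit_messages(SAMPLE_MESSAGES):
        print(f"[{f['reason']:16}] {f['subject']!r}: {f['line']}")
```

To run this over a real mailbox, feed it the messages from an mbox or Maildir export (Python's `mailbox` module yields the same `Message` objects). Every credential hit is a password to rotate and a conversation to move to a password manager's sharing feature; every recovery hit is a reminder that the mailbox itself needs the strongest password and MFA of all your accounts.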
Given how much our civilization has come to depend on digital communication, securing the means by which we communicate is paramount. Never having any of your accounts hacked or otherwise compromised is a tall order in this age. We are constantly under assault, and it doesn't matter if you repel an attack 999 times out of 1000; one oversight or failure on your part is enough for you to be victimized, and it only has to happen once for massive damage to your business, finances, or reputation. Even under constant attack, doing everything you can to prevent a compromise in the first place is critical, and reducing your attack surface ahead of time limits the damage a compromise can cause if one does happen.