There is much that is written about cybersecurity threats to companies. Prominent examples of security breaches like the one that Target announced on December 19, 2013 have led myriad companies to re-evaluate their security posture, and investments in new security processes and technologies have increased in many companies as a result.
The complexity of security threats to individuals has also increased, but no individual cybersecurity issue will receive the headlines that corporate breach will, so one can be lulled into a false sense of security. I sought the counsel of four CEOs of major information security companies to ask them what steps they take personally to secure their information and their computing devices. They offered the following five recommendations.
Manage Your Passwords Wisely
All four CEOs highlighted the need to more actively manage one’s passwords. Dov Yoran, the CEO of ThreatGRID, says, “Use complex passwords and pass codes, and change the important ones regularly, and don’t share your passwords or devices with anyone.” Andre Durand, the CEO of Ping Identity, says of ones mobile computing, “Put a PIN on it. When so much hinges off our phones, protecting it against trivial breach is critical and easy.” David Ulevitch, the CEO of OpenDNS says that it is also important to use two-factor authentication, which is an approach to authentication which requires the presentation of two of the three independent authentication factors: a knowledge factor (“something only the user knows”), a possession factor (“something only the user has”), and an inherence factor (“something only the user is”). After presentation, each factor must be validated by the other party for authentication to occur. He says, “Two-factor authentication will create another step of identification verification, which is another hoop any potential attacker has to go through to get to your data.”
Enable Remote Tracking and Wiping Capability for Your Devices
Andrew Hoog, the CEO of Viaforensics, says, “Enable the ability to remotely track and wipe your mobile device. Android and iOS have baked these features into their mobile OS’s – Android’s device manager and iOS’ Find my iPhone settings allow you to login and remotely lock, track, or wipe your phone from anywhere in the world.” He notes that it is one thing to take on faith that this capability will work well, but it is another to test it. Just as many companies have disaster recovery plans on paper, but do not know for sure if they will work due to a lack of testing, Hoog suggests going the extra mile.
Do Not Blindly Trust Just Any Network Connection
There was near universal agreement that one should be careful with network connection. Hoog expressed the general consensus when he noted, “Avoid open Wi-Fi.” He goes on to say, “Many public Wi-Fi connections are unsecured, sending unencrypted traffic and leaving you vulnerable to man-in-the-middle attacks. Use only trusted, secure connections.” Durand notes that one should make sure that when one browses on the internet, that one should ensure that connections use the “https” communication protocol. He notes, “The ‘S’ means ‘safe’. Let the browser help you identify safe sites by paying attention to its warnings.” He also say that it is important not to allow automatic connections to networks. “Allowing automatic Wi-Fi connections can get your device connected to a different (and possibly malicious) router with the same name, like ‘Free Airport Wi-Fi’.”
Distrust Incoming email by Default
This security panel also noted that a high percentage of breaches come through lackadaisical use of email. Durand notes, “Specifically, don’t click on any links within an email until you are sure the email is valid.” Yoran also suggests, “Switch off automatic download of images and opening of file attachments.” Ulevitch says, “Social engineering is a tactic employed by bad actors to get information or access to your system, and can happen via email – one popular method is sending a personalized message with a malicious attachment.” He notes that one should avoid clicking on anything sent by someone whose identity isn’t verified. He recommends that one should “use directions in the email to navigate to where you need to go. While it’s not fast or convenient, compared to the time it takes to clean your machine after it’s been infected, it’s worth doing.”
Pay Attention to the Apps You Download, and Keep Those You Do Current
As apps have proliferated, users have been less careful about what they download and how they download. Durand recommends that individuals read the permissions of apps more completely. “More importantly, the corollary – if the permissions the app is asking for seem incompatible with the function of the app, don’t install it,” he says. Hoog suggests that we uninstall what he refers to as “leaky apps.” He notes, “The biggest threat to your data is leaky, insecure apps. There are millions of apps in the Google Play and Apple App stores, and many of these apps request – and are granted – permission to personal data, including GPS / location data, IMEI information, contacts, SMS messages, and more. Even worse, much of the data they aggregate and capture is sent insecurely from your device to unknown servers all over the world.” Related to this, he also says to avoid unofficial app stores, as a majority of apps that contain malware reside on third party app stores. Yoran urges users to keep all software patched to ensure that the updates to software’s own security will be up-to-date, and security holes will be plugged. Ulevitch agrees, noting, “In addition to backing up your data regularly, keeping your software updated is essential. Most malware, even those used in advanced attacks, exploit known vulnerabilities. Vendors issue patches regularly, and keeping software up to date ensures these patches are applied.” Yoran recommends that users leverage security protection tools such as anti-virus, firewalls, and host-based intrusion detection system (HIDS), which are intrusion detection systems that monitor computing devices.
Each of these executives noted that we all need to realize that any individual can be an attractive target to hackers. Ulevitch urges, “Don’t ever say “It won’t happen to me,” because it can, and chances are, it will. Knowing this, and acting accordingly, is the first step to practicing good personal security.”
Peter High is President of Metis Strategy, a business and IT advisory firm. He is the author of World Class IT: Why Businesses Succeed When IT Triumphs and the upcoming Implementing World Class IT Strategy (Wiley Press, September 2014). He also moderates the Forum on World Class IT podcast series. Follow him on Twitter @WorldClassIT.