Best Practices: Security Measures You Shouldn’t Ignore
You’ve probably left your door open while you went to your backyard or checked the mail. Maybe you’ve even made a quick run to the grocery store and didn’t lock your front door. You fall into your daily routine and nothing bad happens, even when you aren’t diligent about securing your home before you leave. But imagine that while you’re out for a quick walk with your dog, someone walks in your house, and takes your credit cards, computer, social security card and the keys to your car all while you weren’t looking.
This may sound unlikely, but when it comes to online security this is essentially what is happening when you ignore basic, vital security settings. It is not outlandish to think that someone can take off with your data quickly and quietly from the comfort of their home while you’re looking the other way.
Making mistakes online is all the easier too. There are lots of simple security best practices that all too easily ignored – lots of “doors to leave open” in the virtual world. Here are four for starters.
Would you like to update?
“Remind me tomorrow” is not an option you should click day after day on that software update notification. Ignoring software updates is something everyone has probably done. You’re too busy to wait for your phone or computer to reboot, and then once it’s back up and running you might have to log back into your accounts. But the reason for software updates is not always to give you a shiny new update, but rather to fix issues you can’t see that make your information vulnerable. A weakness in the software you’re using is a weakness in security.
Knowledge Based Authentication
What exactly is knowledge based authentication (KBA)? It’s a security measure where you are using more than just a password to access your accounts, where (hopefully) secret answers to defined questions are used to identify you. While not foolproof, KBA is a solid way for providers to ensure that it’s really you getting into your account. But there are pitfalls here. Never use answers that could easily be guessed by an attacker. Whether through social engineering or a little good old-fashioned research, the answers you give to these questions should not be easy to discover. Don’t forget you don’t have to answer the question, it just had to remind you what you answered at registration time. My age: 25 – perpetual youth, now there’s a goal. Not every site offers KBA, but when a services does, its important to make sure your secrets really are secret.
Everyone has multiple accounts, from email hosting to bank accounts and social media, it’s not unreasonable that most people end up using the same passwords across sites. Our recent Market Pulse survey shows as many as 65% of people do. This is alarming for obvious reasons, but even more alarming given how many hackers have turned their attention to actively exploiting the human vector. So, in addition to making sure your passwords are strong, you should update them periodically as well. Some sites recommend or even require that you change your password when they sense a security threat or when a breach has happened (like the recent LinkedIn breach, for example), but others rely strictly on you. So implement your own good governance and refresh your passwords as often as practically possible.
Settings are not optional
Every account you have probably has its own customizable account and security settings. Go into those settings and really review and understand what you have in place. Websites and applications are offering more custom security settings, and when site updates happen those security settings can change or even be reset to whatever default settings the site has. Understanding, reviewing and managing application security and privacy settings should be like checking the oil level on a car – expect it to change and make it your job to make sure you don’t run out of oil.
At the end of the day, your data is yours to protect. In the same way you lock your homes and cars to avoid being robbed, you should treat your data the same way. In the same way that dead bolting your door doesn’t mean someone can’t still get in, each layer of protection makes it harder to do and easier to catch before the damage is done.
Like we’ve said many times before – it isn’t if, but when a breach will happen. The goal is to make life hard for hackers, making sure our data is safe. Ultimately, security teams should be enabling businesses (and by default, consumers) versus being in constant damage control mode. Save yourself the grief by being proactive and using best practices for security. Your brand and your sanity will thank you for it.