In the first six months of 2017, there were an average of 122 records breached per second. If this statistic isn't sobering enough, the recently disclosed breaches at Equifax and Yahoo are stark reminders that security is hard, and we aren't effectively stopping the bad guys.
You may be wondering why the threats persist despite the advancements we've made in cybersecurity. In short, it's because securing information is hard. The dynamics of product development only compound this. First and foremost, companies are focused on making sure their products will succeed in the marketplace. Security features are often an afterthought, and adding them later on is much harder than baking them in from the beginning.
Of course, applications and users have also moved outside the traditional firewall. The notion of a perimeter no longer exists, making it more difficult than ever before to manage access and protect data.
But all is not lost in the fight against cybercriminals. Here are four surprisingly simple things that you can do to protect your identity and stay a step ahead of hackers. They'll not only go a long way toward protecting individuals, but they'll protect your enterprise as well.
Turn on Multi-factor Authentication Everywhere
The first thing you can do to shore up security is enable multi-factor authentication (MFA). When you log into your email account or a web-based or mobile service, you have to enter your username and password. Your password is just one way to verify your identity. MFA prompts you to provide an additional factor to prove you're who you say you are.
This additional factor must be something that you know, have or are. Because almost everyone has a mobile phone, your phone is a commonly used additional factor. To prove you are who you say you are, you might receive an SMS text message with a unique code that you must enter to complete login. Or you might have to download an application on your phone that prompts you to verify your login attempts.
Put simply, when you enable multi-factor authentication, you add a layer of protection against password theft. Even if someone steals your password, they can't complete login without control of your phone. Of course, this adds a step for you, too, but those few seconds are a small sacrifice compared to the many hours and weeks you'd spend recovering from identity theft.
Many services--including Facebook, Google/Gmail, your bank and plenty of others--provide optional MFA, often called two-step authentication, and you may not even be aware of it. I suggest enabling it wherever you can, but at the very least, do so on your email account, since it is the hub of your online identity.
Delete, Delete, Delete
Once you've enabled MFA on your email account, put on your hacker hat for a moment. If a hacker were to break into your email, what would they find? What information do you have stored in obvious and not so obvious places in your email account and folders? Kind of scary, right?
The good news is that hackers probably aren't there yet. Use the time you have right now to start deleting anything that you wouldn't want in the hands of a stranger. Pay particular attention to emails and documents containing sensitive information, like bank statements, tax returns and anything else that could make it easier for a hacker to get access to your financial and business accounts. While you're at it, make sure you delete any incriminating photographs, too.
Don't - I Repeat Do NOT - Reuse Passwords
Thinking like a hacker means understanding how hackers work. A criminal isn't happy with just one hit, and hackers are just a particular breed of criminal. Once they have your password, they try it everywhere. Reusing passwords is how the breach of some minor service you forgot about (that stamp collecting website that had no security on it) can become a breach of your banking information.
Many of the biggest data breaches--like the ubiquitous Yahoo breach, with a potential impact in the billions, and the LinkedIn breach, which affected more than 100 million people--are exacerbated by password reuse. Think about it like this. Let's say you use the same password for your Yahoo account that you use for an ecommerce site. Due to one of the recent breaches, your password falls into the hands of hackers. These attackers have automated tools that will run your username and password combination against hundreds of popular websites. All it takes is one hit, and they can be shopping on your dime.
Now imagine you also use this same password for your checking account and your credit card account. You can see how the damage spreads. I know you hate trying to remember all of those different passwords. But don't let this cause you to resort to reusing the same ones over and over. You don't want that one piece of information to be the key that unlocks everything.
Use Passphrases, Not Passwords
Switching to passphrases, instead of passwords, is the perfect way to address the memorizing piece, plus strengthen security. While we've been trained to create eight-character passwords that maybe have a number and a special character, they're notoriously hard to remember and increasingly easy to crack. They were a step in the right direction at the time, but modern security practices are moving toward passphrases.
A passphrase is a few words that you string together. An example might be a favorite quote or song lyric. Or something that your mom used to say to you. It doesn't need to be a complete sentence, but it should be something that you can remember, and it should be longer than 14 characters. The key is that it means something to you, but means nothing to a hacker.
Unlike a password, a passphrase can contain spaces in between words. It can also contain symbols or special characters. The primary difference is that a passphrase is longer and more meaningful (and therefore easier for you to remember) than a shorter, but random string of letters, numbers and symbols. This also makes it significantly harder for a human or robot to crack.
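An added example, not part of the original article: a small Python audit of a password-manager export that flags the two problems described in the last two sections, secrets reused across accounts and secrets that are not longer than 14 characters. The account names and secrets are constructed sample data, and the function names are illustrative.

```python
import hashlib
from collections import defaultdict

MIN_LENGTH = 15  # the article asks for passphrases "longer than 14 characters"

# Constructed sample data: (account, secret) pairs as they might appear in a
# password-manager export. None of these are real credentials.
SAMPLE_VAULT = [
    ("yahoo-mail", "Tr0ub4d&r"),
    ("stamp-forum", "Tr0ub4d&r"),
    ("bank", "my mom said eat your peas first"),
    ("shop", "P@ssw0rd"),
    ("credit-card", "Tr0ub4d&r"),
]


def fingerprint(secret):
    """Hash a secret so the report can group accounts without echoing plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def audit(vault, min_length=MIN_LENGTH):
    """Return groups of accounts sharing one secret, and accounts with short secrets."""
    by_secret = defaultdict(list)
    too_short = []
    for account, secret in vault:
        by_secret[fingerprint(secret)].append(account)
        if len(secret) < min_length:
            too_short.append(account)
    reused = sorted(sorted(accts) for accts in by_secret.values() if len(accts) > 1)
    return {"reused": reused, "too_short": sorted(too_short)}


def blast_radius(vault, breached_account):
    """List the other accounts exposed if breached_account's secret leaks."""
    leaked = {a: fingerprint(s) for a, s in vault}[breached_account]
    return sorted(a for a, s in vault
                  if fingerprint(s) == leaked and a != breached_account)


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for group in report["reused"]:
        print("Same secret on:", ", ".join(group))
    print("Not longer than 14 characters:", ", ".join(report["too_short"]))
    print("A stamp-forum breach also exposes:",
          ", ".join(blast_radius(SAMPLE_VAULT, "stamp-forum")))
```

In the sample data, a breach of the minor stamp-forum account also exposes the mail and credit-card accounts, while the bank account with its own long passphrase is unaffected.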
While I could certainly add to this list, these four steps are a great start for anyone who wants to reduce exposure to identity theft. If you haven't already shared these best practices with your employees and partners, that's a perfect next step for you.