National Cyber Security Awareness Month is coming up in October. Its goal is to raise awareness about cybersecurity and increase the resiliency of the nation in the event of a cyber-incident. With that in mind, here are five tips for consumers which I hope will spur thinking and discussion about how to protect your digital assets as a business would.
So many of our everyday consumer business processes — finance, healthcare, etc. — are now online. They’ve become de-facto mission critical computing processes. We need them constantly accessible, available and secure.
With the stream of hacking incidents hitting the headlines such as the recent attacks on Home Depot, iCloud, and Target, together with various “credential dumps”, it’s time for consumers to get more serious about how they manage their cyber accounts.
It’s time to treat your electronic assets as a business would. This means understanding your digital footprint, prioritizing your most sensitive assets, implementing higher levels of protection for those assets, getting more disciplined about backups, and having a business continuity / disaster recovery (BC/DR) plan ready to go ahead of time. So here are five tips to help you get started:
1 – Take inventory of your digital footprint
Your digital footprint is large and cannot be erased. While there are emerging features in social media related to disappearing posts where you get to schedule the deletion of your posts in advance, there’s no global delete button that you can press to erase your digital tracks. Any attempt at this would need to be done one web site at a time and would be incredibly difficult, time consuming, and likely only marginally successful.
With your information scattered everywhere, it’s important to think about what valuable information you have where. For example, how many web sites are storing your credit card info? How many have an up-to-date card number and expiration date? Where do you have important documents, files, and videos across the web? You can start by making a list in a spreadsheet and noting the types of sensitive data associated with each site. If there are particular sites that you no longer use, you may also want to delete your account profiles there.
2 – Prioritize your most sensitive accounts
Once you’ve taken inventory and done some housekeeping, you can prioritize the most sensitive accounts and raise your security settings in those key areas to the highest levels available. You can rank your accounts by the sensitivity of the data they hold, such as personal financial information, personal health records and so on. An easy scheme is to classify each site as low, medium, or high according to the sensitivity of the data associated with it.
When making the classification, consider not only the kind of sensitive data involved, such as financial and health information, but also how much damage an attacker could do if that particular account were hacked: accessing the information, altering the data, making fraudulent charges, or even stealing your identity.
3 – Set the strongest possible access control and authentication for these priority accounts
For these priority accounts, go through one by one and elevate your security and privacy settings. This means setting stronger passwords, changing your security questions, moving to higher levels of authentication where available, and higher privacy settings. You’ll also want to change your passwords more frequently for these accounts.
According to Apple blogger, Jonny Evans, when changing your security questions, “the answers just need to be memorable, not accurate”. This will help to prevent incidents like the recent iCloud attack where the responses to the security challenge questions were easily guessed as one component of the overall attack method.
Where available, you should also set two factor authentication (2FA) for applications such as online banking, iCloud and so on. 2FA involves “something you know” (the first factor) and “something you have” (the second factor). The “something you have” is often a verification code that’s sent to your smartphone via SMS. Many new smartphones also offer biometric authentication which is even better since it relies on “something you are” – your unique biometric such as a fingerprint.
4 – Keep up to date with security patches, use caution when providing information online, and back up your data regularly
It’s important to keep your operating system, browser, and other critical software up to date with the latest security patches to minimize threats from viruses and malware, and also limit the amount of personal information you post online. Watch out for retail sites that hide monthly subscriptions in their fine print, so you don’t sign up for more than you bargained for.
The DHS’s Stop.Think.Connect campaign has some good general tips regarding safer online habits. In addition, you’ll want to back up your data on a regular basis, either to an online service, to an offline external storage device, or both. Scheduling the backup to run automatically helps to ensure a regular cadence.
5 – Have your personal “BC/DR” plan ready to go ahead of time
It’s important to keep an eye on your accounts to watch out for suspicious activity. This isn’t just related to bank accounts, but applies to other online services which can be hijacked such as international calling plans with automatic top-ups from your debit card. If the hackers can guess your PIN, they have unlimited calls around the world until you figure out the breach and turn off your automatic top-up setting. If you discover a problem with one of your accounts, it’s important to pay close attention to your other accounts as well.
Just like a business, your personal business continuity / disaster recovery (BC/DR) plan should help you continue your “operations” in the event of an adverse physical event, or if your accounts get compromised via cyber theft. Your plan should help you continue to operate “business as usual” and recover your access. Keep a list of important numbers to call in the event of identity theft and a list of your credit card numbers in case they’re stolen. It’s good to have a paper copy of this information as well as a copy on your smartphone so you can report lost or stolen cards immediately. Of course, don’t keep your PINs with your cards, and don’t create PINs or passwords using information that can be guessed easily.
The good news is that banks are getting far more efficient with remediation. After the Home Depot incident, my bank notified one of my family members right away, and within 24 hours he was able to get a new embossed debit card printed at the local branch a couple of miles away, with no need to wait 5 days or more for the postal service to deliver a new card by mail. This kind of “instant issuance” card printing technology has been around for several years, but it is proving even more valuable for rapid response to cyber-attacks.
Cybersecurity is everyone’s responsibility
In our latest Security Index, we found that credit and debit card fraud topped Americans’ security concerns in 2014, against the recent backdrop of major retail and banking security breaches (Disclaimer: I work for Unisys). We also found that 60 percent said a security breach involving their personal or credit card data would make them less likely to do business at a bank or store they commonly use.
With the rising number of successful attacks against high-profile targets, it’s now not a question of if you’ll get hacked, but when. Cybersecurity is everyone’s responsibility. As I discussed in a prior blog, the nature of the cybersecurity threat is evolving, but many attacks are also successful due to simple lapses in applying common security controls. Businesses can do more to implement robust security practices and so can consumers. There’s no magic fix, of course, but the more safeguards the better.