Passing the Word—Securely

The good news is that the work you are doing is succeeding and making a difference. The message is getting out and people are paying attention to you and what you do. The bad news, of course, is that people are paying attention to you and what you do. All sorts of people, including bad guys.

We live in a fear-based society. Politicians and others use the promise or threat of bad news to drive public response and policy in direction(s) that they deem to be desirable. That is not what we are doing today. My goal isn’t to scare you into action, but instead to try to ensure that you are making informed security decisions.

The only truly secure computer is connected to nothing and accessible by nobody. Obviously this is not a realistic standard, so we are already making the decision to compromise on security. I want you to make good decisions on your way to creating an intentional security protocol.

The first thing is: if you are going to take naked or otherwise compromising pictures of each other, use a camera and don’t upload the photos anywhere!

Now that we’ve got that out of the way, here’s my assessment of the current digital security landscape, and some suggestions about how to best protect yourselves and your organization.

In 2014, according to Experian (a US credit monitoring, reporting, adjudication, and warehousing firm), half of all US organizations experienced some sort of data breach, which was 10% more than in 2013. They forecast further increases for this year. Their expectation is that the most attractive targets are cloud data and digital identities. The Rand Corporation published a report that suggests that social media credentials are becoming more valuable than credit cards because of the greater yield that they make possible!

We all hear about the gigantic data breaches. Last year Target, Home Depot (twice!), Michael’s, JP Morgan Chase, and Staples each experienced breaches that exposed records counted in seven and eight figures. And then there’s Sony Pictures, whose breach wasn’t just the loss of movies, passwords, and personal data. They also lost control over many hardware and software systems that were vital to day to day operations of their businesses. And they still don’t have full control!

Of course you may not be an attractive target for credit card data, or blockbuster movies, but you are still a very attractive target for people or companies who would like to know where your gaze is going to go next, what you have planned, and who may want to silence you digitally. That’s why we are talking today.

Securing Your Digital Identities

We live in a world of passwords and PINs. One of the good things to come from all those data breaches is that we can sift through the records and mine for nuggets such as 2014’s most popular passwords (“123456” and “password” are numbers one and two for the second year in a row), which shows us what to avoid as well as revealing the extent of the problem. If you are using anything like the top 25 change them now!

Avoid using real English-language words. Anything that can be looked up in a dictionary will be broken by a brute-force attack. Simple substitution of numbers for letters (b0w3n, for instance) is also covered by these automated attacks. It used to be enough to be creative, but that is no longer the case. Passwords have to be meaningless, non-pattern based, and unique. For YEARS, I secured everything with the name of the sailboat that won the around the world sailboat race in 1977 and 1981. Not only is such a lapse far too easy to crack, once someone had my CompuServe password, they also knew what to use when trying to log into other services.

More and more sites and/or services now require you to use passwords that are both long (the number of digits) and wide (case-sensitive letters, numbers, special characters, etc.), but they can be ridiculously difficult to keep track of. And if they take seriously the protection of your data, these sites will also require you to change that password regularly.

For far too many people and companies, the response to this is the venerable Post It Note, or bits of paper scattered all over their desks. Crazy, right? But how else will you remember “B8#Ppd@upE” which is rated as “very strong” (scores 93 on passwordmeter.com)? And if you practice good password etiquette, you’ll have an equally difficult one for each site and service that you use. Impossible!

Managing Your Electronic Credentials

Fortunately there’s a great tool that enables you to secure all your user IDs and passwords, serves them up as needed, and even generates passwords according to criteria that you set. It’s called LastPass, and I’ve used it for almost two years and recommend it to all our clients.

The free version of LastPass is enough for most individuals and I urge you to have your friends and family use it. For organizations, though, there’s LastPass Enterprise, which costs US$24/person/year and adds centralized management and data sharing, data breach alerts and smartphone integration. This means no more calls or emails asking “what’s the user ID and password for our GoToMeeting account?”

Securing Your Devices While Out of the Office

We’ve all heard that we shouldn’t go log in to bank and other secure websites while in a hotel or Starbucks, or using any other sort of public Wi-Fi. But sometimes we forget, or are in a big hurry, or figure that it’s probably safe. It’s just not worth the risk, particularly when we can secure our phone, tablet, and laptop through the simple use of a VPN or Virtual Private Network.

Once a VPN connection is set up, ALL the digital traffic sent to and from your device is encrypted, which means that you can connect at will and not be concerned about digital eavesdroppers. The one that we use and recommend is BTGuard which costs $90/user/year.

Summary

By now, you are hopefully convinced to use strong passwords, to store them for ready use, to change them regularly and to use a central management tool. You’re going to make sure you are connected securely while out of the office. Congratulations! You are MILES ahead of 95% of the people out there. But there’s always more: I am happy to talk with you about two factor authentication, biometric security, RFID tags, and anything else you’re interested in.