Since 2007 in Europe and 2009 here in the United States, the 28th of January has been observed as a day to consider just how critical it is to protect our own personal information, as well as the sensitive data held by an organization. It is a relatively new observance; the impetus for this “holiday” was the emergence of social media as a centralized and pervasive means of sharing data.
Here at DGC, we help organizations of all sizes understand their data privacy requirements, and identify and address risks to the confidentiality, integrity, and availability of their data. We would like to take a step back and review some best practices that individuals should consider applying in their daily lives to protect their own personal information. The following top three privacy considerations for individuals can also be (and should be) implemented at the organizational level to protect a company’s assets from the risks associated with identity theft and data breaches.
Unfortunately, it’s safe to assume that some of your own personal information is already out there, potentially in the hands of identity thieves. The now notorious breach suffered by Equifax exposed names, addresses, dates of birth, Social Security numbers, and driver’s license numbers of up to 40% of the entire United States population. Combined with the multitude of other historic and ongoing breaches, it’s a safe bet that at least some of your information is exposed already. This type of personally identifiable information, trafficked by hackers on the dark web and underground forums, is all that is needed to steal someone’s identity. Identity theft often results in lines of credit being opened in the name of the individual whose data was compromised; for example, thieves may open new credit cards.
To stop these thieves in their tracks, the best defense is to simply freeze your credit reports. All three major credit reporting bureaus offer the ability to “freeze” your credit report, meaning it cannot be requested or reviewed without your explicit consent. Once frozen, no new lines of credit can be extended, as any new line of credit requires a credit report inquiry. Freezing one’s credit puts the power back in the hands of the individual, even if certain personal data has already been compromised.
In the business world, the equivalent of this risk of identity theft is the risk of fraud. Just as thieves open illicit lines of credit on an individual’s behalf, organizations face the risk of wire transfer fraud and business email fraud. To combat this, organizations should implement best practices around their financial processes, procedures, and accounts, for example, ACH Positive Pay.
Common sense dictates that one of the best ways to ensure that your financial, social media and e-commerce accounts cannot be accessed by attackers is to use very long and complex passwords. Additionally, it is critical that we don’t reuse the same password across multiple sites and services. This is because a breach of one organization that you use can affect your other accounts as well if you reuse the same password.
However, this “common sense approach” creates a real-world problem: password management. No one can be expected to remember dozens and dozens of unique, long, complex passwords. As a result, people end up either reusing the same password across most sites and services or keeping a local file on their computer that lists all of their passwords. Neither of these approaches promotes effective information security.
In this case, the best bet is to leverage a personal password manager, such as LastPass, KeePass, or 1Password, among others. These tools allow you to create unique, arbitrarily long, and arbitrarily complex passwords that you don’t even need to remember! All you need to remember is the password to the password manager itself. While the use of such a tool may create a potential “single point of failure,” the information security industry agrees that this approach represents the lesser of two evils. It’s better to securely store and manage all passwords than it is to rely on a single password for all sites and services.
These same types of tools can be implemented at the organizational level to help manage the myriad of passwords, passcodes, encryption keys, and other sensitive information that an organization needs to manage securely in order to promote effective information security.
While a password manager will absolutely enhance any individual’s approach to their personal information security, we cannot overlook the inevitability that at least one of our passwords will be compromised. People may fall victim to phishing attacks, in which a person is tricked into submitting their username and password into a “fake” login page. Once submitted, the attacker has your password. Alternatively, one of the organizations that you do business with may be hacked, leading to the disclosure of your login credentials. How can we protect ourselves when the attacker already has our password?
The solution to this dilemma is multi-factor authentication. While no solution can prevent 100% of attacks or identity theft, multifactor authentication is likely the single most powerful tool individuals and organizations alike have against hackers. When a service or website requires multifactor authentication, a password alone is not enough to gain access to an account. Access to the account will also require something you have or something you are. Examples of something you have would include a one-time code sent by text message to your cell phone or a PIN code generated by an authenticator app. Something you are would include biometric authentication (e.g., a fingerprint). Therefore, when an attacker attempts to log into your banking application using your password, they will still need to provide an additional layer of authentication. And without having direct access to your cellphone, or your fingerprint, they will be out of luck.
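To make the “something you have” factor concrete, here is an added example (not code from DGC or from any product named in this article) of how a service verifies the six-digit code an authenticator app generates. It implements the standard TOTP algorithm (RFC 6238, HMAC-SHA1 over a 30-second time step) and shows that a correct password with a wrong or missing code is rejected; the shared secret and salt are constructed demo values, the secret being the published RFC test-vector key.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed demo value: the RFC 6238 test-vector key, not a real user's secret.
DEMO_SECRET = b"12345678901234567890"


def generate_secret() -> str:
    """Create a fresh 160-bit shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or its immediate neighbours (phone clock skew).
    compare_digest keeps the comparison constant-time so timing does not leak matched digits."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), candidate)
        for delta in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted PBKDF2 hash; the plaintext password is never kept server-side."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def login(stored_hash: bytes, salt: bytes, submitted_password: str,
          secret: bytes, submitted_code: str, now: int) -> bool:
    """Both factors must pass: a phished or leaked password alone never grants access."""
    password_ok = hmac.compare_digest(stored_hash, hash_password(submitted_password, salt))
    return password_ok and verify_totp(secret, submitted_code, now)
```

The one-step window means a user whose phone clock drifts by up to 30 seconds can still log in, while a code captured from an old login is useless once its step has passed.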
While the other two recommendations in this article can be implemented at the organizational level, and arguably, should be, multifactor authentication is a must for all organizations, on all internet-facing services, such as webmail and VPN. Hackers are always looking for the easy way in, and a lack of multifactor authentication at the enterprise level means that your organization may be that “low hanging fruit.” When architecting new solutions or reviewing the security posture of current services, multifactor authentication needs to be top of mind.
DGC’s IT Risk Assurance & Advisory practice offers a range of IT Audit, compliance, and cyber & information security services that can help identify, evaluate, measure and manage compliance and cybersecurity risks. Our professionals are trained to identify areas of exposure and recommend size-appropriate, cost-conscious corrective actions. For more information, contact Scott Goodwin, OSCP, OSWP at 781-937-5722 / email@example.com.