We found out on Wednesday that 1 billion Yahoo accounts were hacked in 2013, only a couple months after we learned about a separate 2014 hack that compromised an additional 500 million accounts. Combine that with the 360 million compromised MySpace passwords, 117 million from LinkedIn, 65 million from Tumblr, and 32 million from Twitter, and you can almost guarantee that you or someone you know was affected by the mega-breaches announced in recent months.
Because most people reuse the same password over and over, these breaches give attackers access to multiple accounts: they simply replay the leaked email-and-password pairs against other sites, a technique known as credential stuffing. In a proactive security screen this fall, Netflix found a number of users whose Netflix passwords had been compromised as part of another company's breach. These incidents do not simply let attackers tweet on your behalf; they can affect all of your accounts. How many people use the same password for LinkedIn or Yahoo as they do for their corporate email? An unsettling number.
After seeing so many headlines, it can be easy to feel discouraged and helpless. Indeed, a recent survey we conducted found that 41 percent of Americans believe it is inevitable that their identity will be stolen at some point, and 75 percent don’t know what to do when that happens. Another survey we conducted found that even IT professionals are beginning to tune out major hack headlines. The number of U.S. data breaches in 2015 totaled 781, making it the second-highest year on record – but while the number of breaches continues to rise, awareness of them amongst IT professionals is down (20% lower than in 2014). In fact, in just the past few weeks there have been serious cyber attacks that you might not have even heard of, including the 9th largest data breach in history and the hacking of a nuclear plant.
Unfortunately, there’s no silver bullet, magic pill, or miracle elixir for cybersecurity. Staying safe online is like eating your vegetables: a little every day goes a long way. While most people do not need to be quite as paranoid as I am -- founding a security company and paranoia go hand-in-hand, as it turns out -- here are ten simple steps that everyone can take to reduce their risk of being hacked.
1. Use a password manager to generate and store random passwords. This ensures no two accounts share the same password -- if one is breached, the others stay safe, because the leaked password is useless anywhere else. Secondly, even if a site stores your password poorly and its hashes leak, a long, randomly generated password is effectively impossible to recover by guessing; the short, pattern-based passwords people invent themselves are what cracking tools recover first. Pay a little extra to be able to use the password manager across all your devices -- laptop, tablet and smartphones -- so every password is stored in one place and available wherever you need it.
2. Make sure the master password for your password manager is extremely strong, yet still memorable. I like to start by imagining a completely bizarre and inexplicable scene. Sparkly amoebas (in) Prague dining (with the) Pope. Then squish it all together and add a number or two, e.g. "7sparklyamoebasPraguediningPope" (not my actual password). Far easier to remember, and just about as secure, as "u}(xh1)g~sl" (also, not my actual password). What makes it strong is not the odd imagery itself but the number of unpredictable choices behind it: several unrelated words plus a digit give an attacker roughly as many possibilities to try as a short string of random symbols, and the extra length costs you nothing to remember. Do not use a well-known phrase, song lyric or quotation, since those are exactly the sequences cracking wordlists contain.
3. Enable multi-factor authentication for all your critical accounts, including email, banks, and your password manager. When you log in from a new device (and, on many services, periodically thereafter), you'll need to enter a code from your smartphone. This way, even if an attacker knows your password they still can't get into your account so long as they don't also have access to your phone (the risk to phones created by multi-factor authentication is a whole other story). Where the service offers it, prefer a code generated by an authenticator app over one sent by SMS, since text messages can be intercepted or redirected.
4. Think before you click. Phishing is an old trick, yet still wildly effective. Attackers are using it over email, SMS messages, and even messaging apps. According to the Anti-Phishing Working Group, there were more phishing attacks in the first quarter of 2016 than at any other time in history. If a message asks you to log in, reset a password or confirm a payment, don't follow its link: open the site yourself from a bookmark or by typing the address, and check the destination of any link (hover over it on a desktop, long-press it on a phone) before trusting it.
5. Know what you're downloading and make sure you trust the source. Official app stores from the likes of Amazon, Microsoft, Apple and Google are usually pretty safe. Random, third-party app stores are usually not. Regardless of the source, check out the developer to make sure they can be trusted, read the reviews to ensure the app does what it says it does, and look at the permissions the app requests; be suspicious of any access (contacts, location, SMS, accessibility services) that the app's stated purpose doesn't explain.
6. Always and immediately install security updates from your operating system or device manufacturer. Similarly, set your apps to "auto-update," since app updates often contain security fixes too. Once a fix is public, attackers know exactly what it patches, so the window between a patch being released and an exploit appearing for the unpatched version is short.
7. It's OK to use public WiFi (I do it all the time), but be extra careful of what you're doing on that network -- anyone else on it, including whoever runs it, can spy on unencrypted traffic. Make sure that any website that asks for your password has the correct URL and the lock icon in your browser: the lock means your connection is encrypted to the site named in the address bar, not that the site itself is trustworthy, so a look-alike domain with a lock is still a phishing site. If you're doing banking or accessing extra-sensitive work data, just wait until you get to a more secure connection. Absolutely never download a special app or "profile" in order to connect to the network; a configuration profile can install a new trusted certificate or reroute your traffic through the attacker's servers, which lets them read even your encrypted connections.
8. Use encrypted messaging services such as iMessage, Wickr, or WhatsApp. With end-to-end encryption, only the devices at each end hold the keys, so neither the network you're on nor the provider's own servers can read the content of your messages, which is especially important if you're traveling in a foreign country. Remember that you still have to trust the provider: its app does the encryption, it hands out the keys that identify your contacts, and it can usually see who you talk to and when, even if not what you say.
9. Install security software on all of your devices. Tools like Lookout (full disclosure: my company) add a safety net for the moments when the earlier steps fail, for example by flagging a known malicious link or app, so that your and your company's information is better protected even if you accidentally click a bad link or download a malicious app.
10. Set a PIN or password on every device. It's the best way to protect your data in case your device is stolen, since on modern phones the PIN is also what unlocks the encryption of the data stored on it. Fingerprint readers such as Touch ID are fine to use even though they're less secure than a good PIN code; you'll still need a PIN behind them, so make it more than four digits. In a recent study conducted by Lookout, only 35% of respondents said they use a password or PIN code to secure their mobile device. Slightly weaker security that you use is better than strong security that you don't.
Image Credit: Den Rise / Shutterstock