WASHINGTON, October 6, 2014 – With last week’s revelation that some 76 million accounts of JP Morgan Chase were hacked in early summer, a lot of people are wondering if they are next. Yes, they are.
In fact, if you do business or banking online, some of your information is probably in someone else’s hands. Be thankful that you are a small fish.
At a seminar in Indianapolis by the law firm of Barnes & Thornburg on Friday, October 3, a panel of experts – Scott Morris of Eskenazi Hospital, Nick Taylor of Netlogix, and Von Welch of the Indiana University Center for Cyber Security – offered perspectives and advice.
If you think you are immune from hacking, think again. In the past 12 months, 43% of companies have had a data breach. Over the past 24 months, that figure reaches 60%. Even knowing this, 50% of companies admit they are not where they would like to be regarding their data’s security.
Things have changed a lot from a few years ago, when most attacks came from “lone wolves” creating mischief or looking for specific information to steal, or from insiders looking to make a quick buck through data mining at their employers’ expense.
Now, Morris says, “Inside threats are being eclipsed by state actors.” Taylor says we need to know that all data are “under constant attack, from (among others) Eastern Europe, China, and Russia, and any bits of information, gathered from multiple sources, can be assembled into a cohesive identity.”
This, Welch says, is relatively new. “Ten years ago,” he said, “we were looking at prevention of these breaches. Now, we need to contain the risk to an ‘acceptable’ level, but where we really need to improve is in our response,” since persistent, well-coordinated and -financed attacks are likely to succeed.
All current solutions to this ongoing problem are inadequate. But taken together, they’ll make someone else the relatively easier target, not you.
For starters, at a corporate level, see if you can isolate your high-value data and restrict access to those who really have a need to know. Business partners may not have adequate security. Limit what your partners, suppliers and customers can access.
You might even consider separate servers. Guard your back door: obscure it, hide it, or lock it up some other way. And if you hate being subpoenaed as well as having a healthy aversion to exposing your clients’ and customers’ data, don’t collect what you don’t actually need.
Personal security advice also covers a lot of bases. Don’t use your Social Security Number (SSN) for anything other than paying taxes or banking. Though many identity checkers ask for only your “last four numbers,” remember that the first three numbers are location-specific and coded to where the number was issued, and are thus relatively easy to discover. (Where were you born? Where did you get your first job? What are your last four digits? BINGO!)
Limit the information you give out or use. No one who asks for it is checking your mother’s maiden name, but those who do their research can find it. So, use a made-up maiden name. No one needs to know your real birthday: make one up, use a friend’s, or list a “birthday” that’s a few weeks off the mark. And don’t put anything on Facebook or anywhere else that you don’t want everyone to use against you. Even if your life is boring, don’t tell everybody about it. If it’s really boring, why share, anyway?
Speaking of Facebook, why would you want to give a city-by-city account of your trip to Budapest, while you’re still out of town? Why let the world know that there’s no one at home? Nick Taylor advised staying off Facebook and all social media altogether.
The era of tricky passwords is dead. How will you remember 17 characters, numbers, and special characters, particularly when you have to change them every couple months? Use pass phrases, wherein you can insert numbers you’ll remember, as well. Here’s a place for your favorite cousin’s birthday, inserted in between words of a phrase you’ll easily remember.
Your phone is a gold mine for data miners. Lock it, as you lock your laptop and desktop. Make sure that phone is locked and password-protected. Turn off your phone’s GPS and Wi-Fi unless you’re actually using them, which saves battery life, as well. Don’t buy a smartphone that you can’t remotely scrub, but be sure you know how to scrub it yourself. Always have a plan you can implement, one that will minimize your exposure when you do lose that phone or laptop.
For personal banking, something that we usually cannot avoid, consider using an old, scrubbed computer, and dedicate it to nothing but your online banking. Keep it turned off when you’re not using it.
The cloud is becoming more secure daily. The best security minds are dedicated to its safety, and the best security is currently likely to be found there. So with cloud computing, consider that your exposure only occurs during transmission. On that topic, it is a good idea to let cookies keep track of your passwords. This minimizes transmission time. You may not have been told that your transmissions, even to your bank, are in the CLEAR, i.e., they are subject to interception.
If you have other security ideas and things that have worked, feel free to share them below, in our comments section. Or on Facebook and Twitter – it helps our numbers!