By Amitava Ghosh, Oracle Insight
In today’s environment of distributed cloud-centric experiences, we are no longer in total control of our personal data. It seems that every few weeks, there is news of another massive cyberattack in which the data of millions of users is stolen.
In addition to data theft, a number of other trends are affecting the way companies and individuals conduct themselves online. Here are just a few examples:
Although you can’t protect yourself against every threat on the internet, knowledge is power. It’s possible to learn from these events and trends and do better. Here are 12 best practices all internet users should be aware of in order to minimize security risks and the impact of breaches.
1. Compartmentalize your work, social, and purchasing lives on the internet. Ideally, everyone would have three separate devices—one for work, one to connect with friends online, and one for buying and browsing over the internet. For most people, this is not feasible. The next-best thing is to use distinct browsers, sessions, and email addresses, so that a breach would cause minimal impact on the rest of your life.
2. Identify your most sensitive personal data and defend it vigorously. Some examples include using multifactor authentication for important accounts and not saving email passwords or credit card details in your browser’s cache or on mobile devices. It’s less convenient, but greater security often involves a few extra steps.
3. Focus on the message and potential consequences, not on the messenger. If a long-lost friend suddenly emails you about a deal that sounds too good to be true, it’s likely that someone sinister is interested in your data and money. Just clicking the link they sent can open you up to potential loss of personal data. The simple approach is to verify all links before clicking them—if you don’t recognize the URL, don’t click.
4. Do not try to verify whether your account has been hacked. If the news of a corporate data breach reaches you, and some other website or app is offering to verify whether your account is still safe, sidestep the bait. Instead, reset your password on the site itself and enable stronger, multifactor authentication.
5. Review app permissions at a granular level and grant them minimally. One way to minimize the risks associated with OAuth is to grant app permissions on a need-to-work basis. For example, the caller ID app you’re using should not have rights to know your location or to capture the device screen at random times. Repeat this review after every update cycle. Spending a couple of hours every quarter reviewing app permissions on each device is worth the effort.
6. Be aware of and use authentication best practices. Enable multifactor and biometric authentications whenever possible. Do not reuse the same password across sites. Do not store the passwords for auto-fill in any of your devices or browsers. Personally, I am not a big fan of password managers, so I try to attach a version of the site name before or after the core password string. Here are some examples of what you can do:
For certain extreme cases, where logins are infrequent but the stakes are very high (such as a securities account with high holdings but rare transactions), I deliberately do not try to remember the passwords. Instead I reset them for every use and embed a date-of-use string (for example, 01152018) somewhere within the password.
7. Limit the use of digital wallets and transfer money to them on an as-needed basis. Use a few digital wallets that are accepted at a wide number of merchants, such as PayPal or Apple Pay. As often as possible, load wallets with the necessary amount just before a transaction.
8. Invest in cryptocurrencies only what you can afford to completely lose. While the returns are eye-popping, the regulatory, technological, and economic risks are yet to be appreciated fully and can be very dynamic.
9. Remember the physical-life analogies for determining acceptable digital behavior. When in doubt, consider whether it is acceptable to do the same thing in the “real” world. Would you allow an unfamiliar photographer to take a photo of you at that particular private moment? Would you share your entire address book with an unknown marketer at your first meeting?
10. Periodically review apps on devices and IDs on websites visited. Delete apps, bookmarks, and cookies that are not useful and seem dubious. If you haven’t used an app or web service in three months, it is unlikely that you still need it. Streamlining guards against surreptitious changes in those apps or pages and against any malware that they might secretly download.
11. Stay loyal to fewer aggregator apps and web services. This will ensure that data and financial loss are minimal in the event of a breach. Some people use multiple aggregator apps to do the same thing—for example, Expedia, Hotels.com, and Kayak to book travel. Try not to use more than two or three aggregator apps for the same thing. Better-known apps are likely to be used by more people, more scrutinized for weaknesses, and consequently more fortified against vulnerabilities.
12. Keep the analog alternatives available. Always have some cash on hand. Know the areas you frequent well enough to navigate them without a GPS system. Remember the phone numbers of close family and friends. Besides preparing you for worst-case cyberscenarios, it might keep you rooted in the real world.
The internet, with its ever-expanding capabilities, reach, and bandwidth, is opening us up to new experiences and a better quality of life. With a few security-minded steps, we can better safeguard against its risks.