October is the European Cyber Security Month and at the time of writing this blog, there is also a digital security themed week going on in Finland. Related to these, many companies, authorities and cyber security specialists organise events and awareness campaigns. That got me pondering if I, too, could do something to raise awareness related to cyber security. As I think cyber security is everyone’s concern, the idea of this blog is to point out how cyber security affects us all in our different roles and what we can do to improve cyber security status.
In a digitalized society first bits of personal information start to form even before a person is born. At birth, we are given our first identification tool, a social security number (although I hope it wouldn’t be as generally used for identification as it currently is). As we grow up, the amount of information piles up so that it is possible to describe our lives with material collected from registers and social media.
At the same time we get new accounts and credentials along with all the roles we have in life. We don’t handle just our own information, but also our employers’ and different organisations’ information, possibly even our loved ones’ information. We log in to different accounts, such as emails, social media services and work related applications using different authentication methods, such as passwords, fingerprints, generated codes and bank identification numbers.
As the amount of information and applications handling and storing information grows, so grows the possibility of misusing them. Information may end up in the wrong hands purely by accident, which could be embarrassing at the least and pose major risks at the worst. Unfortunately there is also a great risk of malicious and criminal actions against all of us and our information. Ransomware, phishing and unauthorised online shopping are just a few examples.
What can we all do to protect our information?
First, evaluate the value of your information. Social security numbers, email accounts (especially the one which is used to restore all other accounts) and bank identification numbers are of interest to criminals because of the financial value they might have. Phone numbers, email addresses and address information as such are a little less valuable, but can still be misused, especially when put together with other information about the target. Personal information, such as matters related to religion, health or family life, might not have financial value, but can again be misused. It is also worth considering what it would mean if such information becomes completely public.
Mind what you share and with whom, especially when it comes to digital information and platforms.
Once you have identified your valuable information, it can and must be protected. When it comes to digital information, a simple way is to minimise the amount of digitised information by considering when and where to share it. For example your social security number: it is probably already as digital data somewhere, but you can still limit the databases where it is. For example, authorities have it in some registers. But if an online shop requires it as a verification before you can buy, I’d consider whether I have to make my purchase from there, because then that online shop will also have your social security number. They are unlikely to misuse it, but it’s one more place where the information can leak.
Another thing to consider is when and where to share your email address, especially if you only have one email account. You’ll then have one address you’ll use everywhere where email is asked for, whether it’s actually needed or not. There will be tons of spam, info letters, advertisements and, the more widespread it is, also phishing and other malicious emails. On the other hand you’ll use that email for your daily life and, most importantly, to restore all other accounts.
Now if you lose that email, which is more likely if it is widespread, then you risk losing all your accounts.
Consider having two or even three emails: one just for restoring accounts, one for daily use and one to gather all the spam when you have to inform your email for whatever (and probably irrelevant) reason.
Of course, when it comes to sharing your information, mind what you post online, be it Twitter, Linkedin, Facebook, Instagram or some other social media. I’m glad how many take the issue seriously and don’t post really sensitive information online, but there’s always room for improvement: what we share unintentionally that may, in some way, be used against us?
A simple example: you set a security question to restore your password when it’s forgotten: what’s the maiden name of your mother? Then you have an unrestricted social media account with your mother tagged to a family picture. And her profile, also unrestricted, happens to share her maiden name. So, no need to set the tinhat too tight but consider what you share and understand that things can be found out from the Internet surprisingly easily.
Next step to protect your information is to secure your login information. Do not share them with anyone, whether it’s your username, banking identification number, password or a pin code. Biometric login information (facial recognition, fingerprints) is pretty hard to share, which is good. Use as strong authentication methods as possible. If you need to remember your passwords yourself, prefer complex password sentences. And by complex I mean that they include letters, numbers and special characters. The idea of the sentence is that it would be easier to remember yet long enough (I use at least 15 characters) to be hard to break or guess. Pin codes are often by default four numbers, but many times they can be set to be longer.
I strongly recommend the use of password management systems so that you won’t have to remember all your passwords, just one.
And in those cases, you might also want to use computer generated passwords, which are hard to break but inconvenient for a human to remember. And finally, use multifactor authentication whenever possible. It requires at least one more form of authentication in addition to a password, usually an email, SMS or a code from an authentication application.
Third step to protect your information is about making it restorable. In other words, take backups. There is always a risk that you will lose your information completely, be it human error, malicious actions or natural disaster. Luckily for us, it is easy to minimise the risk. Keep your information at least in two different places and for most important information, perhaps even in three. For example, you have documents or photos on your device such as a laptop or smartphone. Good, then you can probably quite easily turn on automatic saves to a cloud storage. Now your information is in two places. Take a backup to a removable media every now and then and you have information in three places. And finally, if you want to keep the tinhat tight, make sure your removable media is in a different place than your primary device (you know, in case of a fire and the cloud datacenter exploding).
Fourth step is to use well-known applications with support from reputable sources. Such applications are provided with information security updates on known vulnerabilities and threats. Just remember to install the updates (and good for us, that too can usually be automated). And amongst those applications you are using, I’d suggest investing a little bit in antivirus software, firewall and VPN. Often they can be bought in a nice package from one vendor.
What should we consider in the role of employee?
Many of us handle sensitive company information and use applications for our work tasks. It is up to the employer to define and implement guidelines and procedures for the use of information and applications, such as acceptable use of assets. It is then up to the employee to follow those guidelines and procedures. I think that the employee also has at least an ethical responsibility to inform the employer of any information security weaknesses, malfunctions or attacks, especially if the company is handling other people’s personal information. Depending on the role, employees should also maintain and improve their information security competence. At the very least, attend your employer’s information security training (which they hopefully provide).
The actual methods of protecting your company’s information assets are very similar to those used to protect your own. The company usually defines information classification, the employee is left with understanding the classification and handling it with proper care. The company is also responsible for access management to its assets (hopefully strong credentials and MFA), employees just have to use them properly. A good company also takes care of (hopefully even enforces) backups, antivirus software, firewalls and VPN connections so that it takes little to no effort from employees.
For companies: information security isn’t that much more complicated than that.
Identify your information assets and risks related to them, manage who can access them, take backups and implement other security measures as per the risks you have identified.
Okay, maybe it’s a little more complicated than that, but that’s a good starting point.
What can we do to protect each other?
Have you shared with someone else’s secret? It is polite to keep it a secret, that is obvious for the digital world as well. In the digital world it is polite to be extra careful on what to share of others, even if it is not a “top secret” secret. It might be something the other person does not want to share and when online, it is public.
Sometimes things might go wrong even with good intentions. For example, a group of workers wishes to remember a fellow worker who is on leave for personal reasons. They decide to gather money for a gift with an email sent to every worker and while doing so, they inadvertently share the reason he/she is on leave, thus causing harm with their good intention. Mistakes aside, the golden rule stands time pretty well: treat others as you would like others to treat you.
I strongly recommend everyone to consider what we can do for those who have trouble understanding the modern digital world with its dangers and who struggle to keep up with the pace of the fast evolving. As a parent it is tempting to share lovely pictures of our children with everyone, yet as a parent it is even more crucial to mind where we share those pictures. Children should have the right to eventually decide what is shared of them online, as it stays there pretty much forever. While often positively well aware of many things and at least curious to learn more, children are still oblivious to the many dangers of the Internet.
It is up to parents and trusted adults to inform them on what to do and not do.
Guiding must be done according to the age of the child. There are applications to restrict what children are allowed to do with their devices. I think enforcing some restrictions is not a bad thing, but should be done according to the age.
Another group of people who might be extra vulnerable to the threats of the digital world are the elderly. They have lived most of their lives in a very different world where important information was memorised or on paper. Information was shared with radios, television, newspapers and letters. If something had to be done, it was taken care of face to face at shops or offices. For them it might be troublesome to learn all that is needed today for taking care of anything. Therefore it is up for the next generations to help keep the older one safe and provide help in the use of applications and devices. Today might be a good time to ask whether a familiar senior citizen needs help with email, smartphone or online bank applications.
Not so long ago safety meant the absence of hunger, sickness, poverty and protection from violence and the elements. After a few years with a pandemic, high inflation rates and a war between two sovereign states it seems none of the old threats have vanished even from the post-industrial world. In addition, we have new threats as the world has become more and more networked and information dependent. But using the aforementioned methods we can protect our own, companies’ and our loved ones’ information and so prevent financial losses and human suffering.
We can make our digital world a better, safer and more stable place for all of us. And, with all the nasty old threats coming up again, I think we could use all the safety and stableness we can have.
So, remember to identify your valuable information, take care of your login information, take backups and update your devices and applications.
Oh, and mind what links you open, no matter how trustworthy they seem. Have a good and secure rest of the year!