If you have not noticed yet, the ABA Journal is undertaking a yearlong cybersecurity series. Our intent is to explore this complex and tangled issue piece-by-piece to make sense of the current thinking around data protection, legal ethics and regulation.
Admittedly, these articles are often a bird’s-eye view of an issue that affects every person and business a little differently. Additionally, targets (that’s you) experience online threats differently depending on who they are and what data they hold. This makes it hard to offer one-size-fits-all recommendations.
To overcome some of the amorphousness that surrounds this topic, we wanted to provide a more concrete checkup that anyone, attorneys to zookeepers, could benefit from.
This checklist comes with the usual disclaimer that you should conduct a threat assessment of your own situation to know the best way to protect your data. Further, these are not foolproof recommendations. Nevertheless, if you are not doing the things below, you are likely less safe for it.
1. Have you been pwned? It is pretty safe to say we have all been hacked or compromised at this point. Between the breaches of Equifax, LinkedIn and Yahoo, information from billions of accounts has spilled out into the world. But were you one of them? While it is impossible to be 100 percent certain, there is one way to see if your account information has fallen prey to a hack. By going to haveibeenpwned.com, you can type in your email addresses or usernames to see if they come up in the site’s database of publicly known hacks. If a hack has occurred but has not been verified or made public, the site will not have that information. However, it is a good first step toward knowing whether your passwords have been compromised.

2. Consider a password manager. If your email address came up on haveibeenpwned, your palms are probably sweaty and fear has overtaken you. This is normal, but not necessary. Let us channel that nervous energy toward getting serious about passwords. Even the grinning readers who did not see their email on the website should follow along. A password manager will help you store your bevy of passwords, each of which should be as unique as a snowflake. No longer will you need gimmicks to remember which password had an exclamation point or the capital “T” in it. The manager will handle that for you. While not hawking any particular software, the Electronic Frontier Foundation offers some handy questions for vetting a company that promises you security:
• Is the company clear about the limitations of its product? Do not trust companies that promise the world or use buzzwords like “military grade.” That is gibberish and should be discounted.
• Does the company share its threat model in case of a compromise? Mature companies that trust their product will be transparent about the attacks they are prepared for and how they are prepared. Look for this documentation.
• Does the company say it cannot or will not access your data? You might have to read the terms of service, but companies that cannot access your data by design are better. “Will not” leaves the backdoor ajar.
• What do users say? Like everything else, you can find online reviews of password managers. Do people still trust the tool? Has the company made unfortunate headlines recently? These are all things to consider in your decision.
When you are thinking about which manager to use, note that Princeton’s Center for Information Technology Policy found that the password managers built into many browsers by default are being abused by ad trackers to scoop up your data.
3. Treat yourself to better passwords. It is 2018, and a password under seven characters that combines your dog’s name and your birth year is not sufficient. Nor is it cool that you have a dozen passwords that are permutations of each other. While a password manager (see above) will help keep your online life in order, you still need quality passwords to make the software worthwhile. The National Institute of Standards and Technology updated its password guidelines last year, and it recommends that you create a strong password, or a longer passphrase where possible, that avoids the maddening composition rules requiring upper-case letters, special symbols and numbers. Think of a line from a book or song that is not that popular and is easy for you to remember. This is especially important for master passwords to things like that new password manager you got after reading this article. Also, unless you have been breached, NIST no longer recommends making periodic changes to your password. If it is not broke, do not fix it. Last, NIST recommends avoiding password hints or knowledge-based authentication, which brings us to…
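To make the NIST guidance in item 3 (and the compromised-password check behind item 1) concrete, here is an added example, not code from the ABA Journal or from NIST, that puts the old composition-rule check beside a NIST SP 800-63B-style check. The breached-password corpus and the blocklist are constructed sample data for the example, not real breach dumps; the length limits follow SP 800-63B (minimum 8, allow at least 64), and the rest of the rule set is an assumption about how a site would implement the guidance.

```python
from __future__ import annotations

import hashlib
import unicodedata

# Constructed sample of a compromised-password corpus, stored as SHA-1 digests
# the way breach feeds distribute them (so the plaintext never has to be kept).
# Illustrative data only, not a real breach dump.
_CONSTRUCTED_BREACHED = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "12345678", "qwerty", "Fido1979!", "letmein")
}

# Constructed blocklist of common and context-specific words (service name etc.),
# the kind of list NIST SP 800-63B says a verifier should compare against.
_CONSTRUCTED_BLOCKLIST = {"password", "welcome", "abajournal"}

MIN_LENGTH = 8   # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64  # SP 800-63B: verifiers SHOULD permit at least 64 characters


def normalize(secret: str) -> str:
    """SP 800-63B recommends Unicode NFKC normalization before comparing/hashing."""
    return unicodedata.normalize("NFKC", secret)


def is_breached(secret: str, corpus=_CONSTRUCTED_BREACHED) -> bool:
    """Hash the candidate and look it up in the (constructed) breach corpus."""
    digest = hashlib.sha1(normalize(secret).encode("utf-8")).hexdigest().upper()
    return digest in corpus


def legacy_composition_check(secret: str) -> bool:
    """The pre-2017 style rule: at least 7 chars with upper, lower, digit and symbol.
    Kept here only as the 'before' picture; it happily accepts 'Fido1979!'."""
    return (
        len(secret) >= 7
        and any(c.isupper() for c in secret)
        and any(c.islower() for c in secret)
        and any(c.isdigit() for c in secret)
        and any(not c.isalnum() for c in secret)
    )


def check_password(secret: str, context_words: tuple[str, ...] = ()) -> list[str]:
    """NIST-style check. Returns the reasons for rejection; [] means accepted.
    Deliberately imposes no upper-case/digit/symbol composition rules and no
    expiry: length, blocklists and breach data do the work instead."""
    s = normalize(secret)
    reasons: list[str] = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = s.lower()
    blocked = _CONSTRUCTED_BLOCKLIST | {w.lower() for w in context_words}
    # Substring match so 'Password2018' is caught as well as 'password'.
    if any(word in lowered for word in blocked):
        reasons.append("common or context-specific word")
    if is_breached(s):
        reasons.append("appears in known breach data")
    # Crude repetition check ('aaaaaaaa', 'abababab'): at most two distinct characters.
    if len(s) >= MIN_LENGTH and len(set(s)) <= 2:
        reasons.append("repetitive")
    return reasons


if __name__ == "__main__":
    for candidate in ("Fido1979!", "the quiet shoreline hums at dusk", "Password2018"):
        print(f"{candidate!r}: legacy={legacy_composition_check(candidate)} "
              f"nist_reasons={check_password(candidate, context_words=('ABAJournal',))}")
```

The contrast is the point: the dog-name-plus-birth-year password satisfies every legacy composition rule and still fails the NIST-style check because it is in the breach corpus, while the unremarkable song-line passphrase fails the legacy rules (no digit, no symbol) and passes the NIST-style check on length alone.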
4. Two-factor authentication! I hope that when you saw that header, you smugly thought to yourself, “I already do that.” If so, you’ve graduated to step five. However, if you do not know what two-factor authentication is, keep reading. Two-factor authentication is a two-step process for signing into an account. Instead of merely typing your password and logging in, two-factor will send you an email or text message with a unique passcode to enter before you can access your account. The hope here is that if your password is compromised, you have a second line of defense. All major companies offer two-factor now, so take advantage of it. (For a list of sites that support two-factor authentication, check out twofactorauth.org.)
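The paragraph describes the user's side of an emailed or texted passcode. As an added example, not code from the ABA Journal or any provider, here is the server side of that exchange: issue a random code, keep only a keyed hash of it, and accept it once, within a time window, with a cap on wrong guesses. The delivery step (email or SMS) is outside the example, so `issue()` simply returns the code for the caller to send; the five-minute lifetime, the five-attempt limit and the per-process HMAC key are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_LIFETIME_S = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: five wrong guesses burn the code


class OneTimeCodeVerifier:
    """Server side of an email/SMS second factor: issue a code, verify it once."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for testing
        self._key = secrets.token_bytes(32)      # assumption: per-process HMAC key
        self._pending = {}                       # user -> [digest, expiry, attempts_left]

    def _digest(self, user: str, code: str) -> bytes:
        # Store a keyed hash, not the code, so a leaked table is not a code table.
        return hmac.new(self._key, f"{user}:{code}".encode("utf-8"), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Generate a fresh code with a CSPRNG and return it for delivery.
        Re-issuing replaces any earlier pending code for the user."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [self._digest(user, code), self._clock() + CODE_LIFETIME_S, MAX_ATTEMPTS]
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """True exactly once for the right code inside the window; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expiry, attempts_left = entry
        if self._clock() > expiry or attempts_left <= 0:
            del self._pending[user]              # expired or exhausted: discard
            return False
        if hmac.compare_digest(digest, self._digest(user, submitted)):
            del self._pending[user]              # single use: consumed on success
            return True
        entry[2] -= 1                            # wrong guess: spend an attempt
        if entry[2] <= 0:
            del self._pending[user]
        return False


if __name__ == "__main__":
    v = OneTimeCodeVerifier()
    code = v.issue("alice")                      # in real life: sent by email/SMS
    print("first use:", v.verify("alice", code))   # True
    print("replay:", v.verify("alice", code))      # False: already consumed
```

The three properties worth noticing are the ones that make the "second line of defense" real: the code is unpredictable (`secrets`, not `random`), a captured code cannot be replayed because it is deleted on first success, and brute-forcing a six-digit space is cut off by the attempt cap and the expiry.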
5. Encrypt your devices. While the word “encrypt” can sometimes make people feel uneasy, it has become a painless, low-cost way to protect your information. Doing so can make you feel slightly more secure if you lose or misplace your device. Android, Apple and Microsoft now all have turnkey encryption for their devices. Android phones such as the Pixel and the Samsung Galaxy S8 and later come encrypted out of the box. For iPhone users, it is as easy as turning on your passcode, which Apple says 89 percent of its customers already do. Windows, as well, makes it easy to turn on BitLocker, its encryption service. With this step, do not forget to also encrypt the external storage devices you use for documents or pirated MP3s from college.
With all of this being said, stay vigilant. As a digital consumer, you are constantly playing defense against an ever-evolving offense. While these tips work for today, they may not in the future. To keep abreast of changing threats and best practices, keep track of the Journal’s ongoing series and other trustworthy news sources.