When reports surfaced recently that U.S. federal agencies have the ability to spy on ordinary users via phones, TV sets and other online devices, outrage sounded across the web.
But why were so many people surprised? Global cybercrime makes headlines with increasing regularity, from the now-infamous Target breach in 2013 to the newly discovered hack of 1 billion Yahoo accounts (the largest in history – so far). In fact, hackers, who break into networks and devices around the clock, pose a much greater threat to privacy and security than any CIA hacking, as that agency is constrained by laws.
A breach of a big corporation or known website, though, may not seem relevant to most individuals. “Who would want to hack me?” they might think. As we know, plenty of people do. Ransomware is big business, extorting about $1 billion from a range of victims in 2016 alone. Last September, hackers used around 10,000 security cameras and DVRs (a breach committed via the internet of things, or IoT) to force down popular websites. This shows that none of us is impervious; targets can be anything connected to the internet at any time.
Most astonishing of all is how unsophisticated hackers’ methods really are – and how consistent. Most breaches still occur after people click on phony links in phishing emails or use easily guessable passwords. No matter how stringent our safeguards and plans, it’s users who continue to be the greatest risk factor. Even if unintentional or accidental, a breach is a breach.
Users should be cautioned, repeatedly, that whether they are working on company-owned, BYOD-enabled or personal devices, following simple cybersecurity precautions will go a long way toward preserving security and privacy.
1. Mind your passwords
Whenever connecting anything to a Wi-Fi network, change the “default” password that comes with the device. The IoT hack succeeded because too many people didn’t do this. Cybercriminals accessed cameras and DVRs using a list of passwords obtained from the manufacturer.
Make sure that any new password is strong. Every year, the list of most often-used passwords includes “password” and “123456.” These are a cinch to crack, and a veritable invitation to hack. Best practices include: passwords unique to each site; at least 12 characters long; and containing an alphanumeric and varied-case character combination arranged in a seemingly nonsensical order.
2. Keep it private
One of the most troubling claims emerging in these latest news reports is that outsiders can use device speakers to listen in on conversations, and webcams to observe. Turning off features such as voice-activated assistance on smartphones and voice recognition services on TVs can help block those attempts.
3. Authenticate – twice!
Two-factor authentication works like a one-two punch against unauthorized access to accounts. When anyone tries to get in from a new device or browser, sites with 2FA or even MFA (multi-factor authentication) will send a passcode to the email address or phone number designated for this purpose. This list includes sites supporting this feature. Note, too, that some sites do not activate 2FA automatically, but require opt-in.
4. Update and patch immediately
System updates and patches can require periodic downtime, which may be annoying, but they often address and repair cybersecurity vulnerabilities in operating systems and software. If the supplier knows about them, chances are that hackers do, too – or will discover them soon. Urge users to install updates promptly, especially on devices used for work.
5. Think before clicking
Phishing, or sending phony emails with bad links to unsuspecting victims, remains cybercriminals’ number one technique for accessing networks and devices. People fall for this trick again and again, especially as thieves increase their sophistication. A single, thoughtless click is all it takes to unleash a veritable online pestilence: malware, ransomware, identity theft and more. Urge users not to click on any link they are not expecting, and when in doubt they should call the sender or contact IT support.
To learn more about how to protect your data, find out more about an advanced degree in cybersecurity.