What You Need to Know about Online Security
Every week, we hear another story about a company or individual whose security was compromised, leading to loss of data, trust or worse. Many of us are tempted to accept the seemingly overwhelming evidence that it’s impossible to remain secure on today’s web. After all, hackers are gonna hack. The truth about online security, however, is a little less melodramatic and the solution fairly pragmatic.
Hundreds of Passwords
One of the reasons that security is such a difficult problem to master is that it is so easy to take advantage of people’s habits. After all, electronic security is, in principle, very similar to physical security. When approaching a wall, you could defeat it with brute strength and use a bulldozer to remove it. You could find a hole in the wall and sneak through. Or you could trick the gatekeeper into letting you through directly.
The truth is that tricking the gatekeeper is often the easiest and most reliable way to gain entrance without getting caught – bulldozing the wall results in immediate discovery of the breach, and finding a hole is usually very difficult. The gatekeeper in the electronic realm represents you. You hold the key to the gate, and oftentimes that key is all too easy to defeat: your password.
Passwords have been around a long time, and we’re still trying to figure out how to get rid of them. The problem with passwords is that we don’t remember them very well. This means we opt for simple passwords that use our child’s name and birthday, because that’s easy to remember. We also use that password, or some variation, for every online login we use, often in conjunction with our email address.
The problem gets even worse as companies add more and more online services. Unbelievably, I just did a password audit on myself, and I have approximately 423 passwords. These passwords and usernames go across over 300 unique websites.
There is no way I could manage all those passwords on my own, so I long ago switched to a password manager out of sheer necessity. However, even if you only have a few dozen passwords, it is impossible to make them secure enough and unique enough using only your memory (unless you have more time than good sense). You hold the key to the gate, and if you use the same password everywhere, then you have created dozens of copies of that key. If you lose one of them, any of those gates can be opened.
Passwords are, at the end of the day, still one of the most convenient and easily implemented security checkpoints. If you recognize your own humanity and opt to use a password manager, you still need to remember these basics:
- Use complex passwords
- Use 10 characters minimum when possible
- Don’t re-use passwords
- Change passwords once a year
- Don’t email your passwords – unless you change them afterward
- Don’t write down your passwords – unless it’s in a password manager or a physically secure location
- 123456 is not a password 🙂
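The rules above are easy to automate. What follows is an added example, not code from the original post: a small Python policy checker that applies the length, complexity, re-use and common-password rules, plus a generator that draws from the operating system’s random source to produce a unique password that passes them. The banned-password list is a constructed stand-in for a real breached-password list, and the “three of four character classes” threshold is an assumed definition of “complex”.

```python
import secrets
import string

# Constructed stand-in for a real breached/common-password list; a production
# check would consult a much larger list stored locally.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein", "abc123"}

MIN_LENGTH = 10            # the post's "10 characters minimum" rule
MIN_CHARACTER_CLASSES = 3  # assumed threshold for "complex": 3 of the 4 classes below


def check_password(password, already_used=()):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < MIN_CHARACTER_CLASSES:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    if password in already_used:          # "already_used" = passwords on other accounts
        problems.append("re-used from another account")
    return problems


def generate_password(length=16):
    """Produce a random password from the OS entropy source that passes every rule."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):  # retry the rare draw that lacks a class
            return candidate


if __name__ == "__main__":
    for pw in ["123456", "Tr0ub4dor&3x!", generate_password()]:
        verdict = check_password(pw) or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

The generator uses the `secrets` module rather than `random` because the latter is not designed for unpredictable output; a password manager does the equivalent for you and also remembers the result, which is the part human memory fails at.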
No, it’s not a complicated mathematical formula, but it does provide you with a frustrating new way to lock yourself out of your own account.
Jokes aside, the truth is that two-factor authentication (2FA) actually does provide a significant extra layer of protection to your online security and should be used for sensitive accounts such as email. There are methods to make it less inconvenient, such as saving certain devices as trusted devices.
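To show what that extra layer actually is, here is an added example (not code from the original post) of the time-based one-time password scheme that most authenticator apps implement: the phone and the service share a secret at enrolment, and every 30 seconds each derives the same six-digit code from that secret and the current time, so a password alone is no longer enough to log in. The demo secret is the one published in the RFC 4226/6238 test vectors; the enrolment helper generates a fresh, constructed one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Shared secret as used in the RFC 4226/6238 published test vectors (demo only).
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per code, the usual authenticator default
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=TIME_STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, step=TIME_STEP, window=1):
    """Server-side check. Accept the current step and +/-window neighbours so a
    slightly drifted phone clock still works; compare in constant time."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


def new_enrolment_secret():
    """Fresh 160-bit secret plus the base32 form that goes into the QR code."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode("ascii")


def secret_from_base32(encoded):
    """Decode the base32 string an authenticator app stores back to raw bytes."""
    return base64.b32decode(encoded.upper())


if __name__ == "__main__":
    raw, b32 = new_enrolment_secret()
    now = int(time.time())
    print("enrolment secret (base32):", b32)
    print("current code:", totp(raw, now))
    print("accepted:", verify_totp(raw, totp(raw, now), now))
```

The verification window is why a code typed a few seconds late still works, and the constant-time comparison is why the check does not leak how many digits matched. Because the secret lives on the phone, an attacker who only has the password cannot produce the code; this is the protection the post is describing, and also why losing the phone without a backup locks you out.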
It’s easy to forget just how important it is to protect your email login, but if someone gains access to your email, not only could they see potentially sensitive information, but they can impersonate you. They can also reset your passwords on other accounts, since password resets are often tied to your email address.
If your email account isn’t protected by 2FA and a unique, complex password, it’s only a matter of time before someone finds out. Hackers typically target the easiest opportunities with the largest payback. It’s like if a bear is chasing a group of people, you don’t have to outrun the bear, you just need to outrun the other people.
Of course, if you become an intentional target, then you’ll need to avoid falling for social engineering. Not surprisingly, social engineering is one of the leading causes of security breakdowns. Social engineering involves tricking someone into not following “standard procedure,” and doesn’t require technical skills at all.
It’s impossible to eliminate the risk of falling for these tricks, but using good judgement and being extra cautious when something seems odd or too good to be true goes a long way.
Don’t Share Passwords
This is one rule that seems meant to be broken. It almost always happens that there are account passwords that must be shared. Some social networks are difficult to manage without sharing passwords. Sometimes an account must be managed by multiple people, but the service only allows one login account.
Whenever possible, each unique user should have their own set of credentials and access. That access should be granular, meaning they only get the permissions they need to do their job. However, in many cases the marketing world lags behind and doesn’t offer enterprise-level access controls.
There is a secure way around this, and that is to use a password manager to share passwords. I personally use LastPass, and have found that it does a great job of keeping security tight while allowing quick access to passwords on both desktop and mobile devices.
LastPass gives several options for sharing passwords, the best of which are included in their enterprise version. This allows folders to be created, and groups can use these to securely share access to shared resources. Passwords can be shared either visibly or hidden from the recipient, which adds an extra layer of security in the case of a breach.
Once again, the password storage methods are only as secure as the individuals who are using them, so it’s important to maintain good computer security habits when sharing passwords.
The Deal with Encryption
Encryption is nothing if not cryptic. Though truly understanding how encryption works is far beyond the scope of this post, I feel it’s important to understand the basic functionality, and how it can directly affect your online security.
Encryption does much more than just keep stored data safe. It allows computers to positively identify themselves to other computers, it allows secure communication between two computers over an insecure network, and it can create a “web of trust” that allows computers to vouch for the authenticity of others.
When you go online to a secure site that is using a form of encryption, the server presents a certificate that is signed by an authority. Your browser then compares what the server provides with a known list of trusted authorities stored on your computer. This initial process is called a “handshake,” and uses public-key encryption. During the handshake, another key is exchanged, which then secures that unique session.
Even though this process is complex, it prevents anyone between your browser and the server from seeing the information exchanged. This means that if you are using the unsecured internet at your local coffee shop, at least your connection to that one website is secure.
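The “compare the certificate with the list of authorities on your computer” step is the part that gets switched off when software is misconfigured, and the encryption then protects you from eavesdroppers but not from someone impersonating the site. The following is an added example, not code from the original post, using Python’s standard `ssl` module: one client configuration that does what a browser does (verify against the operating system’s trust store, check the hostname, require TLS 1.2 or newer), the common “accept anything” misconfiguration beside it, and a small audit function that reports which of those checks a given configuration is missing.

```python
import ssl


def hardened_client_context():
    """Client settings a browser applies by default: verify the server's
    certificate against the OS trust store, check that the name matches, and
    refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # loads system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_client_context():
    """The 'just make it work' mistake: traffic is still encrypted, but any
    certificate is accepted, so the 'is this really the site?' step is gone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the list of weaknesses in a client context; empty means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not checked against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS versions older than 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in [("hardened", hardened_client_context()),
                      ("unverified", unverified_client_context())]:
        print(f"{name}: {audit_context(ctx) or ['ok']}")
```

When reviewing scripts or integrations that talk to web services, grepping for `CERT_NONE` or `check_hostname = False` finds exactly the configuration the second function builds; the audit function is the same check expressed in code.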
Due at least in part to the proliferation of free unsecured wifi at coffee shops, Google, Facebook and others have implemented always-on encryption on their sites. This means a much safer web experience for all of us. However, there are many services that haven’t implemented this yet. When you log in to those services on an unsecured wifi connection, anyone who is nearby could potentially see your username and password, and any other data transferred over the air on that connection.
This is especially true if you manage your own website and haven’t implemented encryption. After all, it’s a lot easier to wait for a victim in a coffee shop than it is to try to hack unknown vulnerabilities in a server somewhere.
The Final Word
Online marketing is about creating trust and building credibility. That means a security incident could be an extremely costly event. Even if it’s just someone tweeting out inappropriate things, it still represents a breach of trust. It’s critical that each member of the marketing team knows the risks and the process. The chain is only as strong as the weakest link, and when the weakest link has access to everything, it can quickly turn into a PR nightmare. Online security is the responsibility of every member of your team, and it’s critical to your customers as well.