You’re probably getting lost in a swirl of holiday activity and online spending, maybe even buying an Amazon Echo or two, so let’s talk about how to protect yourself in this digital world.
After all, awesome financial planning can’t make up for having your data ransomed, identity stolen, or privacy breached. Happy holidays!
Equifax’s data breach a couple months ago was simply the latest and greatest reminder that our data and identities are vulnerable thanks to this Internet Thing. Then there was the revelation about Uber’s data breach over a year ago. I’m sure I could list many more in the last 12 months, but I’m too lazy, it’s depressing, and that’s what Google is for.
When I worked in the tech industry, I spent most of my years in the software security field. I don’t have any particular security chops myself, but I was and am definitely Chops Adjacent.
So, motivated by my “first we protect against risks” approach to financial planning, I reached out to a former co-worker of mine, Andrew Storms, to get his perspective on how we can protect ourselves. Storms has a special place in my security heart because he yelled at me this one time for bringing someone (my brother) into the company’s office and walking around with him, without checking in with IT/security and getting a badge. It might be 14 years late, but Storms…you were right. Sorry, dude.
Below is a series of questions I asked Storms, and his answers.
[Meg’s Note: Andrew Storms serves as the Vice President of Security Services at New Context. He has been leading IT, Security and Compliance teams for the past 2 decades at companies like CloudPassage, nCircle (acquired by Tripwire), and Tripwire. Storms’ advocacy on IT security issues has appeared in CNBC, Forbes and The New York Times. He is a CISSP, a member of Infragard and a graduate of the FBI Citizens’ Academy.]
Q: What is the most common mistake people make when it comes to (not) protecting their data and/or identity?
A: Probably not thinking like a nefarious person. Not to say we should be nefarious, but take a few seconds to consider “what could a nefarious person do?” when it comes to your information or situation.
I often counsel people to not post certain information online. For example, the fact they are going to be on vacation next week. That same person has a habit of posting their daily run stats, with a map that clearly shows their home address. Well guess what? You’ve now told everyone in the world your address and that you will be in Maui next week.
Q: What is the one change in how we interact with computers or internet-connected devices that you’d most like to see?
A: Probably the reliance and the trust we put into something so basic as the password, to have only 6 or 8 characters standing guard between the attacker and your account. Everyone and every system these days should be requiring 2-factor authentication.
Q: Listicle time! What are the top 1, 2, or 3 pieces of reasonable/doable advice you give to people to protect their data/identity?
A: #1. You know those password-recovery questions you are sometimes forced to create? Make up a fake persona for those questions.
Why would you possibly tell, say, your picture-sharing application your mother’s real maiden name? I don’t need to tell them my actual mother’s maiden name. They just need standard questions and answers that help them identify you as the valid account holder so they can do an automated password reset. Make up a story about a fake person and have it committed to memory.
#2. Speaking of memory, you don’t need to memorize all your passwords. Use a password manager and let it create and store all your unique passwords for you. But be sure to enable 2-factor authentication to unlock your password manager. [Meg’s note: Here’s a recent review of the bevy of password managers available to you]
Q: Any thoughts on the explosion of IoT devices? On the dangers they specifically pose? With Christmas coming up, I assume there’s about to be a hell of a lot more Nests, Alexas, Echos, Google Homes, what have you.
A: The growth of IoT is purely too hard to comprehend. Here are some stats and predictions from 1 year ago. It’s like when you watch Cosmos and Neil deGrasse Tyson tries to explain the number of stars just in our galaxy. And then you are told there are countless galaxies larger than ours.
Every single electronic thing in your house and in your life will soon be internet-enabled in some way. These are your refrigerators, your light bulbs, cars, thermostat, cameras, smoke detectors, and even that failed wifi-enabled juicer experiment that was the epitome of valley ridiculousness (I kept waiting for someone to tell me that it was a joke and actually part of the HBO Silicon Valley show).
From a privacy perspective, you need to be careful with devices in your home that have microphones and are connected to the internet. You just don’t know if or when they are listening. We’ve already seen smart TVs that listen and kids’ toys doing this. And then what is the company doing with all that data?
There is no doubt that all these things lend for huge innovation and automation, which should hopefully give us more time to be creative and move our cultures forward.
On the other hand, a lot of these IoT vendors just don’t have security-engineering experience or skills. They take the shortest route to reach market and will almost always forego security and privacy in order to capture market share. Not much here is going to change because the consumer demand is outrageous and most people are willing to give up privacy for technology at a low cost.
Q: What is the top danger in data security/identity protection right now?
A: I live in this cyber security industry and have seen the most creative and nefarious attacks, which continue to surprise me. Our attackers are just as smart [as we are] and oftentimes have more time and resources. They only have to be right once to break into the system, but the defenders have to be right all of the time.
One time in my life I refused to talk to this 10-year-old who was going door to door trying to sell things. I told my wife that I thought she was sent here to try and get information out of me. Call me paranoid.
At some point we just have to do our best to live our lives and not constantly have to be looking over our shoulder. Protection is about risk management.
These days everyone should have free credit monitoring because everyone’s identities have been leaked. [Meg’s note: There are a ton of free credit-monitoring tools out there. Also realize that if a tool is free, you, specifically, your data, is the product.] And you might as well just revolve your credit cards once a year. Did you know you can just call your credit card company and ask for a new card even if it hasn’t been stolen or lost? If they give you a hassle about it, tell them you lost it.
Play it safe. Ask questions. Don’t be afraid or hesitant to ask people who call or email you to prove that they work for your bank or other institution.
I was in the middle of a refi once and the bank called me on my cell phone. She demanded I tell her my SSN before she would complete funding the loan. I told her that I didn’t know she worked at the bank. We were able to be creative and figured out a way for her to identify to me that she did actually work for the bank.
But these kinds of things happen all the time; we just make assumptions that people are working in best faith and that’s not always the case.
Disclaimer: This article is provided for general information and illustration purposes only. Nothing contained in the material constitutes tax advice, a recommendation for purchase or sale of any security, or investment advisory services. I encourage you to consult a financial planner, accountant, and/or legal counsel for advice specific to your situation. Reproduction of this material is prohibited without written permission from Meg Bartelt, and all rights are reserved.