Every week there are headlines about a company getting its email, website, Twitter accounts or something else hacked. The reason? In a word: Employees.
Each of your accounts and devices is a potential way in for a hacker. “You’re only as protected as your weakest link,” says Tom Cochran, chief technology officer at Atlantic Media (which owns Quartz), and former head of digital technology at the White House. ”All it takes is one person to fall for a phishing scam for your organization to fall for hackers.”
So how you do avoid being that weakest link? Cochran, along with two of Quartz’s developers, Michael Donohoe and Sam Williams, offered a list of ways for people and businesses to secure their online property. Here are their tips, in roughly increasing order of difficulty.
What: A simple browser extension, HTTPS Everywhere ensures that whenever you go to a website that allows encrypted browsing (such as many email, banking and other sites that store personal information), your browser will default to using the encrypted version, where the address starts with https instead of http.
Why: Encrypted websites “hash” (i.e., scramble) passwords rather than allowing them to travel through the network as clear text. This also means they don’t store your password on their servers, but only the scrambled version of it. So anyone who spies on your internet connection, or manages to hack the server you’ve logged in to, can’t get your password.
This also means you should be wary about sites that don’t use https, or that email you a password in plain text when you lose it. There’s a good list of offending sites at plaintextoffenders.com.
What: Many people leave their Wi-Fi network open, so anyone can use it. Go to the wireless router’s settings—you may have to look at the instructions for how to do this—and put a password on it.
Why: People accessing your network don’t just slow it down. They can “sniff” traffic and data being passed through the network including chat conversations and clear-text passwords (passwords that you type in on insecure networks). By putting a password on your Wi-Fi network, you are at least making it a little bit harder.
What: As Cochran writes, “Password protect as much as possible.” Put passwords or lock codes on every device you use that has internet access.
Why: While you may not store the most sensitive company documents on your phone or tablet, someone who gets hold of them can find plenty of useful information in your email. Someone who’s in your email can also pose as you to get passwords or documents out of colleagues. And if you use services like Dropbox or Google Drive to share office documents, your mobile device may give an attacker access to those too.
What: A number of social networks and websites—Google, Twitter and WordPress to name a few—now allow two-step authentication. This means that after you enter your password, you are asked for a separate code number, which you get either via text message or, for a growing number of services, from a smartphone app like Authy or Google Authenticator (for iOS/Android; there’s something similar for Windows phones.) The app doesn’t need an internet connection; it just spits out ever-changing codes.
Why: If you’re logging in from your normal computer, most websites will ask for the code only once every 30 days. The point of two-step auth is to prevent unauthorized logins from somewhere else. Even if hackers get hold of your password, they won’t be able to get into your account without also having your phone (unless they have also stolen your regular computer.) That makes this the best defense against phishing scams.
What: It’s very easy to encrypt your entire hard drive on a Mac using the built-in Firevault app. On a Windows PC it’s a little more involved, but there are various encryption apps available. This may mean leaving your computer on overnight the first time to encrypt the drive, but after that it shouldn’t be noticeably slower.
Why: Even if your computer is password-protected, someone who steals it could still, with the right know-how, copy the contents of the hard drive. Encryption protects your data if that happens.
What: Never send passwords or other important personal data over email, instant messenger, social media, or any other form of electronic communication. Don’t store them as draft emails or in documents on your computer either. If you have to share a password among colleagues—to a company Twitter account, for instance—choose one that’s long but easy to remember (see item 7), and pass it around by word of mouth. Even writing it down on a piece of paper is better than emailing it.
Why: ”Emails act as a window to everything,” Donohoe says, and the same can be true of anything else that stores your messages. A hacker who gets into one account can then get into others.
What: There are several password manager services that can both generate strong passwords (passwords with complicated letter/number sequences that are hard for humans to remember and machines to crack) for your various accounts and store them securely, with one master password to unlock them. Quartz’s Sam Williams is a big fan of 1Password. Here’s a tip from Cochran on creating a secure master password you can remember:
Instead of using your pet’s name, try a catchy song lyric like “Life is a highway. I want to ride it all night long.” If the full lyric is too long, you can use the first letter of each word: liahiwtrianl, for example. These are far easier to remember and much more secure.
Why: If you have to remember all your passwords yourself, chances are you’ll make them too weak or reuse the same password for multiple services, making them vulnerable.
What: A common phishing scam is when you get an email apparently from your bank, or Google, or another service you trust, with a link to its website, asking you to log in for some purpose. But in reality, the site is a fake one that records your password.
The most basic defense is to read the sender’s email address, and the site’s address, very carefully: is it google.com or googIe.com (with a capital I instead of the L), for example?
In addition, if you use Gmail, you can enable a feature that displays a little key symbol in emails from certain trusted sites, such as eBay, PayPal and big banks, telling you that the sender is legitimate:
And if you do fall for a phishing scam, two-step authentication (item 4) may still save you from harm.
What: Networks that you can connect to without requiring any password are open networks and are commonly found in airports and coffee shops. As mentioned in the second tip, data that passes through open networks can be “sniffed.” So if you do use these networks, it’s important to be cautious about what you access while online in such an environment. As mentioned earlier, if you’re on a website that uses an https connection—such as a social network or major email provider —you should be secure.
However, you shouldn’t transfer any sensitive or confidential material over chat messages and don’t visit any websites that you wouldn’t want others to know you’ve accessed.
What: if you can choose which applications can access to the internet, you automatically have more control over the flow of your data. You can do that using an application, recommended by Williams, called Little Snitch. This will bring up a pop-up box any time an application requests access to the internet and you can choose to allow this connection or not.
Why: Williams might be admittedly paranoid but he makes a point. ”Why should my video player connect to the internet while I’m watching something?” he asked. This is especially important if you have installed any third-party applications or have downloaded anything from a peer-to-peer network. This is because if programs are requesting access to the internet, they may soon pass on your information or install applications that log your keystrokes (and then have your password).
On that note, it’s good to regularly delete any third-party applications, whether that’s browser extensions or apps connected to your Twitter account, that you no longer use.