In a connected world, everything you do online carries some degree of risk. Whether it's visiting websites, conducting financial transactions or simply checking to see if the 76ers won a game (Pro tip: Whatever day you're reading this, the answer is they lost), every action carries some level of risk, and that level varies widely from one action to the next.
Correctly understanding that risk, and adjusting for it, is an evolving challenge for individual users. (Though, in fairness, while breaches often result in posts about simplistic passwords, that is often just blame shifting by those who are supposed to be responsible for cyber security.) In enterprise cyber defense, like we provide for federal and commercial customers, one of the core practices is the creation of risk profiles, i.e., ensuring that the most sensitive information has the most robust security. Well-fortified enterprises evaluate their cyber security risk profile continually and implement corresponding security controls.
Use this concept for your own personal online activity.
Risk profiles are an enterprise security practice that should be part of everyone's mindset. Use account protections and access methods -- such as passwords and second factors -- that are proportionate to the value of the data they protect.
Think of it in real-world terms. If you're conducting an online banking transaction, you're working with highly sensitive information and you should secure that account to a high level. If you're simply signing in to your fantasy football team, a lower level of security is acceptable (though the thought of someone dropping Aaron Rodgers for Mark Sanchez is a legitimate cause for panic). Never reuse your high-security bank password on the low-security fantasy sports site: a breach of the weaker site hands an attacker the credentials to the more important account.
Like anything in cyber security, developing a personal risk profile begins with understanding the risk.
Step 1: Be conscious of the risk
Virtually every online company today requires individuals to register and create an online account to access its goods and/or services. This logjam of logins has worn users down to the point where an average user today could have twenty, thirty or forty accounts in regular use. This is great for convenience, but bad for cyber security. If users do not care about protecting their data at a specific site, they will use the easiest password to remember.
The danger comes when they use that same inadequate password to protect data they actually want protected. Credentials exposed in one breach are routinely replayed against other services (credential stuffing), so a compromise of one account can easily be exploited by an attacker across many of the victim's other accounts.
Step 2: Develop your own profile
Enterprise computer network defense typically operates on a defense-in-depth principle. Multiple overlapping security controls are implemented to limit data exposure should attackers penetrate the network. User roles are assigned and monitored, along with network access authorizations and the permissions that govern data movement. Organizations also apply a risk/reward philosophy that gives the highest-value data the strongest protection mechanisms.
Individuals could benefit by adopting a similar approach.
Step 3: Align your risk profile to your online activity
For instance, providing an email address to receive a newsletter involves minor risk should the account be compromised. Conducting an online transaction with an unfamiliar third party incurs substantially more risk, since the credit card details involved can be stolen.
It's useful to think of your own personal data in the same way. If you intend to keep sensitive photos you would not want exposed on a social media or cloud site, use the strongest user security protections that vendor offers. Also, avoid vendors who show up as repeat data breach offenders or who do not offer additional protection mechanisms such as two-factor authentication.
Keep the convenience/security trade-off in mind at all times.
For low-value accounts, convenience is paramount. For high-value accounts, data security should be paramount. If you intentionally decide to use a weak password to protect your high-value assets, then you are indeed an idiot.
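The three steps above amount to an audit: tier each account by what it protects, then look for the two mistakes the post warns about, a password shared across tiers and a weak password guarding a high-value account. The following script is an added example, not part of the original post, that performs that audit over a constructed inventory (hypothetical sites and passwords) using only the Python standard library; the 16-character threshold is an assumption chosen for the demo.

```python
"""Added example (not from the original post): audit a personal account
inventory for password reuse across risk tiers and for weak passwords on
high-value accounts. The account list below is constructed for the demo."""
from collections import defaultdict

# Risk tiers, per the post: protect accounts in proportion to what they hold.
TIERS = {"high": 3, "medium": 2, "low": 1}
MIN_HIGH_TIER_LENGTH = 16  # assumption: a threshold chosen for this example

# Constructed sample inventory (hypothetical sites and passwords).
ACCOUNTS = [
    {"site": "bank.example", "tier": "high", "password": "Trombone-Quartz-Lantern-77"},
    {"site": "mail.example", "tier": "high", "password": "Summer2015!"},
    {"site": "shop.example", "tier": "medium", "password": "Summer2015!"},
    {"site": "fantasy.example", "tier": "low", "password": "Summer2015!"},
    {"site": "newsletter.example", "tier": "low", "password": "password1"},
]


def audit(accounts):
    """Return a list of (issue, [sites]) findings for the given inventory."""
    findings = []

    # Group accounts by password so reuse is visible regardless of site.
    by_password = defaultdict(list)
    for acct in accounts:
        by_password[acct["password"]].append(acct)

    # Finding 1: one password shared by accounts in different tiers. A breach
    # of the lowest-tier site exposes every higher-tier account using it.
    for group in by_password.values():
        if len(group) < 2:
            continue
        sites = sorted(a["site"] for a in group)
        tiers = {a["tier"] for a in group}
        if len(tiers) > 1:
            highest = max(tiers, key=TIERS.get)
            lowest = min(tiers, key=TIERS.get)
            findings.append((f"cross-tier reuse exposes {highest} via {lowest}", sites))
        else:
            findings.append((f"password reused within {tiers.pop()} tier", sites))

    # Finding 2: a high-value account guarded by a short password.
    short = sorted(
        a["site"] for a in accounts
        if a["tier"] == "high" and len(a["password"]) < MIN_HIGH_TIER_LENGTH
    )
    if short:
        findings.append(
            (f"high-tier password shorter than {MIN_HIGH_TIER_LENGTH} characters", short)
        )
    return findings


if __name__ == "__main__":
    for issue, sites in audit(ACCOUNTS):
        print(f"{issue}: {', '.join(sites)}")
```

Running it against the sample data reports that the mail account's password is shared with the shop and fantasy sites (so the low-tier fantasy site is the weak point for the high-tier mailbox) and that the same password is too short for a high-tier account. The bank's long, unique passphrase produces no finding, which is the state every high-value account should be in.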
Use Two Factor Authentication (2FA) whenever possible.
Most users are quite familiar with this, even if they do not realize it. You use this method every time you get cash from an ATM -- a combination of something you have (bank card) and something you know (PIN code). Online accounts offer something similar, usually through your mobile phone: after you enter your password, the service asks for a one-time code delivered by text message or generated by an authenticator app on the phone, so a stolen password alone is not enough to log in. Many services also send you a notification when your account settings are changed, which lets you know if some external person is modifying your credentials, but that alert is a warning, not a second factor. Codes from an authenticator app or a hardware key are preferable to text messages, since text messages can be intercepted by an attacker who takes over your phone number, but any second factor is far better than none. Apple offers this. Google does. Most financial institutions do. Use it.
Remember that you may not be the only one answering "security questions."
In last year's celebrity photo leaks, user names, passwords and security question answers were compromised. Security questions exist to make password resets convenient; they are not an additional layer of security, and they have been defeated many times in the real world. In a famous example from September 2008, Sarah Palin's personal Yahoo email account was compromised through the account recovery mechanism when an attacker supplied the correct answers to her security questions, answers that could be found with a few web searches. The offender was caught, convicted and sentenced to a year and a day, but not before the damage was done.
Create a separate identity for your most secure information.
Some of the iCloud account compromises were made easier because the victims' email addresses were predictable variants of firstname.lastname or firstinitiallastname. For email accounts tied to your most vital information, such as financial assets, create a separate account whose address contains no biographical information or easily guessed identifiers. Never share that address online; an account an attacker cannot locate is one more layer in the defense-in-depth principle.
Use account security questions with hard to uncover answers.
For better or for worse, this identity verification scheme will continue to be used for the foreseeable future because it is cheap to implement and provides reasonable assurance as long as the answers are not public. Provide answers that cannot be found by an attacker perusing your social media profiles. Answers do not even have to be true. For example: Favorite elementary school teacher? No One or Re Cess. Treat such answers as a second password and record them in your password manager rather than trying to remember them.
Use account management software.
This category of software, better known as a password manager, can generate, encrypt and store unique credentials for all of your online accounts. It does create an 'all eggs in one basket' vulnerability, so protect that one product with a long, unique master passphrase you use nowhere else, and enable two-factor authentication on it if the vendor offers it.
Maintaining privacy in a digital domain is far harder than in the old analog days. Nothing is foolproof, but the effort of protecting your most important data is worth the inconvenience that the higher degree of protection requires. Remember that determined adversaries can sit in a faraway location and still inflict damage equivalent to breaking a window and entering a home full of physical photos. Thwarting such bad actors requires personal thinking similar to what organizations use.
Ultimately, it is incumbent on users to truly understand the risks they expose themselves to by using various services and online accounts.
Establish a personal risk profile. Accept the fact that online protections are necessary and will be with us for the foreseeable future.