In mid-2017, attackers breached Equifax, stealing personal information on 143 million people and marking the end of an era. With sensitive information on more than half of all U.S. adults compromised by online attackers, people should no longer assume that their information is private.
In fact, consumers and workers should assume that their information is in the hands of cyber-criminals. Not only do companies rely on the information as an identity test, but massive amounts of personal data can give attackers unprecedented insight into victims.
For that reason, consumers need to pay more attention to their digital lives, David Britton, Global Vice President, Industry Solutions, Fraud and Identity at Experian.
"Remember that all of the data about you as a person—meaning your name, your address, your phone number, your Facebook username, and everything else—all of that data has value," Britton said. "We often forget that as consumers, and if we think about that data having value, it should give us pause whenever we are putting that data out there."
1. Protect your devices against attack: Update regularly
After computer vulnerabilities are publicly released, attackers are quick to exploit them in cyber-attacks, especially if a proof-of-concept exploit or similar information is made public. In a study of the vulnerabilities patched over a six-month period, Microsoft found that about 8 percent of all vulnerabilities are exploited within 30 days.
The low exploitation level speaks to the increasing costs to attackers of finding and exploiting vulnerabilities in modern software. However, for users, the danger is much more significant. Exploits were released for vulnerabilities in four of the six months studied, so consumers should expect to be vulnerable nearly two-thirds of the time.
Software updates are important, said Marty P. Kamden, chief marketing officer for NordVPN, an encrypted network service.
"Many devices have … vulnerabilities that could also be used to exploit a device and steal personal data," he said. "The only way to avoid these flaws is to update your device whenever newest patches are released."
2. Sign up for important accounts, before attackers do
In the past, consumers could avoid taking part in the digital world and lead a private offline life. That's no longer true.
The most important data—tax filings, credit-card transactions, health data, and personal information—are all online. To best protect that information, the consumer needs to be online as well, Experian's Britton said.
"Even consumers that have no online presence, their data has been digitized," he said. "My recommendation is to sign up for the online version of your bank account, sign up for the online version of your credit card, because if you don't, it's possible that a fraudster might get your information and sign up on your behalf and then they have control of the digital channel."
By signing up for the online version of any important accounts, consumers also get an additional way of detecting fraud. Most financial institutions have an alerting mechanism to notify users of suspicious activity or transactions. Such alerting, along with regularly checking balances, can be the best way to detect fraud before it impacts your finances.
3. Beware of social media, leaky apps
While users should worry about attackers stealing their data and accounts, they also have to make sure that they do not compromise their own security and privacy by posting too much information online. Many people innocuously put their birthdays, maiden names, children's names, and other information online that could be used by attackers to gain access to accounts or make a more compelling phishing scam to fool the user.
"Always think before you put that data out there," Experian's Britton said. "Check what you are posting online, frankly. And know that any service that is a free service is using your information and the data to create a product."
Likewise, users should be careful about the apps that they use, because malicious or negligent developers may release software that harvests or leaks information. While numerous malicious apps have been discovered and removed from major app stores, smaller app stores generally do not have the security measures in place to detect intentionally malicious software. Exclusively downloading apps from the major app stores can help users remain safe.
4. Use a password manager
Passwords pose a number of security issues for most users. Strong passwords are typically complex and hard to remember, which means that most users create flawed and easily broken passwords, or create just a few strong passwords and reuse them.
Reuse, however, is a major problem. Third-party sites and services are often compromised, and if that company did not adequately protect its users' passwords, the attacker can attempt to use the passwords on other sites as well. Unique passwords will not give them any advantage, but a reused password is weak no matter how uncrackable the original password is.
Password managers allow their users to have unique, strong passwords for every site, with a single strong password that unlocks the password vault. They are also much easier to use and better integrated, said Fatemeh Khatibloo, principal analyst for privacy at Forrester Research.
5. Go beyond passwords: Multi-factor authentication
While password managers allow users to create a unique password for every site, a single secret is not enough to protect access to critical information. Any compromise of the password will give the attacker complete access to and control over the user's information.
A variety of additional security measures are often offered by service providers—from one-time password (OTP) mobile apps to hardware keys to fingerprint identification, such as Touch ID—and users should adopt them, advised Forrester's Khatibloo.
6. Ad blocking adds security
Online advertising is a chaotic ecosystem that involves numerous players, from advertisers and ad networks to publishers and marketplaces. The sheer number of players and the lack of visibility into who is the ultimate advertiser allows attackers to create malicious advertisements—so-called malvertising—that can be hosted on popular sites.
For this reason, ad blockers have become an important security measure. In the past, ad blockers were about user dissatisfaction with increasingly intrusive advertisements. With attacks coming through the advertising channel, however, blocking ads is increasingly about safety, said Forrester's Khatibloo.
"Meltdown and Spectre—the latest significant vulnerabilities—they are piggybacking on scripts that are running on ad servers," she said. "So ad-blocking is now a security and privacy precaution as opposed to 'I want to improve my Internet browsing experience.'"
7. When on a public network, use protection
With each individual using a proliferation of devices, many do not consider the networks they use to communicate. Hotel networks and free WiFi in coffee shops, for example, could allow an attacker to perform a man-in-the-middle attack and intercept a user's data.
Corporate or personal virtual private networks (VPNs) are a good way to protect data. Yet, for non-technical people, they remain intimidating or, at the very least, too troublesome.
"It is a step beyond what most people want to do," said Forrester's Khatibloo.
She recommends that all users considering forcing their browser to use HTTPS, the secure form of the Web protocol. However, doing so can cause issues with websites that don’t support the protocol.
Another way of protecting your communications is to not use the public network at all, but to use a hotspot through your phone. While not foolproof, intercepting such communications is more difficult.
8. Encrypted e-mail keeps archived information secure
Most people give little thought to the selection of an email provider. Using one of the large cloud email services can undermine a user's privacy, however, because companies offer the free service as a way to target the user with unwanted advertising.
Yet other options exist. ProtonMail, for example, is a free encrypted email service provider based in Switzerland and developed by researchers from CERN that allows users to sign up without providing personal information.
9. Stop throwing data in the trash
While the heyday of dumpster diving may have passed with the transition to digital documents, companies and individuals should consider their trash to be a potential threat. Many companies still do not require that paper files be regularly shredded or incinerated, Forrester's Khatibloo said.
"We have forgotten how important shredders are," she said. "I'm shocked at the large file folders of things that I see thrown away in our dumpster every day."
10. A credit freeze can help most people
Since the breach at Equifax, privacy advocates have urged consumers to put a credit freeze on their account with all the major credit firms. While doing so requires some effort—and requires that the consumer remove the freeze if they want to open an account—a freeze will prevent the most pernicious form of fraud: new account fraud.
"Credit freeze is absolutely is a great way to go," said Experian's Britton. "It allows you to put a block on your account so that no one can open a credit product in your name."
Britton also recommends that consumer check out their credit report at each of the consumer information companies, which they are entitled to receive for free annually. Businesses that rely on credit information will have to do more to ensure that they are dealing with the legitimate account holder, he said.
"The truth is that since 2013, the [amount] of breach activity is so large, we assume that everyone's persona, everyone's identity data has been compromised. Full stop," he said.