Throughout my career and while growing up, I have been the “go-to guy” for all computer-related issues, including everything security related. As you can imagine, I’ve come across everything from identity theft to spyware, and in almost every situation the victim had a false sense of confidence in their security.
I have compiled a list of the top 5 misconceptions that I am sure many can identify with and hopefully after you are finished reading this post, you will be able to make some minor changes that could have a significant impact on how well you protect your personal data.
The following statements were made after a security compromise and ended in the dreadful “I thought I was secure.”
1. I installed anti-virus when I bought the computer so…
2. I’m not using a PC. I bought a Mac so…
3. The password I use on all my accounts is hard to guess and I used numbers and special characters so…
4. I don’t do online banking from my computer at home. I only do it from my cell phone so…
5. I don’t open links from email addresses I don’t know. The email came from my friend so…
In each one of these cases, they had good intentions and good practices were being used. The problem lies in the fact that security isn’t black and white. There is a human aspect that is predicated on common sense and quality decision making.
We all know that to protect our homes from intruders we lock our doors, and as an extra precaution we have alarm systems; some of us even have cameras and guards protecting the exterior. Is that enough? I would argue no. There are simple day-to-day measures that ensure the safeguards you put in place stay effective. You wouldn’t hand out copies of your key to multiple people, would you? You need to turn your alarm on when you leave the house, right? You have to pay the monthly bill to the alarm company to keep your service active, don’t you? You wouldn’t hire convicted thieves as your guards, would you? If you wouldn’t make these kinds of decisions when protecting your house, why would you make them when protecting your personal data?
Now let’s revisit the list above and identify where each of them went wrong with their decision making.
1. I installed anti-virus when I bought the computer so…
Though anti-virus is considered best practice for protecting your PC from a malware infection, the software is close to useless if you don’t update it. Out of the box it can only recognize the malware its vendor knew about when its signature database was built, so without regular definition (and engine) updates it will never gain the ability to detect anything written after that date. Most products can be set to update themselves automatically; check that the setting is on and that the subscription hasn’t lapsed, because an expired license often stops updates silently. Lesson #1: Antivirus is good, but it is ineffective if you don’t apply updates regularly.
2. I’m not using a PC. I bought a Mac so…
This is one of my favorites. Unlike the rest of the list, this fallacy is rooted in misleading advertising more so than PEBKAC. I am a PC guy, so I will try not to let my bias affect my message. Let’s clear one thing up: Mac computers are NOT inherently more secure than PCs. Until recently the majority of vulnerabilities and compromises were found on the Windows platform, but that is not because Apple has no security flaws; it is because the lion’s share of the computer market is Windows based. Surveys at the time of writing put roughly 90% of desktop internet traffic on Windows computers and only about 5% on Apple computers. If you are an attacker, would you spend your time finding flaws in the 90% or the 5%? By the same token, the security community spends more of its effort finding and fixing flaws on Windows, so the Windows numbers are inflated on both sides of the ledger. Mac malware does exist, and a Mac that is never patched is as exposed as any other unpatched machine. Lesson #2: Purchasing a Mac is not a security measure.
3. The password I use on all my accounts is hard to guess and I used numbers and special characters so…
Today your bank, the company you work for and most e-commerce websites will force you to create strong passwords. The usual rule is a password that contains at least 3 of the following 4: upper case, lower case, numbers, special characters. That is fine as far as it goes (and length does more for you than character classes), but now you need to take it a step further. With the number of breaches taking place today, it is strongly recommended that you use a different password for every account. The last thing you want is for one company you do business with to get hacked and all of your other accounts to fall as collateral damage because you reused the same credentials; attackers routinely take the username and password pairs leaked from one breach and try them against every popular site. Nobody can remember dozens of unique strong passwords, so use a password manager to generate and store them. Lesson #3: Diversify your portfolio of passwords to limit the impact of an account compromise.
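To make the two halves of that lesson concrete, here is an added Python example (my own illustration, not code from the original post): a checker for the “3 of 4 character classes” rule plus a minimum length, a generator for random per-account passwords, and a reuse finder that shows the blast radius of one breached account. The minimum length of 12 and the sample account list are my own assumptions, constructed for the example.

```python
import secrets
import string
from collections import defaultdict

# Assumed policy threshold for the example; the post only states the 3-of-4 rule.
MIN_LENGTH = 12
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed sample credential store: (account, password). Not real data.
SAMPLE_CREDENTIALS = [
    ("bank", "Tr0ub4dor&3"),
    ("work-email", "Tr0ub4dor&3"),
    ("shop", "Tr0ub4dor&3"),
    ("forum", "u9$Lm2#pQx7!zVbn"),
]


def character_classes(password):
    """Names of the character classes actually present in the password."""
    chars = set(password)
    return {name for name, members in CLASSES.items() if chars & members}


def meets_policy(password, min_length=MIN_LENGTH, min_classes=3):
    """The site rule from the post (3 of 4 classes) plus a length floor."""
    return len(password) >= min_length and len(character_classes(password)) >= min_classes


def generate_password(length=20):
    """Random password from the OS CSPRNG that is guaranteed to use all 4 classes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if len(character_classes(candidate)) == 4:
            return candidate


def find_reuse(credentials):
    """Map each password used on more than one account to the accounts sharing it."""
    by_password = defaultdict(list)
    for account, password in credentials:
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def blast_radius(credentials, breached_account):
    """Every other account an attacker can walk into once breached_account leaks."""
    leaked = dict(credentials)[breached_account]
    return sorted(a for a, p in credentials if p == leaked and a != breached_account)


if __name__ == "__main__":
    print("reused:", find_reuse(SAMPLE_CREDENTIALS))
    print("if 'shop' is breached, also lost:", blast_radius(SAMPLE_CREDENTIALS, "shop"))
    print("fresh unique password:", generate_password())
```

Note that `Tr0ub4dor&3` passes the 3-of-4 composition rule but fails the length floor, while the reuse check is what exposes the real problem: breach the least important account (“shop”) and the bank and work mailbox fall with it. A real password manager does the storage and generation for you; the point of the code is the reuse query, which is the one you want to run against your own accounts.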
4. I don’t do online banking from my computer at home. I only do it from my cell phone so…
Two years ago this may have been a decent approach, but those days are long gone. More people today would rather browse the internet from a tablet or their phone than from a conventional PC or laptop, and cyber criminals have redirected their attention toward these platforms accordingly. There is malware built today specifically to target Android and Apple phones. Mobile malware is usually introduced through links in text messages or through fake apps posted in application stores. Most people aren’t aware of this threat, so the basic precautions don’t get applied: keep the phone’s operating system and apps updated, install apps only from the official store and only when you actually need them, look at the permissions an app asks for before accepting them, and set a lock screen so a lost phone isn’t an open door. Do you have anti-virus on your phone (an option on Android; on an iPhone you are relying on the app store’s vetting and on prompt updates)? Did you know that attackers who get malware onto your phone can record your calls, redirect your text messages, or turn on the microphone while the phone is in your pocket? This topic is so ripe and new that I could dedicate an entire blog to it. Lesson #4: Your mobile phone is probably less secure than your laptop or conventional desktop.
5. I don’t open links from email addresses I don’t know. The email came from my friend so…
After a cyber criminal compromises a computer they begin to search for new targets, and one way they do that is by going through the mailboxes and contact lists of machines they have already hacked. What better way to convince someone to open a file or follow a link than to send it from the address of someone they trust? Keep in mind, too, that the From address on an email can simply be forged; the attacker doesn’t even need your friend’s account to make a message look like it came from them. These attacks are hard to detect, but there are some common indicators that should at least pique your suspicion. If you receive an email from your friend about a topic you don’t typically email about, it should raise a red flag. If the email is sent at 3 AM and you typically email during business hours, you should raise an eyebrow. If the message is little more than a link or an attachment with one vague line of text, that is a third. When in doubt, ask your friend through another channel (a phone call or a text) whether they actually sent it, and don’t reply to the suspicious email to ask. This is one of those situations where you need to use good judgement. Lesson #5: Be suspicious of any and every email you receive, regardless of who it appears to come from.
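The two “raise an eyebrow” indicators above (odd hour, odd topic) are simple enough to turn into a heuristic, which is what many mail filters and mailbox anomaly detectors do at larger scale. The following Python is an added example of mine, not code from the original post: it builds a per-sender profile from constructed sample history (the addresses, timestamps and subjects are made up for the illustration) and then flags a new message that falls outside the sender’s usual sending hours or shares no subject vocabulary with their past mail.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample mailbox history: (sender, local timestamp, subject). Not real mail.
HISTORY = [
    ("alice@example.com", "2013-03-04 09:15", "Lunch on Thursday?"),
    ("alice@example.com", "2013-03-06 14:40", "Re: Lunch on Thursday?"),
    ("alice@example.com", "2013-03-11 10:05", "Photos from the hike"),
    ("alice@example.com", "2013-03-13 16:30", "Hike photos part 2"),
]

TIME_FORMAT = "%Y-%m-%d %H:%M"
# Reply/forward prefixes carry no topic information, so they are dropped.
NOISE_WORDS = {"re", "fw", "fwd"}


def _tokens(subject):
    """Lower-cased alphabetic words in a subject line, minus reply/forward noise."""
    return set(re.findall(r"[a-z]+", subject.lower())) - NOISE_WORDS


def build_profile(history):
    """Per sender: the hours they have sent mail at and the words seen in their subjects."""
    profile = defaultdict(lambda: {"hours": set(), "words": set()})
    for sender, timestamp, subject in history:
        hour = datetime.strptime(timestamp, TIME_FORMAT).hour
        profile[sender]["hours"].add(hour)
        profile[sender]["words"] |= _tokens(subject)
    return profile


def suspicion_flags(profile, sender, timestamp, subject, slack=1):
    """Red flags for one new message; an empty list means nothing looked unusual.

    slack widens the sender's observed hour range by that many hours on each side
    so a message slightly before or after their norm is not flagged.
    """
    flags = []
    known = profile.get(sender)
    if known is None:
        flags.append("no prior mail from this sender")
        return flags
    hour = datetime.strptime(timestamp, TIME_FORMAT).hour
    low, high = min(known["hours"]) - slack, max(known["hours"]) + slack
    if not low <= hour <= high:
        flags.append(f"sent at {hour:02d}:00, outside usual {low:02d}:00-{high:02d}:00")
    if not _tokens(subject) & known["words"]:
        flags.append("subject shares no words with past mail from this sender")
    return flags


if __name__ == "__main__":
    prof = build_profile(HISTORY)
    for msg in [
        ("alice@example.com", "2013-03-15 03:12", "Check out this invoice attachment"),
        ("alice@example.com", "2013-03-18 11:00", "More hike photos"),
    ]:
        print(msg[2], "->", suspicion_flags(prof, *msg) or "looks normal")
```

The 3 AM “invoice” message from a friend who only ever mails about lunch and hikes trips both checks; the 11 AM “More hike photos” trips neither. Treat the output as a prompt for the out-of-band phone call, not as a verdict: a clean result says nothing about whether the From address was forged, and a real detector would also look at the link or attachment itself.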