It is quite an understatement to say that many people will be very happy to leave 2020 behind. But, as we prepare to enter 2021, we should take stock of the various lessons that we have learned this year, and endeavor to apply them in 2021 and beyond.
Today, I’m going to look at a few personal-level cybersecurity and data privacy items that should be on everyone’s list for 2021 preparation.
Strong Password Management
This coming year, if you haven’t done so already, please consider implementing a password manager (e.g. LastPass, Dashlane, KeePass, etc) so that you have a consistent and manageable way to maintain strong passwords for services that you use online or offline (e.g. social media sites, banking, etc).
If you have a low risk appetite, and are comfortable with managing two different password management tools, I would further recommend that you consider maintaining both an online and an offline password manager. This will allow you to keep the passwords for your offline services in the offline password manager, and reduce your risk of exposure in that way. (Why put offline account credentials in an online credential manager if you don’t have to?)
Also, please make sure you are using a unique password for each site. Not every password has to be of the 64-random-character variety (the strength of your credentials, the username/password combination, should be commensurate with the sensitivity of the data being protected), but there is no good reason to share a password across multiple sites. None. When a site you use is breached, the leaked credentials should not give an attacker a way into any other site that you use.
Speaking of Passwords… What about MFA?
For that matter, start enabling multi-factor authentication (MFA) wherever it is offered. With MFA in place, a stolen or guessed password alone is not enough to get into the account; each additional, independent layer of security reduces your exposure. The less you have to rely on a plain password by itself, the better your overall security will be.
How are your backups?
Make sure you have a good data backup strategy for your computing devices, whether in the cloud or on your local premises. Data loss is easy. Data recovery is hard when there hasn’t been adequate preparation.
A few months ago, a secondary drive on my main workstation failed after a power supply incident (the hard drive won’t even power up), and although I had backups of 95% of the data that was lost on that drive, and although I was able to recreate the other 5% of that data from other systems, the loss was still annoying. And it exposed a place where I thought I had 100% coverage, but due to changes I made with other systems, that coverage was undermined.
Thankfully, because I like to have redundant, redundant backups, my oversight only reduced my coverage, and didn’t eliminate it outright. Take some time to review your devices and make sure you will be able to recover from unpleasant system or data loss without a loss of time and/or money. We tend to rely on technology a lot more than we think, and only realize this in a loss or failure scenario.
Software and Device Management
Patches, patches, patches. Yes, many of us are tired of patches, but keeping your devices up to date is critical. This is true of Windows, Linux and OS X, as well as your mobile devices. Don’t let anyone try to convince you otherwise. Old software with known, unpatched vulnerabilities is one of the most common ways attackers get into systems and networks and steal data.
Make sure your mobile devices are running the latest software and that you set them to lock when they go to sleep. You may not want to set mobile updates to automatic (I manually update my mobile devices), but you should reserve some time to make sure they are being updated on a regular schedule, especially for security updates.
Remember that your mobile phone is the gateway to all your other access and data — especially if you are using it for multi-factor authentication. Keep it locked when not in use.
Social Media Profiles
Take some time, at least two or three times a year, to review your social media profiles and make sure that the security settings make sense for your personal privacy and security goals, objectives, and philosophy. Remember that your goals might not align with the goals of the owners of those platforms, so don’t expect that the defaults will protect you as they should.
For those running a business or a business department…
If you are responsible for a business, or for a department within a business, that handles personal information, then consider the following:
- Be sure to pay attention to the data privacy regulations that can affect your business and its customers, such as GDPR and CCPA.
- Review some of the free security awareness training resources to help you understand the common threats that can affect you and your business or employer, such as https://www.nist.gov/itl/applied-cybersecurity/nice/resources/online-learning-content
Yes, it is very true that keeping up with security can feel bothersome, annoying or even overwhelming, but if you really want to be overwhelmed, just try to recover from identity theft or a data breach. Those are far more onerous and time consuming.
Trust me on that!
Security, like health, requires constant vigilance, and is easier to manage when you do so regularly.
Just as we need to be wise about our personal health, but are not expected to become our own doctors, so we need to be wise about our own cybersecurity and data privacy, without becoming a cybersecurity or data privacy professional.
Be safe out there.
Happy holidays and a happy new year to you all.