Reading the news today, after learning that Kristy Merlino’s email and Mailchimp accounts were hacked, that Kanye West’s iPhone passcode is 00000 and that Facebook doesn’t care about your privacy, I realised that other people might not be 1) as passionate about Internet privacy and security as I am, and 2) even if they were, they might not know how to protect themselves.
Why should you care
If you don’t value your personal privacy, then anything I write won’t convince you otherwise, but there are three reasons you should value your business data security.
- The Code of Practice for Marriage Celebrants, section 5 part (c) requires you to keep “facilities for the secure storage of records” which is more related to digital data security than it is to a filing cabinet these days.
- Federal law requires you to “Protect personal information from theft, misuse, interference, loss, unauthorised access, modification, and disclosure.” You are also required to “take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose permitted under the Privacy Act 1988. This might include shredding documents or storing them in a secure area.”
- Even if the Marriage Law section of the AGD office skips you, and the Australian Federal Police decide to leave you alone, you’re at risk at looking silly (screenshot). And second to obeying the law, having a good reputation is paramount to a successful business in this era.
How do you protect your business’ data?
Answering this question truthfully and to the full extent it deserves will take a lifetime, but here’s some starter ideas that you can take home, chew on, and hopefully implement.
1. You probably have a bad password
There is only one kind of good password: a unique password.
I don’t care how advanced, fancy, and awesome your current password strategy is: if all of your passwords are the same word, or the same word with a differentiator like a number, a capital letter, or the name of the website, then you have a bad password.
There’s an extremely simple reason behind this strategy of having unique passwords. Every day other businesses, websites, and companies are hacked, and those companies may have data and information on you. Worse, if they are a company you created a user account with, they have your password and username, so when that company is hacked, those hackers now know your password.
If you’re curious as to how many hackers possibly have your personal private data, usernames, credit card numbers, passwords, and phone numbers, enter your email address into this website: https://haveibeenpwned.com. “Have I Been Pwned” is a legitimate, Australian-operated website that matches your email address against known hacks. “Pwned” is slang for “owned”, meaning that someone owns you.
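Have I Been Pwned also lets you check a password itself without ever sending it: only the first five characters of its SHA-1 hash go to the service, and the comparison happens on your own machine. The following is an added example (not from the original post or from the HIBP project) showing that range lookup; the sample response is constructed, so the breach count it contains is a made-up figure, not the live one.

```python
import hashlib
import urllib.request

# Constructed sample of what the Pwned Passwords range endpoint returns for a
# hash prefix: one "SUFFIX:COUNT" line per breached hash sharing that prefix
# (the real service returns hundreds of lines per prefix). The last suffix is
# SHA-1("password") with its first five characters removed; the count is made up.
SAMPLE_RANGE_RESPONSE = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password: str, range_response: str) -> int:
    """How many times the password appears in the breach corpus.

    range_response is the text returned for the hash's 5-character prefix; the
    remaining 35 characters are compared locally, so the full hash never leaves
    the machine (the k-anonymity design of the API).
    """
    digest = sha1_upper(password)
    suffix = digest[5:]
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-character prefix (not used by the offline test)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "unique-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_live(password: str) -> int:
    """End-to-end: hash locally, fetch the prefix's range, compare locally."""
    return breach_count(password, fetch_range(sha1_upper(password)[:5]))
```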
If I know your email password, does that mean I can access your online banking and your Facebook too?
I can’t remember all the passwords!
If every website, service, and account has a different password, you’ll never remember them all, will you? That’s what a password manager is for: an app that is a secure vault for all of your unique passwords. I personally use 1Password. 1Password can generate random passwords, so each place you need a password has a unique one, and when that place is hacked the hackers only have that unique password, not the top secret password you use everywhere.
There are other free password managers, but I like paying for my password manager for the same reason I liked using paid-for antivirus: I wouldn’t hire a free security guard. If I pay for it I can trust it. I pay for a 1Password business subscription so that Britt and I can share our passwords with each other. The 1Password app is available for Mac, Windows, Android, and iOS devices – even the Apple Watch – so you can access your secure password vault everywhere. I’ve even started storing all of our personal details like Passports, Medicare Cards, and Credit Cards in there so we can access them any time.
2. Two-step authentication
Many services today offer two-step authentication, which simply means that there are two steps to authenticate you. If the service only asks for a password, that is one step; if it asks for a password and an SMS code, that’s two-step. You’ve probably already experienced this with your bank.
Identify your most important services and make sure that if two-step authentication is available, that you enable it and use it.
My most important services are
- my email, firstly because that’s all of my conversations but also how you can authenticate me if I’ve forgotten my password
- my mobile phone account, because that’s the first port of call for most hackers: they’ll steal your number so they can then steal your two-step authentication codes and your “forgot your password” codes
- my Apple ID, because that secures my three main computing devices, my MacBook, my iPad and my iPhone. If you can access those devices, you can access everything; plus that Apple ID contains backups of all of those devices, plus it has my Apple Pay and credit card information
- my Dropbox account because that’s my “filing cabinet”
- my online banking details, because money
- my Paypal account, because money
- my Facebook, Instagram, and Twitter accounts because those three places comprise my “online identity” and if that is compromised a hacker could claim falsehoods as true and maybe ask you guys for help or money
For all of those services I am doubly sure that I have a two-step authentication method and a unique password for each. I like the 1Password “three word” style of password for the same reason this XKCD web comic likes them.
If nothing else, please, for the love of God, just do this.
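As an added example (not from the original post or from 1Password), the following shows both halves of the password advice above: generating a “three word” passphrase and a random per-site password with a cryptographic random source, estimating how hard each is to guess, and detecting the “same word with a differentiator” habit from the bad-password section by stripping the digits, symbols and site name off a list of passwords. The word list is a constructed stand-in for the thousands of words a real list has.

```python
import math
import re
import secrets
from collections import Counter

# Constructed mini word list; a real diceware-style list has about 7,776 words.
WORDS = ["apple", "river", "candle", "mountain", "velvet", "orbit", "lantern",
         "harbour", "meadow", "copper", "falcon", "timber", "saffron", "glacier",
         "quartz", "willow"]
SYMBOLS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@_"


def three_word_password(words=WORDS, count=3, sep="-"):
    """'Three word' style passphrase drawn with the CSPRNG (never random.random)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_site_password(length=20, alphabet=SYMBOLS):
    """A per-site password you never type, so it can be long and unmemorable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, positions):
    """Guess-resistance of a uniformly drawn password: log2(choices ** positions).
    Three words from 7,776 give about 38.8 bits; 20 random symbols give over 120."""
    return positions * math.log2(choices)


def password_core(password, site_names=()):
    """Strip the 'differentiator' (digits, symbols, case, a site name) to expose
    the word that is really being reused underneath."""
    core = re.sub(r"[^a-z]", "", password.lower())
    for site in site_names:
        core = core.replace(site.lower(), "")
    return core


def reused_cores(passwords, site_names=()):
    """Cores used more than once: each is effectively one password shared
    across sites, which is exactly what a breach of any one site exposes."""
    counts = Counter(password_core(p, site_names) for p in passwords)
    return {core for core, n in counts.items() if core and n > 1}
```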
Pathways to accessing your data
Good passwords and two-step authentication are important, but if a bad actor or hacker can simply walk up to your computer and access everything then you’ve already lost.
If you have an iPhone or iPad, is your passcode less discoverable than five zeros? I actually made mine a word, because I didn’t want people to be able to watch my number passcode over my shoulder. On the same device, have you activated FaceID or TouchID? If you have a good passcode and FaceID or TouchID enabled, not even the FBI can access that device. This is the main reason I use Apple devices, for their security detail. If you have a new Android phone on the latest operating system, it very likely is very secure, but most Android phones don’t receive regular security updates so if it’s more than a year or two old it’s likely that the phone is insecure.
Desktop or laptop computer
Is the login password to your computer easy to guess? My father-in-law’s desktop computer password used to be his name with a capital first letter. Second to the password for your user account, are the other user accounts also secure? Is there a guest account that can access the computer without a password?
An often forgotten security tip for the more traditional form of computer is hard drive security. The computer’s login might be secure, but can I take the hard drive out, put it into my computer and simply read all the data? On a Mac go to “System Preferences”, then “Security and Privacy”, then “FileVault”, and make sure FileVault is turned on. On your Windows computer go to search, enter “manage BitLocker” and enable it there.
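If you look after more than one machine, it is easier to check the same thing from the command line than to click through the settings on each. The script below is an added example (not from the original post) that runs the operating system’s own tool, `fdesetup status` on macOS or `manage-bde -status C:` on Windows, and parses the answer; the sample outputs used to exercise the parsers are constructed from the format those tools print, and `manage-bde` needs an elevated prompt.

```python
import platform
import subprocess


def filevault_enabled(status_output: str) -> bool:
    """Parse `fdesetup status`, which prints 'FileVault is On.' or 'FileVault is Off.'."""
    return "FileVault is On" in status_output


def bitlocker_enabled(status_output: str) -> bool:
    """Parse `manage-bde -status C:`. The 'Protection Status' line is the one
    that matters: a drive can be fully encrypted yet report 'Protection Off'
    (BitLocker suspended), and then the key is stored in the clear."""
    for line in status_output.splitlines():
        if line.strip().lower().startswith("protection status"):
            return "protection on" in line.lower()
    return False


def check_disk_encryption() -> bool:
    """Run the platform tool for the boot volume and report whether it is protected."""
    system = platform.system()
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
        return filevault_enabled(out)
    if system == "Windows":
        out = subprocess.run(["manage-bde", "-status", "C:"], capture_output=True, text=True).stdout
        return bitlocker_enabled(out)
    raise NotImplementedError(f"no full-disk encryption check written for {system}")


if __name__ == "__main__":
    print("boot volume encrypted and protected:", check_disk_encryption())
```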
External disks, USB sticks, CDs, DVDs
Do you have important and private business data on a USB stick, or a backup drive, just sitting on your desk? For a data thief that barely counts as hacking; it’s simply taking advantage of a silly person.
Every day I find emails and social media posts from friends and family that have had their email or social media compromised, and the number one culprit is trust.
They’ll receive an email that seems legit, or read a Facebook post which must be true. Or that direct message which claims to have information it can use against you to expose your embarrassing secret life, or which lies about how you’ve already been hacked.
Learn how to identify which emails, messages, phone calls, and direct messages you can trust.
- Look at the email address it’s coming from: does it seem real, like firstname.lastname@example.org, or is it something tricky, like email@example.com?
- Think about who is sending the message, click on their profile and see if they look trustworthy
- If it’s a Facebook page with a too-good-to-be-true competition or offer, firstly, it probably is too good to be true, but secondly, look at the page: maybe it’s weird that Jetstar’s Facebook page has a strange full stop at the end of the page name and only has 2000 fans.
- If an email is asking you to log on and confirm details, it’s most likely false.
- Almost nothing good comes via a phone call today; if it’s actually important the authority will send you a written letter or email.
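The first and third checks in that list can be done mechanically. As an added example (not from the original post), the code below parses an email’s From header, flags a display name that drops a brand you deal with while the real sending domain is something else, and spots page names that only look right, such as a trailing full stop or a digit standing in for a letter. The brand-to-domain table is an assumed, constructed list; fill in the companies you actually deal with.

```python
import re
from email.utils import parseaddr

# Assumed list of brands you deal with and the domain each really sends from.
KNOWN_BRANDS = {"jetstar": "jetstar.com", "fastmail": "fastmail.com"}

# Digits commonly swapped in for the letters they resemble.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise_name(name: str) -> str:
    """Lower-case, drop punctuation and spaces, undo digit-for-letter swaps."""
    return re.sub(r"[^a-z0-9]", "", name.lower()).translate(CONFUSABLES)


def sender_domain(from_header: str) -> str:
    """The domain of the actual address, which is what mail is really sent from."""
    _name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def display_name_mismatch(from_header: str) -> bool:
    """True for 'Jetstar Rewards <promo@example.com>': a brand in the friendly
    name that the sending domain does not belong to."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in normalise_name(name):
            if domain != real_domain and not domain.endswith("." + real_domain):
                return True
    return False


def lookalike_name(candidate: str, genuine: str) -> bool:
    """A page or sender name that is not the genuine one but reads as it after
    normalising ('Jetstar.' or 'J3tstar' against 'Jetstar')."""
    return candidate != genuine and normalise_name(candidate) == normalise_name(genuine)
```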
Follow your gut
In the end you need to develop a gut instinct for what’s good and bad. Recently I followed this instinct in leaving Gsuite, Google’s email and business services product. Most of us have our email and calendar hosted by Google’s Gsuite for $5 a month, but over the past year I’ve started to develop a distrust for Google as a company. I don’t trust them with my personal data or my business data, nor do I trust that they are doing the best things with that data.
So I’ve followed my gut and moved all of my email to Fastmail (10% off if you follow this link).
I’m not going to advocate for you to follow me and do the same, but read the news, read the tech articles, and develop a gut instinct for who to trust and who to ignore. This is your business, you are storing your own and your clients’ private data (think of all the marriage paperwork you have, with all that private information), and if your systems are compromised the law and the court of public opinion will hold you to account.