Picron is an online accounting firm. That means cybersecurity must always be a primary concern, both for us and for our current and future clients. This blog post provides some introductory advice on protecting your online identity and improving your cybersecurity. Because the topic is so important, you can expect more posts on it in the future.
Why should I care about all this cybersecurity stuff?
Everywhere you look, a new app, website, or service launches to make your life easier. An unintended consequence of this massive change is that more and more of your personal information is online. From your online bank statements to your Facebook photos/posts, a treasure trove of personal information about you exists on the web, increasing your vulnerability to online identity theft.
The above chart from Statista shows the growth of cybercrime from 2001 to 2015 in terms of the financial cost to consumers. According to the underlying report from the Internet Crime Complaint Center (IC3), in 2015 the reported losses from cybercrime crossed a billion dollars. Stealing personal information like yours has become a booming business, and it is likely to keep growing as our society becomes more dependent on technology. Ignoring the protection of your online data is no longer a sustainable option; it's time to treat cybersecurity with the same level of concern you give to keeping your home or car safe and secure.
That’s crazy! How do I protect my online identity?
As with learning any new skill or complex concept, the first step is to understand the basics. Here are four that I believe make a good foundation: password strength, multi-factor authentication, encryption, and digital signatures.
#1 - Importance of password strength
Probably the most overlooked cybersecurity measure is the use of a strong password. Note that I didn't say the use of passwords but the use of strong passwords. Where many people fall short is not in using passwords but in choosing weak ones. A weak password is one that is easy to determine with modern methods for cracking or guessing passwords. Weak passwords are typically built from things an attacker can look up or guess: your name, your child's name, your favorite TV show, your favorite food, a dictionary word, or a predictable variation on one of these such as adding a year and an exclamation mark. At a minimum, a strong password is long (as long as the site allows), avoids dictionary words and personal details, and uses a random combination of letters, numbers, and special characters (source). Length matters more than any single rule: every extra random character multiplies the work an attacker has to do.
You may use weak passwords because they're easier to remember, but therein lies the problem: what makes a password easy to remember is also what makes it easy to guess. Attackers rarely type guesses into a login form one at a time. When a website is breached, they take the stolen password database and run cracking tools against it offline, trying billions of guesses per second against weakly protected databases, starting with lists of common passwords and the predictable variations people make on them. Well-developed tools make this feasible for even the most amateur hackers; you only need to Google "free hacking tools" to find plenty of professional-grade programs that illustrate this point.
One of the most effective ways to protect your online accounts is to use a password manager. A password manager acts as a secure electronic safe for all of your online passwords, locked by one strong master password. Its most important feature is generating and storing a different random, strong password for every site in place of one you chose yourself. This also means that if a website is breached and hackers obtain the password you used there, they can't reuse it anywhere else; compare that with the person who used "password7" for every login and now has every account exposed. Here are a few password managers known to have good reviews, in no particular order:
LastPass, Proprietary: Website
Dashlane, Proprietary: Website
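To make the difference between a weak and a strong password concrete, here is a small Python script I've added to this post (it is not code from any of the products above). It models a cracker's cheapest attacks first: a wordlist, then wordlist entries with a few digits or symbols tacked on, and only then exhaustive search over the character classes the password actually uses. The seven-entry wordlist and the assumed speed of ten billion guesses per second are constructed stand-ins; real wordlists run to millions of entries and real speeds depend on how the site stored your password.

```python
import math
import secrets
import string

# Constructed stand-in for the multi-million-entry wordlists crackers actually load.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "football", "dragon"}

LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 printable ASCII symbols

# Assumed attacker speed: one GPU rig against a fast, unsalted hash (e.g. MD5 or NTLM).
GUESSES_PER_SECOND = 10 ** 10


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Build a password the way a password manager does: from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must cover: only the classes actually present."""
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(ch in cls for ch in password))


def estimate_guesses(password: str) -> int:
    """Guesses needed under a simple cracker model, cheapest attack first:
    1. the wordlist itself (case-insensitive),
    2. a wordlist entry with 1-4 digits/symbols tacked on ("football2019"),
    3. exhaustive search over the character classes the password uses."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS)
    base = lowered.rstrip(DIGITS + SYMBOLS)
    suffix_len = len(lowered) - len(base)
    if base in COMMON_PASSWORDS and 1 <= suffix_len <= 4:
        return len(COMMON_PASSWORDS) * (len(DIGITS) + len(SYMBOLS)) ** suffix_len
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the guess count: the usual yardstick for comparing strength."""
    return math.log2(estimate_guesses(password))


def crack_time_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for the attacker to exhaust the modelled search space."""
    return estimate_guesses(password) / rate


if __name__ == "__main__":
    for pw in ("password", "password7", "football2019", "Tr0ub4dor&3", generate_password()):
        print(f"{pw:24} {entropy_bits(pw):6.1f} bits  ~{crack_time_seconds(pw):.3g} s to exhaust")
```

Run it and the point of the section falls out of the numbers: "password7" survives a fraction of a microsecond because it is a wordlist entry plus one character, while a 16-character random password from a manager sits around 105 bits and would take longer than the age of the universe to exhaust at the assumed rate.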
#2 - Two-factor authentication as a form of user authentication
If you haven't heard the term user authentication, it refers to a standard practice for protecting your personal information. User authentication is the process of restricting access to a system so that only authorized users can get in; each user must prove who they are before access is granted. The evidence a user presents generally falls into one of three categories:
Something you know, a.k.a. the knowledge factor (think passwords),
Something you have, a.k.a. the ownership factor (think your phone), or
Something you are or do, a.k.a. the inherence factor (think your fingerprint).
You may not have seen the term multi-factor authentication very often, but it is becoming more common on modern websites. For example, have you ever logged in to a website and been asked for a verification code sent to your phone? That is multi-factor authentication in use: the password is a knowledge factor (only you know it), and the phone is an ownership factor (only you should have it). The point is that the factors come from different categories; a password plus a "security question" is still a single factor, since both are things you know. Many sites use the term two-factor authentication instead, and in this context the meaning is the same. Multi-factor authentication is simply a stronger form of user authentication.
Get in the habit of enabling two-factor or multi-factor authentication wherever the option is available. It further protects your personal information because a hacker who has stolen or guessed your password still needs the one-time code from your phone to get in. One caveat: codes sent by text message can be intercepted or redirected if an attacker takes over your phone number, so when a site offers it, an authenticator app or a physical security key is the stronger choice. Any second factor is still far better than none.
#3 - The Wild Wild West of Encryption
Encryption, as it's used in modern computing, is a complex topic, but I will try to give a brief explanation without getting too technical. To start, what exactly is encryption? Encryption is the process of encoding messages or information in such a way that only authorized parties can read it (source).
For example, let's say I wanted to send you an encrypted message. I would use what's called an encryption key to scramble the message into unreadable ciphertext.
To an unauthorized person, the ciphertext is just a useless series of random-looking characters. To you, the authorized recipient, I would separately provide the key, which lets you turn the ciphertext back into the original readable message. Note the word separately: the key has to reach you over a channel the eavesdropper can't read, or it protects nothing. Please keep in mind this is a gross simplification, but as long as you remember that the base concept of encryption is converting information from a readable to an unreadable format to prevent unauthorized access, you will have a good starting point on the topic.
This matters because encryption is used for far more than secret messages. Entire websites use it so that only the intended recipient (you) can read what passes between you and the site. For example, this website uses HTTPS (also known as HTTP Secure) to protect the information you are reading right now. HTTPS means the traffic between your browser and the website is encrypted in transit, so it can't be read or altered along the way, and the site's certificate lets your browser check that it is really talking to the site named in the address bar. It does not mean the site itself is trustworthy; phishing sites use HTTPS too. Still, be wary of any website that asks for your personal information without having taken the minimum step of implementing HTTPS.
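As an added example (not from the original post), the Python below walks through the "scramble with a key, unscramble with the same key" idea using the simplest real cipher there is, the one-time pad, where the key is random bytes at least as long as the message. Choosing it over the ciphers HTTPS actually uses is my call for readability, and the messages are constructed. It also shows two failure modes the paragraphs above only hint at: reusing a key leaks the messages, and encryption by itself does not stop tampering, which is why HTTPS pairs encryption with an integrity check.

```python
import secrets


def generate_key(length: int) -> bytes:
    """A fresh, uniformly random key as long as the message. Use it exactly once."""
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Ciphertext = plaintext XOR key. With a random, never-reused key this is perfectly secret."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return xor_bytes(plaintext, key)


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so the same key and the same operation recover the message."""
    return encrypt(ciphertext, key)


def key_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What an eavesdropper computes when two messages share one key: the key cancels,
    leaving plaintext1 XOR plaintext2. Knowing either message then reveals the other."""
    return xor_bytes(ct1, ct2)


def flip_byte(ciphertext: bytes, index: int, mask: int) -> bytes:
    """Attacker edits the ciphertext without knowing the key; the same edit lands in the
    decrypted plaintext, and nothing in the cipher alone detects it."""
    edited = bytearray(ciphertext)
    edited[index] ^= mask
    return bytes(edited)


if __name__ == "__main__":
    message = b"Wire $100 to account 4471"           # constructed sample message
    key = generate_key(len(message))
    ciphertext = encrypt(message, key)
    print("ciphertext:", ciphertext.hex())
    print("decrypted with the right key:", decrypt(ciphertext, key))
    print("decrypted with the wrong key:", decrypt(ciphertext, generate_key(len(message))))
    # Tampering: flip one bit of the byte carrying '1' (0x31) to make it '9' (0x39).
    print("tampered in transit:", decrypt(flip_byte(ciphertext, 6, 0x08), key))
    # Key reuse: two messages under one key leak their XOR; knowing one gives the other.
    p1, p2 = b"Meet at noon", b"Invoice paid"
    shared = generate_key(12)
    leak = key_reuse_leak(encrypt(p1, shared), encrypt(p2, shared))
    print("second message recovered from the first:", xor_bytes(leak, p1))
```

The tampering line is the one to remember when reading the HTTPS paragraph: a bare cipher hides the amount but lets an attacker who can guess the layout change "$100" to "$900" undetected. TLS avoids this by adding a message authentication code, so any altered byte is rejected before your browser ever shows it.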
#4 - Sign on the digital line! Digital signatures (and electronic signatures)
Another important pair of concepts is digital signatures and their relation to electronic signatures. Unfortunately, the two terms are often used interchangeably online, which adds to the perception that they mean the same thing. Let me clarify. As described by HelloSign, an electronic signature is an "electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign a record." In other words, any electronic method intended to substitute for an ink signature falls under the definition of an electronic signature.
A digital signature, while related, is a separate concept. According to Wikipedia, a digital signature uses cryptography to achieve three primary purposes: confirm who signed the message (authentication), prevent the sender from later denying having sent it (non-repudiation), and ensure the message was not altered after it was signed (integrity). Digital signatures are built on public-key cryptography, the same family of techniques that underpins HTTPS. A full explanation of public-key cryptography would take up a blog post of its own. The important thing to note is that a digital signature always involves a pair of keys: a private key (a.k.a. the signing key), which only the signer holds, and a public key (a.k.a. the verify key), which can be handed to anyone. Here is a simplified example of how digital signatures work at a basic level:
Let's say I send you a message and digitally sign it with my signing key. Signing produces a separate short value, the signature, that travels with the message; in practice it is computed over a fingerprint (hash) of the message rather than the whole thing. I also give you my verify key. To confirm the message was truly from me, you run the verify key over the message and the signature; the check passes only if the signature was made with my signing key over exactly that message. If the message was changed by even one character, or someone else signed it, the check fails. One caveat: you have to obtain my verify key through a channel you trust, because anyone could make their own key pair and hand you their verify key while claiming to be me. Finally, while electronic signature and digital signature are separate concepts, it is pretty common for service providers to use digital signatures under the hood when they offer their users the option to electronically sign documents.
To Sum Up
I hope this information was beneficial to you and ideally it has increased your understanding of the basics of cybersecurity and ways to protect your online data and identity. Are there some aspects of cybersecurity that you have found hard to grasp? Other areas you would like to get more information on? Post a comment or question on this blog. Look for more blog posts expanding on this topic area in the future.