Digital Transformation - Personal Security Practices
Photo by Job Moses

This is a confession. I’ve been writing these articles weekly, but published nothing on October 7, 21 or 28. The reason is that someone hacked my LinkedIn account. And LinkedIn shut it down. Twice.

Given my knowledge of the technology landscape, I consider myself ‘relatively okay’ as far as cyber-safety goes. My LinkedIn password was more than 8 characters, included symbols and was unique to the account. I’m guessing that they got in through brute force because, honestly, it wasn’t much more than 8 characters. Turns out, I wasn't okay.

I know the importance of good personal security practices, and yet I was lazy. Taking off my rose-colored glasses, I realize I was doing the bare minimum of keeping my information safe. The problem is that the bare minimum is a grey area. There are many people out there trying to take advantage of those of us who are just squeaking by. Clearly inadequate?

I have now moved on from my previous (clearly inadequate) approach to password management to that recommended by several security experts that I know. I’m using a password vault to store my passwords. I chose 1Password, which was recommended to me by those I trust, but there are others out there that are very good as well. I’ve moved my passwords into the repository and tried to maximize the length of the password I use for every site (Note: You will be shocked by the maximum length allowed by some websites. They clearly don’t know or care how much brute force the hackers can bring to bear).

I had always been nervous about creating a ‘honey pot’, putting all of my passwords in one spot, meaning that any breach would be significantly more devastating. I’ve gotten over this and decided in this case (as in so many others) that it’s best to take expert advice. My approach was wrong, so I’m fessing up and changing to the one most recommended. I only wish that more people and more companies would move to 64 character passwords/2-factor authentication/etc. The risk that’s out there is too big.

Because that’s the funny part. If you had asked me before what my ‘critical’ accounts were (those for which I had better/longer passwords or 2 factor authentication), I would have told you about bank accounts and other sites where I saw a direct line to sensitive information risk. The problem is that I hadn’t factored in other risks, like the risk of being banned from a site. Yes, I have a lot of information on LinkedIn, but information that I have up there isn’t secret. I think most of it is out there in the public domain already. I would have classified this as a low-risk site for me. But when they told me they had permanently banned me, I realized how important the access was to my daily (work) life.

I read a book a while ago about how humans generally fear the wrong things (unfortunately I can’t remember the name of the book, but the content stuck with me). For example, most car accidents happen close to home, but we worry more when we go far away. I see that misunderstanding of risks happening with information security. I’m worried here that we aren’t listening to the experts and even worse that we don’t truly understand the risks.

After their recent ransomware attack, Tesco, the British grocery chain, said something to the effect of ‘don’t worry, no credit card data was touched’. They highlighted that risk, ignoring that that is not actually a huge risk—it’s pretty easy to get a new card number and most cards limit the liability of the cardholder pretty significantly. Instead, the biggest issue for their customers was that they would not get their groceries, or that they were going to get 2 sets of groceries (if they ordered from someone else and couldn’t cancel from Tesco) or that they had wasted a bunch of time trying to figure out if they were going to get their groceries. It’s like me with LinkedIn. I wasn’t worried about them stealing my data. I never considered how big an impact not being able to use it at all would be for me.

How about you? Do you have appropriate personal security practices? If not, are you going to change?

--

Brigid McDermott is Vice President and CTO, Digital Transformation at IBM. She believes that technology can make life better for everyone—if more people focus on what the technology can do, rather than just how it works.

Kari Hanson

SaaS CMO | Category Creator | Pipeline Builder

3 years ago

Great article! One tip I learned in my time in the cybersecurity world stays with me today: I still use my "easy to remember, super favorite password" but I change it by site with some letters and symbols. So for example, LinkedIn's password would be something like LI!_<favorite password>

Jen L. Cohen

CIO @ Games Global | Former CIO @ Toyota Research Institute | Former Fractional CTO | Speaker specializing in Leveraging Future Tech (AI, Cloud, DX) and Women Thriving in Tech

3 years ago

Thank you for writing and sharing your experience!

Jacqueline Hampton

C-level Executive | Travel Tech Founder | Growth Strategist | Consumer Technologist | Ex Wall Street I-Banking | Early-Stage Investor

3 years ago

Great article!

Amy C. Horner, CPA, DBA

International Speaker | University Professor | Executive Coach | CHIEF & Big 4 Alum | Pittsburgh Native | Div. II Athlete | #50races_50states 45 Completed

3 years ago

thank you for sharing!

Michelle Finocchi

Founder @ Moving the Needle / Strategic Communications Advisor / Community & Movement Builder / 3x Founder

3 years ago

Whoa. Thanks for sharing this cautionary tale. I'm using LastPass for password management personally.
