The following article is a collaborative guest blog by Rohit Dasgupta, Cauvery Mallangada Kalaiah, Snehal Kasal, Nathan Layman, Aditya Sharangdhar, and Justin Greis.
With the holiday season in full swing, many of you are shopping and most likely have already bought one or more electronic gadgets. Gadgets ranging from smartphones, laptops and tablets to wearable devices are making their way into stores and into the hands of consumers at an ever-increasing rate. Recent devices such as the upcoming Apple Watch and the Fitbit Surge have the ability to track almost every action and motion we take and present it to you in a graphical dashboard. These gadgets are sometimes equipped with intelligent music systems that build playlists based on your heartbeat, and can even monitor your health data to create diet plans for you! Truly amazing, isn’t it? Such ingenious features are blended elegantly with chic design and powerful interfaces to create an irresistible, must-have “sexy” product.
The companies that build these devices are creating an ecosystem of technology around us; virtual data centers of smart devices are being strapped to our wrists and living in our pockets. Best yet, these devices talk to each other and work in concert to make our lives easier and help us make healthier, more informed decisions. Using these devices, we can purchase products, make payments, navigate our way to our destinations and track the location of our closest friends and family without even thinking about it.
But that’s just the problem: thinking.
Have you stopped to think: Are these devices really secure? Will you lose your most sensitive private data to a hacker? Will the device manufacturers use your private data for their benefit without your knowledge or consent?
If you haven’t asked yourself these questions, now is the right time to do so! These devices are slowly and steadily becoming part of our daily routines and challenging our notions of security and privacy. With recent breaches of renowned organizations, it makes you wonder whether your critical personal information is really safe or whether it is just a matter of time before we get that apology letter in the mail telling us our personal information has been stolen. With the recent media attention on hacking, identity theft and security have become the focus of board rooms and dining rooms around the world. A fundamental lack of security controls built into our computer systems is one of the biggest threats to our personal security. It is important to know what we are signing up for and not dive head-first into a kiddie pool of danger when buying that new gadget. Sure, we love those shiny new sexy devices as much as the next person, but it is important to understand the risks before we buy.
So how do we ensure better protection? As risks associated with “sexy” devices continue to evolve, here are five tips we recommend to keep your information safe:
1. Keep Your Personal Data Personal
As consumers, we mainly store two types of data on our devices: data we care about and data we don’t care about. We may care about personal photos, home movies, health data, and financial information and may care less about game scores, news articles and weather data. The problem is: all this data is at the mercy of the organizations that create the sexy products, and often they are the ones who determine what data is collected and how it is protected.
Before parting with this data via your sexy device, ask yourself the following questions:
- “Am I comfortable losing this data?”
- “Will I be able to recover this data or minimize impact to me if I lose it?”
If the answer is a definitive no to both questions, then don’t share the data on the device! Blindly trusting or assuming that adequate security and privacy measures have been taken to protect you as the consumer is naïve, at best. You are the best firewall for your personal information. If you don’t want it getting out and/or you have no recourse to recover it, just don’t share it.
Sometimes, though, despite being uncomfortable sharing certain data, we are so dependent on our sexy gadgets that we must part with it to make our lives easier. What should we do in such situations? The following measures are good steps to ensure you are covered when you share data you are not comfortable losing.
- Know what you share, where you share it and with whom you are sharing it. Understand the difference between private and public posting, especially on social networks. Most social media applications provide the ability to customize the audience of your post and ensure the privacy of the content being shared. Always be sure that you understand what is being posted where and to whom.
- Monitor and lock your credit information. Sign up for a credit monitoring service so that you are notified about suspicious activity on your credit report. All three credit bureaus (Equifax, TransUnion and Experian) offer proactive monitoring at a reasonable monthly price. You should also lock your credit report with all three credit bureaus to prevent access to your credit report without your direct consent. This mitigates the risk of someone taking out a line of credit in your name.
- Buy identity theft insurance to help alleviate the anxiety of losing your hard-earned reputation and money as a result of identity fraud. Most insurance companies provide this for a nominal fee or as an add-on to homeowners/renters insurance. Based on the kind of plan you choose, the insurance company will help restore your identity, cover all identity theft events and also help recover stolen funds from your bank.
- Google yourself from time to time. It’s amazing what’s out there if you search your name on the internet. You may even find things you wish to remove or follow up with the content owner to correct. Google Alerts even lets you set up alerts based on your name or any other key words you like. Simply create the alert keyword and new content will be sent to your inbox when Google detects it relates to your keywords.
2. Sharing ≠ Caring
Isn’t it neat to record personal fitness activity on a wearable device (such as a Galaxy Gear, Fitbit or Jawbone Up) and then port this information to your phone to plan your diet? It is one of the many cool things we can do, just by syncing our devices. Some related apps on your device can also access and modify this centrally stored data (such as RunKeeper, Apple Health and MyNetDiary). Although sexy devices come with a pool of best-selling features, they also pose a risk of reduced security through access by different devices/applications and increased chances of malicious attacks through multiple access points. Many apps in today’s world of digital information share your data with one another. The issue is: though one app may be secure, your personal information is only as secure as the most insecure app that holds it.
To ensure we are covered while sharing information, we should practice the following safety tips on the sexy new devices:
- Know what talks to what. Many apps will ask your permission to access information stored on other apps. Don’t just click “yes” if your app wants to access another app. Remember, sharing the data in one app means that it could be compromised if the connecting app is breached.
- When using Wi-Fi, make sure you are on a secured network. When you use a public network, hackers on the same network can access your information and your personal data quite easily. Connecting to a private or secured network reduces the chances of broadcasting your sensitive data to criminals.
- Avoid blindly clicking the “Yes” or “I Accept” button on the “Terms and Conditions” page for apps before understanding how your personal data will be accessed, used or shared. Most apps provide information on what data the app will access and share. Take the time to read or at least quickly scan this information prior to loading in your life history. [Note: for a great spoof on this, watch the South Park “Human CentiPad” episode. Warning: NSFW!]
- Watch out for autosync. Many apps (Flickr, for example) can automatically sync the photos on your device to your online account. Be sure you tune your permissions to make sure the photos are set to Private. If you end up connecting accounts like Tumblr or Flickr to auto-publish photos from your mobile device, be very careful about what photos you are taking! They may cause embarrassment and end up somewhere you never intended.
3. Don’t Feed the Bears
OK, this is the easy stuff…the low-hanging fruit… In the digital world, passwords are the key to a safe containing your valuables (personal and financial information). With so many devices and online accounts requiring protection, your first line of defense is a strong password, and better yet, a multi-factor authentication mechanism such as Google Authenticator. As consumers, make sure you use these mechanisms to keep your devices and accounts secured.
Here are some tips on how to ensure a strong password for your sexy device prior to and after purchase:
- Enable password protection when setting up your device. Avoid using your birthdate and birth-month as your lock code since this information can easily be obtained by the bad guys.
- Longer passwords are more secure. The longer your password, the more difficult it is for a hacker to crack it. Where possible, an easy-to-remember “passphrase” with a combination of numbers, special characters and capitalization is even better. For critical apps (such as banking, medical information or top secret information), passwords should be a minimum of 15 characters. Increase complexity using a combination of upper case (A-Z), lower case (a-z), numbers (0-9) and symbols (#*&). Below are examples of weak, moderate and strong eight character passwords.
- Frequent password changes keep the bad guys guessing. Change your password (for each device and application) at least every 90 days without repeating passwords. Each time you change passwords, ensure you use different passwords for different applications. For example, don’t use the same password for your Facebook and your Amazon accounts. If one account is compromised, the hacker will easily be able to get into the other.
- Use multi-factor security mechanisms for critical information. Most online applications provide multi-factor authentication. Multi-factor authentication combines something you have (a changing one-time PIN) with something you know (a complex password that only you know). This means two separate credentials are needed to access the account. For example, in Google you can go into settings and activate this through a product called Google 2-Step Verification. Once activated, each time you access your Google account from a new device, you will use a combination of your password plus a one-time-use PIN that is either texted to you or appears in the Google Authenticator app. Facebook and Twitter, two common targets for hackers, also have their own built-in multi-factor authentication. Enable this feature and you significantly protect yourself from attacks.
- Enable remote wipe on the device. Many devices provide a “lost” mode where you can lock or wipe all your data remotely in the event of theft/loss. This can be activated from device settings on most devices. Ensure these capabilities are turned on so that you are covered if the device is stolen or lost.
While all of the above are recommended in order to secure every online account we have, the number of online accounts we have is growing fast. Imagine the nightmare of having to remember a different eight character password for 10 online accounts. Most of us resort to writing these down on a post-it note or a notepad, which compromises the security of all our online accounts.
To prevent this and make life easier, you can use password vaulting software (also termed a password manager) to organize and secure your passwords. All your different account passwords are kept in one application (the vault), which is then secured using an extremely strong password, often called a master password. Password vaults increase the security of our accounts while making it more convenient to log into them. Most password vaults today encrypt the vault contents with strong encryption keyed by the master password, and will use multi-factor authentication as an extra layer of protection.
Password vaults can also be downloaded as an app on your mobile device and behave the same way as they do on your computer. Just imagine – only one, very strong password to remember, ability to stay secure by logging out of your accounts, but at the same time not having to enter a different password each time you log in – convenient and secure! Some popular and highly rated password vaults today include LastPass, KeePass and 1Password. Most sexy new devices you purchase should allow you to download a popular password vault from the app store and secure your account passwords.
4. Ready to Where?
Most new devices today have the capability to track location. This means the device manufacturer has information about your geographic coordinates at all times and knows where you have physically been. Internet websites also have the ability to keep a record of your physical location and logical location (internet traffic pattern/history) while you surf. Websites often store something called a cookie in a folder on your computer each time you visit. Cookies track user activity while we are on the internet. One such type of user activity is your location, be it physical location (city, state, zip, etc.) or virtual location (IP address or website). There are a number of steps you can take to ensure privacy from location tracking:
- Enable location services features as needed. For mobile devices (including tablets and smart watches), location tracking is generally a service you can turn on and off as needed. You can go to device settings and you will see an option for location services, which can be turned on or off. Certain apps such as navigation applications and ride-share applications don’t function unless location services are turned on. Your sexy new device should allow you to turn location tracking on and off as required. Plus, turning off location tracking will help conserve battery life!
- Be mindful of who is tracking your website activity. There are several services available, one such highly rated service being Disconnect. This blocks cookie installation from popular websites and hence prevents location tracking. Most blocking services are available as a plug-in to your browser (such as Google Chrome). You can also tweak your browser privacy settings to block cookies if you do not wish to be tracked online. You can typically find this option in the settings section of your favorite Internet browser. While this may inhibit certain functionality on websites, it can also prevent you from leaving a trail of cookie crumbs wherever you travel on the internet.
5. Sexy Devices Increase Your Attack Surface Area. Stay Vigilant!
In a fast-changing world, we have evolved into prolific users of technology and the internet. New devices are integrating deeper and deeper into our daily routines and people are increasing their usage of social media and internet services. Your internet footprint is growing and expanding, and this makes all of us increasingly susceptible to attacks.
Even after taking the necessary steps when purchasing a sexy device, it is incumbent on us to be the chief security officers of our own information and protect ourselves against criminals. One of the most common methods used by attackers and hackers is “phishing.” Attackers will craft emails and insert links to websites that appear safe but actually deliver malicious software designed to steal your information. You might receive an email with a link to a 75% discount coupon for that new smart watch you have been eyeing online. In reality, clicking such links can install malicious software on your computer or device which then sends your personal information to the attacker. While these are old and very common attacks, they have proven to be very effective means for attackers to gain access to our accounts. If a link looks too good to be true, it probably is. Don’t click on online advertisements marketing an incredible offer for you on a device or service you use. If you receive an email that seems suspicious and requires clicking on a link or opening an attachment, you should double-check the authenticity of the email prior to taking any action. Kevin Mitnick said it best when he urged people to stop, look, and think about what they are clicking before they click it.
Have fun, stay secure, and we wish you all a happy and safe shopping season!
About Rohit Dasgupta
Rohit is a senior consultant in EY’s Cybersecurity National Advisory practice. Rohit helps clients implement improvement opportunities in their information security functions, and yield high returns from subsequent investments in IT and information security. Rohit specializes in IT Governance, IT Risk Management, Cyber Program Management, Vendor Risk Management, IT Metrics, Financial Analysis and Information Security Strategy. Rohit currently holds the ITIL v3 Foundation and CIPP/IT certifications.
Prior to joining EY, Rohit worked at Dauby O’Connor and Zaleski in the IT organization where he helped transform the employee evaluation process by automating generation of employee performance reports. Rohit is based in Chicago, Illinois and is a frequent guest lecturer at Indiana University, Bloomington. He is a contributing author of the IT Governance, Risk and Controls course in the Kelley School of Business Master of Sciences in Information Systems (MSIS) program.
About Cauvery Mallangada Kalaiah
Cauvery Mallangada Kalaiah is a graduate student pursuing her Master of Sciences in Information Systems (MSIS) at the Kelley School of Business, Indiana University. She holds a Bachelor of Engineering (BE) degree from Visvesvariah Technological University, India. Cauvery has worked at two IT services firms: Infosys Limited and Computer Sciences Corporation (CSC), before moving to Indiana for her higher studies. A large part of her prior work experience has been focused on .NET and SharePoint technologies. She also interned with Indiana University over the summer of 2014 as a Data Analyst for the Office of Research Administration and worked on performance improvement during her time there.
About Snehal Kasal
Snehal Kasal is a Senior Consultant with EY where she is a part of the Enabling Technology practice. Snehal has experience working with global Enterprise Resource Planning (ERP) solutions, specifically within the SAP Finance (FI) and Controlling (CO) modules. Her experience also spans various technology advisory projects focused on IT strategy, program management, and process improvement. Prior to EY, Snehal worked with Tata Consultancy Services where she led delivery of lean solutions to clients using Six Sigma methodologies.
Snehal holds the following certifications: Six Sigma Green Belt, ITIL V3 Foundation, SAP TERP10 (Integration of Business Processes), and SAP TFIN-52_66 (Financial Accounting). Snehal holds a Master of Science in Information Systems (MSIS) degree from the Kelley School of Business at Indiana University, Bloomington, Indiana and a Bachelor of Engineering (BE) degree in Instrumentation and Control from Pune University, India.
About Nathan Layman
Nathan Layman is currently a junior at Indiana University majoring in Information Systems at the Kelley School of Business with a focus in Information Process Management. Nathan was a member of Kelley’s inaugural IT Consulting Workshop where he developed a passion for IT consulting. His research interests consist of exploring the risks and security implications of emerging technologies, cloud computing, mobile devices and social media. Nathan is also highly involved on the Indiana University campus where he currently serves as Vice President of Phi Delta Theta Fraternity’s hockey philanthropy event called Dropping the Puck on Cancer, which benefits the American Brain Tumor Association. Nathan is an avid hockey player and is planning to pursue a career in technology.
About Aditya Sharangdhar
Aditya Sharangdhar is a Business – Technology professional with over two years of experience within the Financial Services Industry. He has worked in both corporate and consulting capacities, assisting a wide variety of Banking, Insurance and Re-Insurance, Mortgage and Asset Management institutions with IT Strategy, Process Improvement, Business Intelligence and Reporting initiatives.
He is currently working for EY’s Financial Services Office within the Technology Consulting practice where he has contributed to a number of technology strategy initiatives focusing on helping Financial Services clients design their business continuity and disaster recovery, crisis management and cloud solutions strategies. Aditya holds a Master of Science in Information Systems (MSIS) degree, with a specialization in Business Intelligence and Analytics. He also holds a Bachelor of Engineering (BE) degree in Computers from University of Mumbai, India.