New Year’s Resolution: Improve Your Personal Digital Security

2020 was an incredibly hard year, and many of the challenges we faced in 2020 are still with us in 2021. In times of crisis, trauma and uncertainty, it is easy to feel out of control. But there is one risk area you can get more control over right now, today: your personal digital security.

The pandemic is changing our way of life. Work, school and social connection have moved mostly online. The United States facing a recession and possible economic depression. This economic pressure has pushed many people and systems to the breaking point. As a result, scams, hacks, and data breaches are at an all-time high, which means the risk you get hacked, scammed, or compromised is at an all-time hight. But fortunately, there are easy steps you can take to protect you, your family, and your organization.

Below is a list of 8 steps you can take to take to make yourself significantly more secure. I recommend you do every step. But if you aren’t able to, at least do a few steps. Every action you take to secure your devices, accounts, and data will help keep you and your family safe. If you have one new year’s resolution for 2021, let it be to take more control over your personal digital security.

1. Password protect your phone

On average, US consumers lose their handset about once a year. If you lose your phone and have not password protected it, anyone who finds it can get access to everything on your phone, including your email. With access to your email, a person can access most accounts you can access, directly or by using the “Forgot Password” mechanism on most sites. This includes your bank account and social media accounts. Protect yourself and all your accounts by setting a password on your phone. Instructions on how to set a password for an iPhone can be found here: https://support.apple.com/en-us/HT204060 and Android: https://support.google.com/android/answer/9079129?hl=en

2. Enable 2-Step Verification on all your email accounts

2-Step Verification, sometimes known as “two-factor” or “multi-factor authentication”, is an additional layer of security to protect your email from phishing, by periodically prompting you to enter both your password and also a code sent to or generated by your phone or a separate security key to gain access to your email. Phishing is the fraudulent practice of sending emails pretending to be from reputable people or companies in order to trick you into disclosing personal information, such as passwords and credit card numbers. Most email users will receive several phishing emails a year. If a phishing email is successful and an unauthorized party tricks you into giving up your email password, this party can then access your email, and access the accounts your email grants you access to. Enabling 2-Step Verification makes it harder for thieves who steal your password to break into your email, because with 2-Step Verification enabled, a thief would need to steal both your password and your phone or security key.

3. Confirm you can access your primary email account’s ‘recovery’ method

Most email providers make you identify a ‘recovery’ phone number or email address that can be contacted to help you if you lose access to your email account. Many people set and forget this, and then realize later when they need it that they no longer have access to the email or phone they identified as a backup. Login into your primary email account, and check your ‘recovery’ or ‘backup’ settings in your account. For gmail accounts, go here: https://myaccount.google.com/security and look at the “Ways we can verify it’s you” section. Make sure your recovery settings are up to date, and that you are still able to access the recovery email or phone number you have listed there. If this setting is out of date (for example, an old phone number), update it. If you have listed a personal email address as a backup email, ensure 2-Step Verification authentication has been enabled for this email address. Your primary email account is only as safe as your backup methods.

4. Protect your social media accounts like Facebook, Twitter, and Instagram with Login Verification or Multi Factor Authentication

Your social media accounts are also a target of hacking and phishing, especially if you are the administrator of a group or organization. Enabling Login Verification makes it harder for thieves who steal your password via phishing to break into your social media account, because with Login Verification enabled, a thief would need to steal both your social media account password and your backup mechanism, like your phone.

5. Perform a “Security Checkup” on your email account

To mitigate the widespread risk of phishing, many email providers have created additional tools you can use to understand how your email account is being accessed, and audit your account for potential security problems. For example, you can find Gmail’s security checkup feature here: https://myaccount.google.com/security-checkup Follow the instructions using your email providers “Security Checkup” tool. In particular, make sure that all the recent device activity listed here was you (if not, revoke access and change your password immediately).

6. Call your cell phone provider and put a pin on your cell phone account

This might be a surprising one. Hackers can learn your phone number and then call your phone company pretending to be you, and then claim that they (posing as you) got a new phone and need to transfer your number to their phone. If they are able to succeed at this, then suddenly they (and not you) have control of your phone number and all incoming messages and calls. If this happens, when someone calls your number, the call will get redirected to the hacker. And if one of your accounts sends a 2-factor backup code to your phone, the hacker will get this code. This called a ‘SIM Swap’ attack, and many people have been victims of it in the last year, including Twitter CEO Jack Dorsey. To protect yourself against this, call you cell phone provider (Verizon, ATT, etc), and ask them to set up a PIN on your account. If your provider has this feature, login to your provider’s website and use their account tools to set up a PIN yourself. If you do this, hackers trying to steal your phone number would need to steal not just your phone number, but also this PIN, which makes you safer. Store this PIN in a safe place, like a password manager.

7. Use strong, unique, passwords, and use a password manager

Store your credentials like passwords in a secure password manager, like 1Password or LastPass. This is better than writing your passwords down in a paper notebook or a digital document, because it’s harder to break into a secure password manager than it is to break into your house and steal your notebook, or break into your digital document.

Never reuse passwords across accounts, because reusing passwords across accounts makes you easier to hack. Every week, companies large and small get hacked, and hackers release databases of stolen passwords. Probably one of your accounts has been hacked in the last few years. Check out a list of recent breaches here: https://haveibeenpwned.com/ If you always use a different password for every account, then one stolen password just means one compromised account. If you reuse passwords, one stolen password means many compromised accounts. Keep track of all your different passwords using your password manager. Use strong passwords. As a rule of thumb, longer is better. Randomly generated passwords are best.

8. Keep your devices up to date with software updates

This goes for both your phone and laptop. Security is a cat and mouse game: hackers and security professionals are constantly finding new ways to break into software, and software engineers and companies are constantly fixing these security problems. Probably every system and software update you download contains security patches. Stay on top of updates so that you benefit from all new security patches released.