By Bruce Schneier, in his 15.May.2019 Crypto-Gram
I don’t have a lot of good news for you. The truth is there’s nothing we can do to protect our data from being stolen by cyber criminals and others.
Ten years ago, I could have given you all sorts of advice about using encryption, not sending information over email, securing your web connections, and a host of other things — but most of that doesn’t matter anymore. Today, your sensitive data is controlled by others, and there’s nothing you can personally do to affect its security.
I could give you advice like don’t stay at a hotel (the Marriott breach), don’t get a government clearance (the Office of Personnel Management hack), don’t store your photos online (Apple breach and others), don’t use email (many, many different breaches), and don’t have anything other than an anonymous cash-only relationship with anyone, ever (the Equifax breach). But that’s all ridiculous advice for anyone trying to live a normal life in the 21st century.
The reality is that your sensitive data has likely already been stolen, multiple times. Cybercriminals have your credit card information. They have your social security number and your mother’s maiden name. They have your address and phone number. They obtained the data by hacking any one of the hundreds of companies you entrust with the data — and you have no visibility into those companies’ security practices, and no recourse when they lose your data.
Given this, your best option is to turn your efforts toward trying to make sure that your data isn’t used against you:
- Enable two-factor authentication for all important accounts whenever possible.
- Don’t reuse passwords for anything important — and get a password manager to remember them all.
- Do your best to disable the “secret questions” and other backup authentication mechanisms companies use when you forget your password — those are invariably insecure.
- Watch your credit reports and your bank accounts for suspicious activity. Set up credit freezes with the major credit bureaus.
- Be wary of email and phone calls you get from people purporting to be from companies you do business with.
Of course, it’s unlikely you will do a lot of this. Pretty much no one does. That’s because it’s annoying and inconvenient. This is the reality, though. The companies you do business with have no real incentive to secure your data. The best way for you to protect yourself is to change that incentive, which means agitating for government oversight of this space. This includes proscriptive regulations, more flexible security standards, liabilities, certification, licensing, and meaningful labelling. Once that happens, the market will step in and provide companies with the technologies they can use to secure your data.