A quiet revolution has taken place, with the digital world becoming a central part of every aspect of our lives, and chances are you’ve felt the shift yourself. Many of us now rely primarily on digital devices to work from home, shop, socialize, exercise, or relax with a good book or movie. Unfortunately, the benefits of this online activity also bring more opportunities for bad actors to gain access to your digital devices and information. Here we’d like to summarize the latest best practices for protecting yourself digitally and what we’re doing at LNW to keep your data as safe and secure as possible.
Back Up Your Data
Your data isn’t just passwords or email addresses. Your digital devices hold priceless and irreplaceable information, like family photos or years of writing and research. Losing this data can be devastating. Given all that can go wrong in the physical world (fires, burglary, malfunction, etc.) and the digital world (ransomware, server failure), backing up your data is the number one thing you can do to protect yourself.
The best practice is a layered approach, including both physical and online backups. A good starting point is an external hard drive that is large enough to hold backups of those critical files and can stay connected to your computer. You should opt to encrypt this external drive to keep it secure. It is worth noting that macOS and Windows both have backup functions that will operate largely automatically, making it relatively simple to keep your backups up to date.
This physical backup should be paired with an online service that stores your data on a remote server, also called “in the cloud.” Reputable cloud services should keep your data private since it can only be accessed through a password or encryption key issued to you. Whichever backup service you choose, make sure that it supports full encryption.
This two-prong approach provides you the assurance that your data will be safe. If something happens to your external hard drive, you have encrypted backups in the cloud, and if something happens to your cloud access, you have your backup hard drive available.
Access the Internet Privately and Securely
The wi-fi you use to access the internet in your home is relatively secure as long as it is password-protected. In public spaces like airports and hotels, the free wi-fi can be suspect as there is little way to know if it is secure and private. In particular, you should be wary of connecting to a wi-fi network that does not require a password. Before using public wi-fi, it is good to ask yourself how dangerous it would be if whatever you’re working on were visible to bad actors who may also be accessing that connection. If you must connect to a public wi-fi network, keep your browsing activity short and to the point. If possible, make sure that your system’s firewall is enabled and that your software updates have been applied before connecting.
One robust solution to the problem of privacy is to get encrypted access to the internet at home or in public through a Virtual Private Network (VPN). A VPN service creates an encrypted tunnel for your browsing activity to travel through, reducing the potential for a bad actor to snoop on your internet activity. A number of VPN services work on mobile devices like phones and tablets in addition to your computer. There are many free VPNs, but the free services likely bring as many problems as they solve. Because the tools are free, their revenue model can rely on tracking your internet activity and then selling your online habits to advertisers or other businesses. A good rule of thumb with any online service is that if you’re not paying for a product, you are the product.
Managing Passwords
Passwords are the keys to our online identities and personal data, so it is vital to develop strong password habits to help protect all of our online accounts. Here are three ways that you can make sure your passwords are secure.
- When it comes to passwords, longer is stronger. According to the FTC, you should strive to create passwords that are at least 12 characters in length and contain a mix of upper- and lower-case letters, numbers, and symbols. Think about creating passphrases instead of passwords. This approach might make it easier for you to remember your long passwords.
- Creating unique passwords for each login is critical to protecting yourself from a “replay attack” (security professionals more commonly call this credential stuffing). In a replay attack, a hacker gains access to one of your passwords from a breach or leak from one online service provider (e.g. Facebook) and then attempts to use that leaked password at other service providers (e.g. Gmail, LinkedIn, Schwab). The hacker hopes that you are using the same password for each of your logins.
- Use multifactor authentication (MFA) whenever possible. Multifactor authentication, also called dual-factor or two-factor authentication, creates an additional validation step in a login process. Even if someone does have your password, they must still circumvent an additional hurdle before they can access your data. In addition to providing a password, you are asked to confirm your identity each time you log in by answering a personal question or entering a randomly generated number that is sent by text message to your phone or sent to your email. We encourage our clients to use this feature not only for their LNW client portal but on all important websites. You should strongly consider enabling MFA on your email account as the first step down this path. Email accounts are among the most vulnerable accounts we establish because they can often be used to reset the passwords of your other online accounts.
A good option for keeping track of these passwords is to use a password manager app on your phone or your computer that you access through a single, strong password or passcode unique to you. These apps can store your passwords “locally” on your device or encrypted in the cloud, which allows you to sync passwords across devices. While encrypted password storage in the cloud is more convenient, keep in mind that keeping passwords stored locally on your devices is more secure.
Practice Good Digital Hygiene
In addition to major considerations like backing up your devices, securing your internet access and using good password practices, there are some other day-to-day habits you should get into to help keep yourself safe.
Treat email with suspicion. Hackers have gotten extremely adept at sending emails that look legitimate, as if they are from a friend, relative or trusted institution such as a bank. If you receive an unexpected email from a known contact with a link or attachment, it is best to assume that it may be fraudulent and follow up with the sender offline before doing anything with the email.
Think carefully before clicking on links or attachments. Malicious links and attachments are common ways to gain access to your device or information. By design, clicking on a malicious link should not immediately set off alarm bells. You may see an error message or be taken to an unexpected website and think, “oh, that’s just an error message,” or “the link must have been wrong.” What may not be apparent is that the website you were on for less than a second is installing ransomware or is capturing your browser data as you surf the web. When in doubt, ignore the link within an email or text message and use your browser to navigate directly to the website.
Hover to discover malicious links. If you get an email that includes a link, you can hover your cursor over the link to display the address that the link will direct you to. If you do not recognize the web address shown, or if it seems suspicious to you, do not click on the link. One thing to note is that some legitimate emails may have links with unknown addresses, particularly emails sent by large companies whose email distribution systems use unique links to manage those emails.
Keep your software up to date. Software updates commonly include additional security features or fixes to identified bugs and security vulnerabilities. The software on all your devices should be set to update itself automatically. Nearly all current operating systems for computers and mobile devices include this option. Typically the default settings will be to update automatically, but it is good to verify that, especially after any significant updates or when setting up a new device.
Beware of bogus websites during major world events. Significant events, including public health events and natural disasters, create plentiful opportunities for bad actors to take advantage of the immediacy of the situation and people’s natural anxiety or desire to help. If you’re looking for information, it is best to go to reliable sites like government agencies, known nonprofit organizations or trusted news outlets like CNN or BBC News.
Our Commitment to Security
LNW devotes significant resources to maintaining the security of our computer systems, software, networks and other technology against attempts by unauthorized parties to access or destroy confidential data, disrupt service, or cause other damage. We accomplish this using layers of defense mechanisms, including technology and tools, policies and controls, and our people and awareness.
We have developed a rigorous program to safeguard our clients’ data in our care, and we are committed to observing the data protection laws and regulations in all the jurisdictions in which we do business. Our information security program is designed to securely enable new business and technology initiatives while maintaining a relentless focus on protecting the firm and our clients.
We use a variety of approaches, including processes and technology, to implement our information security program:
Network and email security. We continually monitor the email and data that enter and leave our environment. Traffic is scanned, logged, then permitted or denied based on a constantly evolving set of access rules intended to protect against malicious payloads.
Endpoint security. Our desktops and laptops are kept up to date and have been configured to limit the number of vulnerabilities that could be used against us.
Data protection. We use access control lists to govern who has access to specific information in our environment. The integrity of our data is protected by industry-leading backup strategies to provide redundancy and recoverability in the event of a disaster.
Cloud security. We leverage the power of the cloud to enhance our team’s ability to provide excellent client service from wherever they happen to be working. We use multifactor authentication, encryption and access controls to protect our cloud-based datasets.
Vulnerability reduction assessments. We regularly work with trusted third parties to search for vulnerabilities in our environment and simulate cyber-attacks. The findings from these vulnerability assessments help ensure that we are always improving our security posture and proactively addressing new vulnerabilities that have been discovered.
Security event and incident management. The signatures of digital events happening within our environment are collected and logged for future analysis. As these events are collected, they are continually monitored to alert us of suspicious activities happening within our environment in real time. We have a documented and rehearsed cyber incident response plan in place to help guide us in mitigating a potential cyber threat. This response plan is regularly reviewed and updated to reflect changes in our environment and changes in global attack techniques.
Information security is a shared responsibility. We believe our security measures, combined with our clients’ efforts to use necessary safeguards, can help protect their information from bad actors or unexpected disasters.