January 20, 2012
This week I did a webcast, Planning for Failure, which starts from the assumption that if you haven't been breached yet, you will be, so you must be able to quickly detect and respond to incidents. An effective response can be the difference between your organization's recovery and future success, and irreparable damage. While I was working on the slides for the webcast, I started to reflect on the 2011 security breaches that personally impacted me. Three breaches immediately came to mind:
- Texas Teacher Retirement System – My personal data was stored unencrypted on a public server
- Epsilon – Email compromise that resulted in increased phishing attempts
- STRATFOR – My personal information, credit card and password hash were stolen
Unfortunately, I expect to be the victim of additional security breaches in 2012, so I started to transition my mindset from protecting enterprises to protecting myself. Since it is a new year and everyone loves to make resolutions (I call them strategic initiatives), I decided it was time to formalize my personal planning-for-failure strategy. I needed a plan to quickly detect and respond to incidents. Here is what I came up with:
- Banking Alerts – I use email alerts to notify me of account transactions over a specific dollar amount. Now if an unauthorized transaction occurs I am notified immediately, and can quickly take action. For me this is a better option than periodically reconciling my accounts.
- Google Alerts – Another strategy I employ is Google Alerts. I have Google News alerts set up for all of my financial institutions. If they suffer a security breach, I will get an email the first time the Google bot crawls the website. You could set up the following alert: Search Query = "bank of america" "security breach", Result Type = News, How Often = As it happens.
- Monitor Credit Reports – If you aren't getting a free copy of your credit report, you should. You don't have to download all three of them at once. Instead, set up a reminder on your calendar and pull one every four months, which gives you year-round visibility into your credit.
- Identity Theft Protection – Consumer Reports has some great articles on the various identity theft protection services. The general conclusion is that they are expensive and not worth the cost. Everyone's situation is different, but for those who have been victims it might be a prudent service to enroll in.
Consumer Reports Money Adviser: Don't Buy Into Expensive ID Theft Protection Services
- Virtual credit card numbers – Many credit card issuers (Bank of America, Citi) provide this free service, which allows you to use a temporary credit card number that is linked to your primary account number. I have never used these before, but I am going to test them out this year.
- Passwords – How many passwords do you have? I have dozens and some are stronger than others. For financial and email/social networking accounts, I use complex passphrases. I literally want to shoot myself when I try to type them into iOS devices. For other accounts I use less sophisticated passwords, and this was the case for my STRATFOR password. I didn't want to cause my blood pressure to spike every time I type in a password for a lower-risk account. In 2012, I am going to upgrade from my current manual password vault to a more seamless application that generates and stores complex passwords, like Wallet or 1Password. I want something that is cross-platform and will work on my iOS and OS X devices. Now I won't have to remember a million passwords and can ensure that all my accounts have complex, unique passwords.
- Google Voice – I started using a "throw-away" Google Voice number last year, and I always give it out to any business that I have a relationship with. If my phone rings from the Google Voice number, I know immediately that it isn't family or a friend. I let it go to voicemail, and since Google Voice does voice-to-text, I can read the message. I have been able to avoid giving my "real" number out to third parties. If I need to change my "throw-away" number, it is much easier to create a new one myself than to get a new one from my mobile carrier.
- Two-Factor Authentication – I am a huge fan of two-factor authentication and I highly recommend it to everyone. Both Google and Yahoo offer this capability. When I attempt to log in to my Gmail account I get an SMS text with a PIN I need to complete the sign-on process. Password + PIN = two factors. I would love to see this functionality expanded to other applications like Twitter and LinkedIn.
- Twitter – I found out about the STRATFOR breach from my Twitter feed on Christmas Eve. It took several hours for me to get a notice from STRATFOR informing me of their negligence, and by that time I had already talked to my credit card company.
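The Banking Alerts item above describes a single rule: notify on any transaction over a dollar amount. Here is that rule as detection logic run over a constructed ledger, as an added example that is not part of the original post or of any bank's alerting. It also goes one step beyond the post with a second rule, because a dollar threshold alone never fires on a run of tiny charges, which is exactly the pattern a card thief uses to confirm a number still works. The transactions, merchant names and thresholds are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample card activity (not real data): ISO timestamp, merchant, amount in dollars.
SAMPLE_TRANSACTIONS = [
    ("2012-01-15T09:12:00", "Grocery Store", 42.17),
    ("2012-01-15T13:40:00", "Gas Station", 55.00),
    ("2012-01-16T02:05:00", "Online Retailer", 1.00),
    ("2012-01-16T02:06:00", "Online Retailer", 1.00),
    ("2012-01-16T02:07:00", "Online Retailer", 1.00),
    ("2012-01-16T02:30:00", "Electronics Store", 899.99),
]


def parse_transactions(rows):
    """Turn (timestamp string, merchant, amount) rows into (datetime, merchant, float) tuples."""
    return [(datetime.fromisoformat(ts), merchant, float(amount)) for ts, merchant, amount in rows]


def threshold_alerts(transactions, threshold):
    """The alert the post describes: every transaction at or above a dollar threshold."""
    return [t for t in transactions if t[2] >= threshold]


def small_burst_alerts(transactions, max_amount, min_count, window_minutes):
    """Flag a merchant that posts at least min_count charges of at most max_amount
    within window_minutes. A dollar threshold never fires on these, so a second
    rule is needed to notice a run of tiny charges. Returns (merchant, first time)."""
    window = timedelta(minutes=window_minutes)
    by_merchant = defaultdict(list)
    for ts, merchant, amount in sorted(transactions, key=lambda t: t[0]):
        if amount <= max_amount:
            by_merchant[merchant].append(ts)
    alerts = []
    for merchant, times in by_merchant.items():
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= window:
                alerts.append((merchant, times[i]))
                break  # one alert per merchant is enough
    return alerts


def run_alerts(rows=SAMPLE_TRANSACTIONS, threshold=500.0):
    """Apply both rules and return human-readable alert lines (what the email would say)."""
    txns = parse_transactions(rows)
    lines = [f"LARGE  {ts:%Y-%m-%d %H:%M} {merchant} ${amount:.2f}"
             for ts, merchant, amount in threshold_alerts(txns, threshold)]
    lines += [f"BURST  {ts:%Y-%m-%d %H:%M} {merchant} (repeated small charges)"
              for merchant, ts in small_burst_alerts(txns, 5.0, 3, 10)]
    return lines


if __name__ == "__main__":
    print("\n".join(run_alerts()))
```

On the sample data the threshold rule catches only the $899.99 charge; the three $1.00 charges two minutes apart at one merchant are caught by the burst rule alone. Most banks let you set the threshold but not a burst rule, so the practical takeaway is to set the threshold low enough that the alert stream is still readable, and to treat a cluster of small unfamiliar charges as an incident even though no single one tripped the alert.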
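The Passwords item above says the fix is an application that generates and stores complex, unique passwords. The following is an added example of what the "generate" half looks like when done correctly in Python; it is not code from Wallet, 1Password or the original post. It draws from the OS random source (the secrets module, never random), offers a typeable passphrase as an alternative to a symbol soup, reports the entropy of each choice, and audits a vault for the cross-site reuse that made the STRATFOR hash dangerous. The word list and the vault contents are constructed for the example.

```python
import math
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed mini word list for the example; a real generator would use several thousand words.
WORDLIST = ["anchor", "basil", "copper", "dune", "ember", "falcon", "glacier", "harbor",
            "ivory", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble"]


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character from the OS CSPRNG and retry until all four character
    classes are present, so a site's complexity policy never rejects the result."""
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def generate_passphrase(words=5, wordlist=WORDLIST, sep="-"):
    """A typeable alternative for accounts you must key in by hand: random words joined by sep."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, count):
    """Entropy in bits of `count` independent uniform picks from `choices` symbols or words."""
    return count * math.log2(choices)


def find_reused(vault):
    """Given {account: password}, return {password: [accounts]} for every password shared
    by more than one account, i.e. the reuse that turns one site's breach into several."""
    counts = Counter(vault.values())
    return {pw: sorted(a for a, p in vault.items() if p == pw)
            for pw, n in counts.items() if n > 1}


if __name__ == "__main__":
    print(generate_password(), f"({entropy_bits(len(ALPHABET), 20):.1f} bits)")
    print(generate_passphrase(), f"({entropy_bits(len(WORDLIST), 5):.1f} bits)")
    # Constructed vault: "forum" and "shop" share the bank password.
    print(find_reused({"bank": "s3cr3t!", "email": "other", "forum": "s3cr3t!", "shop": "s3cr3t!"}))
```

The entropy numbers make the design trade-off visible: 20 characters from 94 symbols is about 131 bits, while 5 words from the 16-word toy list is only 20 bits, which is why a passphrase generator needs a list of thousands of words before it is a serious option. The class-check retry loop discards a tiny fraction of candidates and costs well under a bit of entropy, a price worth paying to avoid rejected passwords.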
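The Two-Factor Authentication item above describes the flow from the user's side: password, then a texted PIN. As an added example, not code from Google, Yahoo or the original post, here is what the server side of "Password + PIN = two factors" has to get right for the PIN to actually add security: the code comes from the OS random source, only a salted hash of it is stored, it expires in minutes, it is single-use, guesses are capped (a six-digit code is only 1,000,000 possibilities), and the comparison is constant-time. The PIN length, lifetime and attempt cap are assumed values chosen for the example, and the SMS delivery itself is left out.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6          # assumed: what a typical texted code looks like
PIN_TTL_SECONDS = 300   # assumed: a texted code should die within minutes
MAX_ATTEMPTS = 3        # assumed: a short numeric PIN survives only if guesses are capped


class PinChallenge:
    """Server-side record of one outstanding PIN. Only a salted hash is kept, so a
    read of the session store does not reveal the code that was texted."""

    def __init__(self, pin, now):
        self.salt = secrets.token_bytes(16)
        self.digest = hashlib.sha256(self.salt + pin.encode()).digest()
        self.expires_at = now + PIN_TTL_SECONDS
        self.attempts = 0
        self.used = False


def issue_pin(now=None):
    """Generate a fresh PIN from the OS CSPRNG. Returns (pin, challenge): the pin is
    what would go out by SMS, the challenge is what the session keeps."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
    return pin, PinChallenge(pin, now)


def verify_pin(challenge, candidate, now=None):
    """Accept a candidate only if the challenge is unused, unexpired and under the
    attempt cap; compare hashes in constant time; burn the challenge on success."""
    now = time.time() if now is None else now
    if challenge.used or now > challenge.expires_at or challenge.attempts >= MAX_ATTEMPTS:
        return False
    challenge.attempts += 1  # counted before the comparison so failures are never free
    expected = hashlib.sha256(challenge.salt + candidate.encode()).digest()
    if hmac.compare_digest(expected, challenge.digest):
        challenge.used = True
        return True
    return False


def second_factor_login(password_ok, challenge, candidate, now=None):
    """Password + PIN = two factors: the session opens only when both checks pass.
    password_ok is the result of the first-factor (password hash) check done elsewhere."""
    return bool(password_ok) and verify_pin(challenge, candidate, now)


if __name__ == "__main__":
    pin, challenge = issue_pin()
    print("texted PIN (demo only):", pin)
    print("login with right PIN:", second_factor_login(True, challenge, pin))
    print("replay of same PIN:  ", second_factor_login(True, challenge, pin))
```

The order of checks matters: the attempt counter is incremented before the hash comparison, so an attacker who has the password cannot keep guessing the PIN for free, and a successful verification marks the challenge used so the same text message cannot open a second session. The SMS channel itself is outside this code and has its own weaknesses, which is one reason the post's wish to see the feature spread is best read as "some second factor", not "SMS specifically".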
How are you planning for failure? I'd love to hear what strategies you are using.