‘Be alert but not alarmed’ – why is information security so difficult?
A few months ago, I saw a terrifying warning when I logged into my personal email account. It read: “Government-backed attackers may be trying to steal your password,” and boy, did it get my attention. Apparently, a number of people have received these warnings since 2012, and the summary advice on what to do about it is: “Be alert but not alarmed.”
How exactly does one do that?
This summer’s Equifax hack was the fourth largest data breach in the last few years. Hackers have targeted companies ranging from Yahoo to Verisign. It’s likely we’ll see increased information security regulation in the coming years, but it is also reasonable to expect that at some level we are all on our own.
Perfect and permanent ‘security’ is probably outside of our reach. It exists on a spectrum and requires a set of practices that are best understood as another category of hygiene. Nobody can wash their face enough to permanently eliminate all chances of ever getting a blemish. But we wash our faces because we know it mostly works.
My hope with this essay is to help you find an approach that mostly works and connect you with some resources to go deeper if you’d like.
It is comfortable for some of us to think about information security through an economic lens. The picture is bleak, but computer scientist Ross Anderson summarised it well in his 2001 paper, “Why Information Security Is Hard: An Economic Perspective.” I find the first paragraph of his conclusion striking:
“Much has been written on the failure of information security mechanisms to protect end users from privacy violations and fraud. This misses the point. The real driving forces behind security system design usually have nothing to do with such altruistic goals. They are much more likely to be the desire to grab a monopoly, to charge different prices to different users for essentially the same service, and to dump risk. Often this is perfectly rational.”
The world is somewhat different 16 years later, but not in a way that makes security any easier. In fact, by welcoming internet-connected locks, refrigerators, thermostats, and wheelchairs into our lives, we have broadened our collective vulnerability.
For an individual, the first step to sanity is to check if your information has already been compromised. I recommend a visit to haveibeenpwned.com to see if your email address and password have been revealed in any recent data breaches.
Hopefully, you are in the clear. But if not, it’s time to change your passwords. The best approach is to use a unique password for each of your online accounts so that if a hacker or bot gains access to one site, they can’t necessarily move on to others. That sounds quite daunting. Without some help, it means a lot of passwords to memorise.
Fortunately, many different password managers exist that can help you generate, remember, and categorise your various accounts. The most popular are 1Password, Dashlane, LastPass, and KeePass, and it’s worth spending some time figuring them out. They make life significantly easier because they will also do other things for you like fill out tedious forms.
Once you have set that up, take a look at this guide to personal information security. It contains many useful tips and is written to be accessible for your friends, colleagues, and perhaps clients. You may also want to develop a better understanding of how an attack may unfold or explore whether your firm is equipped to manoeuvre fast enough. It is past time to be alert, but hopefully thinking these issues through now will help keep you from being alarmed should they actually occur.
Sloane Ortel has worked in investment management since 2006 and joined CFA Institute in 2010.