A leading-edge research firm focused on digital transformation.
Our daily lives revolve around the internet more than ever. And while this is great for working remotely, making friends in other countries, and shopping from your couch, it also comes with risks.
In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 791,790 complaints from victims of cyber crime. And while a lot of these complaints came from users who were simply tricked into sending money to scammers, a massive amount of them stemmed from data breaches.
Data breaches are the most common form of cyber crime, and experts estimate that there’s a new victim every two seconds. Despite this, data breaches aren’t hard to protect yourself from — it just takes some care and skepticism.
Here’s everything you need to know about data breaches, including how they work, how to protect yourself, and what to do if you’re hacked.
A “data breach” is a general term for any time that someone accesses electronic data or information that they’re not supposed to.
The simplest example of a data breach is a hacked email account. If someone gets your email password and logs into your account, they’ve breached your data. At that point, they can send emails with your name, see all your contacts and sell their email addresses to marketers, and of course see any personal info that you’ve sent or received.
Hackers might also target your bank accounts. Someone who gets access to your credit card information, social security numbers, or even online banking password can wreak a lot of havoc on your finances.
Things get trickier if it’s the servers of a major company that get breached. In 2019, First American Financial — one of the biggest mortgage insurance companies in the world — announced that over 800 million real estate documents had been leaked and stolen from its website. This included 16 years of bank records, phone numbers, home addresses, and more.
The actual customers couldn’t do anything to protect themselves here. It was the company that they trusted with their personal data that caused the problem.
If you use a password manager, you might occasionally get a notification saying that a password of yours was included in a data breach. This doesn’t necessarily mean that your accounts have been hacked — more likely, your password was included in a massive company leak like we described above. Still not good, but it gives you more time to protect yourself.
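How a password manager can produce the breach notification described above without sending your password anywhere, shown as an added example that is not part of the original article. It assumes a k-anonymity range lookup, the design used by Have I Been Pwned's Pwned Passwords service; the leaked list, counts, site names and function names are constructed for illustration.

```python
import hashlib

# Constructed sample of leaked passwords with sighting counts (not real breach data).
LEAKED = {"password123": 2_400_000, "qwerty": 3_900_000, "letmein": 160_000}

def sha1_hex(password: str) -> str:
    # SHA-1 is only a lookup key here, never a way to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(leaked: dict) -> dict:
    """Service side: bucket leaked-password hashes by their first 5 hex chars."""
    index = {}
    for password, count in leaked.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index

def range_query(index: dict, prefix: str) -> dict:
    """Service side: return every suffix in one bucket; only the prefix is seen."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(index.get(prefix, {}))

def breach_count(password: str, index: dict) -> int:
    """Client side: send the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    return range_query(index, digest[:5]).get(digest[5:], 0)

def audit_vault(vault: dict, index: dict) -> dict:
    """Return {site: times_seen} for vault entries found in the leaked set."""
    hits = {}
    for site, password in vault.items():
        seen = breach_count(password, index)
        if seen:
            hits[site] = seen
    return hits

if __name__ == "__main__":
    index = build_index(LEAKED)
    vault = {"mail.example": "qwerty", "bank.example": "T7#vq9!mLz2&xw"}  # constructed
    print(audit_vault(vault, index))
```

A hit means the password itself has appeared in some leak, not that your account was accessed, which matches the distinction the paragraph above draws.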
And hackers aren’t always the computer masterminds you see in movies, constantly prodding at big websites to find a way in. A great deal of breaches stem from social engineering scams, where a user gets tricked into giving up their passwords to a scammer they think they can trust. Some breaches even happen accidentally — maybe a company stores user passwords on a public website without realizing.
But no matter the cause, when it comes to your personal cybersecurity, there are a few best practices you should follow to protect yourself.
Dave Hatter, a cybersecurity specialist from InTrust IT, tells me that “It’s never been easier to have access to tools that make yourself a much more difficult target.”
You can protect yourself against data breaches and hacks in the same ways that you protect against most cyber crimes: Be proactive, be unique, and be skeptical.
The best time to worry about cybersecurity is before you’re ever in danger. This means making a security plan and sticking to it.
If you have data stored online that you can’t risk losing, make backups of it. This might mean taking screenshots, downloading documents, and moving things onto an external drive. The more backups you have, the safer you are.
Keep a close eye on your finances. Aside from checking your monthly statements, cybersecurity experts I spoke to all recommended signing up for a credit monitoring service that can keep track of any suspicious activity in your credit report.
Hatter also says that computer users should make sure they have a good antivirus program installed. Windows users are lucky that all new PCs come with Windows Defender, one of the best antivirus programs available, pre-installed. But “the top antivirus changes all the time,” he says, “so be aware of what options are out there.”
If an app or website offers two-factor (also called multi-factor) authentication, enable it for your account. It’s a simple but powerful way to lock strangers out of your data.
Enterprise users and companies should invest in a good firewall, keep a dedicated cybersecurity team on retainer, and perform regular “vulnerability tests” to see how strong their defenses really are. Also make sure you have a cyber insurance policy that can keep you safe in the event of a hack.
Darren Shou, the CTO of cybersecurity firm NortonLifeLock, says to keep all your devices updated — even including “printers, Wi-Fi routers, and smart devices.” It’s easy to brush off updates as being useless or annoying, but they almost always come with important security patches to help keep you safe against new threats.
Most websites only ask for a single username and password combo to log in. This means that if you have an easy-to-guess password, or use the same password on multiple websites, it’s incredibly easy to break into your account.
This means that you want to use a different password for all your separate accounts. And that password should be “strong” — in other words:
If you’re reading this and feeling overwhelmed, don’t worry: This is what password managers are made for.
Dave Hatter, along with every cybersecurity expert I’ve spoken to, fully recommends using password managers like LastPass. These apps will create incredibly strong passwords for all your apps, and then automatically enter them when you need them. This lets you keep your data secure without needing to remember dozens of different passwords.
The only password that you need to create for yourself and keep ultra-safe is your LastPass master password. This is the password that protects all the others, so don’t skimp on it.
Quick tip: If you’re worried about LastPass itself getting hacked and leaking all your passwords, don’t be. Companies like LastPass use “zero-knowledge encryption,” meaning that even they don’t know your passwords or store them internally — they just provide the software.
Some cybersecurity experts also recommend changing all your passwords every few months. And while this certainly doesn’t hurt, having strong passwords and two-factor authentication set up is much more important.
You can test how good your passwords are for free using NordVPN’s “online strength checker.”
Backups are important, updates are important, and passwords are crucial. But all the time you spend keeping yourself safe doesn’t mean anything if you don’t apply what Darren Shou calls “common-sense skepticism.”
If you receive an email from someone you don’t know asking you to download an attachment, you probably know not to do it. But what if you get a text, seemingly from your bank, warning about fraud on your account? Or a private message from a friend asking you to click a “hilarious” link?
Darren Shou refers to these scams as “an attack on the human operating system.” They’re designed to prey on users who aren’t thinking about what they click, or who completely trust that they’re protected.
Don’t click links if you don’t know exactly where they’re taking you. When you get a suspicious email or text, ask yourself: “Was I expecting to receive this? Do I know the sender? Is it even important?” If something seems too good to be true, it probably is.
If you’re not sure, directly contact your bank, or friend, or whoever is claiming they know you and ask. There’s a good chance that they’ll tell you you’re dealing with a fake.
And if you’re managing a large group of people, make sure that they’re educated about internet scams, data breaches, and suspicious links. It doesn’t matter how strong your locks are if someone inside just opens the door.
But what if someone does manage to slip past your defenses and access your accounts? How do you recover and repair the damage?
Before anything, remember: Don’t panic.
In the aftermath of a data breach, “You have to keep calm and keep your common sense,” says Shou. Lots of scammers are trained to strike at people who have just been scammed by someone else, hoping to take advantage of their desperation. Keep your guard up and stay skeptical.
Quick tip: There are dozens of websites and social media pages that claim they can easily get any stolen money or data back for a fee. Some will even offer to “counter-hack” whoever breached you. Don’t trust these sites — they’re scams.
Ideally, you’ll want to figure out how many accounts were hacked, and change all their passwords. If you use a password manager, change your master password too.
Triple-check your financial records, and if anything seems off, don’t hesitate to freeze your accounts and credit. Some identity theft monitoring services will let you meet with an attorney, if need be.
If you’re a company that’s been breached, get in touch with your cyber insurance team and report the breach, along with your in-house legal and IT teams. While your IT team works to limit the damage, you’ll need to make some decisions about whether to notify your customers (it’s required by law in some cases) and whether to contact law enforcement.
Dave Hatter warns that while you might be tempted to delete everything that the hacker saw, you shouldn’t do it. If you do decide to get law enforcement involved, deleting too much data can count as destroying evidence.
Data breaches can be devastating, and only get more common as we move our lives online.
But both consumers and businesses can take concrete and simple steps to protect their data and themselves. Create strong passwords, keep your electronics updated, make copies of your data, and don’t trust every link that comes your way.
And of course, don’t go crazy trying to manage everything alone. Services like LastPass, NortonLifeLock, and SentinelOne are designed to make cybersecurity easier. If you have the money and want to boost your security, check them out.