By Patrick Rono, Security Technical Professional, IBM East Africa
With major cybersecurity incidents dominating headlines for the past several years, consumers are well aware of the threats they are facing and the basic tips to stay safe online.
In Kenya, banks have become the leading target of cybercrime as people increasingly adopt financial technology. According to Serianu’s Cybersecurity Report, African countries lost at least $2 billion to cyberattacks in 2016. In East Africa, Kenya recorded the highest losses — $171 million — to cyber criminals. Tanzania lost $85 million, while Ugandan companies lost $35 million. Over one-third of organizations that experienced a breach in 2016 reported substantial customer, opportunity and revenue losses of more than 20 percent, according to the Cisco 2017 Annual Cybersecurity Report.
In an age where the volume of breached data has increased by nearly eight times in the past 5 years alone, the basic security tips that consumers have relied on in the past aren’t necessarily the best (or only) advice that should be considered in the modern threat landscape.
In the wake of countless cybersecurity breaches that have compromised billions of email addresses, passwords and other pieces of consumers’ personal information, we must accept the reality that many of the “checkpoints” commonly used to prove our digital identities are now in the hands of hackers and are no longer a valid way to confirm who we are online.
New methods of authentication are needed to replace or supplement outdated methods that rely on personal information or passwords to verify identity. These changes will take time as new technologies, systems and policies emerge to replace legacy methods.
In the meantime, consumers must take an active role in protecting themselves online. Knowing basic security hygiene is important, but people must also start to look at emerging technologies and consider more recent advice from experts that can help them safeguard their digital identities.
The following tips are a great starting point for consumers to consider as they start to take small steps to better protect themselves in an age where personal data is no longer private data.
Tips for Consumers in the Data Breach Era
Ideal Password = A Long, Nonsensical Phrase: While the death of the password has long been predicted, passwords are currently the core method of access for most systems and must be created with care. The “rule of thumb” for passwords in the past focused on complexity – at least 8 characters combining letters, numbers and special characters – but guidance in recent months suggests that longer “passphrases” – several unrelated words tied together, at least 20 characters – are actually harder to crack and easier to remember.
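As an added illustration of why length and randomness matter more than a mix of character types (this example is not from the article; the guessing rate of 10 billion guesses per second and the 7,776-word list size are assumed, constructed values), the search space of an 8-character mixed password can be compared with that of a 5-word passphrase:

```python
import math
import string

# Constructed assumptions for this example, not figures from the article:
# an offline guessing rate of 10 billion guesses per second and a word
# list of 7,776 entries (the size of a standard Diceware list).
GUESSES_PER_SECOND = 1e10
WORDLIST_SIZE = 7776


def charset_size(password: str) -> int:
    """Size of the smallest pool that covers every character class
    present in `password` (lowercase, uppercase, digits, symbols)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation or c == " " for c in password):
        pool += 33  # 95 printable ASCII characters minus 62 alphanumerics
    return pool


def password_bits(password: str) -> float:
    """Search-space entropy in bits if every position were drawn from the
    full pool: log2(pool ** length). Empty or unknown input gives 0."""
    pool = charset_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of `num_words` words picked independently from a word list.
    Only the number of random choices and the list size matter, not the
    character length of the resulting phrase."""
    return num_words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at `rate` guesses per second."""
    return (2 ** bits) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    for label, bits in [("8-char mixed password", password_bits("Tr0ub4d&")),
                        ("5-word passphrase", passphrase_bits(5))]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):,.2f} years")
```

The 8-character mixed password yields about 52.6 bits (a few days at the assumed rate), while five random words yield about 64.6 bits (roughly 90 years), even though the passphrase is far easier to remember.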
Store Passwords in a Digital Vault: Reusing passwords is one of the worst things one can do, because if one account is compromised, an attacker can access the other accounts as well. But memorizing a different password for each account is virtually impossible, which is why 81% to 87% of people reuse passwords in the first place.
Rather than trying to memorize multiple passwords or storing them insecurely in your phone’s notepad, use a password manager, which not only acts as a vault for existing passwords but can also generate stronger passwords for you. Rather than managing over 10 passwords on your own, you’ll just have to remember the one key to your digital vault.
Lie on your Security Questions: Many account security questions ask about information that can easily be found online these days (former addresses, your mother’s maiden name, etc.). Consider either selecting questions that are opinion based – like your favorite color or movie – or even using fake answers for these questions, so that only you would know the answer.
Double Dip on Security Checkpoints: Many services nowadays, particularly for sensitive accounts like email and banking, offer two-factor authentication (2FA), which adds an extra security checkpoint when certain risk factors are present – like logging in from a new location or device. Determine which accounts are sensitive or at risk and add an extra login step to avoid a single point of failure.
The most popular example is an SMS sent to your phone at login, asking you to enter a one-time code in order to access the account. But the second factor can be anything from an email or a phone call, to an extra question before login is granted, to a stand-alone hardware token that produces time-based codes. Picking the right measure depends on your service provider, but you can also use your own judgement to secure your accounts.
Get Down with Biometrics: Even applying the best practices above, we’re quickly approaching a future in which using passwords as the sole method of establishing identity isn’t enough. Biometric authentication uses physical and behavioral characteristics, such as fingerprints, as a means of protection, turning the identifiers that are uniquely you into a safeguard. At the same time, experts have devised ways to make sure this data is collected and applied in a way that preserves privacy for consumers while preventing this information from being used by hackers. Consider using the fingerprint option to unlock your mobile device, and back it up with a lock code. Some providers use voice signatures, others use facial recognition – the race to replace the password is on, and adopting these new methods helps test and improve them over time, making your digital identity more secure.
The Internet, our identities, and the ways in which we need to protect ourselves online have evolved considerably in the past decade. Almost everyone has a digital identity nowadays – nearly 26 per cent of the Kenyan population was online in 2016, as revealed by the International Telecommunication Union (ITU) – so attackers have a vast and growing playing field. Learning to outsmart the bad guys in this reality is no different from knowing the perils on the street, and it can go a long way in shifting the dial on safeguarding our identities.