Today, we conclude the discussion of a “four-step solution” to security problems. Once you have taken reasonable measures to keep bad things from happening and accepted that they will sometimes still occur, you can move on to the next step: taking measures to limit the negative consequences if they do occur.
I live in an area where “hurricane season” lasts from June 1 through November 30. There’s not much I can do to make hurricanes less likely (step 1). However, I can pay attention to weather forecasts so that I am aware when one is headed my way (step 2). I can accept the possibility that it might end up increasing in intensity and threatening my community (step 3). Now, I am left with step 4: reducing the impact when and if it does threaten us.
I can have a hurricane kit in place. I can make sure my home and yard are prepared as much as possible (taking in lawn chairs, garbage cans, and other things that could become projectiles in the heavy winds). I can make plans on where I will go if evacuation is necessary. I can make sure I have a sufficient supply of food, water, medication, batteries, and other necessities in advance, as the stores may sell out if I wait until the last minute. I can also make sure I have adequate insurance in case the storm damages my house. Some of these have to be done in advance. If I wait to get proper insurance until the storm is approaching, I am out of luck. The companies won’t sell a policy when the storm is threatening, at least not for the current storm. It has to be done in advance.
The same idea applies to cyber security. We sometimes need to prepare in advance.
Consider ransomware. We can install security software, which can detect and stop some ransomware before it succeeds (step 1). We can learn to recognize the warning signs (step 2), like a web page that says that illegal activity has been detected on our computer and law enforcement will take action if we don’t pay a fine (Hint: Don’t click on the link!). Although this notice could appear after we have already been infected, one technique is to scare us into clicking on a link that will either cause an infection or extort money from us through scare tactics when there is no actual risk. Despite all precautions, we can still become a victim; we need to recognize that possibility (step 3). So that brings us to step 4: taking measures to reduce the negative impact if we become infected.
The measures we can take to limit the impact have to be taken in advance. The most important measure is to have a good backup of our data and our computer. A backup will enable us to completely ignore the ransomware demands, because we can restore our system to a “known good” condition from before we became infected.
Another measure we can take is to operate as a user with limited privileges rather than one with full privileges on our computer. The limited privileges can prevent the ransomware from being able to do as much damage because it also is restricted to the limited privileges that we have. (More recent versions of Windows restrict privileges for your safety. However, if your computer asks you if you want to allow a program to run and you allow it to, doing so could compromise your computer if the program is malicious.)
Another example of limiting the damage that can occur relates to data breaches and credit cards. You can shred any credit card numbers if you are going to throw them in the trash (step 1). You can learn some of the ways credit card data is stolen and avoid those situations. For example, since crooks sometimes install skimmers on the card readers inside gas pumps, you can pay inside the store instead of at the gas pump itself (step 2). You can accept that your card data may still be stolen, perhaps when you swipe the card at the store (step 3). Now, you can take measures to reduce the negative impact when your card data is stolen (step 4).
I gave a couple tips about this on day 10 of my daily tips for Cyber Security Awareness Month. Additional tips are available in the extended tip of day 10. But let me repeat a couple here.
* You can have multiple credit cards but not use them all. Let’s say you use only one card (or possibly two). Keep an extra card or two that you don’t use. Then, if there is a data breach and your card is compromised, you have an extra card that you can still use while the compromised card is being replaced. This is especially helpful if you are travelling when the breach occurs. Just make sure you have the card you don’t use with you when you travel. That way, you don’t get stuck without funding available when you want to stay at the hotel but your card has been deactivated or your credit limit has been reached because of a data breach.
* If you use a debit card, have a separate bank account with a small amount of money in it. Don’t use a debit card for your account where you maintain a larger balance, one that you depend upon to pay your bills. That way, if the card is compromised, the only amount at risk is the amount in the smaller account. (Of course there could be insufficient fund fees on top of that but, in the case of fraud, your bank may provide at least some protection through reimbursement of some of those fees.) Consider using a credit union instead of a bank for this separate account. They typically don’t have monthly fees just to have an account.
* Check your statements frequently and report any issues immediately. There is protection for unauthorized charges, but only if you report them within a given time period.
* Place a low limit on your credit card. That way, if the account is compromised, there is a limited amount of “shopping” that the crook can do with it. Although you can probably escape financial liability regardless of the amount, it may be a lot easier to deal with a fraudulent charge for gas and a hotel bill than if the crook went on a $10,000 shopping spree. And most of us would feel less stressed when the fraudulent charges came to $80 than if they added up to $9,352.48.
If you look at these tips, none of them prevent or reduce the risk of your card data being stolen. However, they do reduce the negative consequences in the event that your card info is stolen. The result is that you don’t get stranded 1500 miles away from home without funds, you don’t lose access to the funds you need to pay your mortgage or your car payment, and you don’t have the stress of dealing with a fraudulent shopping spree amounting to thousands of dollars.
Perhaps the most important benefit of all is that you don’t have to worry about the possibility that your credit card could be compromised. You should still take measures to protect it. But, if you know you don’t have much to lose, you don’t have much to worry about. Of course, we prefer not to lose any amount. But if you set your credit line to the maximum amount that you can stand to have at risk, you know you can’t lose more than that. You can ask the credit card company to lower your limit if it is too high for your comfort level.
While we can’t prevent credit card data theft, we can limit the negative consequences we face when it affects us.
Here’s an example of a strategy to limit your credit card risk. Have multiple cards, and use them as follows (just an example):
* One card that you use for shopping, with a credit line of $500. Even if you usually spend $800 each month on shopping, you could always pay the balance down every couple weeks so that you always have enough on your credit line for upcoming expenses. That way, you can keep your credit line lower, lowering your “at-risk” amount, without limiting your ability to continue to use it for the purchases you usually make. (Adjust the $500 to an amount you are comfortable with.)
* A second card that you only use when you are travelling, with a credit line of $2000. (Adjust the credit line to match your circumstances.) You can still use your “shopping” credit card while travelling, but the compromise of your shopping card would not leave you stranded because you now have a “travel” card for your hotel, gas, plane tickets, etc.
* One or two additional cards that you never use, each with a credit line of $1000. That gives you one or two spare cards that haven’t had the credit card numbers exposed. Even if your “shopping” and “travel” cards are both compromised, you still have a backup. Even if you have used one of these “spare” cards previously, if it isn’t regularly used, it is reasonably safe.
With this strategy, the likelihood of a compromise preventing you from paying for needed expenses is greatly reduced. (However, be aware that if there is a major data breach, banks may reissue several of your cards, even if yours wasn’t compromised, as a preventive measure. As a result, more than one of your cards could be deactivated during a short period of time. Having more cards decreases this risk.)
If you decide to use this strategy, change the credit lines listed above to amounts you are comfortable with and to amounts that meet your requirements. The numbers I provide above are just to illustrate the idea.
CAUTION: If having more credit cards is likely to encourage you to spend more, I recommend you don’t accumulate cards. The reasoning behind the strategy I provide above is to REDUCE your exposure. If having more cards is going to increase your spending, then I recommend you do NOT implement this strategy. Or, if you do, then keep your credit lines low so that you don’t exceed your ability to pay your bills. The idea here is to have a couple of cards that are ONLY used for special circumstances or in emergencies. It defeats the purpose if you use them all interchangeably.
The strategy provided above is an example to illustrate the idea of finding a way to limit the risk you face if things go wrong. Feel free to come up with your own strategies for the different risks you face.
The answer, then, lies in planning ahead and taking appropriate measures for those events that are most likely to cause us harm or loss. Of course, to do this we need to know:
1) what things can cause harm or loss, and
2) what measures can limit the impact of those events if they occur.
Just like living in a hurricane zone, it means that we need to pay attention to the information available about how to protect ourselves. It also means being active in seeking out that information.
You don’t need to become a meteorologist to keep safe from hurricanes. You just need to learn what measures to take and you need to listen to a weather report occasionally. If you live in a hurricane zone, you may also begin to recognize the way the sky looks when a hurricane is within a couple of days’ range, before it gets too close. If you pay attention when you go outside and notice the “warning signs” in the sky and wind, you can then check the weather report to see if a hurricane is coming in your general direction.
In the same way, you don’t need to become a technical expert to protect yourself online. You don’t need to spend endless hours wading through textbooks to learn how to protect your information. But you do need to pay attention to sources of information that can tell you about the greatest threats and what you can do about them. And it means more than just listening to the news. The news can inform us of the latest data breach or privacy risk. But the information on those news stories is usually incomplete and is sometimes superficial. Plus, there is a lot that they don’t tell you that you need to know.
Although this post is about limiting the impact of bad events when they do occur, I want to return for just a moment to last week’s tip. We need to recognize that, despite everything we do, bad things can still happen.
Even if you were to spend an enormous amount of time learning everything available about how to protect yourself, there will always be some new threat that didn’t exist previously and that you couldn’t prepare for. There are also so many things that you would need to consider that you can’t realistically prepare for everything. Not only would it be too time consuming and take too much effort, it would be too expensive.
So, part of accepting that bad things can still happen is to recognize that you will never learn enough about security to protect yourself from everything.
Once you realize that, you can now start learning how to determine what the most important things are for you to focus on, and what you can do about those things.