Another Data Theft Incident - What About Me?
VOLUME 1 - ISSUE 14 ~ September 3, 2024
Have you been a victim of a data breach? In this edition of the "CIO Two Cents" newsletter, I take a look at the rising incidents of data breaches and explore best practices to protect ourselves from data theft. Read on for insights from me - Yvette Kanouff, Partner at JC2 Ventures - into what is on the mind of CIOs at this moment in time.
The JC2 Ventures team (John J. Chambers, Shannon Pina, John T. Chambers, me, and Pankaj Patel)
It’s hard to open the news today without seeing reports of yet another cyberattack. The number of data breach victims has gone up 1170% between Q2, 2023 and Q3, 2024 according to the Identity Theft Resource Center (ITRC). After each breach, we see articles about cyber best practices for companies and what we should be doing better, but what about the consumer? The people that are arguably most hurt by having their data exposed often receive complimentary identity monitoring services, but as I’ve heard many times before, once that one- or two-year period is up, ‘my data is still out there forever’. For this reason, I thought I’d write this issue of the ‘CIO Two Cents’ blog from the POV of the consumer. Given that data leakage isn’t a matter of ‘if’, but ‘when’, let’s discuss some best practices.
The Obvious
There are good practices that are nicely (and strongly) suggested by many companies:
Enable multifactor authentication
Do not reuse passwords
Use strong passwords
Keep software/applications up to date
Do not click on email or text links – go to the source and confirm the proper URL
Do not call numbers from an email or text – go to the source site and ensure that the support number is legitimate
The above are all good suggestions, and I highly recommend we all stay on top of each.
The Tricky
The people who are trying to steal our identity or assets are very innovative. I saw an example of someone stealing a person’s debit card number, charging it, and subsequently sending a text to the victim noting that an amount of $x had been charged to their card. The perpetrator then went on to urge the unsuspecting card owner to ‘call the following number right away’ if they did not authorize the recent charge. After seeing that an unauthorized charge really did occur, the card owner then called the listed number and gave away further personal information (to supposedly authenticate themselves), and, in so doing, enabled even further identity and asset theft. This story not only reiterates the importance of item six from the list above, but it also draws attention to the trickiness of authentication questions. I still have companies request my social security number and birthdate to authenticate my identity. My advice? Be careful. Get comfortable saying ‘no’ and asking companies to authenticate via security questions or a texted PIN.
Wire fraud is another area where cybercriminals are looking to cheat us out of our money. Fraudsters will try their hardest to get us to route wires to incorrect account numbers – and these are incredibly difficult to get back. Always authenticate directly and confirm funds are going to the intended destination.
Monitoring
Many credit card companies and banks now provide free access to our credit score (viewing via these sites will not affect the score), which can allow us to keep an eye out for fraudulent activity, such as someone opening up a credit card in our name. Most banks and credit card companies also enable alerts – use these! We can set up alerts for every charge or withdrawal over $0 or a low amount; this might result in us getting a notification every time we swipe our card, but it’s a quick ‘delete’ of the notification and it’s certainly worth it to be able to identify a fraudulent charge immediately as opposed to finding out about it weeks later. We can set up similar alerts for our credit score. Monitoring is easy and helps us stay on top of account activity. Free credit reports are available from annualcreditreport.com, which we can use to check for accounts we may not recognize and ‘catch signs of identity theft early’.
Blast Radius
Within organizations, we often talk about small blast radius creation in cyber security, i.e., limiting the potential damage from a cyber incident. It’s worthwhile to consider doing the same for our assets by not having too many funds in one place and setting withdrawal limits. We might also consider using a credit card instead of a debit card to make direct access to cash more difficult. These strategies, combined with the alerts noted above, will help us ‘fix fast’ instead of having our money tied up in the case of a data breach.
What If
If our identity does get stolen, it’s important to move quickly. There are some good sites such as https://www.identitytheft.gov/ that provide guidance on immediate steps to take; some of these include calling the company right away, removing bogus charges, closing/freezing accounts, changing passwords, correcting our credit report, placing a fraud alert on our credit, and double checking the implementation of all the items listed above. For more serious identity theft, there are additional recommendations such as placing a free credit freeze, reporting identity theft to the FTC, filing a report with the police department, stopping debt collectors, replacing government-issued forms of identification, locking our social security number at e-verify.gov/mye-verify, and more. Remember The Tricky section above. Cybercriminals may call us and state they are with the government, but it’s crucial we avoid trusting anyone during this vulnerable time (if someone has our data, they’ll sound very convincing) – we need to authenticate at every turn.
In Summary
It’s sad to have to write about this topic, but the threat is unfortunately very real. We have to change the way we live to protect our hard-earned assets and identity every day. I hope you find some of these suggestions helpful. Thanks to many of my colleagues for suggesting items to include in this blog. Although this issue of the blog is not for the CIO, we owe it to all of our customers to help protect their data – after all, we wouldn’t be here without them.
Moving fast? I've got you covered. Here are the key takeaways:
(1) We need to be proactive when it comes to protecting our data. Consider following best practices such as setting up multifactor authentication and using monitoring services to keep an eye out for fraudulent activity.
(2) By deploying strategies that make direct access to our assets more difficult, like using a credit card instead of a debit card and setting withdrawal limits, we can limit the potential damage from a data breach.
(3) The three things we need to do if our data is compromised? Move quickly. Don't trust anyone. Authenticate at every turn.