What to do if your website home page now says ‘The Site Ahead Contains Malware’

If you get to a website and you see the warning “Site Ahead Contains Malware”, you need to act fast.

If it’s not your site, you need to turn around because there could be malware on the website you are trying to access.

If the site ahead happens to be your own site, you need to act fast to fix the situation. This message indicates that your website is infected with malware, has been hacked, or both. Google crawls websites regularly to add new or updated content to the search index. These crawlers can also detect whether your site has a malware infection.

If Google or other search crawlers find malware on your site, they immediately flag your site and display this warning to stop users from accessing the website. This warning has detrimental effects on SEO, site traffic, and your credibility. It can also lead to your web host suspending your hosting account.

Why did your WordPress website get hacked?

Websites get hacked for the following reasons:

  • economic gain
  • drive-by downloads – malware injections
  • black hat SEO
  • system resources
  • hacktivism

How did your WordPress website get hacked?

Malware can infect your site in a number of ways:

  1. Plugins – An infection could have come through the plugins installed on your website. This can happen for several different reasons: a) old plugins without recent updates are prone to vulnerabilities; b) pirated software is free but often contains malware; c) you may have installed a plugin from an untrusted source.
  2. Your Computer Might Have Malware – If your computer is infected with malware, a file you upload to your website can carry that infection onto the website.
  3. Brute-force attacks by hackers – Hackers can use a brute-force attack to guess your username and password and break into your website.

What do you do if your site now says “The Site Ahead Contains Malware”?

It’s important that you act fast. You will have to remove the malware from the website and then submit your website to Google for review. Google’s safe browsing policies that you need to follow before you submit your site for review are:

  • You need to log into Google Search Console and prove you are the owner of your website.
  • You need to make sure that your website is clean and free of any malware infections or backdoors.
  • You need to fix the vulnerability that led to the hack. We recommend installing the premium version of Wordfence.
  • If your host has suspended you for malware, you need to contact them and request they remove the suspension. Your website needs to be back online prior to submitting it to Google for review.
  • Call Connect4 Consulting at 202-236-2968 so we can help you with these steps.

How do you prevent “The Site Ahead Contains Malware” from happening again in the future?

If you’ve ever had the misfortune of finding yourself in this situation, it is imperative that you do everything possible to prevent it from happening again. To do that, implement the following procedures:

  • Make sure someone is actively managing the hosting of your website. That means you need to make sure that all plugins and WordPress are updated as soon as updates are available. You can’t just rely on hosting alone.
  • Install Wordfence or Wordfence Premium to protect your website.
  • Update WordPress regularly.
  • Only use trusted themes and plugins – stay away from free plugins or themes – particularly if there have been no updates in the last 3 months or more.
  • Remove inactive themes and plugins – the more elements you have on your website, the greater the opportunities a hacker has to break into your website.
  • Update website passwords, remove inactive users, limit login attempts, install an SSL Certificate.


How to Stop Comment and Contact Form Spam

Comment and contact form spam is a total waste of time, and there are few things more annoying than sorting through submissions to filter out varying degrees of junk.

And if you don’t take the time to clean up all of the spam submissions (and figure out a way to ultimately stop them) you run the serious risk of damaging your brand’s reputation if these spammy messages ever appear on the frontend of your website.

As a website designer and developer you can rest assured because I can help.

There are ways to combat comment and contact form spam and make your life a little easier. I’m sure we all have things we’d rather be doing than sorting through form spam.

What is Form Spam & Why Does it Exist?

Form spam happens when people submit unwanted information through online forms to phish or send abusive messages.

Form spam exists because spammers look for vulnerabilities in website forms so they can hijack them and use the website forms to relay email spam messages to others. These emails arrive in people’s inboxes looking like emails you might send. People unknowingly open these emails and click the links thinking they are going to your site only to find themselves on an entirely different website. Often the spammer is also trying to game the system by posting hyperlinks to other websites and products so they can gain link equity and a boost in SEO.

How Does Form Spam Work?

Form spam is performed in two ways:

  1. Manual Spamming – manual spamming happens when a company hires real people to fill out web forms by hand with information linking back to companies that need link juice. This type of form spam is difficult to beat because human spammers can get through most anti-spam measures a website owner can put in place.
  2. Spambots – spambots are programs developed to seek out web forms and fill them out in the hope that the message will appear somewhere on the website. A commenting or testimonial form that publishes messages on your site automatically, without approval (don’t do this), can easily attract this kind of spam. This type of spam is easier to combat because spambots aren’t human and have a tough time getting past most anti-spam measures.

Why Comment Spam is Bad

Some people will feel that it’s okay to approve comments they might feel aren’t actually legit. There is harm in doing this for the following reasons:

  • Google is cracking down on bad links. This doesn’t just include sites that buy links. It also includes sites that allow them. The last thing you want to do is degrade the quality of your site by allowing spam comments.
  • Comment spam shows lack of moderation. Comment spam gives users the impression that no one is at home maintaining the website. Suppose you are selling a product or service. Clearly you want prospects to believe you will care for them the way you care for your own website…
  • Your readers might not trust you. If a reader clicks on a link in the comments and is taken somewhere they don’t want to be they might not come back to your website.

Eight Ways to Stop Form & Blog Post Comment Spam

If you want to stop form spam, you have to do everything in your power to make it nearly impossible for the spambots to fill out your forms. At the same time, you have to balance usability and make your forms as easy as possible for real website visitors to fill out.

1. Use Contact Forms – Don’t use email addresses

If eliminating as much spam as possible is your goal, your first task should be getting rid of the email address on your website. Why? Spambots that trawl websites looking for forms to fill out also look for email addresses they can harvest and use to spam others. There are ways to hide your email address from spambots, but the best solution is to use a paid WordPress contact form plugin like GravityForms or Ninja Forms.

2. Use Google reCaptcha

Google reCAPTCHA is the remake of Captcha. Remember this craziness? Although it was effective in reducing form spam it also significantly reduced real human traffic because it was so hard to use.

Google reCAPTCHA helps you detect abusive traffic on your website without any user friction. Now instead of having to type text or answer a question, site visitors only have to click a button identifying themselves as human so they can submit their form. The takeaway is that you should use Google reCAPTCHA.

3. Use the Honeypot Method

If you don’t like the idea of using reCAPTCHA, you can use the honeypot method instead. Honeypots are tiny bits of code that are used to catch spambots by presenting a hidden form field that only appears to spambots.

4. Ask a Question

Another technique is to incorporate a question into the form. You might use a text question or ask the user to answer a basic math question before they can submit the form. Here are some examples of questions you could use:

  • What is 5+3?
  • What is the first letter in the word “cat?”
  • What comes first, B or X?

The only thing that matters when you use this anti-spam strategy is that you make the question and answer easy enough for people to actually answer. And if you have a global audience, it’s important to remember to translate your forms into other languages.

5. Don’t Allow Links

One of the simplest solutions for stopping form spam is to stop allowing links in blog comments and forms. This won’t eliminate all form spam, but it will certainly reduce it. There are WordPress plugins that do this, or you can add this line of code to your theme’s functions.php file:

remove_filter( 'comment_text', 'make_clickable', 9 );

WordPress doesn’t store plain text URLs as links in the database. Instead it changes them into clickable links on the fly. This code simply disables the filter that makes the URLs clickable. Don’t do this unless you know what you are doing or have someone on speed dial who knows how to help you if something goes wrong.
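The honeypot, question-challenge and no-links techniques described above all come down to server-side checks on the submitted fields. The following is an added, framework-neutral example (my own code, not WordPress, a plugin, or the author’s code) showing all three applied to a submission; the hidden field name `company_fax`, the `challenge_answer` and `message` field names, and the two sample submissions are constructed for illustration.

```python
# Added example (not WordPress or plugin code): framework-neutral server-side
# checks implementing the honeypot, question-challenge and no-links rules.
# Field names and sample submissions below are constructed for illustration.
import random
import re
from dataclasses import dataclass, field

HONEYPOT_FIELD = "company_fax"   # assumed name; rendered hidden via CSS so humans never fill it
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class Verdict:
    spam: bool
    reasons: list = field(default_factory=list)


def make_math_challenge(rng=None):
    """Return (question, answer) for a basic addition question; keep the answer server-side."""
    rng = rng or random.Random()
    a, b = rng.randint(1, 9), rng.randint(1, 9)
    return f"What is {a}+{b}?", a + b


def check_submission(fields, expected_answer, max_links=0):
    """Apply the three rules to a submitted form (a dict of field name -> value)."""
    reasons = []

    # Honeypot: the hidden field stays empty for humans; bots that fill every field reveal themselves.
    if fields.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot field was filled")

    # Question challenge: compare the answer server-side after trimming and lowercasing.
    given = fields.get("challenge_answer", "").strip().lower()
    if given != str(expected_answer).strip().lower():
        reasons.append("challenge answer is wrong")

    # No-links rule: count URL-looking tokens in the message body.
    links = URL_RE.findall(fields.get("message", ""))
    if len(links) > max_links:
        reasons.append(f"{len(links)} link(s) found, limit is {max_links}")

    return Verdict(spam=bool(reasons), reasons=reasons)


# Constructed sample submissions (the challenge shown to both was "What is 5+3?")
HUMAN_SUBMISSION = {"name": "Pat", "message": "Loved the article, thanks!", "challenge_answer": "8"}
BOT_SUBMISSION = {
    "name": "Pat",
    "message": "Great post!! visit http://example.com and www.example.org for deals",
    "challenge_answer": "7",
    HONEYPOT_FIELD: "555-0100",
}

if __name__ == "__main__":
    print(make_math_challenge(random.Random(42)))
    for label, sub in (("human", HUMAN_SUBMISSION), ("bot", BOT_SUBMISSION)):
        print(label, check_submission(sub, expected_answer=8))
```

The question’s answer is never sent to the browser; the server keeps it (in the session or a signed token) and compares on submit. A single failed rule is enough to hold the submission for moderation rather than publish it.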

6. Install the Akismet WordPress Anti-Spam Plugin

Akismet checks your comments and contact form submissions against a global database of spam to protect sites from malicious content. This is not the end-all-be-all solution but it works well to complement some of the other solutions I have mentioned above.

Akismet’s top features are:

  • Automated checks of all comment and contact form submissions for spam
  • Automatically filters out submissions that look spammy
  • ‘Unspam’ feature for mistaken spam flagging – when something that isn’t spam is identified as spam

7. Turn Off Trackbacks

Trackback spam is often worse than comment spam. Trackbacks are manual notifications by one blogger that they have linked to your blog post within theirs. Pingbacks were created to automate this process.

8. Turn Off Comments After 30-60 Days

People who comment for link building purposes (SEO spammers) typically look for blog posts with high PageRank – Google’s 1-10 scoring of authority. Typically blog posts start out at a PageRank of 0 and only gain PageRank after a few months. This means that SEO spammers will be targeting your older blog posts.

Conclusion

There is no perfect solution for combatting comment and contact form spam. Whatever you do, don’t rely on a single strategy to stop all the spam on your website.


Best Online Password Managers

Many people make the mistake of using the same password for all of their accounts, risking having them all hacked if the credentials of just one are hacked. Many people also keep track of their passwords in a document on their computer or on a piece of paper in their office. What happens if your computer is hacked? Or if your computer dies and isn’t backed up? Or if your backup isn’t complete and doesn’t include your password list? What happens if someone sees your password list and you don’t even know it?

If you do anything online in 2020, you have more passwords than you can safely remember. So you need a strategy and you need to commit to the strategy.

I’m going to talk about the best online password managers, but before I get into that, there is one other viable approach that is also the safest – but only if you have a strategy and stick to it.

Password managers store all of your valuable login information and help you generate secure passwords. Companies that create password managers are aware of the importance of keeping your data safe so all of the data is stored in highly secure data vaults.

As of January 2020, these are the best online password managers. Each have pros and cons but I hope this article will provide you enough information to make an educated decision based on your budget and your needs.

Best Online Password Managers

Dashlane

Dashlane is a full-service password manager that is packed with features. It works on mobile as well as desktop devices and operating systems such as Windows, macOS, Linux, Android and iOS. In addition to being a password manager, Dashlane is also a VPN enabling you to browse the internet more securely. Like most of the password managers on this list, Dashlane is available in a free version allowing for password storage up to 50 accounts. However, this is useless for most people since most of us have far more than 50 accounts. The most popular option is the Premium Plan which stores an unlimited number of passwords and syncs across unlimited devices (this is what you want so that passwords stored on your PC also work on your laptop and other mobile devices). The Premium version costs $4.99/month, billed annually for a total of $59.99. As with any online purchase, use something like Honey price tracker to figure out if there are applicable coupons for your purchase.

LastPass

LastPass was my first choice for the last few years, and I would have continued with it had they not significantly increased the price of the Premium version. If you don’t need to sync across multiple devices, the free version of LastPass might work just fine for you. Once you create a master password, LastPass allows you to easily import all saved login credentials – passwords and usernames – from any browser. The user interface is friendly and the premium version is chock full of features. It should be noted that LastPass has experienced major security flaws in the past.

1Password

1Password is a password manager with options for families and businesses and reasonable pricing for both audiences. The family password option secures unlimited passwords, credit cards, secure notes, provides 1GB of secure document storage, and can be used for a family of up to 5 people. The business option is slightly more expensive but is designed to work for teams.

1Password’s most significant drawback is that there is no free version. Nearly every other online password manager has some level of free service.

Zoho Vault

Zoho Vault has both free and paid versions. Like most of the other online password managers, the system allows you to securely store all your passwords and organize them for easy access and management. Passwords are encrypted with the strongest encryption standard (AES-256). The paid version includes password sharing, user management, and automated backups while the free one doesn’t.

Keeper Security


Keeper Security is the top-rated online password manager, with high praise from PC Magazine. According to PC Magazine’s review, “The main reason to use a password manager is to create varied, strong passwords for every website and app you use—ones that you don’t have to remember for yourself. However, it’s also important that you can access your passwords from every one of your devices without difficulty. Keeper Password Manager & Digital Vault delivers an excellent experience across a ton of platforms and browsers. It also offers top-notch features such as robust two-factor authentication support, good sharing capabilities, and full password histories. Keeper is an Editors’ Choice password manager alongside Dashlane.”

My own experience is in line with PC Magazine’s, and I recently switched from LastPass to Keeper Security. Keeper Security:

  • Supports all popular browsers and operating systems
  • Two-factor authentication
  • Secure password sharing
  • Optional secure file storage and messaging
  • Retains the history of passwords and files

As with Dashlane and others, there’s a free version of Keeper if you’re willing to restrict your usage to a single device. There’s no limit on the number of passwords.

If you want to use Keeper across all your devices, you pay just $29.99 per year for a personal subscription. This is a good price considering that LastPass Premium costs $36/year and Dashlane costs $59.99/year.

The Bottom Line

The bottom line when it comes to passwords is that we all have far too many. Hopefully this is a problem we won’t have ten years from now, but for now it is clear that you need to adopt a strategy and stick to it. That strategy either has to be creating your own formula for keeping track of passwords or using one of the online password managers I have reviewed above.

Alternatives to Password Managers

Password managers are software applications that automatically fill in your passwords on websites, e-mail accounts, and portals that you use. With a password manager, you typically only have to remember one master password or passphrase for the application, rather than all of the individual passwords to your accounts. Password management apps include:

  • LastPass
  • Dashlane
  • Keeper Security
  • 1Password
  • Password Boss
  • Sticky Password
  • bitwarden
  • LogmeOnce

Neil Rubenking’s article in PC Magazine discusses the best password managers for 2020.

Most browsers also have settings that allow you to save your passwords. If you have an iPhone, this is called Apple Keychain password manager.

Where are my passwords stored?

Most of these password managers store your passwords in the cloud so they are accessible anywhere. Some password managers – like Apple Keychain – save to a physical computer or device but can be uploaded onto iCloud.

If applications do occasionally get compromised, is it safe to use a password manager?

The downside to the password manager approach is that applications in the cloud do get compromised, and your computer is only as secure as you allow it to be. You can keep your identity safe by considering alternatives to password managers. This new approach is completely free but it requires some thought on your part. However, if you follow this approach, you should be able to generate complicated passwords that you can remember and not have to create more than 20 passwords for all your accounts.

Never use the same password for multiple accounts

This is the cardinal rule in cyber security. While this is generally excellent advice, it also assumes that all accounts share the same password severity impact. Think about it this way: what do you value more? A compromise of your online bank account is not the same as a compromise of your Instagram account.

Password Severity Impact

The first step in this alternative to the password manager approach is to divide passwords and accounts into three groups, depending on password severity impact.

Severe Impact Rating

Rate your impact as severe if:

  • Financial loss or personal information exposure could damage your reputation
  • Any adverse effect would require sustained effort to fix the situation

Types of Accounts:

  • Online banking accounts
  • Healthcare portal
  • Main business account – especially if it contains confidential information about your company

Serious Impact Rating

Rate your impact as serious if:

  • Unwanted access could result in loss of credit card information
  • Unwanted access could compromise your business network
  • Any adverse effect would require some effort to remedy the situation

Types of Accounts:

  • Accounts containing credit card information (any online shopping account)
  • Accounts containing your main personal or business email account, Facebook, or Google accounts

Limited Impact Rating

Rate your impact as limited if:

  • Loss or compromise of information is meaningful only to you

Types of Accounts:

  • News feeds
  • Spam e-mail accounts
  • Social networking accounts (note: on social media, never post any information that would answer password security questions)

Create Strong Passwords in Three Easy Steps

Step 1: Group Accounts by Severity Impact

Once you group your accounts by severity impact, you should have unique passwords for every account in the severe impact category.

Step 2: Use easy to remember passphrases to develop initialized passphrases

Do not use traditional passwords. Instead, use easy to remember passphrases related to each account. For example:

  • Healthcare – Health-related phrase – “A spoonful of sugar makes the medicine go down” becomes Asosmtmgd
  • Finance – Money-related phrase – “A penny saved is a penny earned” becomes Apsiape
  • Personal – Memorable personal event – “Tom and Jane met at Johnny’s Bar” becomes Tajmajb

Step 3: Insert special characters and numbers

Next, insert a special character. Then add a date that is significant to you as long as it’s not your birth date, anniversary, or any personal date that is commonly known. For example, assuming Flag Day is June 14th and my special character is #, my Healthcare password becomes: Asosmtmgd#0614.

Examples of Strong Passwords:

  • Healthcare – Health-related phrase – “A spoonful of sugar makes the medicine go down” becomes Asosmtmgd. Date of surgery was January 14. Original passphrase becomes Asosmtmgd#0114.
  • Finance – Money-related phrase – “A penny saved is a penny earned” becomes Apsiape. Business was created in September of 2009. Original passphrase becomes Apsiape#0909.
  • Personal – Memorable personal event – “Tom and Jane met at Johnny’s Bar” becomes Tajmajb. Date Tom and Jane met was 3/3/11. Original passphrase becomes Tajmajb#030311.

Depending on your accepted level of risk – and remember that any part of this approach is more secure than what you were doing in the first place – you will only need to create a few groups of passphrases. There are also variations of this approach.

The key is to create your own password key and stick to it. So, for example, another approach might be to use the last two letters of a website, capitalize the second letter, add a special character, then a set of 6 numbers that are meaningful only to you, and finally another special character. So your Amazon password could be: nO$13579!. And your Ebay password would be: yA$13579!. And your Washington Post password would be: tS$13579!.
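The two schemes above (Steps 2 and 3, and the website-letter variant) are simple enough to carry through in code, which also makes it easy to see how much of each resulting password is shared across accounts. The following is an added example, my own code and not the article’s, run on the page’s own sample phrases and sites; the website-letter function follows the page’s worked examples (Amazon gives nO$13579!), which place the site name’s final letter first and then the second-to-last letter in upper case, and the `common_suffix` helper is my addition.

```python
# Added example (not the article's own code): the passphrase-initialism and
# website-letter schemes described above, carried through on the page's sample
# phrases. The Flag Day digits (0614) and the $13579! tail come from the text.
import re


def initialism(phrase):
    """First letter of each word; first letter kept upper-case, the rest lower-case
    (the capitalisation the page's examples use, e.g. Tajmajb)."""
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    letters = "".join(w[0] for w in words)
    return letters[0].upper() + letters[1:].lower()


def passphrase_password(phrase, special="#", date_digits="0614"):
    """Step 2 + Step 3: initialism, then a special character, then a significant date."""
    return f"{initialism(phrase)}{special}{date_digits}"


def site_password(site_name, special="$", digits="13579", tail="!"):
    """The website-letter variant as the page's worked examples show it
    (Amazon -> nO$13579!): the final letter of the site name, then the
    second-to-last letter upper-cased, then the fixed special/digits/special tail."""
    letters = re.sub(r"[^a-z]", "", site_name.lower())
    return f"{letters[-1]}{letters[-2].upper()}{special}{digits}{tail}"


def common_suffix(strings):
    """Longest suffix shared by all strings: the part of every password that is
    exposed to anyone who learns just one of them (helper added for this example)."""
    if not strings:
        return ""
    n = 0
    for chars in zip(*(s[::-1] for s in strings)):
        if len(set(chars)) != 1:
            break
        n += 1
    return strings[0][len(strings[0]) - n:] if n else ""


if __name__ == "__main__":
    print(passphrase_password("A spoonful of sugar makes the medicine go down", "#", "0114"))
    sites = ["Amazon", "Ebay", "Washington Post"]
    pws = [site_password(s) for s in sites]
    print(pws, "shared suffix:", common_suffix(pws))
```

Running it shows the three site passwords share the seven-character suffix $13579!, leaving only two characters that differ between accounts; that is the trade-off between memorability and uniqueness the text asks you to weigh against your accepted level of risk.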

The Equifax Data Breach: What To Do Now

News broke this week of yet another major data breach. Equifax, one of the main credit reporting companies, was hacked back in July and sensitive personal information for more than 143 million Americans was exposed. If a credit report has ever been run for you, chances are strong that your data has been compromised in this hack. The three big credit agencies have a very high duty to keep customer information safe, and they failed outright.

According to Equifax the data breach lasted from mid-May through July. Hackers accessed names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people.

Equifax has set up a website so that people can check and see if they have been hacked. I strongly urge against this. Equifax’s website is filled with security holes. Their executives reportedly sold Equifax stock in the five weeks between the discovery of this data breach and notifying anyone about it. Equifax is also pushing their own credit monitoring service. Why trust someone twice with your valuable information? This is like asking the guy who robs you at gunpoint to watch your kids for you.

Here’s what the FTC suggests you should do to protect yourself after a data breach:

  • Check your credit reports from Equifax, Experian, and TransUnion — for free — by visiting annualcreditreport.com. Accounts or activity that you don’t recognize could indicate identity theft. Visit IdentityTheft.gov to find out what to do.
  • Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that a credit freeze won’t prevent a thief from making charges to your existing accounts.
  • Monitor your existing credit card and bank accounts closely for charges you don’t recognize.
  • If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you.
  • File your taxes early — as soon as you have the tax information you need, before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.

How Not To Get Hacked – Six Easy Steps

There’s been a lot of talk about Russian hackers these days, and while the thought of getting hacked by the Russians (or anyone else) often conjures up thoughts of Jason Bourne, most incidents of hacking are actually much less sophisticated. Let’s face it, hackers, like us, often take the easy way out and go for low-hanging fruit. The good thing about this is that it’s relatively easy to avoid getting hacked. What follows is a simple primer – how not to get hacked – six easy steps.

How Not To Get Hacked Step 1:

Create Strong Passwords

The first and most important rule is to never use the word “password” for your password. Don’t use these passwords either:

  • 123456
  • 123456789
  • qwerty
  • 1111111
  • 123123
  • qwertyuiop
  • 123321
  • 666666
  • 1q2w3e4r5t
  • google

These were the most commonly hacked passwords in 2016.

What all of these have in common is that they are painfully obvious. It is very important to choose your passwords carefully. Don’t use the name of your dog or cat or children. All of these are easily guessed. Strong passwords are cryptic – a meaningless string of numbers, letters, and characters. It’s also important to not use the same password for everything. Your Gmail or Yahoo password shouldn’t be the same as your Facebook password and that shouldn’t be the same as your bank password. Imagine if you were one of the billion or so Yahoo users who were hacked! The hackers would suddenly also have access to your bank account and your social media presence. They could learn everything about you at once.

Check HERE to see if any of your email account passwords have been compromised. If they have (and they probably were), make sure you go change the passwords at the sites where you have an account (or you set up an account eons ago).

How Not To Get Hacked Step 2:

Stop Trying To Remember Passwords…Get A Password Manager

As a website designer I need nearly 1,000 passwords in order to get my work done. Even if I had a meaningful and secure logical way of producing passwords, I would never remember them all. For the past 4 years I’ve been using LastPass. Basically LastPass creates extremely complex passwords (more than 20 characters if I want) and then remembers them whenever I go to a website. All I have to do is create one very long strong password that works as a master password. The master password will then unlock a secure, encrypted vault that contains each unique password for all of your accounts. Password managers also integrate seamlessly into Web browsers, so you can quickly log into any of your accounts from any of your devices. The basic version of LastPass is actually free. If you want to use LastPass on your mobile devices, then all it costs is $1/month.

How Not To Get Hacked Step 3:

Use Two-Factor Authentication

Two-factor authentication requires you to enter a password and then a second code, which you choose to receive by email or on your cell phone. That second code is texted to your phone or sent to your email, so a further authentication step is required beyond the password. The exact methods may vary, but two-factor authentication is a much more secure way to prove that you’re you.

How Not To Get Hacked Step 4:

Be Wary of Public Wi-Fi

If you take the right steps to secure your Internet connections, you will probably be okay with public wi-fi. However, avoid doing the following things while on public wi-fi:

  • Don’t check email.
  • Don’t access your bank accounts.
  • Don’t shop online.

In general, whether on public wi-fi or not, seek out websites that start with https:// instead of http://. That extra “s” is a critical level of security. Legitimate shopping, bank, and email websites all use SSL encryption.

For more information about the danger of public wi-fi, check out Norton’s post on the risks of public wi-fi.

How Not To Get Hacked Step 5:

Be Defensive and Watch Out for Phishing Tactics

Spoofers are cyber criminals who try to steal passwords from people who actually know how to come up with complex passwords. This is also called phishing. They’ll get you to click on a link leading to a spoofed website that looks exactly like the one at which you have an account. When you “log in” to the spoofed website, your user log-in credentials are stolen. Do not click on the link. Instead, delete the phishy email.

How Not To Get Hacked Step 6:

Trust Your Instincts

If an email or website seems suspicious in any way, delete it or don’t visit it. Many of the attacks – an email phishing campaign for example – attempt to take advantage of our caution and reason by appearing to come from an authoritative source – like our banks, credit card companies, or even the IRS. But in reality, most of those entities will mail you multiple letters before any action is taken. If something – even mailed to you – looks suspicious, pick up the phone and call your bank. Don’t use the number on the suspicious mailing or email.

How To Avoid Phishing and Spear Phishing

Phishing is when someone sends you an email that looks like it came from a bank or service you trust. They try to get you to open an attachment that compromises your device or to click on a web link and to sign in on a malicious website.

Spear phishing is the same as phishing, except the email you receive is especially crafted just for you. The attacker has researched you well and knows who your friends, family and associates are. They may know who you work for and what you are working on. The phishing email received in a spear phishing campaign looks much more authentic, appears to come from someone you know and may refer to something you are working on. Spear phishing attacks have a much higher success rate.

Follow these two simple rules to avoid a phishing or spear phishing campaign:

  1. Never open an attachment unless you are 100% certain that someone you trust sent it to you. If you have any doubt at all, pick up the phone and call the person.
  2. Never click on a website link unless you are 100% certain that the person or organization that sent it to you is someone you trust. When you do open the link, check your browser location bar at the top for the following:
    • The location should start with https://
    • The part after https:// should be the domain name of an organization you trust. For example, it should say paypal.com and not paypal.com.badsite.com. Everything from the first forward slash to the final forward slash in the location should be a name that you trust.
    • The https:// part should be green if you are using Chrome and it should also say “Secure” to the left.
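The location-bar checks in rule 2 can be expressed as a function that takes a link and reports which checks it fails, which is useful for reasoning about tricky cases such as paypal.com.badsite.com. The following is an added example (my own code, not the article’s); the trusted-domain allow-list and the sample links are constructed for illustration.

```python
# Added example (not from the article): the location-bar checks above as a
# function you can run on a link before trusting it. The allow-list and the
# sample links are constructed for illustration.
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"paypal.com"}  # constructed allow-list of domains you trust


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if the host IS a trusted domain or a subdomain of one.
    'paypal.com.badsite.com' ends with 'badsite.com', not 'paypal.com', so it fails."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Return a list of problems; an empty list means the link passed all checks."""
    parts = urlsplit(url.strip())
    problems = []
    if parts.scheme.lower() != "https":
        problems.append(f"location does not start with https:// (scheme={parts.scheme!r})")
    # urlsplit separates user@ and :port from the host, so the part before '@' in
    # 'https://paypal.com@badsite.com/' is NOT the host; hostname is badsite.com.
    host = parts.hostname or ""
    if not host:
        problems.append("no host name in the location")
    elif not host_is_trusted(host, trusted):
        problems.append(f"host {host!r} is not a trusted domain")
    return problems


SAMPLE_LINKS = [   # constructed
    "https://www.paypal.com/signin",
    "http://www.paypal.com/signin",
    "https://paypal.com.badsite.com/signin",
    "https://paypal.com@badsite.com/signin",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_link(link) or "OK")
```

The important detail is the direction of the suffix test: the trusted name must be at the end of the host, with a dot before it, which is exactly the “everything up to the first single forward slash” rule in the text.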

If you receive an email that looks suspicious in any way, just delete it. Then pick up the phone and call the person who sent it to you. They may not know their email account has been hacked.

How To Avoid Social Engineering

Social Engineering is what happens when someone phones you and pretends to be an organization or individual that you trust. They will try to get sensitive information out of you including passwords, usernames and a description of systems that you have access to.

This kind of attack is common and is used to commit tax refund fraud. It is also used to gain access to your bank accounts. You will even find attackers trying to get access to your workstation by telling you that they have found something wrong and asking you to install their software to fix it.

You can use a simple technique to avoid social engineering scams. Usually the individual will claim they’re from a reputable company or organization. Simply hang up, find the organization’s central number, call back and ask for that individual or someone in the same role.

Using the callback method is an effective way to defeat social engineering.

Staying Safe Online: The Connect4 Cyber Security Survival Guide

Today I’m publishing a guide that I hope will help improve your personal online security. This guide focuses on the basics – how to reduce the life-altering risks we face as we navigate the internet.

This is a Cyber Security survival guide. I’m going to start by giving you a clear picture of the current state of Cyber Security. Then I’m going to prioritize what you should be protecting. I’m going to focus on the biggest risks and I will explain how to reduce the risk for each category.

If you find this useful, please go ahead and share it extensively.

Current State of Cyber Security

Would you believe it if I told you that there’s a 66% chance that your data has already been stolen and will be stolen again and again? Unfortunately, it doesn’t matter whether you use secure passwords, two-factor authentication, are young or old, or which websites you visit or businesses you do business with. At various points in your life, your data will be stolen. And in all likelihood, it will be stolen repeatedly.

Today, 64% of Americans have already had their data stolen through data breaches. That is almost 2 out of three people.

In the past 3 years we saw the first data breach of more than 1 billion user accounts with the Yahoo breach. That breach affected 1 in 7 people on our planet! In the United States, the OPM breach included the data of our top spies, including their fingerprints and personal data. Even our intelligence services can’t protect highly confidential personnel data.

Data has been stolen from private companies, intelligence agencies and the military. Even cyber security companies have had their data stolen.

How Data Is Stolen

Even if you use a strong password, two factor authentication and best practices for security, your data will still be stolen, because in some cases the companies whose services you use will fail to protect their own networks and systems.

How to Prioritize What to Protect

If data breaches are the new normal and if you accept the premise that they are inevitable and unavoidable, the problem we need to solve in our personal and business lives becomes “How do I reduce the risk and the impact of a breach?”

It’s helpful to start this conversation by trying to prioritize what we need to protect. I’m focusing on the really important, high-level things. This is my prioritized list, so your list could be in a different order.

  1. Information about us that could help criminals target us in the real world.
  2. Our financial means – savings accounts, ability to borrow, and our assets.
  3. Sensitive personal information – medical records, tax data and other private data.
  4. Our ability to earn an income through our reputation and our ability to provide products or services to people.

Preventing Criminals from Targeting Us in the Real World

In most developed countries, it is rare to hear stories of real-world targeting of individuals through information they have ‘leaked’ into the cyber realm. But in developing countries where there’s a greater disparity of wealth, or if you happen to be a superstar or athlete in a developed country, it might be good to:

  • Never show high value items (like jewelry or cars) online.
  • Share your location in general terms, and if you want to share a specific location, do it after you have left that location.
  • Don’t share information that may indicate when or how much you’ve been paid.
  • Consider making social profiles only available to people you have approved.
  • If you work for someone or some entity with access to highly confidential information, avoid disclosing who your employer is and what your job title is. This includes public websites like LinkedIn.

Protecting Your Financial Means

I’m not concerned with credit card fraud in this section. That risk falls on the vendor and transactions can be reversed. Instead, I’m focused on the kind of risk that can have a permanent impact on your financial well-being.

If an attacker is able to authorize a wire transfer from your savings account, they can empty your bank account and the funds may never be recoverable. This risk applies to savings accounts, checking accounts and investments like brokerage accounts and money market accounts.

If they are able to borrow in your name, it can permanently damage your credit score and your ability to borrow money to buy a home, for example.

I suggest taking the following steps to reduce the risk of large scale financial fraud:

  1. Make a list of savings and investment accounts. Audit each account to determine how you prove your identity when transferring funds and get a clear idea of what an attacker would need to do to commit fraud on each account.
  2. Implement any additional security provided by your banks or brokerages:
    1. callback to a predetermined number.
    2. authorization from multiple parties prior to transferring funds.
    3. two factor or hardware-based authentication.
    4. limiting transaction size when not in person.
    5. real-time alerts.
  3. Monitor account statements weekly. Make this a routine.
  4. Place a credit freeze on your credit report if you are in the U.S. This restricts access to your credit report and makes it difficult for thieves to open up accounts in your name.
  5. Place a fraud alert on your credit report – also if you are in the U.S. This lasts 90 days and forces businesses to verify your identity before issuing you credit.

In all of the cases above, if you are able to choose a password, choose one that is complex (more than 12 characters, including uppercase, lowercase, numbers, and other characters), and use a password manager.

Protecting Your Sensitive Information

Sensitive data that you need to protect includes your medical data, tax data, and social security number. There are two surprisingly easy ways of protecting this information.

First, try to avoid creating data about yourself. If it doesn’t exist, you don’t need to protect it. You will frequently find forms that ask for your social security number or equivalent. Most of the forms don’t actually require it. Don’t provide it if it’s not required.

Second, the best way to protect data is to delete it. Once again, if it doesn’t exist, it doesn’t need to be protected. Don’t hoard sensitive data. When you do need to store and protect your sensitive data, encrypt it and use strong device passwords.

Protecting Your Ability to Earn an Income and Protecting Your Reputation

Most of us rely on some type of IT infrastructure to earn a living. Whether you are an architect, photographer or computer programmer, it is important that you secure the systems you use. Here are a few tips to secure your own systems and the services you use:

  • If you have a WordPress website, make sure that you have a malware scanner and firewall in place, and look into upgrading your security by using SSL.
  • Use a password manager like LastPass to automatically store and generate long complex passwords that are different for each system you access.
  • Secure your phones, tablets, laptops, and PCs by using disk encryption when available and use complex passwords for device access.
  • Avoid adding unnecessary data to the systems that you use.
  • Enable two-factor authentication on all systems or services you use.
  • Keep backup drives in a secure place and destroy sensitive data that you don’t need. Never simply throw backup devices in the trash without either using secure wiping software or physically destroying them with a large hammer.

Protecting Your Online Reputation

If you use social media, never simply ‘Share’ or retweet someone else’s post until you have fully read it, understood it and also understand any context around it. If you accidentally share something that is highly controversial without fully understanding what you’re sharing, you may find your professional reputation severely damaged.

Secure any social media accounts that you own. If your account is hacked, it may be used for spam which could damage your online reputation.

Secure any websites that you own. If your website is hacked, it will damage your search engine ranking and infuriate your customers if their data is stolen. This can have a severe impact on your reputation. If you use WordPress, install Wordfence which will help prevent a hack.

When installing apps on your smartphone, avoid apps that are aggressively viral. Some apps gain access to your contacts list and can SMS, private message or email your contacts a message from you that suggests they also sign up for the service.