Monday, March 29, 2021

NEW INC. MAGAZINE COLUMN BY HOWARD TULLMAN

 

In an Ever More Remote World, It Pays to Protect Your Data

We've all been too busy coping with being cooped up and dodging a deadly pandemic to concern ourselves with mundane things like password security. But the threat is bigger today.

BY HOWARD TULLMAN, @TULLMAN


We've been home for more than a year now and things are finally starting to look up, which is great news. Some of us gained new skills, some of us grew new appendages, some of us thought about all the things we were gonna do and didn't. And many of us dodged a different and very scary bullet that we probably didn't give five minutes of thought to the entire year: Being hacked and having our identities stolen. 

Amazingly, even though tens of millions of us worked from home and shared our devices (willingly or otherwise) with wives, kids, relatives, friends, neighbors, co-gamers and visitors, we didn't have the enormous wave of password and identity theft, ransomware, and related frauds that had been anticipated. Some 80% of data breaches are due to poor password security - we reuse the same, easy-to-guess password on multiple websites, and we rarely if ever change the passwords.

As the saying goes, the world's divided into folks who have been hacked and folks who don't know that they've been hacked. Current estimates are that more than 20 billion stolen logon credentials are presently floating around and being bought and sold on the Dark Web by cybercriminals.

Whatever your current status - confusion, indifference, ignorance or avoidance - now is exactly the right time to protect your passwords. Being forewarned is a great way to be forearmed and insulated from risks like these, but only if you heed the warnings. Get some password protection - get it organized and installed on all your devices (and those of your family members) - and do it now because it's no longer a question of if you'll be hit, it's just a question of when and how hard.

This isn't Chicken Little stuff - the Russians just pulled off a remarkable hack of FireEye, a supposedly top cyber security firm, to breach the Treasury Department and God knows what else. Just ask anyone who's been a victim about the time, pain, cost and grief associated with having your devices compromised, your passwords stolen, and your credit and identity ripped off. And remember that the most likely people to leave the doors open for the bad guys are you and those closest to you - your own family and your employees. It's not because they're bad people, obviously; it's just that these kinds of things aren't top of mind for them or even in their heads. So, it's all on you.

And a word to the wise: be careful which data protection program you pick because you will be investing some amount of your scarce time in the set-up as well as entrusting your very sensitive information to a third party. Make sure your pick will be here for the long run with the team, talents, resources and tools to keep up with the continual threats and new technologies and provide the necessary support and infrastructure to grow with the market as well. You want a company that's a keeper.

More technology-based, early-stage businesses with a real product or service fail because they can't manage their growth than starve for lack of business and opportunities. You want a privacy and protection "partner" who's been around 5 or 10 years, has a demonstrated record of success with both consumers and enterprise customers, is highly rated in the app stores (where people put their money where their mouth is), and has grown steadily and consistently and reached a million or more current users.

Online reviews can be somewhat helpful guides, especially in a world where there are constantly new entrants of uncertain and largely unknown backgrounds. Many of these aspiring players have unclear chops and modest financial resources and won't be here in a year or two. But I've been consistently under-impressed with most of the mainstream computer press articles which try to rank the major vendors. The rating sites like TrustPilot and G2 Crowd are a much better bet.

I don't want to fall into the same advice trap although I believe that there's a clear winner in this particular race. What's more useful is to give you a short checklist - in addition to the concerns and issues I have mentioned above - to compare the various providers so that you can make a careful and informed choice. You won't find me talking about cost because (a) the costs are trivial and (b) just avoiding the financial risks to you, your family and your business is worth many multiples of whatever you end up paying. This isn't something that you try to do on the cheap. Decide who's the best and best-suited for your needs and go from there.

Here's my short list of critical criteria.

(1)   At least a million or more paid annual users. Trial is easy - forget it. Subscriptions are hard, sticky, and mean something serious.

(2)   Strong, positive user ratings, especially across all the app stores and, of course, the offering needs to be multi-platform.  

(3)   A solid balance sheet and firm financial backers. Startups come and go - you want to trust your security to a solid, well-funded organization that will be here for the long run. One that plans and advances development over decades. Think Google, not GameStop.

(4)   A technical solution based on Zero Knowledge (end-to-end encryption) so that no one - inside or outside the organization - knows anything about the data and information stored on their servers. Startups turn over - tech company employees are notorious for job hopping - and all it takes is one depressed or disgruntled employee to put your data at risk unless the provider is committed to, and consistently enforces, this type of vault security.

(5)   A demonstrated commitment to innovation, iteration and continuous improvement without which the world and the emergent technologies will quickly obsolete their products and programs.

(6)   And finally, independent, third-party security vetting and certifications (NCC Group, ISO, etc.) coupled with systematic public disclosure protocols for vulnerabilities and an ongoing program to encourage and reward bug discoveries.

Bottom line: you've been warned. The smart money always bets on prevention rather than cure. You don't want to be the next poster boy or girl for "too little, too late".

MAR 30, 2021