Connected devices are increasingly present in our daily lives: at breakfast, we read emails or catch up on social networks; at work, we use PCs or devices that allow us to carry out our activities or interact with employees; and in the evening we enjoy a good movie on the sofa thanks to a smart TV and on-demand platforms. In what has become our hyper-connected daily life, the personal sphere is mixed with the digital one. The sharing of accounts and passwords has greatly increased the risk of cyber security attacks on companies. Let’s now see how to protect our digital identities in a hyper-connected society.
What is a digital identity and why do you need to protect it?
When we post or share personal information online, we create or augment our digital alter ego. By digital identity, we mean the association, with our online name, of all those attributes that serve to define our private and professional personality (e.g., date of birth, health information, address, phone number, account login IDs).
Every time we interact through social media, service platforms, and sites that require us to log in before taking any action, we provide the web with new personal information.
The enormous amount of personal data circulating on the web is a veritable gold mine for cybercriminals. This information can be used for fraud of varying severity, as we will see later.
The motivations that should drive us to protect our online identity are varied, including:
- Defend reputation. Even if we do not lose money from online identity theft, an attack on our credibility could harm us professionally or privately. The appearance of compromising videos on our social networks, the sending of disparaging emails, or the publication of offensive posts on our company’s social networks could create damage that takes time and money to repair.
- Protect finances. Unauthorized access to bank accounts is not a fraud that we detect quickly, especially if the hackers are professionals who act discreetly. We won’t see a massive money transaction that sets off the banks’ cybersecurity alarms, and that exposes us to greater danger.
- Protect business information. Digital identity is the key to the digital world and, if stolen, could allow a cybercriminal to act on our behalf. Here’s an example. If we are the company’s CEO, our digital identity could be used to send emails from our email account to employees. Those who receive the message trust us and might accept a hypothetical request to transfer money to the IBAN written in the text of the email. This attack is known as Business Email Compromise (BEC).
Today, digital identity theft, with the sheer number of connected devices and activated accounts, is a widespread crime. Sophos’ annual “The State of Ransomware” survey found that 37 percent of organizations – more than a third of the 5,400 respondents – have been affected by ransomware.
Digital identity is composed of a series of attributes that define a person in the online universe. Understanding what the threats are and how to protect our digital alter ego is critical in a hyper-connected society.
What are the threats to digital identity?
Every person has value to a computer hacker. There are big fish such as those who hold a prestigious role in government institutions, well-known names in entertainment, multi-billion-dollar entrepreneurs, but there are also smaller, lesser-known, more numerous fish that provide significant gains.
Obtaining the access keys to accounts allows cybercriminals to perpetrate fraud of various kinds:
- Impersonating a user in the account creation phase. During this process, the criminal can create a new account with the real data of a user, in the case of identity theft; or log in with a user’s credentials and use them briefly to achieve a specific purpose without being detected; or create a twin account with the same personal information as the real user and act on the user’s behalf with their contact network.
- Identity theft of an active account. More frequent and more damaging, there are several types of ransomware in which the hacker steals the identity of an active account. Most of these attacks come via email and are identified as social engineering: there are cases where something is offered in exchange for data entry (Baiting); or the email appears to be sent from an account we know and asks us to log in by entering ID and password (Phishing); or the sender appears to be the company we work for or our boss (Business Email Compromise).
- Reactivation of accounts that have fallen into disuse. Many of us have accounts that were created some time ago and are no longer used: mail from previous jobs, or accounts for services that we no longer have access to. We forget about them, but hackers could reactivate them and operate on our behalf. It also happens that criminals take over the data of a deceased person to build a new identity (Ghosting).
How do you protect your personal and professional digital identity?
A hyper-connected society generates many cyber threats, and it is important to implement behaviors that protect our digital identity in private and professional environments.
1 – Change your access passwords frequently
We usually change our password only when, for some reason, we have to enter it and have forgotten where we saved it. It would be a good idea to change the password of accounts that contain personal information or allow access to our accounts at least once every six months. Also, be careful not to save passwords online, as even the most secure sites can be hacked.
2 – Be careful with Social Login
Many sites allow you to create an account by leveraging the logins of your personal social profiles (Facebook, Instagram, Twitter, Google). What may seem like a quick method hides an important privacy problem. In fact, when you choose open-standard authorization (OAuth), it is the provider, for example Google, that sends to the site on which we are registering not only ID and password but also a series of information related to our account that, knowingly or not, we have authorized it to share. It is always worth reading the privacy policy carefully before accepting.
3 – Read email messages carefully
The preferred way for hackers to target the largest number of users is through email. Every day we receive several emails and newsletters from colleagues or our boss, from home users, and from sites we are registered with. In this sea of messages, it is easy for an attacker to blend in. When phishing is obvious, even if distracted, we manage to trash the email before clicking on the link. If, on the other hand, the sender is a professional, they may have logged in from the mail account of our boss or may have graphically reproduced the layout used, for example, by our electricity supplier. In this case, everything will look very similar to the real thing and, if we ignore the details, the risk of falling into the trap will be very high. What are the aspects to evaluate? The sender, the request made in the message, and the action it asks us to take. In the case of BEC, the sender could well be a known person, so pay attention to the link, if present, or to the request. No serious company will ask you to log in by clicking on a link or to email personal information.
4 – Update the privacy settings of your accounts
How often have you logged into a personal account, on a social network or a website, and read that the privacy settings have been updated? At that moment, you should not quickly click on “accept all” to save time; it is worth stopping and reading carefully. That message is like saying, “Look, we are changing the way we provide your personal information to third parties.” After reading, it’s important to go into your privacy settings and check that the preferences you had set haven’t changed. Another tip for protecting your accounts from intrusion is two-factor authentication.
Many accounts allow an additional verification step to be associated with the login. This can be a phone number or an email to which a notification will be sent to confirm access. This protection is especially effective in the corporate environment with access to our work platforms. In this way, even if they manage to get hold of ID and password, hackers will not be able to access the information.
5 – Protect personal and professional devices and be careful about connectivity
Smart working allows us to work anywhere. We can connect from the coffee shop, from home, in a park, or at client offices with a laptop in hand. Public wifi, however, could be a major gateway for hackers. For this reason, it is essential to protect our professional devices with firewalls and antivirus software that are always up to date. This is generally true, but what should we pay attention to when it comes to digital identity? If our device is not adequately protected, accessing a public network, such as that of the bar or the park, could expose all the information on our PC or our cell phone to cyber attacks. Attackers could sneak into our network and spy on our activities. In this case, it can be useful to use a VPN (Virtual Private Network), which is a system that hides the IP address and protects incoming and outgoing traffic.
In conclusion, the way to limit personal and professional damage due to identity theft is to focus on user empowerment. Whether they are employees of our company or people we interface with in a professional context, it is always useful to check their attention to protecting digital identity. The easy gateway, even today, remains human error, committed through distraction or lack of proper training.