Online data breaches are just an unfortunate fact of life now—as the New York Times put it, you might as well assume that your personal information has been taken, because cyberattacks happen all the time.
That’s why we recommend identity theft protection which includes identity-recovery coverage, which may be available to many homeowner insurance customers.
It’s best if you don’t have to use that coverage—but many people don’t take even simple steps that would make it harder for thieves to gain access to banking details, Social Security numbers and other sensitive information. And even those who have been victimized previously can find themselves falling into old habits.
Fortunately, there are several things you can do, quickly and easily, to keep your data more secure. And while a really determined and skilled hacker could still find a way in, putting up a few roadblocks might encourage them to move on to a different target, similar to a burglar choosing an obviously unoccupied home instead of one with the lights on.
Here are five things experts recommend to better protect your personal information:
Use a stronger password. People have some truly awful passwords: The worst of 2017, as compiled by password-management company SplashData (using data leaked in various breaches), included “123456,” “qwerty,” “letmein” and the ever-popular “password.” You should try to create complex passwords using a combination of special characters, numbers and odd phrases that aren’t easily guessed. Instead of “mike2013,” for example, remember something like “In 2013, Mike broke his leg in Omaha” and translate it into “i13MbhliO!” Password-management software can help, too; these programs generate strong passwords for you and require you to remember just one master password.
Better yet, use multi-factor authentication. Many companies and online service providers offer this feature, which forces you to provide verification beyond a password to sign in. You might be required to enter a code that is sent to your mobile device, or answer security questions. Beware the security questions, however—thanks to publicly available information, including posts on social media, these can be easy to guess. (“What is your favorite food?” is not a great question to use, particularly if your answer is “pizza.”) So make sure your answers are things only you would know. If multi-factor authentication is available, you should use it, especially for sites with your most sensitive information.
Watch out for phishing attempts. If someone happens to send you an email that is plausible because of your present situation, take a moment to double-check its authenticity, particularly if the message encourages you to click on a link or web address. Unless you’re absolutely sure about the person or company you’re dealing with, don’t give out personal or financial details on the phone or via email. If you have a question about someone’s authenticity, type the organization’s web address into your browser. Then call or email back using the information on the actual website, or get the correct contact information from your account statement. Don’t click links in an email unless you are absolutely certain of the sender's authenticity. Look for misspellings or unlikely formats in web address links, or hover your mouse over any link or web address to see if the revealed address matches the address you see in the email.
Back up (or wipe out) your data. Not only is this important in case your device is stolen, it also can save you in the event of a “ransomware” attack, where someone blocks access to your data unless you pay a fee. Some devices and platforms have a feature that allows you to erase everything remotely if needed, so consider enabling that feature if it's available. And remember to always fully wipe old devices before selling or recycling them. Simply deleting files isn’t enough—check with the manufacturer and learn how to completely erase all of your information.
Watch where you go online (and where you’re connected). If you’re making a purchase online, don’t enter your credit-card information (or other sensitive details) unless the site’s address begins with “https.” And it’s best to avoid entering this type of data when you’re on a public network, especially if it’s unsecured.
Of course, nothing can completely protect you from all risk online. Even the founder of LifeLock, a data-security company, famously had his identity stolen multiple times. (To be fair, he did use his actual Social Security number in an advertising campaign, which in hindsight wasn’t the best move.) But if you use the steps above, you’ll be ahead of most people.