Helping online users break the data breach cycle
From a cybersecurity perspective, the last two years will go down as a historical turning point. Starting with the large-scale retail data breaches that led to a massive loss of consumer credit card numbers in 2013 to the more recent U.S. Office of Personnel Management’s data breach exposing millions of current and former government employee records, these attacks have reached a pervasive scale, more deeply impacting millions of American lives.
In between we experienced the Sony email scandal, the infamous Ashley Madison hack and several data breaches at health insurers revealing people’s most intimate medical information. These cyber incidents captured the attention of the media and general public, but they tell only a fraction of the story – even more sobering, more than 675 million of our online records were exposed between 2005 and 2014, according to the Identity Theft Resource Center.
This onslaught of attacks and massive amounts of stolen data flowing to cybercriminals leave many people with a sense that there is nothing they can do to protect their online personal information and guard their financial resources.
But the truth is that many of these incidents, including a major breach at JPMorgan in 2014, are the result of a significant vulnerability that is quite easy to fix, and fixing it provides a significant increase in online security.
The Internet has outgrown the primary form of online account security: a username and a password. Cracking user names and passwords is not difficult for cybercriminals, and our reliance on these two markers is an invitation for crime to take place, data to be lost and harm to come to individuals and businesses.
Those of us in the cybersecurity education community have repeatedly championed long, strong and unique passwords as an essential element in personal cybersecurity. But it’s time we faced the facts: Last year, according to a Pew Research Center study, 21 percent of Internet users over 18 had an online account compromised. Passwords are simply not enough when most people juggle several different online accounts each requiring a unique, complex and hard-to-remember password.
For all our good intentions and awareness efforts, computer users have continuously demonstrated that they have no intention of following our advice. “Password” and “123456” remain the most common passwords, making it incredibly easy for cybercriminals to pick the locks of our online accounts.
In the real world, crime prevention involves many small steps, such as “seeing something, saying something,” installing better lighting and using low fences to increase visibility, that can quickly improve the safety of a home or neighborhood.
The digital reality isn’t much different. Two-step authentication (or multi-factor authentication) is a vastly underused method for keeping our personal information secure online. In addition to requiring a password to log in, two-step authentication incorporates another factor, such as a code sent to your phone or the use of a physical device, to make sure it’s really you logging in, not someone who has stolen or guessed your password. This system of using two measures of authentication allows you to log into an email account, check bank statements or open up your social media channels with more peace of mind. This isn’t some future invention – it’s here now and can be easily implemented in most of our online activities, from accessing email to social networking to online banking.
There is no such thing as perfect security when it comes to our online networks. But two-step authentication is a step in the right direction.
Michael Kaiser is executive director of the National Cyber Security Alliance.
Security meeting
What: Public officials, business leaders and digital experts offer ways to stay safer online.
When: Monday, 9-11 a.m.
Where: AKD Conference Center, 12 Davis Drive, Research Triangle Park
This story was originally published September 18, 2015 at 4:21 PM with the headline "Helping online users break the data breach cycle."