Welcome to “Ask a security trainer,” the column where the digital security training team at Freedom of the Press Foundation answers your burning questions at the intersection of journalism and security. Submit yours here! Let’s jump right into this week’s question.
Dear DST,
I’m a reporter and have picked up a number of security tips from your trainings. I recall a conversation about how security is a “team sport” — that is, protecting oneself also helps to protect others by preventing their information from being leaked. But realistically, I don’t think most of my colleagues will do everything that we might hope they would do. If you had to convince someone who did not feel too invested in learning about digital security, what would you say are the three simplest security steps you’d recommend?
Signed,
Canary in the Coal Mine
Thanks so much for this excellent question, Canary — we hear this a lot. The short answer is to tell them to 1) enable two-factor authentication on all of their accounts; 2) use a password manager like 1Password; and 3) run their software updates. Want to know why? Keep reading below.
Let’s start with two-factor authentication. With about 86% of breaches involving the use of stolen credentials, account security is likely the most common and urgent issue we see facing both organizations and the general public. Two-factor authentication is one of the easiest ways to slow down or stop an attacker in their tracks, even if they already have your password. Most people are familiar with two-factor authentication, or 2FA — the second piece of information required when you log into an account, such as a code sent to your phone — even if they don’t know exactly what it’s called. If you have a bank account, chances are this is required when you log in. For those interested in learning more about 2FA, read our guide. We’d recommend setting this up first on any sensitive accounts you have, but particularly your primary email address, because it’s the one you’d typically use to recover other accounts.
Next, let’s talk about password managers. If you are like me and have hundreds of accounts, it’s hard to memorize more than a few passwords. That’s why people often reuse their passwords on various websites. The problem is this: When we reuse passwords, if that password is ever breached (and unfortunately, this is quite common), an attacker with access to that password will try it on various websites. In effect, it’s not a breach of one website — it’s a breach of countless websites you have access to. Ideally, you want to have a unique password on every website to minimize the impact of a breach, isolating it to just the breached website. Password managers are designed to help solve this problem. While using a password manager is a long-term practice, like brushing your teeth, they’re easy to start using. Just like with 2FA, start by using your password manager to create a randomly generated password for your most sensitive accounts. Later, slowly but surely, try adding more passwords. The password manager makes this much easier to do on all of your devices and browsers. Our guide to choosing a password manager can help.
Finally, picture this: A company’s engineers learn about a vulnerability in their code that is now being exploited in the wild, and they run around with their hair on fire to fix the code and push the safer version out to you. We’ve just described the process behind your software security updates. While the general public might think this is best solved with antivirus software, the expert consensus is that you should lean on software updates, because they contain valuable patches for the vulnerabilities that are constantly being found. Read the story inside your software updates.
If we could only choose three things to start, that’s what we’d pick!
Securely yours,
Martin Shelton