For many of us, the first week of a new year is an opportunity to reset our lives. We perform brain dumps, create goals, and adopt new habits. We resolve to exercise more and eat less, or improve our health through yoga or meditation. We might even decide it’s the year to seek different employment, get married, have children, or adopt a rescue dog or cat.
The new year is also a perfect time to perform a cybersecurity reset at home. That’s why, as we welcome 2021, I’ve decided to start the year with a two-part series. This week I’ll discuss device and account security and provide a checklist you can use or share with your family and friends. Next week, I’ll turn my attention to data.
Start your cybersecurity reset by taking an inventory. Identify your devices and then consider:
- Their age
- Whether their firmware is up-to-date or can be updated
- Whether you still use the device(s)
- Whether the device(s) contain data
Generally speaking, routers have an average lifespan of five years, while computers will last three to five years. The average lifespan for smartphones ranges from 18 months to about 2.5 years.
That doesn’t mean some devices, like a well-maintained laptop or tablet, won’t last longer. I still have my first Samsung tablet and it boots. Officially, it’s pushing almost ten years old. However, following the logic of just because you can doesn’t mean you should, the days of connecting that tablet to the Internet ended years ago.
Devices that can no longer be updated, have known security vulnerabilities, are no longer supported by manufacturers, or are broken or no longer used, should be discarded, recycled, or replaced. Don’t forget to also consider Internet of Things (IoT) devices. Do you have any devices from Amazon, Roku, Ring, or anything similar? What about game consoles or wearables? Take care to not limit your inventory to computing devices since any device that connects to the Internet has the potential to be exploited if it isn’t able to be properly configured or maintained.
Before discarding or recycling any devices, you will want to ensure they don’t contain any of your data. Watch for more on how to properly prep a device for disposal or recycling when I discuss data next week.
Next, consider the accounts that you have for email, online merchants, social media, and other services, such as subscriptions. Then, answer the questions below:
- When did you last log into the account?
- Are you still using the account? If not, do you plan to use it in the next six months?
- Is the password on the account “strong”?
- Are you using two-factor (2FA) or multi-factor authentication (MFA) to access the account?
- If the account is accessed via a password, does the website or vendor offer the option for adding another means of authentication?
As part of your cybersecurity reset, close accounts that you no longer use or don’t plan to use in the near future. Also, consider closing accounts that don’t support 2FA or MFA. Lastly, reset passwords that aren’t at least 12 characters long and are used to access more than one account. Ideally, passwords should be 16 or more characters long, and even longer for privileged accounts, like those accessing protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA). And, of course, passwords should be kept in a secure location.
Keep in mind that accounts you haven’t accessed in a while may no longer be accessible with the credentials you have on file. When organizations update their information systems, sometimes old data isn’t migrated. That doesn’t mean you should assume old accounts simply “go away.” If you really want to be sure an account is closed – either because you no longer use it or you can’t access it – I recommend contacting the company, website, or organization for confirmation, especially if the account involves a subscription service that auto-renews.
If one or more of the accounts you want to close is for email, don’t forget that other accounts, especially those created years ago, may use that email address as a username. If you close an email account, you may lose access to recovery options for other accounts. While some vendors will allow you to create new accounts, doing so may mean you lose access to data, like order histories, that you may need in the future. Many companies are unable or reluctant to migrate account data.
Next Week: New Year’s Security Checkup (Part II)
2021 Security Checklist
To verify the integrity of the 2021 Security Checklist, use a hash generator to create a SHA256 hash value. Then, compare the value that you generated to the one here. If the hash values match, then the file that you downloaded has not been altered from the original.
On a Windows 10 PC, you can use PowerShell to obtain the hash value. Open PowerShell and then type the command below.
get-filehash C:\Users\yourusername\downloads\2021SecurityChecklist_Device_Account.pdf
where yourusername is the username that you use on your PC. Then hit Enter. Please note there is a space after get-filehash and that the example above is using the default location for downloads. If you downloaded the file to a different location, you need to use the file path for that location.
Hash Value
SHA256 af4e17cdae57d584dfbda27344f3428e76cbde41cb87bfae9a8b46a35901f6fe
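The comparison described above can be scripted so the two values are not checked by eye. This is an added example, not part of the original post; the function name `Test-FileSha256` is hypothetical, and the path assumes the default Downloads folder.

```powershell
# Added example: compare the downloaded checklist's SHA256 to the published value.
# Assumption: the file is in the default Downloads folder; adjust $path otherwise.
$path = Join-Path $env:USERPROFILE 'Downloads\2021SecurityChecklist_Device_Account.pdf'

# Published value, copied from the "Hash Value" section of this page.
$expected = 'af4e17cdae57d584dfbda27344f3428e76cbde41cb87bfae9a8b46a35901f6fe'

# Test-FileSha256 is a hypothetical helper name used only for this example.
function Test-FileSha256 {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Strip whitespace that may be picked up when copying the value from a web page.
    $want = ($Expected -replace '\s', '').ToLowerInvariant()
    if ($want -notmatch '^[0-9a-f]{64}$') {
        throw 'Expected value is not a 64-character SHA256 hex string.'
    }

    # Get-FileHash returns upper-case hex; normalise before comparing.
    $got = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()

    [pscustomobject]@{
        Path     = $Path
        Expected = $want
        Actual   = $got
        Match    = ($got -eq $want)
    }
}

$result = Test-FileSha256 -Path $path -Expected $expected
$result | Format-List

if (-not $result.Match) {
    Write-Warning 'Hash mismatch: do not open the file; download it again from the original page.'
}
```

A `Match` value of `True` means the file on disk produces the same SHA256 value as the one published here.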