How to Protect Your Information and Accounts

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

🚀 As explained by Erica

Now it’s time to secure the rest of the accounts on your list. You will want to:

  1. Re-save passwords and enable 2FA. Reset and save passwords into your password manager, and enable 2FA.

  2. Delete old accounts. Delete and remove data from any accounts you no longer need or use.

  3. Be deliberate about privacy settings. Restrict and balance what data others can see by configuring privacy settings.

  4. Securely manage passwords on shared accounts. Use a password manager to share passwords on accounts shared by a team.

Step 1: Re-Save Passwords and Enable Two-Factor Authentication

After resetting and re-saving our email account passwords into a password manager, the same needs to be done for these other accounts. I will admit that I have previously created poor, easy-to-remember passwords just to see what the service is like, only to later forget to reset the password when I started to load my data into the service. Now is a great time to reset those passwords to new, unique ones and re-save them into your password manager. Again, don’t worry too much about being able to manually type out these passwords, as your password manager can often generate and plug them in when needed.

For 2FA, you can be a bit more loose depending on the data being stored within the account, compared to how we selected the method used for your email. Some of these accounts won’t give many options, and you might be stuck with just SMS. You might also find yourself with a service that doesn’t give any option at all. This is where you need to balance out the data kept in that service with the risk it carries.

The best way to do this is to think about the data inside the account, and weigh up what would happen if it were leaked to others, or if the account were used to cause harm to others. For example, an email marketing campaign account might have limited data stored inside, mostly business names and email addresses that are already quite public. However, an attacker can use your campaign account to craft scam emails and send them to your contacts, breaking trust and causing harm. These types of accounts need to be protected with 2FA, and any second factor is better than none.

If you have accounts on your list that have sensitive data or the potential for harm, and don’t offer a two-factor option, then it is time to look for a competitor that does. A great website to find alternatives is 2FA Directory. It is an open-source, managed list of different websites that do and do not provide 2FA.

Step 2: Delete Old Accounts

It is 2 a.m., do you know where your data is? Probably not, because even I struggle with tracking all the websites and accounts I have signed up for. You need an account to use most websites, and my password manager is starting to look as thick as a phone book.

On your list, you might have been forced to think about accounts that you have forgotten about. If you no longer use an account or social profile—delete it. Although you can’t guarantee 100% removal of your information, it is the one small action you can take to try and limit the data sprawl and information footprint you have online. If that account provider has a breach and accounts are accessed, you have done as much as you can to reduce your personal risk. A lot of us don’t have the time and energy to track down all these accounts that have been long forgotten. Heck, I forgot I even used LiveJournal until I was notified about a recent security breach. Wherever there is a time-consuming process, there is a company out there providing that process as a service. Services like DeleteMe are great for those of us who need an extra hand in finding which accounts we might still have out there, and an extra hand in getting them shut down.


This also applies to all those Software-as-a-Service (SaaS) accounts you signed up for as a free trial (to vet it for use in your business), uploaded some data to play around with, and then abandoned when you moved on to something else. We will dive into a bit more detail around picking the right SaaS tools for your business later. For now, being conscious of the accounts you create and the data you store in them is what you need to do. If any of that data has value, it needs to be protected with a unique, long password and 2FA.

Step 3: Be Deliberate With Privacy Settings

Being the key business ambassador, you want to be visible. You want to shout to the rooftops about all the amazing things you are doing and accomplishing, in hopes it gets picked up, goes viral, and causes business to boom.

But every public profile, tweet, post, blog, and even list of connections and people you know can be used against you too. While this book is focused on security, privacy and security often go hand in hand and we would be silly to not mention it.

The passive and active information we share on social media can be used by others to start to put together the pieces of an attack. While you are unlikely at this point to have an attacker that seeks you out, there are still some easy and automated attacks that you could fall for.

Danger: If your social accounts have relaxed privacy settings, and you tend to be loud about the customers and partners you work with, an attacker can scrape that data and use it as an easy impersonation point. It is common for attackers to scan through social media accounts and create fake profiles that mirror real ones, then attempt to message you with strange requests. By keeping lists like these private, we prevent ourselves from falling for some of these low-effort attacks.

Finding the right balance will always depend on the public brand you are trying to promote. For me, it means having all my personal social profiles locked down as far as they can go. For business social profiles, I lock down my connections and historical information unless we are contacts. I am also pretty mean and reject most connection requests unless I have met someone in person and it is the right platform to be connecting with them on. Everyone else can always find me on my business blog and business email. This balance will look different for everyone, and you shouldn’t feel like you are missing out on important brand opportunities by protecting your information. The right people will go through the right channels to reach out; anyone else should be judged with some healthy skepticism.

Step 4: Securely Manage Passwords on Shared Accounts

One of the more helpful features of password managers is the ability to share passwords with teams. It is an inevitable part of running a business with digital accounts. Some accounts only allow you to have one user, such as Twitter, and you might need a hand in managing the account. Or you might need to share accounts to manage account costs.

For example, if there is an online account you use for creating digital content like banners and images for sharing on social media, you might get help from a few people on the team to get these made, and they never have to use the account at the same time. However, the cost to have an account per user could be way out of the budget if you run a small team and business. Just because your business chooses to share a single account doesn’t mean the security of that account has to go out the door. Setting a unique password in a password manager, and sharing it within your password manager with others on the team, is a great way to keep the account safe.

Danger: On a team, shared passwords lead to the temptation to send or save them insecurely by chat, email, or in shared documents. Instead, insist everyone on the team use the password manager and share passwords that way.

Confusion: When you go down this path, checking the terms of the account that you are looking to share is important. Sharing accounts of course reduces revenue for the software company, so most of them are not keen on people doing it. Software companies explain (though it is often clear as mud) their rules around sharing accounts in their terms of service.

What I Do to Secure My Accounts

What I do to protect my information and accounts will look similar to what you’ll be doing:

  • For every account I create, I have my password manager auto-generate and store the password for me using password manager browser plugins. If I find myself creating a password without it, I pick five random words and string them together so I can easily remember how to store it later.

  • Before I start putting more data into these accounts, I enable 2FA. I aim to always do push notifications or one-time passwords where I can, and settle for SMS where I can’t use any other options. A good example here is Twitter, which only updated their two-factor options in 2019.

  • I often hear about password breaches at websites and online services via social media or email, and I respond quickly with a password reset. Since I work in security, my news and Twitter feed are littered with news like this. This news can also come via email, but I often do a quick check to make sure that email is legitimate before acting on it, in case it is just a phishing email in disguise. I do this by going directly to the account’s website myself, and checking if there is any news about a breach.

Adding People Means Adding Risk

🚀 As explained by Erica

Confusion: Not sure if you’re a small business or a startup? Check out our guide in the introduction.

The speed of adoption of technology that helps us sell more things (from point-of-sale systems to websites) has always been faster than the adoption of technology that protects our systems, data, and selves. The gap makes sense. There are a lot of small businesses—the local brick-and-mortar shops, the online shops run out of houses or small offices, the side hustles run on established e-commerce websites like Etsy. And when you think about security, you recall the bad news about that big corporate or global enterprise that got hacked. You don’t often think about those small businesses getting hit.
