Personal Information Security For Business Leaders - Part 1
- Susan Sons
- Nov 12
- 6 min read

If you are a smart executive, your organization has solid cybersecurity talent making sure your systems, data, and operations keep running safely, and that your own technology doesn’t get turned against you. The risk to small and medium enterprises (SMEs) in particular has been rising lately. AI has made once labor-intensive attacks cheap and repeatable, and as federal agencies and big multinationals shore up their defenses, SMEs are becoming targets of choice.
Executives’ personal information, accounts, and technology provide a lucrative and often overlooked target. Without a professional IT and cybersecurity staff to mind them, one’s personal things are an easy point of entry, whether an adversary is after simple profit or a foothold in the executive’s organization. If you want to preserve your family’s financial security, and avoid being your company’s weak link, these easy steps will get you well on your way. There are 16 of them in all, split across two lessons to make the advice easy to adopt.
Lock your credit reports, and those of family members.
Identity theft is a danger for everyone today, but more so for business leaders. Your position can let attackers guess that you have assets. You likely have excellent credit. Cleaning up an incident of identity theft would be hard on you and your family, but it could also negatively impact your company’s credit, as well as any clearances needed for government contracts.
Locking (freezing) your reports with the three credit bureaus – Equifax, Experian, and TransUnion – stops lenders from pulling your report, which prevents anyone from opening new credit accounts in your name. When you’re ready to refinance your house or change banks, go online and unlock the report for only as long as it’s needed. Go a step further, and do the same for each of your children. Children are especially vulnerable to identity theft, because they aren’t applying for jobs or opening credit accounts themselves, so nobody is looking at their reports. Identity thieves know they have a few years in most cases before their activity would be noticed.
Bank and receive bills digitally, avoid checks.
Your financial life’s weakest link is often at the mailbox. Pinching a bill or a bank statement requires much less sophistication than attacking an encrypted system. By switching to online billing for every bill, and using online payments rather than paper checks, you remove a large attack surface. We’ll all give in to the paper check from time to time: that niece’s PTA fundraiser where they haven’t learned to take card payments, or mailing some graduation money to your nephew. Those occasions don’t come up nearly as often as your water bill, though, so you’ve still made yourself safer by greatly reducing the number of checks in circulation.
Use a password manager.
As the number of online accounts we each have grows, it becomes tempting to use weak passwords or to re-use the same password for more than one account. A good password manager makes it easier for you to log in by securely storing your passwords and, in most cases, entering them for you, too. You can use it to generate random, strong passwords, and to confirm you are entering them on the right site rather than an imposter: it will only offer to fill a password on the domain it was saved for, so a look-alike phishing page gets nothing. I use 1Password, but Bitwarden also has a good reputation. If you use Apple products, Apple Keychain is built in.
An additional up-side of a password manager is that many offer family accounts with the ability to securely share credentials. For those of us managing our own affairs, our businesses, and assisting college-age children or family elders at once, this can make everything a little easier.
Use MFA across all valuable accounts.
Multi-factor authentication – logging in requires both your password and something else, such as a time-based code from your phone, a Yubikey, or a prompt from an app – raises the bar for breaking into your accounts. I use this wherever I can, especially on any account that touches money, health information, communications, or my reputation.
Text-message codes are the least secure MFA method, since they can be intercepted or redirected to an attacker’s phone through a SIM swap, but they are still better than nothing. Email codes are a step up from that. An app prompt or TOTP (those numerical codes that change every 30 seconds) is next-best. Top of the line is FIDO2, the protocol used by hardware tokens such as a Yubikey. This is the most secure option for two reasons: the key isn’t a file stored on your phone or computer, it’s sealed inside a physical device and cannot be copied, and the device signs a login only for the website you are actually on, so a look-alike phishing site cannot reuse it. When it’s time to authenticate, just plug the key into a USB port (or tap it to your phone, on NFC-capable models) and touch the contact.
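The two claims above (that TOTP codes change every 30 seconds, and that a FIDO2 key resists a phishing site where a code does not) can be shown in a few lines. The following is an added example, not code from the original post or from Stoic Cybersecurity: the TOTP function follows RFC 6238 exactly and reproduces its published test vector, while the FIDO2 part is a deliberately simplified model of WebAuthn’s origin and RP ID binding, with HMAC standing in for the authenticator’s public-key signature. All secrets, domain names and challenge values are constructed for the demo.

```python
"""Added example (not part of the original post): why TOTP codes rotate every
30 seconds and why a FIDO2 login survives a real-time phishing relay that a
TOTP code does not. Secrets, origins and challenge values are constructed
for the demo; the FIDO2 part is a simplified model of WebAuthn, with HMAC
standing in for the authenticator's public-key signature."""
import hashlib
import hmac
import json
import struct
import time
from typing import Optional

TOTP_STEP = 30  # RFC 6238 default time step: the code changes every 30 seconds


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then the RFC 4226
    dynamic truncation to a fixed number of decimal digits."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def fido_assert(key: bytes, rp_id: str, origin: str, challenge: bytes) -> dict:
    """What the authenticator signs (simplified from WebAuthn): the hash of the
    RP ID it was asked for, plus the hash of the client data, which records the
    page origin and the server's challenge."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin},
                             sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, to_sign, hashlib.sha256).digest()  # stand-in for an EC signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def browser_webauthn(key: bytes, page_origin: str, challenge: bytes) -> dict:
    """The browser, not the web page, fixes the RP ID (the page's own host) and
    writes the true origin into the client data. A look-alike domain cannot ask
    the key to sign for the bank's RP ID."""
    host = page_origin.split("://", 1)[1]
    return fido_assert(key, host, page_origin, challenge)


def rp_verify(key: bytes, rp_id: str, origin: str, challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks modelled on WebAuthn section 7.2: challenge and
    origin in the client data are ours, rpIdHash is ours, and the signature
    covers both."""
    client = json.loads(assertion["client_data"])
    if client["challenge"] != challenge.hex() or client["origin"] != origin:
        return False
    if assertion["auth_data"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def phishing_relay_demo(now: Optional[int] = None) -> dict:
    """An attacker proxies the bank's login page from a look-alike domain and
    forwards whatever the victim submits to the real bank in real time."""
    bank_origin, phish_origin = "https://bank.example", "https://bank-login.example"
    totp_secret = b"constructed-demo-totp-secret"   # constructed for the demo
    fido_key = b"constructed-demo-private-key"      # constructed for the demo
    now = int(time.time()) if now is None else now

    # TOTP: the code is just six digits; relaying it within the window is enough.
    victim_code = totp(totp_secret, now)                      # typed into the phishing page
    totp_relayed_ok = hmac.compare_digest(victim_code, totp(totp_secret, now))  # bank's check passes

    # FIDO2: the bank's challenge is forwarded to the victim, but the browser
    # signs it for the phishing origin, so the bank rejects the assertion...
    challenge = hashlib.sha256(b"constructed-bank-challenge").digest()
    phished = browser_webauthn(fido_key, phish_origin, challenge)
    fido_relayed_ok = rp_verify(fido_key, "bank.example", bank_origin, challenge, phished)

    # ...while the same key used on the bank's own page verifies fine.
    genuine = browser_webauthn(fido_key, bank_origin, challenge)
    fido_genuine_ok = rp_verify(fido_key, "bank.example", bank_origin, challenge, genuine)
    return {"totp_relayed_ok": totp_relayed_ok,
            "fido_relayed_ok": fido_relayed_ok,
            "fido_genuine_ok": fido_genuine_ok}


if __name__ == "__main__":
    print(totp(b"12345678901234567890", 59))   # RFC 6238 test vector: 287082
    print(phishing_relay_demo())
```

The TOTP secret and timestamps in the `__main__` block are the RFC 6238 Appendix B vectors, so you can confirm the function against the published values; every other secret, origin and challenge is made up for the demo. The relay demo is the whole argument in one place: a six-digit code carries no information about where it was typed, so a proxy that forwards it inside the 30-second window wins, while a FIDO2 assertion carries the browser’s real origin and RP ID and fails the bank’s check the moment it was signed on the wrong domain.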
Minimize contact between work and personal devices and accounts.
Your business is managing risks across its IT infrastructure. When you connect something from outside that infrastructure, you add risks that your IT department doesn’t know about and can’t manage: risks to yourself and to the business. For example, the breach that rocked LastPass, detailed in early 2023, happened because an attacker got into an engineer’s home computer through the media-streaming software he ran on it and captured his work credentials from there. Much of the tech in our personal worlds was simply not designed to protect what matters most to your organization. On the flip side, I know cybersecurity analysts who have been horrified to find that the monitoring systems they operate have picked up personal health information from executives who used their work computers for personal business such as logging into an electronic medical records system and downloading test results. Do you really want the night security analyst to get your STI screening results or your pregnancy test by accident?
There are cases that cross over. I read the news on both work and personal machines, so those credentials (which are not tied to my corporate SSO or other valuable logins) show up on both work and personal machines. It’s a newspaper I read, not a system with important personal or business data on it, so low risk. Some companies allow corporate email and calendars to be accessed from personal devices, and some do not. Talk to your cybersecurity department about the decisions made here and the controls in place.
Your personal laptop and phone should be one-user devices; consider a separate gaming device.
We’ve all heard the plea of a kid who wants to use mom’s or dad’s computer. If you are a business owner or executive, you can afford to get them their own. When you share your laptop or your phone, you don’t really know what’s installed on it. One executive I know had his personal bank accounts drained because his middle schooler had downloaded a game mod (modification file) that came with a data-exfiltrating bit of malware. Attempts were made against his business accounts as well, but those were fortunately protected by FIDO-based MFA.
I go a step further and keep a “toy” computer that’s separate from my main laptop. (Andrew’s note: Games like Roblox and Minecraft have huge hacker communities who target players) I use my business laptop for Stoic Cybersecurity work, but my primary personal laptop is full of banking and tax information, data regarding family members’ small businesses which I help with, health information, and information related to the nonprofits I serve. Video games and dodgy software live on a third laptop, which I readily share with my nieces and nephew, and just don’t worry about because it’s not touching anything critical.
Use location sharing with caution.
A favorite opening move in social-engineering tests against a business is to figure out which executive is away and impersonate them, because nobody can check with the real person. If Strava is publishing your runs, if you’re posting vacation plans, stories, or photos to social media before you return home, or if your family is posting them, you make it easy for attackers to know how and when to exploit your absence.
Message safely.
American telecommunications companies have been under ongoing attacks by a range of players, including China’s prolific Salt Typhoon group. We’ve long known that unencrypted communications weren’t private or safe from impersonation attempts, but now we must consider anything visible to a telecommunications provider – i.e. all texts and telephone calls – as compromised. That includes RCS, whose end-to-end encryption only works between certain apps and is not guaranteed across carriers and platforms. Never use email for confidential information.
Set up the Signal app for end-to-end encrypted texts and voice calls. Encourage your loved ones and colleagues to do the same. Even when the communications seem inconsequential, AI makes what used to be a fine art – profiling an individual or family based on countless tiny bits of information – cheap and accessible.
Now you’ve got eight steps. Get started today, and keep an eye out for Part 2 of Personal Information Security for Business Leaders here on the Stoic Cybersecurity blog, coming soon with steps 9-16.