We asked our IT experts to help answer 10 questions posed by the National Cyber Security Alliance, suggesting ways that both organizations and individuals can participate in a “digital spring cleaning.” Although these questions are focused on the spring season, our tips can be used year-round to ensure that you’re practicing safe methods to protect your identity and your organization.
- Why is it important to clean up your information and devices regularly and what can a digital spring cleaning do for you and your organization’s identity and online presence?
A digital spring cleaning has many potential benefits for you and your organization, including:
- Former credentials that are unused but contain potentially sensitive data (e.g., account numbers or check scans) can be deleted, purging their contents from memory and keeping them out of the hands of potential malicious actors.
- Archiving old emails, social media posts, and other old digital information off your device(s) frees up additional memory so applications can run faster.
- Archiving old posts on your personal or corporate social media page can bring a fresh look to your brand and maintain its focus.
- What are the potential consequences of having sensitive data and devices compromised – especially during this tax season?
User credentials to online tax completion sites (think TurboTax) are in high demand, and with them, malicious actors could impersonate legitimate users and redirect refunds to their own bank accounts. Alternatively, they could fraudulently state a much higher income than the user really makes, sticking them with a large amount to pay to the federal or state government. To prevent this from happening, keep credentials for those sites in a secured space (in your head, or in a digital password vault), and don’t share them widely.
- What are the top online scams to look out for at this time of year?
The IRS’ tax time scams website has great descriptions of common, insidious scams people have fallen prey to over the years. Review this list so that you don’t fall victim to some of these widely used tricks.
- What are your top tips for securing online accounts?
Online accounts can be secured in a number of ways:
- Sign into your online accounts using only devices you trust – and on networks you trust – and tell others to do the same. It’s difficult to tell if a friend’s phone or laptop is potentially compromised, so why risk your important personal or business data to theft or misuse?
- Many large service vendors (e.g., well-known banks, social media sites, and email providers) now offer multi-factor authentication (MFA) as part of their login procedure. Enabling MFA through text messages, tokens, one-time passwords, or callbacks means the bad actors have a much lower chance of grabbing your data/funds or impersonating you.
- Make sure websites where you store sensitive information are appropriately encrypting their traffic in transit between their server and your browser. You can usually tell if encryption is enabled and properly functioning when the first letters of the address read https:// in green-colored text.
- If you’re really worried about how your data is protected while on their server, call their customer support/tech support line and ask if the data you’re concerned with is encrypted at rest.
- If you receive an email or a call from an institution that you do business with, in which someone says they’re with a “company tech support team” and asks for a password, account number, PIN, or other credentials to one of your accounts to “protect your computer” or fix some other scary-sounding issue, DO NOT give this information away. Forward the email to the Federal Trade Commission’s Spam Box at firstname.lastname@example.org, contact your IT team with details of the email, and ask your team for additional guidance. Don’t be a statistic.
- What should individuals and businesses do to declutter their mobile devices and protect their tax-related mobile info?
Decluttering is a difficult but necessary task when it comes to data at home or at work, and in paper or digital forms. Digital tax-time protection and decluttering can take a few forms:
- For all mobile devices, make sure your device is encrypted at rest (most phones running a recent operating system are covered here). This will ensure that if your phone is stolen, the thief can’t take any tax information directly off your device without knowing your password, using your fingerprints, or otherwise getting your help to open it up. Also, remove apps and services you don’t need from your phone, as this will have the double effect of making your phone run a bit faster and removing some potential vectors for malicious actors to exploit.
- If you’re in a regulated industry, don’t keep paper assets around longer than policy dictates, and then archive, digitize, or otherwise securely dispose of them as required, making sure a proper chain of custody is maintained.
- For SMBs/non-regulated industries, talk with the person(s) responsible for finance or accounting about any policies for paperwork maintenance or disposal and follow them.
- For home decluttering, use your best judgment. Do you really need 10 years of receipts to itemize your deductions?
- What tips do you have for securely disposing of old messages, files and digital devices?
Total data deletion is tough with today’s cloud. “Secure, delete, or wipe” is the term, and it should always be used for local resources. This is a good how-to for wiping a hard drive: https://www.lifewire.com/how-to-wipe-a-hard-drive-2624527
- What about social media? What tips do you have for completing a thorough social media scrub?
This requires searching for the “really, really delete my data” options. Google has it, but Facebook may not. Think of social media as standing on a street corner and telling everyone who passes by your personal life story in detail. In other words, think twice before choosing to post something that contains potentially sensitive data or information that could be leveraged against you.
- What should everyone keep in mind when filing taxes or dealing with other sensitive digital info online or over WiFi networks?
Never accept third-party links; instead, work directly with your institutions. Phishing scams are becoming incredibly detailed and sophisticated, requiring us to be vigilant about what we accept or click on. Be sure to only use reputable software, and never use public WiFi, since you don’t know who else is on the network or whether they’re using it to access your device.
- What should someone do if they think their identity has been compromised?
The first step is to carefully review your credit report, purchases, and charges for anything that looks abnormal. If you determine that something isn’t right, consider placing a freeze or fraud alert on your credit report. This resource provides information to “help you report and recover from identity theft”: https://identitytheft.gov/
- What resources do you recommend for learning more about digital spring cleaning and secure device/data disposal?
A good place to start is the Department of Homeland Security: https://www.dhs.gov/stopthinkconnect. Additionally, many office suppliers shred documents for free, and some offer device shredding as well. For items that can be recycled, search for secure recycling organizations. Businesses should invest in a paid destruction service with a chain-of-custody guarantee to ensure proper disposal.