Ensuring Our Safety
Security and privacy go hand in hand, and information security is especially important here. Remember the three components of the CIA triad—confidentiality, integrity and availability—all of which must be maintained both in a business context and by us as private individuals.
We have mentioned that the Norwegian National Security Authority describes ICT security in Norwegian businesses as low—though the awareness of the importance of a robust infrastructure is steadily improving.
Human errors and shortcomings are often exploited by cybercriminals. Therefore, it's crucial that each of us knows what measures we can take to ensure our security. Even though digital security can seem very complicated and overwhelming, there are many relatively simple precautions we can take to limit the amount of data we give away and to better protect our data.
Encryption
rtynpinoce
If you are good at solving anagrams, you can probably see the word “encryption” jumbled here. But what if we tossed every single letter, every character and space on this page into the air, so that they landed back in random order? You would never be able to put it back together. We haven't removed any data at all, all we have done is move it around—and yet it becomes completely useless.
This is basically how encryption works: Data is shuffled and scrambled, and only those who have the secret key can put it back together in the right order. Even if someone else were to obtain your encrypted files, they would not be able to read or alter them—because the data would appear entirely disjointed and meaningless.
Encryption is usually done using a known encryption algorithm and a secret encryption key—data is locked so that it cannot be read by those who do not have the key.
Through encryption and by not sharing the key with unauthorised individuals or computers, you can maintain the confidentiality and integrity of the information.
In some cases, if you fall victim to ransomware for example, encryption is used against you. Although the data is still on your machine, it has become unreadable and useless to you because an outsider has encrypted it, and you lack the key. The attackers will demand a ransom to unlock it.
Therefore, it is beneficial to have a backup of your files in several locations, such as on an external hard drive that is safely stored offline, out of the attacker's reach.
Also, make sure to use HTTPS when browsing the web (the S stands for Secure). HTTPS is HTTP combined with an encryption protocol, which prevents unauthorised access to the data being exchanged. In a web browser you can usually see whether HTTPS is in use by checking for a padlock icon at the left of the address bar. Many browsers can also be set to force HTTPS.
Two forms of encryption: Symmetric and asymmetric
With symmetric encryption, the same key is used to lock and unlock the information. The advantage is that encryption and decryption are fast and efficient. It is used for everything from whole-disk encryption to encrypting individual files such as databases, configuration files and documents. When only a few users who know and trust each other need access to the encrypted data, this works fine.
The challenge comes when keys need to be distributed to different users or between parties who do not necessarily know each other beforehand, for example over the Internet.
In such cases, asymmetric encryption is used. Here, two keys are mathematically related to each other: A public key that encrypts data and a private key for decryption. Information that is encrypted with the public key can only be decrypted with the corresponding private key.
Data obfuscation
A term that may not be as commonly known as encryption, but is still good to know, is data obfuscation.
It refers to replacing sensitive information with data that appears authentic, but is in fact useless for those who are unauthorised. This contrasts with encryption, which makes the data unreadable.
It is also possible to mask information with data of a similar structure. When data is masked, the values are changed, for example by swapping numbers with letters or replacing words.
One can also replace the data with meaningless substitute values, so-called “tokens”, which only authorised users are able to map back to the original data. This is called data tokenization.
The purpose of data obfuscation is to make it possible to share personal and sensitive information without the data being misused by others. In this way, a business can run its processes without exposing itself to risk, for example.
Good password hygiene
You've undoubtedly heard this countless times before, but there's a reason for it. Many people are still too lax when it comes to passwords, which can pose a significant security risk if these bad habits are brought to the workplace. Poor password hygiene makes you an easier target for cybercriminals.
The precautions for good password hygiene are simple:
- Do not use the same password on multiple websites
- Do not use passwords that others can guess
- Do not share passwords with anyone
- Do not store passwords in the browser (use a dedicated password manager instead)
- Use two-factor authentication where possible
Two-factor authentication
In addition to having unique, strong passwords, two-factor authentication (or multi-factor authentication) is one of the most important steps you can take to protect your accounts. This alone will stop most attempts to access your accounts.
This provides an additional level of security for logging in, because in addition to the password you must provide a one-time code. This is usually generated by an external app and is only available for a limited period of time. Sometimes a time-limited code is not used, but you’re required to confirm your identity by other means—say, by confirming the login attempt through an external app.
Use a password manager
Instead of trying to keep track of every single piece of login information, one can consider using a password manager. These are services that generate and store strong passwords securely, where all you have to remember is a single, strong master password to access your vault.
Thus, you can create unique passwords for each website, and many password managers offer additional security features—such as alerts about data breaches at places where you have an account, prompts for passwords you’ve reused, and support for handling two-factor codes.
Remember that when you reuse passwords and one of them is compromised—for example when a website is hacked and all its usernames and passwords end up for sale on the black market, which is known to happen—that single leaked password can open many other doors beyond the website that was hacked.
Many websites offer built-in “Remember Password” functionality. While this is a form of password manager, the passwords here are not necessarily sufficiently secured. Others who use the same machine may be able to see or use the stored passwords. And if you're unfortunate enough to get a virus or other types of malware on your computer, there's a chance the malware will gain access to the passwords.
Use a VPN
A VPN (Virtual Private Network) is a solution that encrypts your data traffic between your own device and the Internet. Imagine that you have a secret tunnel from where you live to various remote locations, so that you can appear practically anywhere without anyone seeing you leave your home. This would let you go to the ATM or go shopping without anyone being able to shadow you, peek at your PIN over your shoulder or spy on your purchases.
Similarly, a VPN service will create an encrypted “tunnel” from your device to the Internet, so that other people on the same network cannot intercept the traffic and, for example, snoop on what you type on your keyboard. VPN encryption then comes in addition to other encryption that has been mentioned before, for example HTTPS.
A VPN provides an extra layer of protection and may be particularly relevant when you are using an open network where you do not have control over which other devices and users are also on the network. An important prerequisite for safe use of VPN is that you know you can trust the VPN provider, for example a VPN service provided by your company.
Security measures checklist
Here are some crucial measures you can take to protect yourself from data breaches and misuse of your accounts. Some of these things may be managed by an IT department at your place of work. Nonetheless, this is important to know both as an employee and as a private individual.