What are you doing about data security?


Magazine, 04.06.2018

The ERGO Risk Report showed that many of the over 3,000 people interviewed in Germany could do more about their data security. But just what? We put this question to our IT security expert Sebastian Spooren.

The ERGO Risk Report is a study carried out across the whole of Germany looking into the risk expertise and personal responsibility of the German people. A representative sample of more than 3,000 people was interviewed about health, security, money, digitalisation and age when this Report was being prepared. The subject of age was the focus of the Report, but one section of the questions was about data security, so we interviewed Sebastian Spooren of the ERGO IT Security Department about the findings of the Report.

Sebastian Spooren, what is your reaction when you hear that only about a third of the people interviewed regularly change their passwords?

Spooren: The frequency with which I should change a password depends on the security requirements of the information protected by the password. If someone attempts to spot my password by looking over my shoulder or steal it using special programs I often know nothing about it, or only when it's too late. If the password is to a newsletter I subscribe to, in my opinion that's not critical. On the other hand if the password to my email account gets into the hands of other people, someone can take over my identity and do a lot of harm using my name. This means that the more my information needs to be protected, the more frequently I should change my password.

As well as changing passwords, I think it is all the more important to have different passwords for different services. But for the sake of convenience many people avoid this. For example, if a criminal gets hold of my access data through a vulnerability in a newsletter service, he can very quickly access my accounts at Amazon or Ebay and place orders in my name.

What criteria should passwords meet to be really secure?

Spooren: As things stand today, to have a good password (or strong password as it's called) I should consider the following criteria:

  • at least 12 characters
  • a combination of upper and lower case letters as well as figures and special characters
  • never use anything as obvious as given names, standard phrases or personal information such as birthdays or company names.

The more I follow these criteria (more characters, expanded range of characters) the more my password is able to resist attacks.

The study showed that 80% of the people surveyed had a virus scanner and 71% had a firewall. Are antivirus programs and personal firewalls adequate? What do you recommend to protect a private computer? 

Spooren: Modern virus systems often contain both an anti-virus program and a personal firewall. But in my opinion relying on these two items is not enough. Firstly, commercial solutions are available as well as these free protection programs. The commercial programs often provide a more extensive range of protection and, for example, can also warn the user of certain types of scams such as fraudulent online banking portals. Secondly, it is essential to upload security updates as soon as they appear. This applies both to updates to the operating system as well as to the applications installed on the computer.

We all use smartphones - everywhere. What must we do so that information on the smartphone is not hacked?

Spooren: Smartphones and tablets are, to a certain extent, pocket-sized computers. Their operating systems are in general designed in such a way that cyber-criminals only have limited possibilities of installing malware. Additional protection such as virus protection solutions from third party manufacturers in the form of an app is normally not necessary. However, it is essential that security updates to the operating system and apps are regularly installed. I more often carry a smartphone rather than a PC with me. This increases the probability that it is stolen or lost. It is therefore particularly important that the device has suitable access protection so that other people cannot access sensitive information. You should therefore make sure that you select a password which is as strong as possible and that the screen automatically freezes after as short a period of inactivity as possible. In addition, modern smartphones offer both encrypted storage of all my information as well as the facility for all content to be automatically deleted after a limited number of unsuccessful attempts to unlock the phone. Settings like these are sensible to protect my data and you should take advantage of them in addition to regular data backups.

Security in WLANs: What's important here? And what should you be careful about when using public WLANs?

Spooren: In an ideal world connections to a WLAN are encrypted so that third parties have no opportunity to look at or manipulate your data. The provider should use the "WPA2" encryption standard and have a password to it which is as strong as possible. If I were to provide a WLAN myself, the WLAN's identifier should allow any conclusions to be made about technical details such as the device's model name, places or other names. In addition, the access to the administrative interface of the WLAN access point should also be protected by a strong password.

Public WLANs can generally be used if you always bear several points in mind. Be aware that:

  • you are not alone in a public WLAN: cyber criminals wait to "catch someone in their net".
  • a smartphone or notebook lacking the latest security updates is potentially vulnerable and can be successfully attacked in a public network.
  • confidential information such as personal data entered in forms should always be transmitted using "https", otherwise it can be easily read by criminals.
  • applications and apps often permanently exchange data in the background. For example, if your emails are downloaded in an unencrypted form it is very easy for an attacker to take over your email account and therefore your digital identity from then on.

By Ursula Lindenberg
