We all leave a trail of digital breadcrumbs from our adventures in the online world. They might seem harmless, but these breadcrumbs can lead others to a digital treasure trove of your personal information.
The websites you visit should respect your privacy and security – but that’s often not the case. That means it’s up to you, the individual, to take steps to cover your digital tracks.
So what should we be doing? Theresa Payton, the first female White House Chief Information Officer and CEO of security consulting company Fortalice Solutions, has a few ideas. She joined Matt Davey on the Random but Memorable podcast to share some simple, practical, and fast steps you can take to minimize your digital footprint.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Matt Davey: Could you explain what a digital footprint is and why individuals should be aware of their online presence?
Theresa Payton: A digital footprint is like a trail of fairy dust that’s left behind as we’re dancing barefoot through the online world. It’s an absolute record of our daily digital adventures. Everything we do, post, interact with. Maybe you aren’t active online but chances are the people around you are. These records of our daily digital adventures are real footprints. They’re just in the digital realm.
I highly recommend that each of us really mind our digital steps. You want to leave a positive impression in the digital wonderland but at the same time, you have to safeguard your own privacy and security.
MD: What are some practical steps people can take to minimize their digital footprint and maintain a higher level of privacy?
TP: I’ve boiled this down so you can be nearly unhackable in five steps that take 15 minutes or less.
1. Change all of your passwords to your online accounts.
There are some free services, like LeakPeek and Have I Been Pwned, where you can type in all the different email accounts you use and see if they’ve been in past breaches. Consider using a secure password manager to manage your passwords. We’ve standardized my company on 1Password – I wasn’t asked to say this but it’s a great product!
2. Implement multi-factor authentication (MFA) on all online accounts.
There’s a type of attack called credential stuffing. A study done by Security Boulevard found MFA actually blocks almost 90% or more of the password credential stuffing attacks.
3. Deactivate any dormant and inactive online accounts.
If you’re not sure [what accounts of yours are out there], try doing a search that includes your name and the name of different social media platforms [e.g. “Theresa Facebook”]. You can also do a free search on your name on Spokeo and similar sites. It’ll tell you whether or not it thinks there are some social media accounts you’ve forgotten about.
4. Do a simple digital footprint assessment of yourself for free, or hire a firm.
This is something we do for organizations and individuals but you could do this for free yourself. Pick three of your favorite search engines and search different variations of your name. That can give you a really good assessment.
5. Consider using single-use business domains for things like mergers and acquisitions, trade secrets, money movement, and in your personal life use single-use emails.
With Google Voice you can get Talkatone and forward calls from your burner number to your real cell phone or email address. That way you’re not handing out your most important email address – the one that’s attached to your most important parts of your life. Or your cell phone number, which is used for MFA.
MD: What do you think are the common pitfalls that are associated with normal social media usage? And are there any steps we can take to safeguard the personal information we’re sharing online?
TP: Before embarking on any of your online escapades or posting something, ask yourself this: “Would I be embarrassed if my beloved grandmother was looking over my shoulder and saw what I was about to post?” If so, don’t post it.
Then on the other shoulder, I’ve got this ominous figure who’s got nefarious intentions. Could they exploit what I’m about to post to hurt me digitally or physically, or the people that I care about? If the answer is yes, don’t post even if you think it’s an encrypted platform and things are going to be deleted.
You should also take advantage of privacy settings.
“You need to opt-in to the privacy that you want.”
They have you for sale. These services are all free so they need to monetize you [to make money]. If you want privacy and confidentiality, you must constantly double check those privacy settings and make sure they’re set at the level that you’re happy with.
MD: How do you envision the future of digital footprints, especially in the wake of things like AI?
TP: I’m concerned that when quantum computing is here and matched with generative AI (AI for algorithms) passwords will be unlocked at a pace and scale we’ve never seen before.
“A lot of people don’t realize an encrypted password is nothing but a big old math problem.”
The reason why it’s hard to decrypt something is because you have to work out a math problem to undo the lock to the password. My concern with the advent of quantum computing, big data analytics, AI algorithms, and generative AI, is that someone with very little technical know-how can now figure out how to crack the math problem.
Having said all of that, we’re not doomed. We know what’s coming. We have tools that help us take back control. If you implement my five steps that take about 15 minutes or less to do to be nearly unhackable, it does empower you to stand against what is going to be coming at us next.
MD: What do you feel needs to be done in terms of regulation?
TP: Here are three things I would love to see happen:
1. Create international accords and collaborative frameworks.
We need to get government leaders, countries, academia and industry stakeholders together to create more adaptable regulatory frameworks. If we keep waiting for each country to do it on our own, we’re never going to get there.
2. Develop ethical guidelines.
These ethical guidelines need to be clear, comprehensive, and written in people speak, not legal speak, so that you and I know what we’re opting into, what we’re opting out of.
It needs to be done by industry. For example, healthcare may have its own set of ethical guidelines. I would love to see it say for generative AI at this point in time, based on the technology, we will leverage generative AI for transcription services, but we will always have a human being double check the transcription to make sure that patient care is always put first.
We need these ethical guidelines so that each industry can leverage the power of this transformation technology, but do it in a way that takes care of you and me in the process.
3. Keep it dynamic and fresh.
As technology advances and gets enhanced, we have to have continuous assessment and governance. We need to have these international courts and collaborations with these industry-based ethical guidelines written in human speak, not legal speak. We have to have this continuous assessment and governance of how the technologies are going. Are the frameworks keeping up, and do they have some type of a maker-checker rule? Is there some type of governance that says, “You told us you were going to do this, are you really doing this?”
“Why aren’t we incentivizing responsible innovation? We really need to encourage the industry to prioritize these responsible and ethical AI practices.”
MD: What were your key learnings from operating at the highest of levels in the White House that you learned from
TP: It always comes down to the human user story.
Everybody wants to do a great job. When you understand the human user story you understand where technology gets in the way of them getting their job done. And where security is actually a blockade that they have to go around in that moment to get the job done. That’s really where they enter the danger zone.
“Chances are the safety nets and security nets that you think are in place are going to be completely bypassed on the path to trying to get their job done for you.”
It’s a failure on us, the security industry and the technology industry, not the user. We have something wrong in our design and algorithms. We clearly didn’t understand the human user story and because we didn’t understand it, we didn’t design for the human. And you know who really does understand the human user story, and this is why they win sometimes? Cyber criminals.
MD: Where can people go to find out more about you, Fortalice, or any of your training courses?
TP: People can always reach out to me on LinkedIn. We do have a website with an experts blog where people on our team share their knowledge.