Dec 30 2015

What’s the deal with LifeLock?

I often get questions from friends and family about LifeLock, an identity theft protection service – what it’s all about, whether I use it (I don’t), how effective the LifeLock services are, etc. Ironically, about a week and a half ago, LifeLock agreed to pay $100 million (see here) for allegedly breaching a FTC order by:

  • “Failing to establish and maintain a comprehensive security program to protect its customers’ sensitive personal information, including Credit Card, Social Security, and bank account numbers;
  • Falsely advertising that it protected its customers’ data using the same high-level safeguards as financial institutions;
  • Falsely advertising that it would send alerts “as soon as” it received any indication that a consumer may be a victim of identity theft; and
  • Failing to meet the 2010 order’s record keeping requirements” (this isn’t the first time LifeLock has run into trouble with the FTC).
Despite this negative press about one of the industry’s most notable organizations, it’s still worth checking out the variety of other identity theft protection services available in the marketplace, however, signing up for one of these services doesn’t mean you and your information is bulletproof. While there’s some value to be had from signing up for identity theft protection (aside from LifeLock’s questionable service offerings, as per the FTC), there’s nothing that can protect your sensitive information more effectively than by practicing good cyber hygiene.


In case you didn’t know, cyber hygiene is defined as a person’s (or organization) practices to defend themselves from malicious activity when using electronic devices such as a laptop or smart phone, or working with electronic data when at work, home, or traveling. An example of cyber hygiene is a person’s behavior when using their web browser. A person who minimizes their risk of compromising their data or access to their protected network is considered to have excellent cyber hygiene. A person who does little to protect themselves online (whether through naivety or negligence) is considered to have poor cyber hygiene.


One of the key principles we emphasize during our information risk assessments is that people are the most integral component of defense against attackers. For instance, you may have a robust set of technical safeguards in place – firewall, intrusion detection/advanced threat detection systems, anti-virus, etc. – but it would all be for naught if you click on a ‘bad’ link in a spear-phishing email. When you look at a majority of the high profile breaches that occurred over the past couple of years (Target, OPM, Anthem, etc.) they all share a common theme – a person was exploited in the attacks, mainly through social engineering. Most of these organizations likely had high-end technology solutions implemented to prevent intrusions, yet, at some point along the timeline, they were breached.


The idea here is that even though there are a variety of innovative solutions available on the market such as identity theft protection, active threat detection, etc., you can’t fully rely on them to keep out the bad guys. You know the saying “if there’s a will, there’s a way?” That phrase is alive and well when it comes to attackers attempting to penetrate your defenses, especially from a technical standpoint, but it’s far more difficult to get outsmart someone using social engineering methods when that person practices proper cyber hygiene.


The key takeaway from all of this? Train your people, keep them informed of new information security threats, and remain vigilant.