A cybersecurity chief's 8 tips on how to protect yourself online as data breaches continue

Delivery start-up DoorDash became the latest company to announce a security breach on Thursday, September 26, 2019. Nearly 5 million customers, restaurants and delivery workers had data compromised in the hack. (Photo by Smith Collection/Gado/Getty Images)

Encryption is viewed by many as "bulletproof" technology to protect data from cyberthieves. Organizations swear by it, and consumers feel overly confident knowing that their recent transactions and personal data are encrypted. Despite the confidence around this "go to" technology, time has shown that encryption is just not enough. In fact, it's failing us.

High-profile data breaches, including Thursday's DoorDash breach, continue. While the details of the DoorDash incident — which included the last four digits of payment cards for some consumers, as well as names, emails, delivery addresses and phone numbers — require further analysis, other recent corporate hacks show us that encryption either did absolutely nothing to prevent hackers from infiltrating systems or, worse, helped disguise cybercriminals while they wreaked havoc in organizations' systems.

DoorDash is just the latest in a string of cybersecurity incidents affecting hundreds of millions of consumers. In September 2017 Equifax announced a data breach that exposed the personal information of 147 million people. During the incident, an attacker was able to break into Equifax's system in mid-May and hide within encrypted traffic until the end of July — more than two months without anyone noticing.

In November 2018, Marriott disclosed a data breach that affected 327 million customers, which in my opinion was based on a false sense of security in encryption. Hackers had been hiding in Marriott's system since July 2014, gaining access to a whopping 25.6 million passport numbers in the breach, of which 5.25 million were unencrypted. While it seemed Marriott believed encryption would save the day, the technology was ultimately implemented incorrectly, leaving the organization blindsided during the breach.

Most organizations today invest in encryption due to regulatory mandates, yet they fail to understand that encryption is not "bulletproof" — rather, it should be viewed as a steel tunnel with two locked doors on either end. The keys for these doors can and will be stolen. It's a basic defense that protects data while in transit or at rest, but it shouldn't be the only thing protecting our medical records, credit scores, bank statements and other digital documents that only we — and the vendor we choose and trust — should be allowed to see.

Think of a criminal breaking into a home. A basic lock on the front door alone won't stop them from accessing what's inside. Instead, they look for alternative routes — side doors, open windows, garages — or they simply try a skeleton key on the front door. The mistake is in not protecting the master keys. The cybercrime wave of 2019 is flourishing due to the misconception that encryption is foolproof.

Unfortunately, we as consumers don't have much control over the types of security defenses vendors are using. It's a flawed trust system where we can assume organizations have multilayered defenses, beyond just encryption, that will keep hackers at bay. One can guess that large, well-known entities have better protection controls (and a higher cybersecurity budget) than smaller vendors, but as we saw with recent breaches, this doesn't always mean tightened security. In addition, these large corporations are being targeted by elite hackers of the dark web, which marginalizes any proactive security posture.

When doing business online, there are a few best practices to implement to better protect your information. Make it a point to only share sensitive information if it's a reasonable request — for example, an online retail store shouldn't be asking you for passport details. If they are, it's a scam. When inputting personal details, ensure the website's address begins with "https:", as the S stands for secure. You also may want to do some homework to ensure the vendor hasn't had any major security issues of late and has been recognized for its security.

8 steps to save your online self

I also recommend limiting your exposure by taking these eight simple steps:

  1. Update all software every Tuesday night — this includes apps.
  2. Use security software on all devices.
  3. Use Firefox for your browser.
  4. Change your home router's password.
  5. Turn on firewall and use encryption.
  6. Use sentences rather than passwords.
  7. Never use public Wi-Fi or Bluetooth unless you use a VPN.
  8. Never use your debit card online.

We live in a world where most transactions are now done online. While we can follow best practices to better protect our information and conduct due diligence on online vendors, it's ultimately an organization's responsibility to realize that encryption alone is not the answer. It will eventually fail them, and in turn your digital identity will be victimized.

Choose who you do business with, based on the seriousness of their security programs, as today your physical safety is tied to your digital safety.

By Tom Kellermann, chief cybersecurity officer, Carbon Black, and a member of the CNBC Technology Executive Council