
10 Ways to Improve Individual Cyber Security

We kick off Cybersecurity Awareness Month with 10 simple ways in which employees can improve their individual cyber security for themselves and, by extension, their businesses. It’s worth noting that most potential attackers don’t target a specific individual (unless of extreme wealth!) as it doesn’t represent a good ROI for them, so they will normally use bulk techniques, including ‘credential stuffing’ based on previous breaches and the equivalent of mass marketing. This means that taking relatively simple steps can massively reduce your risk of having your details compromised.

Some of these tips will be extremely obvious to most people, some maybe not so much and others you may know you should be doing but ‘haven’t got round to it yet’ and hopefully this post reminds you that it’s worth making the time to make the change(s)!

Our top 10:

1. Use unique passwords for every application and account

Attackers know that a lot of people use the same email address and same password for multiple accounts. This means that all they need is your details from one breach and they can try ‘credential stuffing’ to gain access to other accounts. By using a unique password for each account, you minimise this risk: if one account is compromised, they can’t get access to the others. It should go without saying not to use simple passwords; three random words are a good way to keep a password memorable. Equally, consider using biometrics for ease of access, but be aware they aren’t completely hack-proof. This will greatly improve your individual cyber security.

2. Use a password manager

Password managers mean you can easily create more complex passwords for each account and not worry about remembering them, making the accounts more secure. There are a range of free and paid-for options available, from web browsers, device manufacturers and specialist password managers.

3. Use multi-factor authentication (MFA) wherever possible

Alongside strong and unique passwords, activate multi-factor authentication where you can to aid individual cyber security. You can usually find this in the privacy and security settings of apps and websites, where it typically comes in the form of a text or email message with a one-time code or through the use of an authenticator app. It’s important to note that no form of MFA is completely unbreakable—Coinbase users were impacted by a flaw in their SMS (text) MFA—but setting it up is simple and often enough to prevent an attacker from targeting you, especially when easier targets without MFA are available.

4. Trust no-one

Or more specifically, think critically about every email, text, phone call, social media message, Google ad and website you read and visit. There are a few questions you can ask yourself and steps you can take before clicking links to verify if it’s legitimate:

  • Am I expecting to receive this message, from this person and is what they’re asking a normal thing to ask?
  • Is it from an email address / a website I recognise?
  • Does it sound too good to be true?
  • Are the spelling and grammar poor?
  • Hover over hyperlinks to see where they actually lead – or better still, if you’re unsure, always go to the official website directly to log in, using the URL you know or a search engine.
  • Be cautious of search engine adverts (images below) – these appear at the top of the page and, whilst always taken down eventually, can lead you to a fake webpage. It’s much easier to get a fake advert up for a few hours than to get into the legitimate, organic (i.e. non-paid-for) search results, so you’re best off looking for the ‘organic’ results or, if you know it, going directly to the website.
  • Call the person who allegedly sent the message first if you’re unsure.

5. Update your devices

Hardware and software manufacturers release device updates that contain critical security patches for recently discovered flaws, whether it’s your mobile phone, laptop, or IoT device. Ideally, set it to update automatically, but if not, manually push the update as soon as it becomes available. Be sure to only do this via your device settings and know what an update notification should look like – you’ll be able to find how to do this easily with a simple online search.

6. Think about how you use social media

This applies both to your privacy settings (i.e. how much people who don’t follow you or aren’t friends with you can see) and to what you post. A good example is people commenting on posts (usually on Facebook, as is the nature of the platform) that ask seemingly innocent questions such as “name a TV show that younger people won’t know about” or “it’s national teacher’s day, name a teacher that made a big difference to you as a child”. Whilst the poster may have no malicious intentions, these can often help potential hackers with critical information to unlock your accounts. Remember point 1 – if you don’t have a unique password and they manage to get hold of an older account you’ve forgotten to update, they can often get hold of more useful accounts.

7. Check whether attackers have found your data in a breach

Visit haveibeenpwned.com to check if your email accounts or phone numbers have been compromised. If so, try to get them back and definitely change any passwords that may have been common on other apps.

8. Delete apps and accounts you no longer need

Reduce your digital footprint by deleting any apps or accounts you don’t use regularly – it’s never much hassle to create a new one later should you need it, but by getting in the practice of deleting old accounts you reduce the risk of them being compromised. It’s quite often the case that people historically used common passwords with no MFA and forget to go back to some accounts as they learn and improve their security.

9. Exercise your right to be forgotten

If you’re in the EEA, GDPR gives you the right to know what information organizations hold about you and the right to have that information deleted. Linked to point 8, if you’re not sure, ask companies to delete your information. This also applies in the UK: whilst it is no longer in the EEA, the UK GDPR and Data Protection Act 2018 keep this a legal right. If you’re outside of the EEA, check your rights on this matter and exercise them!

10. Lock your devices

A very, very simple one, but often overlooked. Get in the habit of locking your devices whenever you’re away from them, even in your own home as it will reinforce the habit and make you more likely to lock it when it matters (e.g. in a shared workspace). On a Windows device you can quickly do this by pressing Windows + L, on a Mac it’s Control + Command + Q and on a Chromebook it’s Search + L.

 

Summary

Let us know if you have any that you’d add to this list and look out for our next blog in the series, sharing tips on how organisations can make themselves more secure.

 
