How to improve your individual cybersecurity
We kick off Cybersecurity Awareness Month with 10 simple ways in which individuals can improve their cybersecurity for themselves and, by extension, their businesses. It’s worth noting that most potential attackers don’t target a specific individual (unless of extreme wealth!) as it doesn’t represent a good ROI for them, and so will normally use bulk techniques, including ‘credential stuffing’ based on previous breaches and the equivalent of mass marketing. This means that taking relatively simple steps can massively reduce your risk of having your details compromised.
Some of these tips will be extremely obvious to most people, some maybe not so much and others you may know you should be doing but ‘haven’t got round to it yet’ and hopefully this post reminds you that it’s worth making the time to make the change(s)!
Use unique passwords for every application and account – attackers know that a lot of people use the same email address and the same password for multiple accounts. This means that all they need is your details from one breach and they can try ‘credential stuffing’ to gain access to other accounts. By using a unique password for each account, you minimise this risk and ensure that if one account is compromised, they can’t get access to others. It should go without saying not to use simple passwords; three random words are a good way to keep a password memorable. Equally, consider using biometrics for ease of access, but be aware they aren’t completely hack-proof.
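To make the credential-stuffing pattern concrete from the defender's side, here is an added example (not code from the original post) that scans authentication logs for it. The log format and every sample line are constructed for the example; the assumption is one line per login attempt with a timestamp, source address, username and result. Credential stuffing replays username/password pairs from old breaches across many accounts, so the tell-tale shape is one source trying many different usernames in a short window, mostly failing, with the odd success where someone reused a password.

```python
"""Spot a credential-stuffing pattern in authentication logs (added example).

Assumed log format (constructed for this example):
    <ISO timestamp> <source ip> <username> <FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycles through many accounts in seconds,
# another retries a single account, a third is an ordinary login.
SAMPLE_LOG = """\
2024-10-01T09:00:01 203.0.113.7 alice FAIL
2024-10-01T09:00:02 203.0.113.7 bob FAIL
2024-10-01T09:00:02 203.0.113.7 carol FAIL
2024-10-01T09:00:03 203.0.113.7 dave SUCCESS
2024-10-01T09:00:04 203.0.113.7 erin FAIL
2024-10-01T09:00:05 203.0.113.7 frank FAIL
2024-10-01T09:00:06 203.0.113.7 grace FAIL
2024-10-01T09:05:00 198.51.100.9 alice FAIL
2024-10-01T09:05:20 198.51.100.9 alice FAIL
2024-10-01T09:05:45 198.51.100.9 alice SUCCESS
2024-10-01T12:00:00 192.0.2.44 bob SUCCESS
"""


def parse_log(text):
    """Turn the raw log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: summary} for sources that hit >= min_users distinct
    usernames within `window`. A single user retried many times is *not*
    flagged: that is a different pattern (brute force or a forgotten password).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        # Sliding window: start at each attempt and look `window` ahead.
        for i in range(len(attempts)):
            start = attempts[i][0]
            users, successes = set(), set()
            for ts, user, result in attempts[i:]:
                if ts - start > window:
                    break
                users.add(user)
                if result == "SUCCESS":
                    successes.add(user)
            if len(users) >= min_users:
                # Accounts in `compromised` are the ones whose owners reused a
                # password that already appeared in a breach: the page's point.
                flagged[ip] = {
                    "distinct_users": len(users),
                    "compromised": sorted(successes),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {summary['distinct_users']} usernames tried, "
              f"successful logins for {summary['compromised'] or 'none'}")
```

On the constructed log the only flagged source is 203.0.113.7, and the one account it got into is the one whose password was reused; the thresholds (five usernames in five minutes) are assumptions to tune against real traffic.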
Use a password manager – password managers mean you can easily create more complex passwords for each account and not worry about remembering them, making the accounts more secure. There are a range of free and paid-for options available, from web browsers, device manufacturers and specialist password managers.
Use multi-factor authentication (MFA) wherever possible – alongside strong and unique passwords, activate multi-factor authentication where you can. This is normally found in the privacy & security settings of apps and websites and normally comes in the form of a text or email message with a one-time code, or through use of an authenticator app. It's worth noting that no form of MFA is completely unbreakable, with Coinbase users being impacted by a flaw in their SMS (text) MFA; however it's simple to set up and will often be enough to stop an attacker pursuing you personally when easier targets without MFA are available.
Trust no-one – or more specifically, think critically about every email, text, phone call, social media message, Google ad and website you read and visit. There are a few questions you can ask yourself and steps you can take before clicking links to verify whether something is legitimate:
- Am I expecting to receive this message, from this person and is what they’re asking a normal thing to ask?
- Is it from an email address / a website I recognise?
- Does it sound too good to be true?
- Is the spelling or grammar poor?
- Hover over hyperlinks to see where they actually lead – or better still, if you’re unsure, always go to the official website directly using the URL you know (or via a search engine) to log in
- Be cautious of search engine adverts (images below) – these appear at the top of the results page and, whilst they are always taken down eventually, can lead you to a fake webpage. It’s much easier to get a fake advert up for a few hours than to get a fake site to rank in the legitimate, organic (i.e. non-paid-for) results, so you’re best off looking at the ‘organic’ results or, if you know it, going directly to the website
- Call the person who allegedly sent the message first if you’re unsure
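The "hover over hyperlinks" check can be automated for a whole message. The following is an added example, not code from the original post: it parses a small HTML email body (constructed inline, with reserved `.test` domain names) and applies two of the checks above to every link: does the destination the link really goes to (its `href`) match the domain shown to the reader, and is that destination a site you actually use? The allow-list of known domains is an assumption standing in for your own list.

```python
"""Flag hyperlinks whose visible text points somewhere other than the real
target, or whose target is not a site you use (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the second link shows a bank domain in its text
# but really goes to an unrelated host; the fourth says only "Click here".
SAMPLE_EMAIL_HTML = """
<p>Statement ready: <a href="https://example-bank.test/login">https://example-bank.test/login</a></p>
<p>Confirm here: <a href="http://login.example-bank.test.evil-host.test/verify">example-bank.test</a></p>
<p>Unsubscribe: <a href="https://newsletter.example.test/unsub">newsletter.example.test</a></p>
<p>Prize claim: <a href="https://win-a-prize.test/claim">Click here</a></p>
"""

# Assumption: the sites this reader actually has accounts with.
KNOWN_DOMAINS = {"example-bank.test", "newsletter.example.test"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Rough 'site' name: the last two labels of the host.
    Assumption: no public-suffix list, so co.uk-style suffixes are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def displayed_host(text):
    """Host implied by the visible link text, if it looks like a URL or domain."""
    text = text.strip()
    if not text or " " in text:
        return None
    candidate = text if "://" in text else "https://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def is_known(host, known_domains):
    """True if host is one of the known domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in known_domains)


def assess_links(html, known_domains=KNOWN_DOMAINS):
    """Return (href, verdict, reason) for every anchor in the message."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown = displayed_host(text)
        if shown and registrable_domain(shown) != registrable_domain(real_host):
            results.append((href, "suspicious",
                            f"text shows {shown} but link goes to {real_host}"))
        elif not is_known(real_host, known_domains):
            results.append((href, "unknown", f"{real_host} is not a site you use"))
        else:
            results.append((href, "ok", f"goes to {real_host}"))
    return results


if __name__ == "__main__":
    for href, verdict, reason in assess_links(SAMPLE_EMAIL_HTML):
        print(f"{verdict:10} {href}\n           {reason}")
```

The "suspicious" verdict is the one the hover check catches by hand; "unknown" covers links like "Click here" where there is no displayed domain to compare, which is exactly when going to the official site directly is the safer move.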
Update your devices – device updates from hardware and software manufacturers contain critical security patches for recently found flaws, whether it’s your mobile phone, laptop or IoT device – ideally ensure it’s set to automatically update, but if not, push the update through as soon as it’s made available. Be sure to only do this via your device settings and know what an update notification should look like – you'll be able to find how to do this easily with a simple online search.
Think about how you use social media – both in terms of your privacy settings (i.e. how much people who don’t follow you/aren’t friends with you can see), but also consider what you post. A good example is people commenting on posts (usually on Facebook, as is the nature of the platform) that ask seemingly innocent questions such as “name a TV show that younger people won’t know about” or “it’s national teacher’s day, name a teacher that made a big difference to you as a child”. Whilst the poster may have no malicious intentions, these can often give potential hackers critical information that can unlock your accounts. Remember point 1 (unique passwords) – if you don’t have a unique password and they manage to get hold of an older account you’ve forgotten to update, they can often get hold of more useful accounts.
Check if your data has been found in a breach – visit haveibeenpwned.com to check if your email accounts or phone numbers have been compromised. If so, try to recover the affected accounts and definitely change any passwords that you may have reused on other apps.
Delete apps and accounts you no longer need – reduce your digital footprint by deleting any apps or accounts you don’t use regularly. It’s never much hassle to create a new one later should you need it, but by getting into the practice of deleting old accounts you reduce the risk of them being compromised. It’s quite often the case that people historically used common passwords with no MFA and forget to go back to some accounts as they learn and improve their security.
Exercise your right to be forgotten – if you’re in the EEA, under GDPR you have a right to know what information organisations hold on you and a right to have that information deleted. Linked to point 8 (deleting unused accounts), if you’re not sure, ask companies to delete your information. This also applies in the UK: although it is no longer in the EEA, the UK GDPR and the Data Protection Act 2018 keep this a legal right. If you’re outside the EEA, check your rights on this matter and exercise them!
Lock your devices – a very, very simple one, but often overlooked. Get in the habit of locking your devices whenever you’re away from them, even in your own home, as it will reinforce the habit and make you more likely to lock them when it matters (e.g. in a shared workspace). On a Windows device you can quickly do this by pressing Windows + L, on a Mac it’s Control + Command + Q and on a Chromebook it’s Search + L.
Let us know if you have any that you’d add to this list and look out for our next blog in the series, sharing tips on how organisations can make themselves more secure.
Distinguishing between Google Ads and ‘organic’ search results. N.B. in this example we’re not saying that the adverts pictured are not legitimate, just showing how to tell what is an ad (and therefore an easier route for a malicious page to appear at the top) versus what is an ‘organic’ search result.