Cybersecurity Tips For Staying Safe Online Anyone Can Use
Nevermind cybersecurity, It’s also Halloween, but I can’t figure out how to fit in Michael Myers and Cyber…
CyBeer of The Week: Magic Rock High Wire Grapefruit West Coast Pale Ale
Metal Artist of The Week: Saliva
Happy Cybersecurity Awareness Month!
Ladies, Gentlemen and everyone else. Welcome to another post! I’ve been busy the last few weeks, so apologies for not being quite so active, but real-life gets in the way sometimes. Anyway, I thought it’d be great to promote national cybersecurity awareness month with some useful tips that ANYONE can use to stay safe online. Before I get into that though, let’s have a beer.
This weeks’ CyBeer of The Week is the wonderful High-Wire Grapefruit by Magic Rock. This is a super fruity, hoppy explosion that absolutely exudes grapefruit flavour and therefore, happiness. It’s almost sessionable for an IPA, sitting at the 5.5% region, but is well worth taking the time to get familiar with if you like those west-coast inspired juicy beers. I adore it. It’s vaguely similar to Brewdog’s Elvis Juice, but isn’t as strong (Elvis Juice coming in at a sturdy 6.5%) and the grapefruit is more subtle in Brewdog’s offering. Both fantastic and wonderful beers though.
To go with the Grapefruit delight, I’m listening to some Saliva this week. A bit of a blast from the past in a lot of respects, but you can’t beat a bit of late 90’s/2000’s Nu-Metal if you ask me. “Click Click Boom” is still a total banger and will get your head bopping along without much effort. Although it’s now been nine months since I got to see any live music, and it’s getting irritating now. I just want to rock and roll and get my face melted off with some blistering death metal. Is that such a problem? Come on COVID, you can leave now. You’ve had your fun, let the rest of us have a bit! Anyway… Let’s get back to the reason we’re here. Staying safe online! N.B. There’s a lot of links below to services I use or like, but there are no affiliations or paid sponsors here. This is all my opinion.
Let’s Get to Business!
I’ve written this guide for anyone who would like to consider the basics of what they can do to stay safe online, so don’t expect scary levels of detail or unreasonable expectations of what you could do. These are all very straightforward and will let you be more confident with your online activity regardless of who you are, whether you’re comfortable with computers or not. I am however assuming a baseline of your home computer having anti-virus software already installed (if not, please go and do that now. I like BitDefender personally). If you ever have any questions or concerns about online safety, please do feel free to contact me through this site or on Twitter. I’d be happy to help. With that said, let’s get to my rather artistic infographic shall we?
Now let’s look into each of these with a little more detail.
Number 1 – Apply Software Updates Regularly! (This Is Probably The Most Important Cybersecurity Tip!)
You’d be amazed at how many people don’t update their personal devices. Hell, you’d be amazed how bad most businesses are at updating their computers. This is undoubtedly one of the easiest and best ways to reduce any risk you may face when using the internet. Most devices (Windows computers/laptops, Apple computers/laptops, mobile phones) will notify you when they have updates available. All you have to do is go into the menu and install them. For computers and laptops, this usually needs a reboot for Windows or macOS updates, but individual application updates will most likely not need you to reboot.
One thing to note though, particularly on smartphones is that you when you get App Store/Play Store notifications for updates. These will NOT update your whole system, only the individual apps. So please do be diligent when doing this. Ensure your operating system gets updated as well as your apps when it notifies you.
You should also update anything else that connects to the internet – Games consoles, Smart Speakers (Alexa, Google Home, Sonos etc), TVs, even smart fridges and plug sockets. These will probably let you know if there’s an update available but you might need to check with your supplier on how to do this.
Cybersecurity Action – When you finish this blog post, check your smartphone and personal computer for any updates and get them applied!
Number 2 – Use A Password Manager!
How many times have you used the same password? Be honest. We’ve all done it, and probably continue to do it. But, one of the easiest ways to reduce the risk of your account being hacked, and having a major identity theft/fraud problem on your hands, can be stopped by using a password manager. If you choose to use a service like LastPass for example, you can install this on all your devices and set up a unique password for every site you use.
By using LastPass, you don’t need to remember the passwords you generate through the application either. So you can have super complex passwords up to 99 characters long which are had to crack. Combine this with having a unique password for each site and feel confident that if your account was to be breached, it’s only that one site you need to worry about.
This could take a little time to set up, if you need to change passwords for a lot of sites. My approach to this when I started was to just change the password as I use a website. This made the process quite manageable. Of course, you’ll still need a password to access LastPass, but at least you’ll only need to remember one complex password rather than 100, right?!
Installing LastPass in your browser of choice and on your smartphone will give you seamless access to all your accounts in a secure and easy to use manner. This will help your online security immeasurably. Of course, there are many different managers out there and I urge you to find one that works for you. But I personally use LastPass and I find its ease of use and features work great for me. It offers a free account too for personal use.
Cybersecurity Action – Find and use a password manager you feel comfortable using that can get you using more secure passwords across your mobile and desktop devices. Start to change your passwords using the password manager to keep them safe and most importantly, individually unique to each site!
Number 3 – Check If Your Email Addresses Have Been Hacked
This may sound scary, but trust me, it’s not. There are a number of reputable services out there than can and will alert you if your email address(es) appear in data breaches or posts on the dark web. Two I would recommend signing up to are Have I Been Pwned and SpyCloud. Both of these services offer free subscription that will notify you if your email address appears in any data breach or databases being sold online. The benefit to doing this is that it allows you to check what account may be compromised and you can take adequate action. You can also use Have I Been Pwned to check for historical lists your account may have appeared in, which I’d encourage you to do.
The second benefit here is if you have re-used passwords, you can see exactly where you should focus on changing them immediately to prevent any fraudulent activity taking place using your account.
Cybersecurity Action – Sign up to both Have I Been Pwned and SpyCloud for alerts. Check your email addresses in Have I Been Pwned to see where they have historically been breached so you know which passwords to change immediately.
Number 4 – Change Your Hacked Passwords Using Your (New) Password Manager!
This is where some magic happens. If you’ve followed along and performed the requisite actions, you should now have a password manager in place, and a list of accounts you need to change the passwords to. So now we need to go to each service that was compromised and change the password on that account using the password managers inbuilt password generator. Do this for each site you’ve identified.
If you’re unsure which site was compromised (maybe the data breach is a “combolist” for example), then if you know the passwords you use with that email address and the sites where you’ve re-used passwords. Make sure to change anywhere you may have used the same password. Remember, we want unique passwords for as many sites as possible, and ideally, every site you use.
This may take a little time but do remember that each password you set that is unique is reducing the chance of your details being stolen from multiple places. We might not be able to stop criminals from accessing every website, but we can at least prevent how much they can get access to. That’s what’s important.
Cybersecurity Action – Use your password managers inbuilt password generator to change any compromised passwords from Have I Been Pwned. If you’re not sure which site may have been breached. Change any passwords where you’ve re-used the same password.
Number 5 – Delete Any Old Accounts You No Longer Use
We all have sites we don’t log into anymore. Maybe you still get emails from them? If there are sites you know you haven’t logged into for some time, or just don’t need anymore. Really do consider deleting your account with that website. There’s little point keeping an account alive that contains your personal information with an insecure password if you’ll never use it again.
It may be difficult to find every single account you’ve ever used, and I totally understand that. So what I would say is consider this as a best-practice. If you find an old account you don’t need or want anymore, then delete the account. Each account you can delete that you don’t use is one less target a cybercriminal can use to target you, and one less site to wait to appear in HaveIBeenPwned.
Cybersecurity Action – If you come across any old accounts you no longer need or use, then delete them to reduce your overall footprint on the internet which will reduce the likelihood of your details being compromised.
Number 6 – Use Multi-Factor Authentication On Accounts You Care About
Now I would encourage you to use Multi-Factor Authentication (MFA) everywhere you can. But I’m a human being, and I realise that it’s a bit of a pain and not ideal. Now, if you’re unsure what MFA is, let’s briefly explain. When you create an account on a (lot of) website(s), you’ll get the option to turn on MFA. This usually means you provide a phone number to receive a code via text message, or you can use an application like Google Authenticator (iOS and Android) to provide a time-sensitive code when you log in.
The benefit of doing this is that any criminal would need access to your second device in order to access your account, even if they got your password. There are other fancy options out there such as YubiKey, but I think that starts to go beyond the scope of this blog and what I hope is the target audience.
I’d recommend using Google Authenticator where you can. It can be a pain having to enter a code, so if you’re impatient, please consider using it on accounts that contain any payment details or you definitely don’t want criminals to access (such as social media, Amazon, online banking etc).
MFA isn’t a silver bullet of course, and it’s one more app you need to update, but software-based apps like Google Authenticator are preferential to SMS text message-based services. But SMS is better than nothing, but please do consider using some form of MFA on as many, if not all of your accounts.
Cybersecurity Action – Set up MFA on the accounts you care about most, and ideally using something like Google Authenticator. But do consider using MFA whenever possible to again help with reducing your personal threat level from cybercriminals.
Number 7 – Be Wary Of Phishing Emails And Scams
This might sound obvious, but there are a lot of sophisticated scams out there and it’s incredibly easy to fall for them, regardless of how diligent you are. I won’t teach you to suck eggs here as I’m sure you’ve received a million offers from a Ugandan Prince offering to make you rich if you help him hoard some wealth for a short while (this is how I bought my first Aston Martin!*), so you know what a lot of phishing emails look like. But there are some other types that you should consider being wary of and a few things to consider.
Firstly, if you get an email from a website claiming your payment hasn’t gone through (usually the likes of Netflix, Amazon etc), don’t click the link in the email. Go to the service directly, either through the mobile app or website, and verify your account is fine. Most reputable sites won’t encourage you to login using a button whenever there’s money involved (Caveat – Account set up will usually need you to click a link to verify your email address). There are other giveaways with these scams, they’ll usually never come from a legitimate website dot com email address (netflix.com for example), or they’ll have a really obtuse email address like [email protected]com, you get the idea.
Secondly, there has been a lot of blackmailing emails that claim to have watched you, watching sexy things on the internet. They’ll claim you can tell you’re hacked because it looks like the email has come from your own email address. All you have to do is check the email address (click on it/expand it) and you’ll see it’s clearly not you. No Blackmail, back to your regularly scheduled smut viewing in peace.
Thirdly and perhaps most important, apply a little critical thinking and common sense. 99% of the email you’re receiving is probably marketing from different companies, they’re unlikely to suddenly be in your inbox asking for new payment details or confirming orders you haven’t made. If you do get these emails, verify the content yourself by going directly to the service OUTSIDE of the email. Check your account that way, and if you do have any issues contact the service provider and follow the advice above on resetting passwords and using MFA.
Cybersecurity Action – Always be aware that any email trying to get you to do something that isn’t a regular marketing email could be a potential scam. Use common sense and some of the advice above to try and avoid falling for any scams.
*I bloody wish I owned an Aston Martin
Number 8 – Consider Backing Up Your Files & Documents
You’ve probably heard of Ransomware. In cybersecurity, it’s undoubtedly the biggest threat that most organisations face, and can cost millions to recover from or paying the ransom. It’s an absolute menace the whole world has to fight hard to stop. It can also affect the everyday person at home. Ransomware will encrypt every file on your computer and will demand you pay a fee in order to unlock them. In most cases, there’s no hope for decryption without the key, and thus you’re stuck with the large fee for getting your files back.
Fortunately, in the age of broadband internet, we can back up our files using cloud service providers. Cloud is just a fancy term for somebody else’s’ computer, but you can use services from a multitude of companies to back up your files safely and securely away from your home computer, so in the event, you’re unfortunate enough to get hit with ransomware, you can at least restore your files from the cloud and avoid paying the ransom fee.
There’s a whole range of providers including Microsoft, Apple and Google. Personally, I use iDrive at home. I find their pricing very fair and the service easy to use. But depending on how much data you have or genuinely care about, you could use free services from Microsoft (OneDrive), Apple (iCloud), Google (Drive) or DropBox.
This won’t prevent you from getting infected of course, but it provides you a fall-back option if you’re unfortunate enough to fall victim to Ransomware operators.
Cybersecurity Action – Look at cloud backup providers and find one that can help you secure copies of your most important files and documents. You’ll not regret it, especially in the event of a Ransomware attack.
Number 9 – Consider Ad-Blocking Software In Your Web Browser
Ah, adverts. Both the lifeblood and absolute bane of the internet (and not the cool Batman kind of Bane). One common way for criminals to target their victims are through pop-ups and malicious adverts on perfectly legitimate websites. With that in mind, I’d implore you to consider using an ad-blocker in your web browser. I use AdBlockPlus (ABP) in Google Chrome to try and avoid this issue. There’s also the fact that a lot of ads are quite intrusive, and not having them clutter a site is nice. That said, a lot of websites depend on ad revenue and if you use a site a lot you should consider allowing them to show some ads. ABP allows you to allow ‘safe’ adverts on sites, this mostly translates to adverts which don’t ruin the browsing experience mostly, but worth considering.
Using an ad-blocker will prevent you from falling victim to things like drive-by-downloads and malvertising (the ad may run code that’s malicious and downloads further malicious software or where the ad downloads files on to your computer directly). Using this in combination with the other advice here will put you on a really strong footing with your personal cybersecurity.
Cybersecurity Action – Consider using an ad-blocker in your web browser of choice.
Number 10 – Don’t Panic! Cybersecurity Can Feel Overwhelming
We’ve covered a lot of ground here and you may feel slightly overwhelmed, please don’t. Take each step here one at a time and build up how comfortable you are with each step. Remember this is about raising the bar for a criminal to target you successfully, it’s not a guarantee that you’ll never fall victim to a cyber-attack of any kind. But by doing everything outlined in this post (notably drinking a beer and cranking up the heavy metal!) will make you a much harder target overall. And that’s all we can do right?
In the event that you have fallen victim to a cybercriminal, then also don’t panic. Try and understand what’s happened, and seek out appropriate support. Depending on the circumstances, maybe I can help (please contact me on this site or on Twitter). If you’ve been a victim of fraud or lost money then you’ll need to involve the Police to try and recover any lost funds, but I can probably help you understand what’s happened and how to try and prevent it from ever happening again. We’re always learning in cybersecurity and this month is about raising awareness.
Cybersecurity Action – Open a beer and crank up the heavy metal. Also don’t panic if you feel overwhelmed or have fallen victim to an attack. Help is at hand, all you have to do is ask!
Cybersecurity Awareness Month Parting Thoughts
There’s a lot of advice and guidance online from security professionals online that are all very good but assume too much deep technical knowledge for most people. I hope this post has avoided that and you feel comfortable looking into every step I’ve outlined. You can consider hardware-based MFA devices, VPNs, router configurations etc. all day long, but most people don’t understand and don’t need to worry about that level of complexity, so let’s demystify some of these concepts with the cybersecurity awareness month. I really hope you’ve found value in this post and will see your security improve as a result.
If you have any questions, do contact me and I’ll do what I can. Until next time.