October is the ENISA Europe-wide Cybersecurity Awareness Month, although of course the advice should apply every month. There have been notable steps forward in the assurance of digital and information security provided by organisations, but the advice for individuals published by the UK National Cyber Security Centre (NCSC) on personal protection has remained broadly unchanged since the agency was set up three years ago.
Cyber threats to individuals change mainly with the introduction of new gadgets and technologies. The companies developing these products and services need to take more care to design security in, so that their offerings do not open new pathways for attacks on personal information. That said, the essentials of good cyber hygiene are timeless and worth repeating.
These seven simple cyber hygiene steps reduce the chance that you become one of the victims of the next large data breach.
1. Secure your devices
Theft of phones and computing devices (tablets, laptops and so on) remains high in the UK; after cash, they are the items most commonly stolen (ONS, 2019).
Protect the information on a device in the event of theft by enabling full-disk encryption on your laptop or phone. This is often shipped as part of the product (e.g. BitLocker on Windows 10) but is not always switched on by the user. With encryption enabled, a thief who removes the drive or boots the device from other media cannot read your data without the key. Note that the protection is only as strong as the PIN, password or recovery key that unlocks it, so an encrypted device with no lock screen gives little benefit.
Always enable the PIN code, remote locking, biometric unlock and device tracking features where they are available. You may not be able to prevent a theft, but these features aid recovery of the device and protect the information on it if it is lost.
2. Maintain identity security
Although we have several identities online, they are generally anchored to a real person. Maintaining that anchor, so that a service can be confident it is dealing with you and not someone claiming to be you, is what identity security is about.
Identity is verified when a service authenticates and authorises you, and doing so with more than one independent factor, multi-factor authentication (MFA), is reported to reduce account fraud drastically, in some reported cases by up to 99%. MFA is implemented by most popular social media and shopping sites but is not always mandatory.
Enable MFA wherever the option is available: it protects your identity from misuse and impersonation, since the services you are entitled to depend on the provider knowing that the person accessing the account is you.
A particular concern in this area is the number of attacks on Office 365 accounts; see the References for the NCSC's mitigation advice.
3. Guard against phishing
A phishing attack is an attempt to trick you into revealing identity information, such as login credentials or bank details, or into installing malicious software. It is normally delivered by email but may also arrive by text or instant message. Examples include messages about Student Loan information, tax rebates, or online requests for personal bank details.
Phishing may compromise more than one account: fraudsters can use what they learn from a compromised account to craft further attacks aimed at specific individuals (this is known as spear phishing). Emails that appear to come from a legitimate source and carry an element of urgency increase the likelihood of a successful attack (see Bob's Business on this).
Verify any email that doesn't look right with the purported sender. If you know who it claims to be from, contact that person or organisation through another channel, such as a phone number you already hold rather than one given in the message, to confirm that they did send it. Legitimate users and organisations should always give you another way to get in touch.
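The two indicators named above, a message that appears to come from a legitimate source and pressure to act urgently, can be checked mechanically. The following is an added example, not code from the original article: it parses a raw email with Python's standard library and flags a display name that borrows a trusted brand while the address comes from another domain, a Reply-To that routes replies to a third domain, links whose visible text names one host while the href goes to another (or to an untrusted host), and urgency phrases. The trusted domain, addresses and both sample messages are constructed for illustration.

```python
"""Heuristic phishing indicators for one email. Added example, not from the original article;
all domains, addresses and messages below are constructed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Set, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}          # constructed: domains you genuinely deal with
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours",
                 "account will be suspended", "final notice", "verify your account")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)


def domain_of_address(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def hostname_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host: str) -> str:
    # Crude (last two labels) but enough to tell example-bank.com from example-bank-verify.net.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def body_text(msg: Message) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_email: str, trusted: Set[str]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means nothing was flagged."""
    msg = message_from_string(raw_email)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of_address(from_addr)
    name_key = re.sub(r"[^a-z0-9]", "", display_name.lower())
    # 1. Display name borrows a trusted brand but the address is from another domain.
    for d in trusted:
        brand = re.sub(r"[^a-z0-9]", "", d.split(".")[0])
        if brand and brand in name_key and from_domain != d:
            findings.append(("spoofed-sender", f"'{display_name}' sent from {from_domain}"))
    # 2. Replies are silently routed to a third domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of_address(reply_addr) != from_domain:
        findings.append(("reply-to", f"Reply-To {reply_addr} differs from From domain"))
    body = body_text(msg)
    # 3. Visible link text names one host while the href goes to another, or to an untrusted one.
    for href, text in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        target = hostname_of(href)
        if URL_LIKE_RE.fullmatch(shown) and hostname_of(shown) != target:
            findings.append(("link-mismatch", f"text {shown} -> {href}"))
        if registered_domain(target) not in trusted:
            findings.append(("untrusted-link", href))
    # 4. Pressure to act now, in subject or body.
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [t for t in URGENCY_TERMS if t in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@example-bank-verify.net>
Reply-To: support@mail-secure-login.net
To: you@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Unusual activity was detected. Your account will be suspended unless
you confirm your details immediately.</p>
<p><a href="http://example-bank-verify.net/login">https://www.example-bank.com/secure</a></p>
</body></html>
"""
SAMPLE_LEGIT = """\
From: "Example Bank" <statements@example-bank.com>
To: you@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available in online banking.</p>
<p><a href="https://www.example-bank.com/statements">View statements</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw, TRUSTED_DOMAINS))
```

Heuristics like these produce false positives (legitimate mail often links through a provider's tracking domain, and "urgent" appears in honest messages too), so treat a hit as a reason to verify through another channel, as the text advises, not as proof of fraud.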
4. Check the status of your existing accounts
Check whether your email address already appears in known data breaches by running it through haveibeenpwned.com, and if it does, change the password on the affected account immediately. The same site's Pwned Passwords service lets you check whether a password has appeared in a breach without sending the password itself.
You should also check and change any other accounts that use the same credentials, because fraudsters take passwords exposed in one breach and try them against accounts they do not yet know about (credential stuffing), including your work and personal accounts. Ideally, never reuse a password across accounts. If you find you do this regularly, see the next action point.
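Checking a password against known breaches does not require sending it anywhere in full. The example below, added here and not code from the original article, uses the Pwned Passwords range endpoint of haveibeenpwned.com: it sends only the first five hex characters of the password's SHA-1 hash and matches the remaining 35 characters locally against the list the service returns, so the service never learns which password was checked. The sample response is constructed (only the first suffix is genuinely the rest of SHA-1 of the word "password"; the counts and other suffixes are made up), so the block runs offline; `fetch_range` performs the live lookup when you have network access.

```python
"""Password breach check via the Pwned Passwords k-anonymity range API.
Added example, not from the original article."""
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that is sent
    and the 35-char suffix that is matched locally and never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Add-Padding asks the service to pad the reply with dummy
    zero-count entries so that response size does not reveal which prefix was queried."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "cyber-hygiene-check", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix: str, range_text: str) -> int:
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix; 0 means not seen in any breach
    (padding entries carry count 0, so they are harmless here)."""
    for line in range_text.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password has appeared in breaches known to the service."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the service's reply to prefix 5BAA6 (the prefix of SHA-1("password")).
# Only the first suffix is the genuine remainder of that hash; counts and other lines are made up.
SAMPLE_RANGE = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:0",
])


def offline_fetch(prefix: str) -> str:
    """Offline substitute for fetch_range, serving the constructed sample above."""
    return SAMPLE_RANGE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch=offline_fetch)
        print(f"{pw!r}: {'seen %d times, do not use' % n if n else 'not in the sample set'}")
```

A non-zero count means the password is in attackers' wordlists and should be retired everywhere it is used; a zero count only means it is not in the known breach data, not that it is strong. Checking whether an email address appears in breaches is a separate lookup on the same site.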
5. Consider using a password manager
A password manager lets you access and maintain all of your online passwords behind a single master login. Although this may sound counter-intuitive, there are several benefits to using one:
- It allows strong, unique passwords to be generated and used for every account.
- You can use the password manager to log in from any device.
- It allows secure backup and recovery in case of loss.
With the growth in online interactions, it is surprising to learn what your full digital footprint consists of, and the first step to managing your presence is to identify exactly what it is; the vault of a password manager doubles as an inventory of your accounts. Popular, reputable products in this space include LastPass and 1Password.
6. Keep the apps and software on your phones and devices updated
Apps downloaded and installed on phones are a great way to add functionality and services. However, incorrectly coded, badly configured or outright malicious apps can 'leak' your information to other apps installed on the same device.
Always keep your phone's software up to date (the phone will usually prompt you when an update is available), and only download apps from official stores or verified sources, e.g. the App Store or Google Play.
As a routine task, regularly review the apps on your phone and remove old apps that you don't use or have never used.
7. Secure your Internet of Things (IoT) devices
The IoT is a generic term for any network-connected device that can be controlled remotely. Examples include smart home devices such as TVs, lighting, doorbells and smart meters, and the voice assistants that control them, such as Amazon Echo.
Attackers can detect badly configured devices on your home network and use them as a foothold to plant viruses, ransomware or other malware on your computer. The Mirai botnet of 2016 is an example of how such household devices can be controlled externally and turned against institutions.
If a device has a factory default password, ALWAYS change it, and give devices the minimum network access they need, for example by placing them on a separate guest network where your router supports it.
Summary
Information is obtained via a number of well-known attack paths, or vectors, which have remained relatively stable for a number of years.
Although individuals' usage patterns differ widely, there are common safeguards you can apply to reduce the risk of your information and accounts falling into the wrong hands.
Cybersecurity is a shared responsibility between the institutions, organisations and individuals that use the online space. Make sure that you are doing all you can to protect yourself.
References:
https://www.ncsc.gov.uk/section/information-for/individuals-families#section_2 (NCSC advice for individuals and families, 2019)
https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/datasets/natureofcrimepersonalandothertheft (UK Property crime figures, 2019)
https://s3.eu-west-1.amazonaws.com/ncsc-content/files/O365%20Compromise%20and%20mitigation%20advice.pdf (NCSC Advice on combatting the rise in Office 365 attacks, 2019)