October is the National Cybersecurity Awareness Month (NCSAM) aimed towards raising awareness about the importance of cybersecurity and sharing the knowledge and resources needed to stay secure while connected. This year's theme is "Do Your Part. #BeCyberSmart" and we, of course, want to do our part.
Everyday, we are spending more of our time online, browsing, shopping, and working. With more everyday tasks we do online, more of our personal data is shared. And if that data falls into the hands of cyber criminals, sensitive information could be at risk.
Most successful attacks and data breaches are the result of simple human error and a moment of carelessness. Being aware of ways attackers might gain access to your personal information or infect your device with malware, and knowing what to watch out for, can reduce your chances of becoming a victim. This is why we've prepared 10 do's and don'ts of staying safe while connected.
Our advice is aimed towards the everyday user, with measures that are easy to implement but poised to make you that much more secure while still freely scrolling online. You can find additional links and resources that tackle different topics mentioned here, so you can always read more about different types of cybercrime and protection measures.
- Do: Use complex passwords and change them regularly
- Don't: Use any of your personal information as your password
- Do: Use multi-factor authentication
- Don't: Install antivirus solutions from unknown sources
- Do: Pay attention to telltale phishing signs in emails
- Don't: Open attachments from unknown senders
- Do: Review each site you visit
- Don't: Use free public WiFi
- Do: Keep the OS and all software up to date
- Don't: Click "Remember" that quickly
- Final words
Do: Use complex passwords and change them regularly
While this might be a no-brainer, using common and easy to guess passwords isn’t a safe practice. The password “123456" alone is used by over 20 million people. This is exemplified by the fact that stolen credentials are one of the most common causes of data breaches. And one way cyber criminals frequently gain unauthorized access to systems is actually quite simple—by guessing passwords. Known as a brute force attack, attackers can guess an individual's password using relevant clues they have on them. Another example of brute force attack is to rely on users reusing their passwords, some of which have been exposed by previous data breaches.
You can find out if your credentials have been compromised in a previous data breach, by visiting HaveIBeenPwned.
Always use complex passwords with a mix of lower and upper case letters, numbers and special characters; and make sure they are regularly changed and different on all accounts. If it seems daunting to remember all those long and complicated passwords, using a secure password manager is a great way to stay on top of your password security.
Don't: Use any of your personal information as your password
When we mentioned that attackers can guess your password by using relevant clues, some of the more obvious tip-offs can be your first name, last name, date of birth, location and other personal information. Some clues, however, can be easily found by observing your social channels. That's why your password should never reference anything that's easily connected to you. Instead, use random words and phrases, or a combination of "nonsensical" word formations.
Do: Use multi-factor authentication
Chances are you're probably using at least a two-factor authentication on some of your accounts, as platforms often require you to create one. Authentication factors are: knowledge - something you know about the device, such as email and password; possession - another device that will verify your identity, such as an SMS code; inherence - something you actually are, such as a fingerprint, and location.
In the case of identity verification, the more the merrier. Multi-factor authentication considers the use of two or more authentication factors, which is not only important for creating an additional barrier to attackers trying to gain unauthorized access to your account, but also because SMS code and similar types of authentication aren't that secure.
Most, if not all, platforms will have 2FA and MFA authentication easily accessible, so it's simple to get started and add another layer of protection to your online accounts.
Don't: Install antivirus solutions from unknown sources
While the use of antivirus and anti-malware are commendable cybersecurity hygiene practices, they're not when they come from unknown and third-party sources. Always install popular and well-tested antivirus software, and use official websites and distribution platforms to make sure you don't get exactly what you're trying to avoid—malware and viruses on your device.
And please, never trust pop-up ads that tell you your computer is infected with a virus, offering you a quick fix just by clicking on that flashy button.
Do: Pay attention to telltale phishing signs in emails
Phishing is one of the most "popular" (a better word might be "infamous") types of cyber attacks and is considered a social engineering attack. We've all received, at least once, an email allegedly coming from our bank or from a website or service we use, urging us to change a password or update our information. And we can't forget the Nigerian prince-style emails that circulated for many years.
Besides email, there are other ways that attackers try to phish you as well, such as by asking you to click on a malicious link or divulge your private information by SMS, social media and even phone call.
Phishing emails are more sophisticated today than ever. The emails can look nearly identical to those coming from the impersonated company or person, with sender addresses looking eerily similar to legitimate ones. So how can you tell if you've received a phishing email?
Check for grammar. When impersonating a sender address, attackers might make a typo or add numbers to the domain in order to have it registered, and that can be easy to overlook. Also, while grammar errors can happen to anyone, keep your eyes open for continuous grammar errors or sentences that don't sound "professional", or don't sound like they would come from the company.
Check if the sender email address is actually in use by the company. Most companies and services will have the email addresses they use somewhere on their website, and as phishing emails mostly come from "customer support", that email is easily verifiable.
Use an anti-phishing browser extension. Most modern browsers will offer phishing detection to help you protect yourself against phishing attacks whenever spam filtering hasn't detected and flagged potentially suspicious email.
Don't: Open attachments from unknown senders
Tied in with telltale signs of phishing, you might encounter an email from an unknown sender, or even from a known sender sharing a link or attachment that you're 'supposed' to open. In some cases, that can be a link that leads you to a website that might (or might not) impersonate a legitimate website advising you to input your credentials. Or, it might be a file that when downloaded injects malware into your computer. Whatever it is, it's not good news.
If you're unable to determine whether the email is legitimate, even after checking each of its elements, and it contains a link or an attachment, the best thing would be to hover with your mouse over the URL. This will show you the real address, letting you know if it really is a website or form belonging to the sender. Ideally, you won't open the link, and will investigate further or ask around. Phishing campaigns often target a large number of people, so chances are it's an ongoing campaign with information about it available online.
Do: Review each site you visit
You should always keep your eyes open with any website you visit in order to avoid having your information compromised. Check the URL to see if it looks like a legitimate one, and shows the name of the website you intended to visit (with no typos). Look in the address bar for the lock icon that shows you the website allows for encrypted connection to your browser, indicating shared and private information are safe. And before inputting any private or financial information, make sure it's a verified payment platform and that the connection is also graced with that small lock — protected.
Don't: Use free public WiFi
It's end of the month, your phone plan has run its mobile data down to its final breaths and you need to connect online to check for an important work email or a message on your social networks. Free and public WiFi is always tempting and a "quick fix" when we're out and about, but while seemingly without cost, it does come with a price.
One of the biggest threats of free WiFi is the fact it’s also free and an easy target to those with malicious intent. They can get between you and the hotspot you're connecting to, and intercept all traffic. Even if all you do is input your email or other credentials while connected to the hotspot, you're basically giving it to attackers, putting it right in their hands.
Additionally, attackers might even set up fake hotspots that share a name with a popular public WiFi service, get access to your device, and collect your private data.
Our best advice to you is, if you use free WiFi, don't. If it’s really necessary, then at least make sure you don’t share your private information at any time while connected, don't log into accounts you aren't already logged into, and use a VPN.
Using a VPN is an easy way to ensure secure connection to the internet, or alternatively, you can invest in an unlimited data plan to avoid emergency situations where you need internet access, with no option other than free, public WiFi.
Do: Keep the OS and all software up to date
New update is ready! Update your system. New version is available, update!
We’re all too familiar with these sometimes bothersome messages from our operating system and programs that urge us to update to the newest version. While yes, updates often take a lot of time and even render your device non-functional during that time, it's crucial that we keep all of our systems and software up to date, and on all of their latest versions.
When security issues are discovered in a software or OS, security patches and fixes for them are released. By applying these updates, we can be confident in using devices without any known security holes, that aren't just waiting for attackers with an easy way in. After all, if security researchers have discovered a security flaw, then attackers probably have too. And bad guys will waste no time in attempting to exploit systems running on a version with a flaw.
Don't: Click "Remember" that quickly
Convenience is one of the perils of cybersecurity. It's always easy to use simple and memorable passwords, to use free WiFi and to click "remind me tomorrow" to updates from your OS. It's also easy to click all the "Remember me" buttons on websites and services you're signing up for.
When it's a website or platform you visit regularly, your simplest option might seem to stay remembered and logged in, so you don't have to input your email address and password each time. But it's not the most secure option. There's always a chance of forgetting or losing a device so it falls into the hands of those with malicious intent. Staying logged into all your accounts just gives them sort of a "right of passage" to collect all your private information.
Hold off on the urge of convenience. Make it a habit to always log out of all accounts and devices you use.
October is a month of many things; fall is arriving with its warm colors, we're spending more time inside, and with more time inside we're bound to use more of our devices. Add to this the growing number of remote work policies with people accessing company networks from their homes and private devices, and the reality of cyber attacks becomes more frightening than Halloween.
With cybersecurity awareness month we wanted to do our part and veer away from our technical content. Instead, we took this opportunity to share some quick do's and don'ts of staying safe while connected.
We've intended them to be useful to both casual users and the least technical of users—so if you were already familiar with these tips, we hope you'll share them with others.
Stay tuned for information on how to create and maintain cybersecurity awareness on an organization level, as October and cybersecurity are not only for everyday users and individuals, but also for companies and organizations of all sizes, and cybersecurity is everyone's job.
Spread awareness about the importance of cybersecurity. Do your part. #BeCyberSmart.