Cybersecurity Awareness Month is mostly geared toward businesses rather than individuals, encouraging them to ensure they carry out risk assessments and follow best practices to protect their IT systems. (There appear to be one or two companies who could use a little work there…)
But it’s also a worthwhile reminder to individuals to check their own cybersecurity, and for us to offer some advice to less-techie friends and family members.
Many of the steps that seem obvious to us may not be so to less tech-savvy friends, so here’s a checklist you can show them.
Passwords
The single most important step is to ensure we’re using unique passwords for every website, app, and service. A scary number of people use the same password all the time, and that means that their security is only as good as the least-secure service they use. The first thing hackers do when they get their hands on login credentials for any service is to throw them at a whole bunch of popular services, from Apple to Facebook, to see if they work there.
Passwords should also be strong. Never use words found in a dictionary, nor things that would be guessable by anyone who knows you.
Realistically, a password manager is the only way to have unique, strong passwords for every site. Safari has a decent built-in one, while 1Password and LastPass are two popular subscription services.
Security questions
Many sites use very weak security questions, asking for information that would be readily available to anyone who knows you. If they ask for things like place of birth, first car, first pet, and so on, consider developing your own system for answering these. For example, instead of the true answer you might take the first letter of the question and give the name of a favourite book or film beginning with that letter.
Beware of social media posts asking for the same information. Many posts ask you to share your first car, first pet, and so on. These are not generally targeted attacks, but they are designed to help hackers build up a dictionary of common answers to these questions.
Two-factor authentication (2FA)
Always enable two-factor authentication whenever it’s offered. This means that even if someone gets your password, they still won’t be able to log in.
Note that text messages are a very weak form of 2FA. SIM-swap attacks and mobile-network interception can rather easily compromise them, so if you’re offered a choice of methods, never choose SMS. It’s far better to use authenticator apps.
Fortunately this is easy for Apple users on iOS 15, as the feature is now built-in. Settings > Passwords > <Sitename> > Set Up Verification Code. Another popular option is Google Authenticator (iOS and Android).
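The codes an authenticator app shows are time-based one-time passwords (TOTP, RFC 6238): a six-digit value derived from a shared secret and the current 30-second time slot, which is why a stolen password alone is not enough and why the code changes every half minute. The following is an added illustration, not code from the original post or from any particular app; it uses only the Python standard library, the defaults nearly all apps use (HMAC-SHA1, 30-second step, 6 digits), and the RFC 6238 reference secret as its constructed key.

```python
"""Added example: how authenticator-app (TOTP) codes are produced and checked.

Not from the original post. Uses only the standard library and the defaults
most authenticator apps use: HMAC-SHA1, 30-second time step, 6 digits.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 reference secret (ASCII "12345678901234567890"). Real apps receive
# the secret as the base32 string embedded in the setup QR code; the base32
# form below is constructed from that same reference key.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()
TIME_STEP = 30   # seconds per code
DIGITS = 6


def decode_base32_secret(b32: str) -> bytes:
    """Turn the base32 key from a setup QR/URI into raw bytes (re-pads as needed)."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current Unix time divided by the step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // TIME_STEP, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, skew: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `skew` neighbouring steps
    to tolerate clock drift. Constant-time comparison avoids leaking which digits matched."""
    if at is None:
        at = int(time.time())
    counter = at // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, c, len(code)), code)
        for c in range(counter - skew, counter + skew + 1)
    )


if __name__ == "__main__":
    secret = decode_base32_secret(RFC_SECRET_B32)
    print("base32 secret as an app would receive it:", RFC_SECRET_B32)
    print("code for this 30-second slot:", totp(secret))
    print("verifies now:", verify_totp(secret, totp(secret)))
```

The verifier accepts one step either side of the current one, which is the usual compromise between usability (phone clock a few seconds off) and keeping the window in which an intercepted code is useful to about 90 seconds; widening `skew` further trades that away.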
Phishing
Phishing is the process of trying to fool you into handing over your login details by sending you a link to a fake website. Typically this will be an email claiming there’s a problem you need to address with your bank account, Apple ID, PayPal, email service, and so on. A very common one is to send you a receipt for an expensive purchase with a link to dispute it.
The main safeguard here is to never click on links sent in emails. Always use your own bookmarks, or type in a known URL.
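One reason the bookmark rule matters is that the text of a link in an email can say one thing while the link itself points somewhere else, and a fake site will usually put a familiar name such as a bank or Apple somewhere inside a domain it actually controls. The following added example, which is not from the original post, parses a constructed phishing-style email body and flags links whose destination is not on a small allowlist, whose displayed address differs from the real target, or which carry a user@ prefix in the URL; the allowlist and the email are both made up for the demonstration, and the registered-domain helper is a deliberate simplification (a real check would consult the Public Suffix List).

```python
"""Added example: flag suspicious links in an HTML email the way a mail filter might.

Not from the original post. The allowlist and the sample email are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of domains the reader actually has accounts with.
TRUSTED_DOMAINS = {"apple.com", "paypal.com"}

# Constructed sample: a fake "receipt" with a dispute link, as described in the post.
SAMPLE_EMAIL = """
<p>Thank you for your purchase. Your receipt for $899.00 is attached.</p>
<p>Not you? <a href="https://appleid.apple.com.example-verify.net/dispute">https://appleid.apple.com</a></p>
<p>Or visit <a href="https://www.apple.com/">Apple</a> directly.</p>
<p>Support: <a href="https://paypal.com@198.51.100.7/login">paypal.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._in_a = False
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            if self._href:
                self.links.append((self._href, "".join(self._text).strip()))
            self._in_a = False


def registered_domain(host: str) -> str:
    """Simplified: last two labels of the host. Real code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_warnings(href: str, text: str) -> list[str]:
    """Return the reasons a link looks suspicious (empty list means nothing was flagged)."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reasons = []
    if registered_domain(host) not in TRUSTED_DOMAINS:
        reasons.append("destination not on allowlist")
    if "@" in parsed.netloc:
        # "paypal.com@evil" puts the familiar name in the ignored userinfo part
        reasons.append("userinfo before the real host")
    shown = text.lower()
    if "." in shown and " " not in shown:          # displayed text looks like an address
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and registered_domain(shown_host) != registered_domain(host):
            reasons.append("displayed address differs from target")
    return reasons


def extract_links(html: str) -> list[tuple[str, str]]:
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def suspicious_links(html: str) -> list[tuple[str, list[str]]]:
    """All links in the email that triggered at least one warning."""
    return [(href, w) for href, txt in extract_links(html) if (w := link_warnings(href, txt))]


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Run against the sample, the dispute link is flagged twice (off-allowlist host and a displayed address that does not match), the genuine apple.com link passes, and the third link shows the userinfo trick, where everything before the @ is not the host at all.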
Bank payments
A very common type of fraud is when you receive an email or text message claiming to be from a company you are using. The message says that they have changed their bank account, and future payments should be made to a different one. Never act on this without phoning a known contact at the company.
A variation on this is when the message (or very often, phone call) claims to be from your bank, stating that your account has been compromised and they need to transfer your money to a new one. A bank will never do this, so you should always ignore these.
VPN
It’s best not to access sensitive websites like ebanking on a public Wi-Fi network, but if you need to make frequent use of Wi-Fi hotspots, a VPN subscription is highly recommended. This encrypts all traffic between your device and the VPN provider, so even if it is intercepted on the hotspot by a man-in-the-middle attack, the hacker won’t be able to see your login credentials or any other private data you send or receive.
What are your own cybersecurity tips? Please share them in the comments.