Disclaimer: I am not a certified cybersecurity professional like my colleague Brendon Taylor.
I am, however, like many who work in the IT industry, the de facto help desk and tech support for family, friends and relatives when they have problems with their PCs, laptops and devices. Think of this article as a community service announcement to lessen your home tech support pain and improve the cybersecurity and safety of your loved ones.
No doubt you have fielded a call from a relative asking something like: “My computer’s acting weird” or worse: “I’m getting messages on my machine and can’t login — what’s bitcoin and why do I have to pay to unlock my computer?”
That’s when you get that sinking feeling that your weekend just got busier, and wish that you had spent a little more time beforehand educating them on some cybersecurity basics. As they say, an ounce of prevention is worth a pound of cure.
Outlined below are the top twelve tips you can share (or implement yourself) to better prepare before you get that call, to make everyone’s lives just a little safer online.
- Work out what to protect. The starting point is to work out your digital footprint — i.e. what data you have, where it is, who has access to it, and what you want to protect. Take an inventory of all of your sensitive material so you can start to consolidate your data — it’s a good time to do a virtual spring clean too. You may often be surprised what information you have sprawled on USBs, external hard drives, mobile devices, in the cloud, on camera SD cards, in printer/scanner memory, on your PC or laptop.
- Back up regularly. Sooner or later, something’s going to go wrong, whether malicious or user error, that will destroy data. You need to assume that this is inevitable and get a simple, effective backup solution in place that runs frequently. If you are using a physical external device, ensure that you disconnect it after backing up or it may be just as vulnerable to data loss. It doesn’t hurt to check periodically that the backups are working too — goodness knows there have been enough professional system admins who have gone to restore from a backup only to find it corrupted or incomplete.
- Update regularly. Patching or updating your operating system, applications and (if you are confident) firmware is essential to reduce the number of vulnerabilities that can be used to access your device. Just like the weakest link in a chain, all it takes is a single chink in your system armour for an attacker to gain a foothold. Whilst not a panacea, patching certainly reduces your attack surface. Refer back to point #2 (back up regularly) above though: sometimes your updates may not apply correctly, and there are times a home techie will need to restore to a prior state if the patch you just applied didn’t work as expected.
- Use antivirus/anti-malware and keep signatures up to date. Whilst an antivirus solution is not the silver bullet that some users assume it to be, it does at least provide a level of protection. Keep the signatures up to date and run scans regularly, particularly on specific files before opening them or if you notice any unusual behaviour on your system. And consider using ad blockers with your browsers too.
- Use strong (and unique) passwords for each key system. Better yet, use a password manager like LastPass, Dashlane or 1Password. Re-using the same password is a bad idea — if someone discovers it, they could use your password to log in to your social media, work systems or banking information, so it is better to keep them separate. And please, please, don’t use the top worst passwords that are prone to reuse. Find something unique, and not too short — every extra character adds to the effort required to brute force it. And it goes without saying, don’t put passwords on a sticky note or in your wallet.
- Use encryption. This is a broad recommendation, but what is important here is that, wherever you can, you secure your information so that it is harder to access or intercept. Encrypt your hard drive with something like BitLocker, encrypt your external drives and USBs so that if you drop them they aren’t easily accessible, look for the lock sign (SSL) on web sites, and check the encryption settings on the apps you use. Consider using Virtual Private Networks (VPNs) for more secure communication where appropriate.
- Always click with caution. Whether you are opening an attachment in an email or downloading and installing an app, you need to do some form of checking or verification if you think that something feels dodgy. It goes without saying, don’t run pirated software or apps from suspect web sites. With shortened web addresses it can be tricky to see what you are clicking through to. You can check these shortened URLs by using a site like CheckShortURL.com or Sucuri, or if you want to get really fancy, check out Cisco’s Talos IP and Domain Reputation Center. Calling the original sender of an email or business can be a useful alternative method of verification.
- Be careful what information you share and check your privacy settings. With social media privacy standards evolving regularly, it is important to check your settings to understand if you are sharing public information you didn’t mean to, such as location data, personal information like date of birth, or photos that weren’t intended for the public domain. A quick Google search on your name or email address may show what information is available to the public, and whether it represents you appropriately. If not, look to remove it from public view. While you are at it, be sure to check the HaveIBeenPwned website by Troy Hunt to see if your account information may have been leaked through a variety of data breaches. If your account shows up, it is highly recommended that you change your passwords immediately.
- Watch the Wi-Fi. At home, it is important to ensure that you have taken the basic steps to secure your Wi-Fi, including: changing the default network name and password, hiding the signal from public view, updating the encryption level to the highest available and ensuring that you check periodically that there are no unknown devices attached. In public, you should approach any public Wi-Fi network with extreme caution as you don’t know who is intercepting the traffic that you are passing and where it is going. If you need any reinforcement of this, check out this article from CSO on why you should never connect to public Wi-Fi.
- Consider multi-factor authentication. Having a second method set up to verify who you are beyond the initial system password is worth the effort for more sensitive data. There’s a useful paper from the Australian Cyber Security Centre on multi-factor authentication if you want to read more.
- Don’t forget physical security. Devices are prone to theft or tampering, so make sure that you don’t leave them unlocked or out in the open as visible temptation for thieves. And of course, the more mobile the device, the more likely you are to lose it — according to the 2018 Uber Lost & Found Index, the number one device lost is the mobile phone. So make sure it has a passcode on it and set up the ability to find it or wipe it remotely if possible. And finally, when you are disposing of old devices, make sure you thoroughly wipe all of the data off them.
- Keep informed. Technology is constantly changing, as are privacy standards and vulnerabilities that can be exploited, both through systems and more sophisticated scam techniques. Follow or subscribe to useful trusted sources of security information, such as Stay Smart Online and Scamwatch in Australia. For more advanced reading around cybersecurity, or for those who like listening to podcasts, check out the following: Brian Krebs, Brian Johnson — 7 Minute Security podcasts, SANS.org Information Security Resources, Security Week or Dark Reading.
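The backup tip above suggests checking periodically that backups actually work. The following is an added example, not part of the original article: a small Python check that compares every file in a source folder against its backup copy by SHA-256 and reports anything missing or corrupted. The folder names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large photos/videos don't fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare every file under source with its copy under backup."""
    report = {"ok": [], "missing": [], "corrupt": []}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        copy = backup / rel
        if not copy.is_file():
            report["missing"].append(rel.as_posix())
        elif sha256_of(src) != sha256_of(copy):
            report["corrupt"].append(rel.as_posix())
        else:
            report["ok"].append(rel.as_posix())
    return report


def demo() -> dict:
    """Constructed sample data: a small 'documents' folder and a damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "documents"), Path(tmp, "backup")
        (source / "photos").mkdir(parents=True)
        (backup / "photos").mkdir(parents=True)
        (source / "tax.txt").write_text("2018 return")
        (source / "photos" / "a.jpg").write_bytes(b"\xff\xd8 image data")
        (source / "notes.txt").write_text("wifi router notes")
        (backup / "tax.txt").write_text("2018 return")
        (backup / "photos" / "a.jpg").write_bytes(b"\xff\xd8 image da")  # truncated copy
        # notes.txt was never copied, simulating an incomplete backup
        return verify_backup(source, backup)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

Run a check like this straight after a backup completes: any file edited since the backup was taken will also show up as a mismatch, even though the backup itself is intact.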
I’m sure most of these cybersecurity basics apply equally well in start-ups, small business and enterprise; it is just the scale and complexity of the challenge that requires additional governance and broader controls fit for your industry. And like the old adage “charity begins at home”, so too should cybersecurity, because these habits translate into our schools, our institutions, and our businesses. These days the line between home and work is becoming more and more blurry, so being safer at home can reduce your business risk too — not to mention saving you time on the weekends not having to deal with as many unexpected tech support issues at home!
Other useful resources:
- NSA’s Best Practices for Keeping Your Home Network Secure
- Microsoft Top Tips for Internet Safety at Home
- StaySmartOnline — Protect Your Stuff
- ATO Top Cybersecurity Tips for Individuals
- Cybersecurity While Travelling Tip Card
- ACSC Protect: Essential Eight Explained
- Report a Cybercrime — Australian Cybercrime Online Reporting Network
What are your tips for improving cybersecurity at home? Feel free to share your thoughts.