Stay safe online – security best practices

Online security can be hard and confusing. We’re overwhelmed with scare stories about hackers, identity thieves, scammers and other ne’er-do-wells constantly trying to get at our personal data and empty our bank accounts. According to this website, we Brits have a 1 in 4 chance of being a victim of cybercrime, and stand to lose an average of £7.5K if we do. So, apart from using secure passwords, what other measures can we take to stay safe online?

In this article, Dave outlines a set of information security procedures that should keep you safe.

What is Information Security?

Information security is a way of sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. Already with the jargon! Let’s break this down:

Confidentiality means not telling anyone, other than those who should or need to know. For instance, you wouldn’t tell anyone the password to your online banking app (hopefully).

Availability, in relation to information, is making sure those who need to access something are able to access it when they need to. It’s no good having a password for a banking app if the website is down!

Integrity means making sure the information being accessed is accurate and trustworthy. Most importantly, it means making sure it can’t be altered by unauthorised people. Wouldn’t we all love the ability to add an extra few zeros to our bank balance? Unfortunately, only the bank can do that!

Assets are the things you are trying to protect. They’re worth something, even if they aren’t tangible. For instance, your identity is the most valuable thing you have. Without it your life would grind to a halt.

Threats and vulnerabilities. A lot of people think these are the same. They’re not. A threat is a way of attacking something – a weapon if you like. A vulnerability is a way that attack can succeed – think of a gap in a suit of armour through which a sword can penetrate.

So in English, what we want to do is:

  1. protect our important stuff from attack,
  2. make sure no-one pinches or damages it, and
  3. know that it’s there when we need it.

OK, so what steps can we take to do this?

Information Security Management for ordinary people

There’s a whole area of scientific study around Information Security Management. One only has to glance at the Wikipedia pages here and here to understand how big and complex it can be from an organisational point of view. But as an ordinary member of Joe (or Joanne) Public, there are some straightforward things you can do. There are also millions (literally) of pages on the internet offering advice on this stuff, of which the one you are reading is just one. But I’ve read a lot of them, so you don’t have to.

First and foremost, this should go without saying, and it stands alone as the single most important thing you can do. Use a Secure Password! Seriously, go and have a look at my previous post on this before you read on.

Once you have digested the advice about passwords, the second thing you can do is Keep Your Passwords Secure! Don’t share them, write them down or tell them to anyone. Not even your Mum! Now that’s out of the way, here are my Top Tips.

1. Install antivirus software.

You’d be surprised at how many people I come across who haven’t done this. It annoys me, because a) you would have thought everyone would be aware of computer viruses by now and b) it’s FREE to do it. That’s right, it doesn’t have to cost anything. Here is a list of the best free packages. So if you haven’t already done so, go and download one now and install it.

2. Install an anti-spyware package.

Spyware is a special kind of software that secretly monitors and collects personal or organizational information. It is designed to be hard to detect and difficult to remove, and tends to serve up unwanted ads or search results to direct you to certain websites. It’s not a virus, as it doesn’t actually cause damage, but it can be a nuisance and will slow down your computer.

Some spyware records every keystroke to gain access to passwords and other financial information. Most paid-for antivirus has an anti-spyware module bundled as part of the package, but the free stuff doesn’t so you will need to get one. Again, there are lots of free ones out there – here’s a list.

3. Keep Software up to date.

I know, it’s a pain when Windows decides to update itself and takes aaaaages to start up or shut down, or worse still decides to restart to apply an update just when you’re in the middle of the finale of that must-see show on Netflix. But it’s important that you do it. Windows Updates protect you against ‘Zero Day Exploits’. These are vulnerabilities that Microsoft didn’t know about when they built Windows, but some clever hacker has found and is using to attack systems. They have to be patched immediately (hence the ‘Zero Day’) otherwise you are vulnerable to attack. It’s not just Windows that has more holes than a colander – most software is likely to need updating at some point. It’s a bit like fixing the roof on a house. If you don’t do it, the rain will get in! McAfee have some useful advice on this page.

4. Use two-factor authentication.

I mentioned this in yesterday’s post about setting up PayPal. Put simply, it means if a thief somehow gets hold of your login details, they can’t log in unless they also have possession of your phone or tablet. The online service sends you a text message with a special code every time you log in, and without that code, the thief won’t be able to log in. No code, no access. It’s a simple idea, yet very effective, and you should turn it on wherever you can. Here is a really useful list of online services that allow 2FA (or not). Check the services you use, and if they allow it, turn it on!

5. Use a firewall.

A firewall is a software application that prevents hackers from getting into your computer ‘through the back door’. It’s like a bouncer, in that it maintains a list of applications that should be allowed through (for instance email, web browsing, Skype), and blocks those that aren’t. If their name’s not down, they ain’t comin’ in!

Again, most paid for antivirus comes with a firewall, and Windows and MacOS have one built in, so it’s not usually something to worry about as long as you keep up to date. It can be a bit of an annoyance sometimes when it blocks something legitimate (a bit like a bouncer stopping you coming in because you’re not wearing a tie), but whatever you do, DON’T TURN IT OFF!

6. Secure your network.

When you get a new router, it will have a default password. Usually this is really easy to guess. In fact there are websites that have lists of default router passwords. So you need to change this to stop anyone logging in to it. It’s a bit complicated to do (and quite low likelihood that it’ll happen), so I’ll write a future post on how to secure your network properly.

7. Ignore Spam.

Beware of email messages from unknown parties, and never click on links or open attachments that accompany them. Really, don’t. The instant you do, you will either be taken to a website that wants to harvest your personal data (bank details, PIN numbers, passwords, all that juicy stuff), or you will launch an attack that might lock up your data until you pay a hefty fee. This is called a ‘Phishing attack’ and the nasty that it launches is called ‘Ransomware’ See this cautionary tale. I’ll be doing a future post about how to spot fake emails and avoid Phishing attacks.

By the same token, you will never, EVER, get a call from your bank or Amazon or PayPal asking for your credentials. If you do, politely hang up, Google the phone number of the call centre for whoever called you and give them a call. You will most likely be told the call was a scam, and they will report it to the police for you.

8. Practice Safe Browsing.

You wouldn’t choose to walk through a dangerous neighbourhood – don’t visit dangerous neighbourhoods online. Cybercriminals use lurid content as bait. They know people are sometimes tempted by dubious content and may let their guard down when searching for it. You know the ones I mean…

9. Be Careful What You Download.

A top goal of cybercriminals is to trick you into downloading malware – programs or apps that carry viruses or try to steal information. This malware can be disguised as an app: anything from a popular game to something that checks traffic or the weather. If in doubt, Google “Is [insert app name] safe”.

10. Back up, Back up, Back up. Then Back up again!

This should be at the top of the list really. The number of times I’m approached by a customer panicking that their computer has broken down and they can’t access that important file they need. My cynical response is usually “if it wasn’t backed up, it wasn’t important”. Think of the hundreds of photos you have stored on your computer, the months or years’ worth of bank statements, that novel you had nearly finished. If you only have one copy, what happens if your house burns down and your computer with it? My advice is to buy a USB hard drive, plug it in, and copy those files to it now! Have you done it yet? Even if you have followed all of the tips above, if you haven’t got a backup you might as well not bother. Again, I’ll write a future post about backups, but for now just remember – ONE COPY IS NOT ENOUGH!

In principle, you should practice ‘Opsec’ or Operational Security. If you follow the tips above, you’re most of the way there, but it’s more of a mind-set than a set of hard and fast rules. Be careful, be suspicious, but most of all, be safe!