As this was "Get Safe Online" week in the UK, I thought I would share this article I wrote for Doesn't Grow on Trees, a UK site focused on helping consumers and businesses protect their money. It touches on tips and best practices common in the worlds of fraud protection and cybersecurity.
This week sees the promotion of “Get Safe Online” week, a campaign to promote and secure better habits in the virtual world, and many current and would-be cyber surfers, e-commerce purchasers, and digital customers do need a wake-up call to what represents good practice. As with any safety or security measure, strength comes from depth: layers of security presenting a range of obstacles to those who might otherwise manipulate and misrepresent our identity. An easy way to remember good practice comes through remembering our vowels:
A is for Accessing. Even the most advanced and up-to-date anti-malware is only likely to prevent a proportion of the latest cyber-attacks, because malware is constantly being created, renewed, changed and reinvented by the criminal, malicious and mischievous communities. Having anti-malware in place and constantly patched is essential, but those entering the virtual world need to keep in mind that there is a significant chance that devices and sites are already compromised, and therefore to be careful about what they are accessing in order to limit their exposure to potential malware and further compromise. Many of us intuitively apply restrictions to where we might or might not go in the physical world, but most of us are far more laissez-faire with our virtual footprint. Well established and “big name” sites are typically going to be more secure than smaller, niche players. It is important to look out for https sites, especially those operating in a payment or value exchange context, because these are more secure owing to website authentication.
E is for Establishing. When we go about setting up a new connection or business or personal relationship in a physical context, we will typically be far more selective about the credentials and information that we offer. We will usually limit disclosure to what is reasonable and essential for the purpose we are entering into. We need to adopt the same healthy caution online, and not simply load data “in the clear,” where others with a more nefarious purpose might be able to access and capitalise on it. We should also ensure that sensitive data is, wherever possible, held in encrypted formats and password protected. Our passwords should also not be the same (or a simple variant of the same) for all our various accounts and relationships, because that makes them susceptible to compromise. We should always avoid deploying “classic” password techniques such as using standard demographic data about ourselves and our families, as that is information that is easily mined. Using your date of birth? Well, that’s a matter of public record. Using your mother’s maiden name? Well, that’s possible to find through a genealogy website. Some great advice on more secure password creation and maintenance is available from Cyber Streetwise.
I is for Interacting. Many of us fail to appreciate that details we provide in support of our online presence, especially in a social media context, are frequently available to the masses simply because we have failed to adopt proper privacy settings. Take a look at this “experiment” from back in 2012.
We also need to consider, when we are looking for the best available (and often free!) public wi-fi signal, that it may not necessarily have been set up legitimately, as criminals are keen to exploit our desire to be “always connected”. See my fellow blogger Doug Clare’s commentary on this very topic. The general rule of thumb is not to divulge personal, sensitive and especially financial credentials while on an unknown public network.
O is for Opening. Barely a day goes by without my e-mail accounts being bombarded with materials from would-be business or personal connections suggesting that I “take a look at this”, often with either an embedded attachment or a link to another site. Some of these seem to emanate from genuine people or official organisations; some even appear to come direct from e-mail accounts that I know and trust as belonging to friends and family. Yet, invariably, they are actually attempts at phishing, where my apparent trust, curiosity or simple carelessness leads me to be “socially engineered” into providing ready access to a malware payload by opening attachments or clicking on links that are not what they appear. One particularly clever spoof that criminals have tried recently is to send a risqué, sexy picture to a work e-mail (for many organisations something that might warrant disciplinary action against those involved in the exchange) with an “unsubscribe” link at the bottom of the message. Recipients keen to avoid receiving similar materials in future, for fear of retribution at work, will frequently click that link and unwittingly download malware. For me, if I receive a relatively impersonal e-mail with an attachment or link I will invariably delete it without opening it or, if it appears it may have come from a legitimate source, reach out to the sender directly through a different, trusted channel to see if they have indeed sent me the material.
U is for Utilisation. It is an excellent idea to keep a watch on anything where your identity, payment credentials, or accounts seem to be used for reasons that you do not recognise. Maintaining access to your credit bureau file allows you to monitor both how your identity is being used and how accounts in your name are being conducted. Similarly, looking at online statements is an important housekeeping exercise to make sure that activity is not happening without your knowledge. Where something arises that appears anomalous, it is important that this be reported to the organisation concerned as quickly as possible for investigation and either confirmation or mitigation. Many organisations offering online accounts also helpfully tell the subscriber, at each log-in, the date and time of the last recorded access, and we should all mentally check and acknowledge this every time we log in. Criminals may, having gained access to on-line credentials, spend time harvesting further information before progressing to realising financial gain, so the earlier unusual access is spotted the better.
If we all took a while to seriously reconsider, and act to protect, our personal on-line security proportionate to the risks and the amount of time and access that we spend in the virtual world then, as with the physical world, unwelcome visitors would be dissuaded and seek easier and more malleable targets.