As an industry we’re not particularly good at talking to people about cyber security in a way which is helpful for them, rather than in a way that either triggers a visceral reaction, a sale or just mystifies people so they stop reading.
In this blog I’m going to talk you through the most common threats you face, and the simple actions you can take to protect yourself. All the apps, software and services I refer to will be free unless I say otherwise, there are links to all those apps and services, along with links to helpful documentation for any tips and tricks.
My number one message is: it’s not as bad out there as you think. The internet contains countless amazing people, communities, bands, videos, recipes, and funny images of cats. Like real life, the very small minority have a disproportionate impact, but don’t let them put you off making the most of this amazing resource.
It’s not as bad out there as you think
Your threat model
‘Threat model’ means ‘Stuff you need to worry about’, and for any average person in the UK, the ‘threat model’ doesn’t include the Chinese, Russian or North Korean governments or secret service agencies. The threat model for you and I is regular cyber criminals, and often the smaller operators at the bottom of the cybercrime food chain. What makes cybercrime different to everyday crime is two things; scale, and (lack of) law enforcement.
Scale
In the physical world, one person is limited in how many houses or cars they can break into by the distance they can travel, and how much loot they can carry. International cyber criminals have no such limitations; they can break into tens of thousands of email accounts in a day, with victims spread across the world, and passwords and payment information weigh nothing. This is one of the reasons you receive so much spam email, because it costs almost nothing to send, and 0.5% of those spam emails will result in a stolen password or an infected laptop and make the cybercriminal a profit.
Law enforcement (or lack of)
A prolific house breaker in your local town runs a reasonably high risk of being caught and jailed. Cyber criminals on the other hand typically operate in countries which have a ‘relaxed’ attitude to digital crime, as long as it doesn’t take place within their jurisdiction. Cyber-criminals commonly code their viruses so they don’t execute their payload if they detect the victim is in Russia or one of the Russian affiliated Commonwealth of Independent States.
Targeted attacks.
The bottom line is no-one is making any specific effort to single you out. In our threat model we’re not being targeted by cyber criminals, the attacks we may fall victim to are automated and opportunistic. Much of the crime is done using software tools not dissimilar to those used by businesses, with a lot of the work done by scripts and automation, rather than someone typing at a keyboard in a hoody.
For some people (typically in the lower age bands i.e. children, young adults and those under 30) there is a completely different and more personal threat, and that is cyber stalking, harassment or sexual exploitation of some kind. These are targeted, far more personal, and I’m not going to cover that here as they’re far less common and there are different ways to deal with that. If you are or know someone who is experiencing such harassment please see the links below to the relevant groups and people who can help.
What you can do to protect yourself
Make them work
Your best defence against cybercriminals is to create some friction, make it just a little bit difficult for them. Because they are targeting hundreds of thousands of victims at once there’s no benefit in spending any extra time or effort on one specific individual, because they don’t get a return on investment. They’re looking for the easiest possible way to make money quickly, and all you need to do is be slightly harder to trick. The 6 steps below, if you did them all, would make you a LOT harder to trick!
1. Get a separate password for your email
Depending on what you do online, your email has become an important part of your identity. If you want to reset your password on Facebook or Amazon, it will want to send an email to your email address. Your bank will send statements to your email address. When you buy something online, it will send the receipt to your email address. That means your email account (your personal email account) is a very important resource, and you should protect it as well as you would your wallet and your car and house keys.
This means when you set a password for your email, you need to make it a good password. In the past people have used anything from pets or family names, the names of football teams or TV personalities, and these are all very bad passwords. If you do nothing else on this list, set a good password for your email, preferably long (see 2 below).
2. Create strong passwords using 3 random words
The recommendation from the NCSC is to use three random words. Easy to say, harder to do. However, there are a few ‘tricks’ to coming up with these passwords which can help (because most people can’t randomly think up random words on the spot), for example;
Think of a memorable but random scenario, something you’ll never forget but isn’t predictable like your wedding or graduating. My example is being a passenger in a car which crashed into a petrol station. Now take three things from that scenario which are key parts of it, so mine would be RenaultCrashTotal.
Another is to pick three random things from an image you remember vividly, which could be anything from the cover of your favourite book to a painting or a poster from a movie. If you’re a fan of Harry Potter you could use TrainGlassesWizard (I wouldn’t use this, never use password examples from the internet as they end up in lists used to crack your password!)
3. Save your passwords in your browser or use a password manager
Your web browser can save your passwords in an encrypted file, which works well because (apart from your email password) most of your passwords you need to enter in a web browser.
This does mean wherever you have a web browser with saved passwords you need to protect that device, whether it be your smartphone, tablet, laptop or PC. Make sure it’s not possible to turn that device on and use it without putting in a password or a PIN. This is particularly true if it’s a mobile device (i.e. something like a smartphone or tablet).
If you’re more confident with technology, you can use a password manager (which works in your web browser and your device so you can autofill passwords). Either of these methods will keep your password safe, along with the rest of the guidance in this document.
4. Turn on two-factor authentication (2FA)
Even if your passwords are strong the service you use might be hacked, you might be tricked into entering your password into a fake website, so in some scenarios you should add another layer of security. This is called ‘Two-Factor Authentication’ or ‘Multi-Factor Authentication’. Your password is one ‘factor’, and it’s something you know (or your browser remembers for you). The second ‘factor’ is typically something you physically have (like a smartphone). The cybercriminal now needs both of those things if they want to access your account.
There are several free apps and services you can use to setup 2FA, what most of them look like is you login to your email, or your online shopping account, and once you’ve entered your username or email address, and your password (the first factor) it will ask you for a six digit code (the second factor).
I strongly recommend you do this wherever possible. Online banks have been doing this for years, with good reason!
5. Update your devices
There are two ways a cyber-criminal will typically try to steal from you. One is to trick you into giving something away and the other is to use a bug in the software on your phone, tablet, laptop or PC to take over the device.
Updating your device to run the latest software gives you the best defences against being tricked. For example, if you are using an up to date web browser (Google Chrome, Mozilla Firefox, Apple Safari or Microsoft Edge) then you’re protected against the fake websites which cybercriminals use to trick you into giving away your password or payment information. Those modern browsers use constantly updated list of ‘bad’ websites and clever software to spot bad links. They don’t spot every single one, but they are an effective defence against fake websites.
Updating your device also means you’re installing the fixes for those software bugs the hackers want to use to take over your device.
If you cannot update your device any more, you should consider replacing it, or at the very least not using it for anything involving money (online shopping, banking etc.) The expense you might incur to replace the device is small compared to the potential cost if your device is hacked.
Some IT workers might tell you not to update your devices automatically as “the patches will break stuff”. That’s true, but it’s much less likely, and the consequences are far less grave.
6. Back up your data
To avoid losing your files if your phone, tablet, laptop or PC is stolen you should copy your important files to a different location. This is called a backup.
This protects you against files being lost if your device is stolen or breaks, of infected by a virus which encrypts all your (this is called ‘ransomware’, because they hold your data to ransom and won’t return it to you unless you pay).
Automatic backup is when your PC, laptop, tablet or smartphone software automatically copies files in specific folders to servers they run (often referred to as ‘in the cloud’, which just means ‘saved on someone else’s servers’). This is available on Microsoft, Apple and Android devices. If you have a lot of data you may need to pay for more storage.
The second is to copy the files you care about to a USB stick or flash drive. If you chose this option, make sure you eject or unplug the stick when you’re not backing up your files, which stops hackers getting to them.
Check before you click
Here are some simple ways to check whether a link is legitimate or not.
- The link looks OK, but when you hover over it, or on a touchscreen click and hold the link, where it actually goes it not where it said it would.
- The link doesn’t contain anything in it which you would expect coming from the company who it claims to be from. For example, if you get an email from your bank, the link they send you should point to their website, not https://tisaweb.com.mx/mul/
- If it looks too good to be true (e.g. you’ve got an unclaimed lottery win of $38,000,000) it almost certainly is. If it looks really bad (e.g. you’re going to be taken to court for HMRC for not filing your tax return) it’s also probably too bad to be true. These emotionally loaded ‘calls to action’ are something to look out for.
A great way to avoid clicking on a dodgy link is to use a link you know and trust (which is why it’s good to bookmark things like your supermarket, bank etc.) If an email or SMS message wants you to click on a link, instead go to that website via a trusted link (e.g. your bookmark for Nationwide, or Santander, or the HRMC, or eBay), or if you don’t have a bookmark, search for it using your chosen search engine.
You can find a helpful list of current scams at ActionFraud, where you can check their news page or search their website to see if an email is dodgy. Another good site for checking both hoax emails and Facebook messages is Hoax Slayer (all in the links below).
Helpful Links
NCSC Cyber Aware | https://www.ncsc.gov.uk/cyberaware/homeThis has instructions for following steps 1-6 above |
Free password manager | https://bitwarden.com/pricing/ |
Free 2FA apps | https://www.microsoft.com/en-gb/account/authenticator https://support.google.com/accounts/answer/1066447 |
Free software update utility | https://ninite.com/ |
Helpful websites for spotting scams | https://support.apple.com/en-gb/HT204759 https://safety.google/securitytips-covid19/ https://www.actionfraud.police.uk/news https://www.hoax-slayer.net/ |
Have I Been Pwned | https://haveibeenpwned.com/Put your email address in here to see if a service you use has had a security breach. If it has, change your password. |
SMS phishing reporting | Forward the text to 7726, typically your provider will then ask for the mobile number which sent it so be ready to provide that in a follow-up message. |