Ian Turnbull. Personal Academic Tutor (Computing), Perth College UHI, University of the Highlands and Islands.
Cybersecurity is one of modern life’s buzzwords, and we hear it in news items every day. We’re warned of car alarms that can be hacked, bank-card skimming, phishing and spam emails, and creepy internet-connected children’s toys that can be hijacked remotely. Over time our understanding of what we’re trying to achieve by implementing cybersecurity has evolved. Essentially, what people really want is to reduce their cyber risk. That is, to reduce the chances of negative consequences from using technology, in the form of identity theft and financial fraud, and to reduce potential intrusions into our privacy.
You can think about ‘security’ versus ‘risk management’ in the same way you think about cars and driving. The ‘security’ part could be considered mostly done for you: how planners curve a road to make corners safer, and how the car’s safety systems, like bumper design, airbags, wing and rear-view mirrors, anti-lock brakes, and traction control, are designed. ‘Risk management’ is concerned with how you make use of these things. Understand the risks: when you’re driving, be aware that you may get a puncture, someone may walk out onto the road, a cyclist might turn right in front of you, and a myriad of other road dangers. Implement protections: drive to the conditions, use your mirrors, wear your seatbelt, don’t use your phone. Have a plan: know how to pull over safely, know how to brake safely in an emergency or how to avoid an obstacle, know first aid, and so on.
A large part of managing your personal cyber risk is about what you do as a person, and the steps you take to minimise your risk. Some of this is ensuring you implement simple and cheap interventions, and some of this is following lower risk behaviours.
Some General Advice
- Know what software you have and use. If you don’t use a piece of software, uninstall it. Over time we can collect lots of applications on older devices – our computers, laptops, tablets, phones – software becomes old, unused and possibly unsupported and unpatched. You should also update your software – software is complex, and testing software for weaknesses can only go so far. Often, software is found to have a weakness, and then that weakness is fixed. These fixes are distributed to you using software updates. If software has an ‘auto-update’ feature, make sure it is switched on.
- Use the ‘Firewall’ feature of any device you use. Firewalls act as a sort of guard between your device and the outside world, only allowing specific types of network traffic, like internet browsing, to protect your computer systems. Firewalls are commonly turned on by default on modern computers, but it’s good to make sure.
- Use an antivirus that offers frequent updates. Modern antivirus looks for malware in several different ways, and can help prevent virus infections on your computer, or clean them up should your computer become infected. Many also offer some level of additional protection when browsing the internet.
- Use a good, modern browser. Some browsers are considered more effective at protecting their users’ privacy than others. Popular browsers such as Firefox and Chromium regularly receive very positive security reviews.
- Use a different password for each account you have. Using a complex password for each site can be tricky, but it is key to protecting yourself should any one of these sites become the victim of an attack. Often hackers will steal data from websites, which will include your email address and password. Even if a password is encrypted, advanced techniques can reveal that password, particularly if it is a commonly used one. Use a password manager if you can. Password managers can generate random, complex passwords and store them for you. You remember your password manager’s password, and the manager remembers the passwords of the sites you use. This makes it much easier to have a unique password for each service you use. If you use a lot of different computers, services like Google Chrome’s password manager can make using many computers much easier.
- Where sites offer Two-Factor Authentication (2FA) you should use it. This approach to security ties your account to a secondary device, often your phone. Should someone try to log in to the site on a new device, they will need a PIN from your phone to access that site.
- Be very careful about using public Wi-Fi, as this can at times be very vulnerable to ‘snooping’ or ‘man in the middle’ attacks, which would be able to observe or change data between you and the services you’re using. Use of a reputable Virtual Private Network (VPN) connection can help mitigate this risk by encrypting your data over the Wi-Fi network.
- Back up important files and data to a suitable store. Cloud backup can offer suitable options, but can be expensive for large amounts of data, and carries its own risk. Remove the backup device from your computer between backups. Backing up multiple copies of data, rather than just updating or overwriting existing backups, is a sensible approach to mitigating the risks associated with a computer becoming infected by ransomware.
- Be careful of phishing emails. These emails are typically trying to get you to enter information, such as your account credentials, into websites which look like the proper website. Always be vigilant when clicking on links or downloading files from emails. Phishing emails may appear to come from a web service, such as LinkedIn, Microsoft, or Facebook; they may appear to come from your technical support team, or from someone you know or work with. Unless you are certain about the origin of an email, simply do not click the link or download the file. If you are concerned, then contact the person in question and ask if the original email is genuine.
- Use a bank card (RFID) blocking holder. These cheap sleeves can be used to hold your bank cards but prevent their ‘contactless’ features from being abused.
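The backup advice above (keep several dated copies rather than overwriting a single one) can be automated. The following is an added example, not part of the original article; the folder names, the `snapshot` function and the `keep` setting are assumptions made for illustration.

```python
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional

STAMP = "%Y%m%d-%H%M%S"  # fixed-width, so folder names sort by date


def snapshot(source: Path, backup_root: Path, keep: int = 5,
             now: Optional[datetime] = None) -> Path:
    """Copy `source` into a new dated folder, then prune the oldest copies.

    Every run adds a fresh copy instead of overwriting the previous one, so a
    backup taken after ransomware has scrambled the files cannot replace the
    earlier clean copies.
    """
    if keep < 1:
        raise ValueError("keep must be at least 1")
    now = now or datetime.now()
    target = backup_root / f"{source.name}-{now.strftime(STAMP)}"
    if target.exists():
        raise FileExistsError(f"refusing to overwrite {target}")
    shutil.copytree(source, target)
    snapshots = sorted(p for p in backup_root.glob(f"{source.name}-*") if p.is_dir())
    for old in snapshots[:-keep]:  # everything except the newest `keep`
        shutil.rmtree(old)
    return target


def demo() -> dict:
    """Constructed scenario: three clean backups, then one of damaged files."""
    with tempfile.TemporaryDirectory() as tmp:
        docs, store = Path(tmp) / "documents", Path(tmp) / "backup-drive"
        docs.mkdir()
        store.mkdir()
        note = docs / "accounts.txt"
        start = datetime(2019, 4, 1, 9, 0, 0)  # constructed dates
        for day in range(3):
            note.write_text(f"clean version {day}")
            snapshot(docs, store, keep=3, now=start + timedelta(days=day))
        note.write_text("SCRAMBLED")  # stand-in for ransomware damage
        snapshot(docs, store, keep=3, now=start + timedelta(days=3))
        kept = sorted(p.name for p in store.iterdir())
        return {"kept": kept,
                "contents": [(store / n / "accounts.txt").read_text() for n in kept]}


if __name__ == "__main__":
    print(demo())
```

Each later backup of damaged files pushes one clean copy out, so choose a `keep` value that covers more backups than you would run before noticing a problem.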
For small businesses you can always download and print out the Cyber Security Small Business Guide from the National Cyber Security Centre – https://www.ncsc.gov.uk/guidance/cyber-security-small-business-guide-infographic
Whilst the suggested steps typically involve using a feature of technology, they are mostly simple, low-cost or free steps, and are tied to your behaviour when using the technology. Once you get into the habit of using your devices in this way it will become second nature. You just need to make the switch, and doing so will significantly reduce your risks.
As part of Cyber Scotland Week 2019, the University of the Highlands and Islands is organising a free seminar where you will find out about:
- cyber risks associated with doing business in the modern landscape
- approaches that can be implemented to prepare and respond to incidents should they happen
- threats and trends, offensive security, forensics, incident handling
- NCSC Cyber Essentials Scheme