Over the past 2 years, I’ve learned a lot about cyber security - not just in a business setting, but personally as well.
I don’t usually write content focused on helping everyday citizens with personal tech capability, this recent bout of cyber criminal behaviour affects everyone, so if I can help, I should!
Thanks to Dermot Conlon (DevSecOps/Kordia) and Ian White from ZX Security for peer reviewing this.
The best advice I can give about security…
Richard Branson, like him or loathe him, once famously said “[..] the art is to protect the downside.” I’ve used that to great effect in my career and in business. It applies to cyber security too.
Think in a mindset of “protecting the downside” to limit negative impacts.
For a small-ish amount of learning & effort, you can limit the extent of a hack, ransomware or a data-leak affecting your work and personal life.
Must-do cyber checklist
You should be able to tick EVERY box here. No tick-y, no Secure-y! I have provided recommendations for software to use alongside this checklist in the following section.
I use long PINs (6 numbers or more) and long passwords or passphrases (15~20 characters) that have numbers, symbols and letters for :
All my email accounts, including that hotmail account you signed up for in high school
All my banking and finance related accounts
All my work logins
All my social media accounts
Every single one of my passwords or passphrases is not easily guessable. Use a passphrase if you’re not great with password managers, or remembering passwords (though, a good password manager really helps with this!).
I use a password manager to securely generate them or make sure my passphrases are really unique.
I don’t use famous quotes, names of famous people or sports teams
I don’t use personal details of mine or people that are close to me - these are details like mine or my partner’s birthday, names or addresses. This data is very easy to get (or be hacked) and hacking using password guessing works so well it is collectively embarrassing as a species. This type of data leaks from the most innocuous places like that Facebook Quiz to find out “if your IQ is higher than your friends!,” maybe it was that cheap Insurance quote you filled out online but never bought...5 years ago.
Every single one of my passphrases is unique. Imagine if the same key for your front door also started your car and opened your office. Losing one key, risks losing many things. Don’t risk it.
I don’t share my passwords. Not even with my cute grandson who might later lose it without your knowledge. If you’re not sure if you’ve shared a password, just change it to be safe.
I have enabled Multi-Factor Authentication (MFA) and I have printed my MFA backup codes for my accounts. Store them somewhere safe, Store them with your passport for example - but remember, if you lose your passport, you better invalidate those codes… fast! I personally keep them in a separate location to any of my IDs.
I use a Password manager. They help generate secure passwords, store passwords, and make password management a heck of a lot easier. Password managers also make using passwords easy - you don’t have to remember them all, it just fills them in for you.
I use a reputable Internet Security suite that has Antivirus, a Firewall, and Disk Encryption on all my computers, tablets and phones. Yes, even on a mac.
I have signed up my email address to Mozilla Monitor. This free service monitors the dark web for your email account and lets you know if it was involved in data leak or hack on one of the online services you use - https://monitor.firefox.com/ - you don't have to use FireFox to use the service.
I have a good password and PIN code setup on my personal and work computers and my phone, and all my devices auto-lock after a few minutes. These devices are gateways into your digital identity and hence now, much of your life. These passwords offer more protection if you get Malware but also if you lose a device or it is physically stolen. Make sure they are properly protected. It sucks to lose a device, then realise it was unlocked for anyone to pry.
I keep my devices and software up to date. Software providers and hardware providers regularly release fixes to security issues. Keep your devices up to date, it’s really important. Turn on auto-update if it’s available. Don’t put off installing updates and take a note when there hasn't been an update for a while - it could mean something isn’t working.
I have a backup service like Microsoft OneDrive, Google Drive or Apple iCloud enabled on my phone and computers. This is the simplest mitigation against malware that encrypts and ransoms your data. Unfortunately this doesn’t stop hackers threatening to leak the data on the public internet, so you still want to avoid Malware!
Keeping safe checklist
I’m aware that if I get a Social media message, email or call about something that is too good to be true, it probably is. Yes that’s right, no one wants to give you $10,000 for free. No, there wasn’t an error, and yes, it is suspicious that they want to give you money but are asking for you to give them money first.
I’m aware that if I get a Social media message, email or call from the “IRD”, “your bank” or “your insurance” company, there is no harm asking if you can call back. Hang up and Get the number from their official website. If it was a scam, tell your service provider and report it online at https://cert.govt.nz to help other kiwis.
I know what to do if I get into trouble. Shutdown any affected devices immediately if you have concerns about your device. If a password is involved, change your affected passwords immediately - and I mean the second you realise. It's common for an automated script to be doing the hacking, it moves quickly, you need to be quicker. Contact your Bank immediately if needed. Call Netsafe toll-free 0508 NETSAFE (0508 638 723) or text 4282 to get support and help.For more help and general awareness, there are some great guides on CERT NZ and Netsafe NZ
Should-do cyber checklist
All my important passwords are not more than a year old. Data from hacks and leaks can take years to be exploited. Changing your passwords helps protect you by making your “old” passwords useless if they did happen to leak.
I don’t provide my real details if they aren’t needed. Does your favourite online shoe store reeeally need to know your birthday?
I delete old accounts or request my data to be deleted. You can do this under your rights provided by The Privacy Act 2020 (in NZ), and generally GDPR compliant services. Check in the profile or account page for a “delete” button. They can’t steal your data if it doesn't exist!
I avoid using SMS for 2 factor authentication where possible. SIM-jacking is unfortunately pretty easy, using a Rolling Authentication code or “Temporary One Time Passcode” (TOTP) is a better option.
Keep your home (and office) router updated. Oftentimes the security quality varys from brand to brand between routers and that scarily, home routers are notoriously insecure - a 2020 report found out of 127 different models of routers every single one had notable security flaws. While most are configured to not be accessible via the internet, that assurance is only as firm as our knowledge of an exploit that bypasses that. The best thing is to keep them up to date and configured correctly. For this I do recommend getting a good aftermarket router from the likes of DrayTek, Peplink, AVM and ASUS which have firmware auto-update features and internet security capabilities.
Software and Service Recommendations
These are just recommendations, there are so many products in this space - I’ve recommended those that have good security performance, company reputation and I would say they work well for most users. I am not affiliated with or sponsored by any of the following companies.
Best password managers:
Best: 1Password - it has a good security reputation & their software is reliable with good support. Install the Mobile App, the Browser Extension (remember to pin it) and the App on your laptop/computer. Once everything is installed and set up it works great. 1Password also has MFA support built in, though I’m not a huge fan of keeping my MFA codes in the same place I store my passwords.
Good Alternatives: BitWarden or KeePass (for the tinfoil hat crowd) - for a good Free Password Manager use the ones built into Safari and Chrome or FireFox on Mac or Windows - use it with Microsoft Authenticator for a solid mobile password manager and MFA (remember to turn on secure backup in this app).
Best backup services:
Best: your native provider - this is because I believe that ease of use is important for backup to work effective, and the native integrations require the least effort to get going and keep going - if you have a major brand phone/computer these are: Apple iCloud, Samsung Cloud or Google Drive on Android / Google One and Microsoft OneDrive.
Good Alternatives: IDrive.com is very competitively priced and Box.com. Both of these have the advantage of better encryption models than the other providers mentioned above.
Good Free Alternatives: BOX.com offers a free 10GB tier and has a very good security reputation that is helpful for at least your key files, however Microsoft OneDrive provides 5GB free but pricing scales better after that free allocation.
Good Alternatives: This is a totally free setup that you should consider if buying or using a product is a bit daunting
Being cyber safe has become critical, I would love to see more regulation here to help everyday citizens in managing what can be a daunting task, but hopefully this article provides practical help. I will be following this article up with some specific tips for businesses small and large, but in general the list here provides a good guideline for any individual or organisation (be it a family, or a business). Feel free to connect with me on twitter/instagram @danuabey.