Making cybersecurity a fundamental habit of your digital life is easier than it seems. You don’t have to wear a tinfoil hat, pay through the nose for bespoke firewalls or learn the difference between AES-256-GCM and AES-256-CBC. All you have to do is adopt a set of low-impact habits, do a bit of initial deep cleaning and train yourself to realize when you may be under attack.

Every one of the 12 tips in this article can be done completely free of charge and almost always in under 10 minutes. You might have to accept some limitations if you don’t pay for a service, but the same level of protection is absolutely available. Also, some of the most important solutions are about educating yourself and building habits, with no apps required at all.

If you take even one of the 12 suggestions below, you’ll be more secure online. The more of them you can fit in, the harder a target you’ll be.

1. Install every software and firmware update

I know — it’s annoying when you have to download some file before you can use an app, but safety is worth the aggravation. Software developers ship a new update whenever they discover a vulnerability in an app they’ve built. Hackers are also racing to find these flaws, and you never know how far behind they are.

The faster you install each new update, the quicker you close that window against potential exploitation. Of course, not every update comes with life-or-death fixes, but it’s much faster to download them all than to read through the version notes trying to decide if this one is important.

The great thing about training this habit is that it’s an effective counter to the most technically complicated forms of cybercrime. To get one over on the bad guys, you don’t need to know anything about computers; all you need to do is click “yes” on a pop-up message. If it helps, feel free to type really fast and shout “Hack the planet!” while the update installs.

2. Strengthen your passwords

Pop quiz! Which is a more common cause of data breaches: A) cutting-edge hacking technology invented in secret Russian labs, or B) the password “12345” granting remote access to an entire corporate network? If you said B, congratulations — you know more about cybersecurity than most corporate executives.

Weak passwords are a serious problem, as they’re easy to guess by brute force — but password reuse may be an even bigger issue. The 2021 ransomware attack on the Colonial Pipeline started with a compromised password. According to postmortem investigations, the password was long and complex, but it had been used on another account that was exposed in a data breach.

It’s not hard to imagine how this can work at the individual level. Suppose you set the same password for your bank account and your My Little Pony role-playing forum. The latter is hosted by one guy in Ohio and has pretty weak data security. If it leaks, and hackers try your password on your bank’s website, then you and Twinklehoof can kiss your life savings goodbye.

The LastPass password manager. (Sam Chapman for Yahoo Tech)

The best way to command a herd of strong, unique passwords is to use a password manager, which does almost all the work for you. Not only can a password manager create individual passwords on command, but it can store them and automatically enter them into the websites they match with. The only thing you have to remember is a single master password that gets you into the password vault itself.

Some browsers come with built-in password managers, like Firefox Password Manager or Google Password Manager on Chrome. While these have significantly improved in recent years, they still generally put your saved passwords one level down from a menu bar option. That means walking away from your laptop for two minutes could leave you vulnerable to a point-and-click drive-by (see “real-world protection,” below).

Likewise, Apple’s new Passwords app is a strong contender for those who use the Apple hardware on which it runs (there’s a Windows app, too). But like the browser-based options above, it’s only as secure as the password or passcode on your Apple device. If your roommate can unlock your iPad to watch Netflix, they can access your Apple Passwords repository, too.

So, back to our original recommendation: A third-party password manager is your best bet.

3. Study the tricks of social engineering

“Social engineering” is a blanket term for any kind of scam that works by manipulating your perceptions of reality and your reactions to those perceptions. It’s a classic, old-school con that’s seen a resurgence thanks to the anonymity of the internet. Predators throughout history have relied on the same few truths: people trust authority figures, panic under time pressure and make decisions based on emotion as much as reason.

Phishing, one of the most common social engineering techniques, is a perfect example. Usually over email, text message or phone call, the scammer poses as a legitimate authority and demands sensitive information. Those toll road alerts from someone claiming to be your state department of transportation are phishing in a nutshell — invoked authority, ticking clocks and threats of vague yet scary punishment.

To beat social engineering, teach yourself to count to 10 whenever you receive a scary message that looks like a bill you forgot to pay. Once you’re calm, ask yourself what you can do to verify the threat. With those toll-road scams, for instance, the phone number often doesn’t even have a US country code. I suppose it’s not impossible that the Texas Department of Transportation has relocated its headquarters to Albania, but it sounds mighty unlikely.

4. Keep sensitive info to yourself

One of the biggest risks to your cybersecurity is the information you share willingly on social media. Oversharing about your family, your job and other aspects of your life isn’t just a good way to weird out your friends; it also furnishes cybercriminals with information they can use against you.

Oversharing is still a risk even if you follow the advice from step 2 and use strong passwords that aren’t derived from your real life. If a scammer gets a chance to research you first, they can use their knowledge to pose as a family member or supervisor, making their phishing attack that much more convincing. There’s even a whole genre of deception called grandparent scamming in which the con artists pose as an elderly target’s grandchild, claiming to be in desperate need of money for contrived reasons.

I’m not saying you have to delete all your socials and become a monk. An easy way to mitigate this problem is to set all your posts to be viewable by friends only. This isn’t a perfect solution, as social profiles can get hacked, but it’s a common-sense measure you don’t have to think about every single time.

5. Don’t click suspicious links

Although social engineering scams have traditionally tried to get people to surrender information of their own accord, another form has become extremely common of late: phishing emails and texts that trick you into clicking a link. These links may take you to replica websites where you hand your social security number to a page that looks like the IRS’s.

Just as often, though, they may directly download malware onto your phone or computer. These unwanted programs can hold your files for ransom, copy your data off to another device or record your keystrokes as you type in your passwords and credit card numbers.

To fight back, remember that you can see the URL behind any link by hovering your cursor over it without clicking. Scam URLs tend to be overlong, use unfamiliar country-code domains instead of .com or .net, or contain no legible words at all. You know what your bank’s website is — if that exact domain isn’t the one in the URL, be suspicious, even if the bank’s name appears somewhere in the address. If you’re not sure, right-click the link, copy the address and paste it into a URL checking tool.
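To show what the hover-and-inspect habit looks like when written down as rules, here is an added example (not code from the article, and not a real URL checking tool) that applies the same red flags to a link: overall length, an unfamiliar top-level domain, a hostname with no legible words, and whether the domain that actually owns the page is the one you expect. The known-site list, the thresholds and the gibberish test are assumptions chosen for the demo; an empty result means none of these heuristics fired, not that the link is safe.

```python
"""Red-flag checker for links, modelled on the article's advice.

Added example, not code from the original article. KNOWN_DOMAINS, the
thresholds and the gibberish test are illustrative assumptions, not a
vetted blocklist or a substitute for a real URL checking tool.
"""
import re
from urllib.parse import urlparse

# Sites you actually log in to (constructed sample; replace with your own).
KNOWN_DOMAINS = {"examplebank.com", "example-mail.net"}

# Thresholds are assumptions for illustration, not industry standards.
MAX_URL_LENGTH = 100
FAMILIAR_TLDS = {"com", "net", "org", "gov", "edu"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Naive on purpose: no public-suffix
    list, so 'co.uk'-style suffixes are not handled in this demo."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def looks_illegible(label: str) -> bool:
    """A longish hostname label with no vowels, or mostly digits, reads as
    gibberish to a person (crude test; assumption)."""
    if len(label) < 6:
        return False
    digits = sum(ch.isdigit() for ch in label)
    return digits * 2 > len(label) or not re.search(r"[aeiouy]", label)


def check_url(url: str, known_domains=KNOWN_DOMAINS) -> list:
    """Return the red flags found in a link. An empty list means none of
    the article's heuristics fired, which is not proof the link is safe."""
    flags = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()

    if len(url) > MAX_URL_LENGTH:
        flags.append("overlong URL")
    if parsed.scheme != "https":
        flags.append("not served over HTTPS")

    if IPV4.fullmatch(host):
        flags.append("raw IP address instead of a domain name")
    else:
        tld = host.rsplit(".", 1)[-1] if "." in host else ""
        if tld not in FAMILIAR_TLDS:
            flags.append(f"unfamiliar top-level domain '.{tld}'")
        if any(looks_illegible(label) for label in host.split(".")):
            flags.append("hostname contains no legible words")

    # "You know what your bank's website is": the brand name appearing in
    # the hostname while a different domain actually owns the page is the
    # classic look-alike trick (e.g. examplebank.com.login-check.xyz).
    actual = registrable_domain(host)
    for known in known_domains:
        brand = known.split(".")[0]
        if brand in host and actual != known:
            flags.append(f"looks like {known} but is really {actual}")
    return flags


if __name__ == "__main__":
    # Constructed sample links, the kind you would see on hover.
    for link in (
        "https://examplebank.com/login",
        "http://examplebank.com.login-check.xyz/verify",
        "https://192.168.0.10/x",
        "https://xq7zk93rt.com/",
    ):
        print(link, "->", check_url(link) or "no red flags")
```

The look-alike check is the one worth internalising: the bank’s name being visible in the address proves nothing, only the part just before the first slash (the registrable domain) says who owns the page.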

6. Use two-factor authentication

Strong passwords are important, but it’s possible for even the best to be made moot — say, if the website that’s supposed to be taking care of your credentials lets them leak. The best way to hedge against black swan events like that is to add redundancy by setting up two-factor authentication (2FA) on any account that would really mess you up if it got compromised.

Yes, two-factor authentication can be annoying, but that doesn’t even scratch the surface of the aggravation involved in getting your identity stolen. Besides, all 2FA really means is that it takes two pieces of information to log into an account instead of just one. That second factor can be many things: a text, an email, an authenticator app or even a passkey that lives on your device and gets applied automatically. Your options depend on what each website allows, but you do have options.
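To make the authenticator-app kind of second factor concrete, here is an added example (not code from the article, and not any particular app’s implementation) of how those six-digit codes are produced and checked. It follows the standard TOTP scheme (RFC 6238 on top of RFC 4226), and the secret and timestamps are the RFC’s published test values, not anything from a real account. The only thing the website and your phone share is the secret encoded in the enrolment QR code; the codes themselves are derived from that secret and the current time.

```python
"""How an authenticator-app code is produced and checked (TOTP, RFC 6238).

Added example, not code from the original article. SAMPLE_SECRET and the
timestamps in the demo are the RFC test vector, i.e. constructed values.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample secret: in practice this is what the QR code you scan
# at enrolment contains, and it must live only on your device and the server.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to 31 bits, then reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6) -> str:
    """Time-based variant: the counter is the number of 30-second steps
    since the Unix epoch, so phone and server agree without talking."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accept the current step plus `window` steps on
    either side to tolerate clock drift, and compare in constant time so
    the check does not leak how many digits matched."""
    now = int(time.time()) if at is None else at
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step), submitted)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test times: 59 -> 287082, 1111111109 -> 081804, 1111111111 -> 050471
    for t in (59, 1111111109, 1111111111):
        print(t, totp(SAMPLE_SECRET, t))
    # A code from the previous 30-second step is still accepted inside the window.
    print(verify_totp(SAMPLE_SECRET, "081804", at=1111111111))
```

The takeaway for the 2FA habit: because the code is computed from a secret that never leaves your phone, a leaked password on its own is not enough to log in, which is exactly the redundancy the paragraph above is after.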

7. Use a VPN

A virtual private network (VPN) is like a mask between you and the internet. When you connect through a VPN app, your ISP sees only an encrypted connection to the VPN’s server, and the websites you visit see the VPN’s address instead of your own. Behind a VPN, it’s much harder for anyone to collect data on you, sell your activities to corporations or spy on you in ways that violate your rights.

Lots of the best VPNs even come with ad blockers and virus scanners that expand your security further. Most of them happen to be paid services, but if you want to keep your cybersecurity budget tight, there are several trustworthy free VPNs.

Secure Core servers on Proton VPN.

Proton VPN is one of the best. (Sam Chapman for Yahoo Tech)

In spite of what some providers like to claim, a VPN doesn’t completely protect you from all privacy and security dangers. The other items on the list are still critical; a VPN can’t protect you if your password is easy to guess from your social media profiles, or if you click a link that infects your phone with a virus.

8. Don’t forget real-world protection

Physical thefts and robberies pose more of a cybersecurity risk than you might think. If you leave your phone unlocked on a barstool and the wrong person finds it, they’ve got full access to all your accounts. Similarly, if you’re at work and someone asks you to hold a door, your systems could be in trouble if they aren’t really an employee.

Both IRL and online, the solution isn’t paranoia, but common sense. No need to learn jiu-jitsu — you can secure yourself against theft using settings and behaviors you’re already familiar with. At work, ask for a building ID if you don’t recognize someone in a secure area. Set your personal devices to lock automatically, and consider using a biometric lock that only opens with your fingerprints (almost every phone has this option now). And don’t type in your phone’s passcode when anyone’s able to see your screen (such as when you’re sitting at a bar).

9. Set up automatic backups

Other than identity theft, one of the biggest threats from cybercrime is that you might lose important data with financial or sentimental value. This is the lever that ransomware uses to extort money, but data loss can also be an unintended consequence of another form of infection. If your system is corrupted so badly by malware that it can’t be saved, backups make it infinitely easier to start again.

If you want to go all-out, follow the 3-2-1 rule: keep three copies of your data, on two different kinds of storage, with one of those copies away from your home (so you’ve got options even if your house burns down). This is another tip that will probably cost money, but it can be as simple as copying all your important stuff to a flash drive — encrypting it with a strong password, of course — and giving it to a relative or trusted friend.

10. Scan with an antivirus

“Antivirus” is an outdated term at this point. What these programs are really looking for is malware: unwanted applications that hide on your device and sneakily do crimes in the background. A good antivirus can scan for malware both at the point of download (searching for malicious programs piggybacking on innocuous files) and in the background on your hard drive. There are tons of free antivirus programs capable of doing the job, including Windows Defender.

You might think you’d notice if a program you didn’t install was on your computer, but malware is very good at running under the radar. A virus scan can look for malware programs that disguise themselves as critical system files by using similar names. The best ones can even catch interlopers that haven’t been seen before by checking for the traces of previous attacks — hackers tend to build attacks off what’s worked in the past, which is how you get detectable “families” of malware.

11. Hide your real email address

If you’ve been to the internet in the last 10 years, you may have noticed that everyone and their mom wants your email address. On the surface, this is so they can identify your account without you having to remember a separate username. More often, though, it’s about spamming you with newsletters. Worse yet, if any of those newsletters suffers a data breach, your real email could be loose on the dark web.

The solution: use an email relay service to make it so nobody actually has your email address. These services generate fake email addresses that forward everything to your real address, a lot like a VPN for email. You can find plenty of low-cost options for email masking, including Firefox Relay, which is free (in limited form) for all Firefox users.

12. Keep your information out of databases

Related to the above, it’s never a bad idea to ensure your personally identifiable information — of any kind — is stored in as few third-party locations as possible. The best way to do this is to automate it through a data removal service like DeleteMe or Incogni, but those do cost money (though they’re quite effective even if you only run them once).

A free option here is to use a private search engine like DuckDuckGo. Search sites like this make money by selling ad spots directly, so they’ve got no need to profit off advertising profiles like Google does. They also use Google’s algorithms as the basis for their search results, so you don’t have to sacrifice the type of search outcomes you’re used to.
