Being Cyber Safe and Secure this Holiday Season and into 2023
Credit: Everton Park State High School (Queensland)


In the spirit of giving, every year I like to publish a practical guide to cyber security safety for individuals in time for the holidays. This year, unless you have been living under a rock, it’s certain that either you, a loved one or someone you know has been directly impacted by a data breach. As such, I hope that these practical steps will help you avoid harm and help you and your family stay cyber safe and secure over the holiday period and into the new year.

It’s my firm and professional opinion that you should be doing all of these to some extent if you want to protect yourself. However, being cognizant that this can be a big ask, I recommend starting at Step 1 and working from there.

Let's begin.

Step 1: Backup Your Data

Having correctly functioning and segregated backups of your data is the single most important cyber security risk mitigation strategy you can implement. Many ask ‘how is this related to cyber security?’ Well, if you suffer a ransomware attack and your computer system gets locked up, having a complete and readily accessible backup of your data really is the best way of giving a big ‘stuff you’ to cyber criminals and it remains the gold standard in safeguarding yourself against ransomware.

What does a good backup look like? It’s called the 3-2-1 rule of backup: 3 copies of your data, on two different types of medium, with one copy kept offsite.

Credit: Eder Casella Tech

You also need to check your backups and make sure that they are actually happening, that they are complete and that they can be accessed if needed. And that’s not all:

a. Keep a copy of your backups away from the same physical location as your computer. Otherwise, you're going to have a bad time.

b. Don’t keep the external hard drive that you use for backups plugged into your computer all the time. Otherwise, you're going to have a bad time.

c. Don’t rely solely on OneDrive, iCloud or another cloud provider as your ‘backup’. Otherwise, bad time.

Backing up your data is as important as brushing your teeth when it comes to cyber security.

Backups are not just important for cyber security. If your computer’s hard drive blows up and you don’t have a backup, you are in trouble. If you have a natural disaster or fire and your computers get destroyed, you need a backup of your data offsite, otherwise you risk losing all of your memories.
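A backup you have never checked is a hope, not a backup. The script below is an added example (not from the original article) of the "check that the backup is complete and accessible" step: it hashes every file under the source folder, hashes the backup copy, and reports what is missing, corrupted or unexpected. The folder names and sample files are constructed inside a temporary directory so it runs anywhere; point `verify_backup` at your real source and backup folders to use it for real.

```python
"""Verify that a backup copy is complete and intact (added example, not the article's code)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare a backup folder against the original.

    'missing'   - files in source that the backup does not have (incomplete backup)
    'corrupted' - files present in both whose contents differ (bit rot, truncated copy)
    'extra'     - files only in the backup (usually harmless, worth knowing about)
    """
    src = build_manifest(source)
    bak = build_manifest(backup)
    return {
        "missing": sorted(f for f in src if f not in bak),
        "corrupted": sorted(f for f in src if f in bak and bak[f] != src[f]),
        "extra": sorted(f for f in bak if f not in src),
    }


def demo() -> dict:
    """Constructed scenario: a tiny source tree and a backup that is both incomplete and damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        backup = Path(tmp) / "backup"
        sample_files = {"photos/a.jpg": b"AAA", "docs/tax.pdf": b"BBB", "notes.txt": b"CCC"}
        for name, data in sample_files.items():
            for root in (source, backup):
                f = root / name
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_bytes(data)
        (backup / "notes.txt").unlink()                 # the backup job skipped a file
        (backup / "docs" / "tax.pdf").write_bytes(b"BB")  # a copy that was silently truncated
        return verify_backup(source, backup)


if __name__ == "__main__":
    print(demo())
```

Run it on a schedule against the offsite copy as well as the local one; a report that is not empty is the moment to fix the backup, long before you need to restore from it.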

Step 2: Update the Software on all your IT Equipment

Most people (but certainly not all) have finally acquiesced to the need to update their smart phones, tablets and computers whenever they are told to. However, have you recently updated the firmware on your Wi-Fi router? Have you updated the firmware on any access points or repeaters/extenders you are using? The same for any network switches? How about your smart TV or your Wi-Fi-connected air conditioner? Your automatic pool cleaner? Your cameras? Your kid’s smart watch? Your wearables? Your Wi-Fi connected washing machine or clothes dryer?

Credit: Securelist

Now that I have expanded your horizon a bit more, a few more things to consider:

a. Are you still postponing your ‘Windows / Mac needs to install an update and restart your computer’ alerts? Please, don’t.

b. Are you updating the applications on your devices as well as your operating systems? Very often, you need to do this manually.

c. Are you updating the BIOS on your desktop and laptop computers? The BIOS is the code which runs your computer at its most basic level. Most people don’t need to tinker with the BIOS, but BIOS bugs are a significant source of vulnerabilities and cyber breaches. Some of the larger vendors (HPE, Dell, Lenovo, Apple etc.) provide BIOS update utilities on their product support page. All it takes is checking, downloading, and updating.

d. Are you confirming that operating system updates are actually occurring? For example, some operating systems may not prompt you to install a major release. Worse still, despite some operating systems claiming to the contrary, many do not automatically update.

e. What are you doing with devices that haven’t had software updates in a long time, maybe even years? Chances are that these devices are End of Life. When this happens, you need to think very carefully about whether to retain that product or replace it, as the device will inherently have security risks associated with it. These risks can be managed, but you need to be careful about it, because leaving End of Life devices connected without managing them is never a good thing.

Step 3: Delete Apps You Don’t Use and ‘Harden’ the Apps that You Do Use.

Applications on your devices represent the single biggest source of cyber vulnerabilities around today. This means that you need to ensure that your applications don’t represent a disproportionately large attack vector and that they are as secure as possible.

There are three ways of achieving this:

Credit: Venturebeat

  1. Delete apps that you don't need. Does your iPhone home screen span 20 scrolls because of all the apps you have installed? Every single one of those apps often represents one or a multitude of vulnerabilities that a cybercriminal can use to access your device. It is best practice to delete any unwanted or unused software from your mobile devices, laptops, desktops, or any other computing device. You’ll also get the added advantage of more free space and (probably) a faster running device as well. The way I manage this is that if I don't need an app any more, I delete it. Every six months or so, I go through my devices and delete any app I don’t remember using in recent memory. I recommend you do the same.
  2. Turn off or disable app features you don't need. While getting rid of apps you don't need is always a prudent move, it's not enough. For the apps that you do use, it’s best to disable features and functionality that you do not need or use. For example, you might use an app that features remote login functionality. It’s best to disable this if in fact you do not need it. Why? Have a read of this.
  3. Update your apps. For mobile devices, your App Store will usually do this, however you should periodically check to ensure that apps are updated to the latest version available. For apps installed on your PCs and Macs, this can be a bit more difficult. You may need to manually check for updates within each app. You may need to ensure that any auto-update feature within an app is actually functioning. Either way, it's essential that you update all of your apps. Common apps that need regular updates include the Microsoft Office suite (Word, Excel, PowerPoint, Outlook, OneNote, Teams, Access etc.); Java JRE; your browsers (Chrome, Firefox, Opera etc.); Zoom; Webex; any games that you run on your machine; as well as any other productivity programs (such as Adobe Photoshop / Illustrator).

Step 4: Using a Good End Point Protection (EPP) Product is Critical.

Credit: Swift Systems

In the golden days of computers, what we now call an ‘EPP’ used to be called ‘anti-virus’. An EPP, however, is far more sophisticated. Most EPP products include a firewall (which looks to keep intruders out), email filtering (to prevent spam and malicious email attachments from infecting your computer) and nowadays include detection and response functionality (which provides proactive protection and flags indicators of suspicious activity as well as actual malware).

All devices, including laptops, desktops, phones, NAS devices and anything else with an operating system, should have an EPP installed. Contrary to the baseless myth that keeps being perpetuated, Mac computers (desktops and laptops) need an EPP as much as a Windows machine does.

Which product should you use? Well, products change regularly, and my recommendation is: don’t rely on who has the flashiest marketing or who spams you with the most sales pitches. Look at independent product review sites for your particular need.

Step 5: Update Your Passwords and Enable Two Factor Authentication Where Possible.

This section deserves to be an article by itself. However, despite cyber security professionals banging on about passwords for decades now, passwords remain one of the most common ways for cyber criminals to compromise accounts. So, are you still using the same password you cleverly created in first year university? If you're as old as I am, I admire your perseverance. However, you can rest assured that that password is swimming around on some hacker forum tied to your email address, and you probably used it for a bunch of different sites, including some that hold things such as credit card details or your date of birth.

Credit: Enstep

So, here is an action plan for looking at this issue and fixing it:

a. Start off by having a look at the website ‘Have I Been Pwned’ and type in your email address to see if your details come up on any known data breach list (don’t stress, the website was set up as a tool to help people). Don’t forget to check old email addresses and work email addresses as well. It’s very likely that you will find some accounts on here. Simply log in and change the password.

b. If you have decided on a possible new password, run it through the ‘How Secure is My Password’ site. The site will also provide you a guide on how to best create a password, including through using numbers, letters, characters, a minimum length, and other ideas such as not using personal information or putting a ‘1’ at the end of an existing password followed by an exclamation mark. Recall my clever first year university password? It would take a computer approximately 54 milliseconds to crack today.

c. If you are wondering, ‘Tony, why can’t I use personal details for my password?’ check out this video.

d. If you are wondering, ‘Tony, look…. I get that your password must be complicated, however I think you're talking garbage about the “1” and the exclamation mark!’ check out this video (fast forward to 2:30).

e. If remembering passwords is hard to do, consider the use of pass-phrases instead. It’s a great chance to use that rap song earworm lyric that you can’t possibly sing out loud in the office without HR paying you a visit.

f. Use a secure, credible, and strong password keeper app to store your passwords. We all need help remembering sometimes. Better still, invest in a notepad and pen and write them all down on hard copy. Keep the notepad in a safe.

g. Have you ever seen a website asking you to set up ‘multi-factor authentication’ when you log in? Multi-factor authentication (MFA, or sometimes called ‘2FA’ for Two Factor Authentication) is a mechanism by which logging in requires two steps, or ‘factors’. The first ‘factor’ is to use your traditional password (which you have hopefully updated by now!). This represents something you know. The second ‘factor’ is to use a token, key or PIN number sent to you through an ‘out of band’ pathway. This could be an SMS with a PIN number, an email with a key, a phone call with a sequence of numbers or a PIN generated by an authenticator app. You then need to enter these details into the login screen. This represents something you have. Once you provide both, you can log in to the service you need. I need to stress that MFA/2FA is not foolproof. But it’s light years better than simply using a password, no matter how good that password is.
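Steps a and b above are things you can also check for yourself, and seeing how the checks work explains why the advice is what it is. The script below is an added example (not the article's own code, and not affiliated with Have I Been Pwned): it flags the password patterns the article warns against, gives a crude brute-force time estimate, and shows how a breach lookup can be done without ever sending your password anywhere. The breached-password list, the breach counts, the 12-character minimum and the guess rate of ten billion per second are all constructed assumptions; the real Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`) returns lines in the same `SUFFIX:COUNT` shape that the code parses.

```python
"""Password hygiene checks and an offline breach lookup (added example, not the article's code)."""
import hashlib
import re

# Constructed stand-in for a breach database so the example runs offline.
# Nothing here is real breach data; the counts are made up.
BREACHED = {"password1!": 12345, "Summer2022": 678, "qwerty123": 90000}


def password_issues(pw: str, min_len: int = 12) -> list:
    """Return guideline violations. The 12-character minimum is an assumed policy."""
    issues = []
    if len(pw) < min_len:
        issues.append(f"shorter than {min_len} characters")
    if re.search(r"\d!?$", pw):          # the '1' / '1!' suffix trick the article mentions
        issues.append("ends with a digit or digit-plus-'!', a very common pattern")
    if re.search(r"(19|20)\d\d", pw):    # years are among the first things guessed
        issues.append("contains a year")
    return issues


def brute_force_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Crude exhaustive-search estimate: (character set size) ** length / guess rate.
    The guess rate is an assumed figure for offline cracking of a fast hash."""
    charset = 0
    if re.search(r"[a-z]", pw):
        charset += 26
    if re.search(r"[A-Z]", pw):
        charset += 26
    if re.search(r"\d", pw):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        charset += 33
    return charset ** len(pw) / guesses_per_second


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def simulated_range_response(prefix: str) -> str:
    """Build what a range endpoint returns for a 5-hex-char SHA-1 prefix:
    one 'SUFFIX:COUNT' line per breached hash that starts with the prefix.
    Constructed from BREACHED; a real client would fetch this over HTTPS."""
    lines = []
    for breached_pw, count in BREACHED.items():
        digest = sha1_hex(breached_pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(pw: str, range_text: str) -> int:
    """k-anonymity lookup: only the 5-character prefix ever leaves your machine;
    the remaining 35 characters are compared locally against the returned suffixes."""
    suffix = sha1_hex(pw)[5:]
    for line in range_text.splitlines():
        hash_suffix, _, count = line.strip().partition(":")
        if hash_suffix == suffix:
            return int(count)
    return 0


def check(pw: str) -> dict:
    """Everything a person would want to know about a candidate password, in one call."""
    prefix = sha1_hex(pw)[:5]
    return {
        "issues": password_issues(pw),
        "brute_force_years": brute_force_seconds(pw) / (365 * 24 * 3600),
        "seen_in_breaches": pwned_count(pw, simulated_range_response(prefix)),
    }


if __name__ == "__main__":
    for candidate in ("password1!", "correct horse battery staple"):
        print(candidate, "->", check(candidate))
```

The point of the prefix-only lookup is the reason the article can say "don't stress" about typing your details into such a site: a well-designed checker never needs to see the password itself. The brute-force estimate is deliberately crude; real crackers try dictionary words and common patterns first, which is why the pattern checks matter more than the raw number.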

Credit: Martin Shelton

Step 6: Check the Privacy Settings on your Social Media Accounts and Carefully Consider Your Approach to Privacy.

Besides LinkedIn, which I use purely for professional reasons across the various capacities and functions in which I work, for a myriad of privacy and ethical reasons I flat out refuse to use social media. However, I understand that, for various motivations, people like to use social media, like to share their life stories, and like to stay connected with people, regardless of what people like me say, think or suggest.

So, my recommendations to you are as follows:

a. Check Your Social Media Privacy Settings. Each platform should provide tools to help you review your privacy settings. A selection of the most popular ones is below:

b. Assume that whatever you share, regardless of your privacy settings, will become public. It’s very easy for someone who is a ‘friend’ on social media to take a screenshot and then re-share it. Suddenly, it's outside of your control.

c. Don’t share personal details, even if your profile is set to ‘private’. This includes old driver’s licences with you sporting a mullet, a boarding pass for your business class fare to L.A., a winning gambling ticket to a horse race or anything that could be of value to anyone else.

Credit: The Economist

Finally, if you are zealous in sharing your life away on social media but also happen to be concerned about things such as government surveillance and intrusion into your life, and as such feel the need to deploy a VPN to ‘protect your privacy’, I think that it’s very important that you carefully reconsider your overall approach to privacy. I often talk about the contrast between the hyper-politicised, agenda-driven take on the world that’s often seen on different social media platforms today and my experience as a kid growing up in the 80s, when I once asked my uncle who he voted for in a federal election. He sternly told me that voting is a secret matter and not to be discussed openly. There are lessons from the past we should remind ourselves of.

Step 7: ‘Trust No One’ Needs to be your Default Position when using the Internet, your phone and electronic devices.

Do you remember ‘stranger danger’ as a kid? Well, you need to think the same way when on the Internet. Assume that every link is dodgy until you confirm otherwise. Assume every email is fake unless you confirm it's not. Assume every phone call is dodgy unless it comes from a number verified to be from the actual person or organisation. Assume every text message is spoofed. Assume that you are being misled, lied to, or deceived unless you can confirm otherwise.

Credit: The X-Files

There is a lot of buzzwordery around the concept of ‘zero-trust’. I’ll distill it in a way that cuts through the marketing hype and saves you a bucket of money in the process.

a. Learn to get into the habit of typing website addresses into your browser, rather than relying on links.

b. Learn to confirm that the website you are visiting is an ‘https’ website and not an ‘http’ website. You can use free tools such as HTTPS Everywhere to help, and modern browsers also offer a built-in HTTPS-only mode.

c. Look for the padlock in the address bar to confirm the website has security features built in. Bear in mind that the padlock only confirms the connection is encrypted and the certificate matches the address shown; it does not prove the site belongs to who you think it does, so read the domain name itself carefully.

d. Get into the habit of manually checking the sender addresses of emails you receive that you are unsure of.

e. Do not open attachments in emails unless you know for certain they come from the person they claim to come from.

f. When asked to amend bank account details for payments, call the supplier on their official phone number to confirm the request, not the number listed on the email or letter.

g. Install anti-tracking software in your browser. It's for this reason that I prefer to use Firefox and its suite of comprehensive tracking protection mechanisms.

h. When paying for products, consider using a secure payment platform such as PayPal instead of entering a credit card number manually. It is far easier to deal with fraudulent transactions via PayPal than to have a new credit card reissued every time, given the sophisticated mechanisms these providers use to validate payments and prevent fraud.

i. When receiving text messages from numbers purporting to be from a parcel service, the ATO, your child or any other source, do not rely on information provided in the message, including links. Visit the purported service’s official website and log in manually to verify any claims.

j. When receiving phone calls from numbers purporting to be from a large organisation, unless you explicitly recognise the phone number as belonging to that organisation, do not provide any personal details over the phone. Request a reference number and offer to call them back on an officially listed number.

k. When using Microsoft Office, be wary of any spreadsheet that asks you to enable a macro. Macros are a series of commands and instructions grouped together as a single command to accomplish a task automatically.
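Points a to e come down to one habit: look at the real host in a link and the real address behind a sender name, not the text you were shown. The helper below is an added example (not the article's code) that does exactly that using only the Python standard library; the domains in it (`secure-login.example`, `evil.example`, `yourbank.example`) are constructed illustrations, and the `expected_domain` you pass is whatever you believe you are dealing with. The subdomain test is a simplified assumption that ignores the public suffix list.

```python
"""Surface the real host of a link and the real sender of an email (added example, not the article's code)."""
import ipaddress
from email.utils import parseaddr
from urllib.parse import urlsplit


def belongs_to(host: str, expected_domain: str) -> bool:
    """True if host is expected_domain or a subdomain of it.
    Checks the end of the name, so 'paypal.com.evil.example' does not pass for 'paypal.com'."""
    host, expected_domain = host.lower(), expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def inspect_url(url: str, expected_domain: str = None) -> dict:
    """Report the host the browser would actually connect to, plus red flags worth a second look."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not https")
    if "@" in parts.netloc:
        flags.append("text before '@' is a username, not the site; the real host comes after it")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        flags.append("host uses non-ASCII/punycode characters (possible lookalike name)")
    try:
        ipaddress.ip_address(host)
        flags.append("host is a bare IP address rather than a name")
    except ValueError:
        pass
    if expected_domain and not belongs_to(host, expected_domain):
        flags.append(f"host is not under {expected_domain}")
    return {"host": host, "flags": flags}


def inspect_sender(from_header: str, expected_domain: str) -> dict:
    """Compare the real address in a From: header with the domain you expect.
    Mail clients often show only the display name, which the sender chooses freely."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    flags = []
    if not address or not domain:
        flags.append("no parseable address")
    elif not belongs_to(domain, expected_domain):
        flags.append(f"address domain {domain!r} is not under {expected_domain!r}")
    if "@" in display_name and display_name.rpartition("@")[2].lower() != domain:
        flags.append("display name shows a different email address than the real sender")
    return {"display_name": display_name, "address": address, "flags": flags}


if __name__ == "__main__":
    # Constructed samples of the kinds of links and headers the article tells you to be wary of.
    print(inspect_url("https://paypal.com.secure-login.example/verify", expected_domain="paypal.com"))
    print(inspect_url("http://user@192.0.2.10/x"))
    print(inspect_sender('"accounts@yourbank.example" <x@evil.example>', "yourbank.example"))
    print(inspect_sender("Your Bank <noreply@mail.yourbank.example>", "yourbank.example"))
```

An empty `flags` list is not proof that something is safe, only that the cheap checks passed; it is the non-empty list that should stop you clicking or replying.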

Step 8: Consider Physical Security Aspects

Cyber security is important, sure. However, did you know that physical security is an important part of information security? Let’s assume I am a criminal wanting to access your information for some sort of nefarious purpose. I can try to hack into your computer. Or I could steal a few pieces of your physical post and get equally sensitive information from letters that come from your bank, your local council and your utilities.

Credit: Wikipedia

As such, you should consider physical security countermeasures on top of your cyber security ones. These could involve:

1. Use a PO Box to receive letters and parcels.

2. If the sound of a PO box doesn’t float your boat, consider a locked letter box.

3. If you are a prolific eBayer, Amazon or online shopper, consider how your parcels are being delivered.

Step 9: Consider breach and credit monitoring services

Over the course of 2022, we have seen numerous instances of mega breaches which have now resulted in cyber criminals using data derived from those breaches to perform fraud in the name of a data breach victim. Very often, the individual who is being targeted by a cyber criminal has no idea that this has occurred until they get a knock on the door by a sheriff, or try to apply for credit themselves and discover their credit history has been severely impacted by this fraud.

Credit: TechFunnel

There are ways of mitigating this risk by monitoring your identity online. Broadly speaking, there are a few things you can do in this regard:

1. Set up a free credit score service to let you know when your credit score has changed. There are multiple services available for this, including Credit Simple, GetCreditScore, CreditSavvy and others. A full list of these can be found here.

2. Set up credit monitoring services to advise you when your credit file is being accessed, who is making inquiries and the nature of those inquiries. Generally speaking, these are paid services, however the investment may be worthwhile. Please visit the Australian Government MoneySmart website for more information.

3. Consider setting up a data breach monitoring service. These will advise you if your details have appeared in a data breach and will recommend steps to mitigate any risk. These are often included as add-ons to password management services.

In Conclusion.

I hope all of this comes in handy in protecting you, your loved ones and your family and friends in this very difficult era. If you have comments, suggestions or feedback, please feel free to reach out to me directly or comment on this article below.

Merry Christmas, Seasons Greetings and wishing all of you a happy, healthy, safe and successful 2023.

Dane Meah

CEO @ MyCISO | Security Management Simplified

1 year

This is an exceptional article Tony Vizza. I often get asked by friends and family about personal cyber security, and you’ve done a fantastic job at summarizing the key components and presenting them in an easy to understand way! Awesome!
