Making 2024 Your Most Safe and Secure Cyber and Privacy Year Ever

Every year, I aim to publish a practical guide to cyber security and privacy safety for individuals in time for the holidays, updated with things that have changed from previous years.

In 2023, by far the most significant development has been the rise of Artificial Intelligence (AI). Being old enough to remember the PC era before the Internet became a thing, the rise of AI very much feels the same way as it did back when the 'world wide web' was starting to be talked about. I genuinely believe that AI represents as groundbreaking a development as the Internet was. As such, I'll cover off AI considerations further in this piece.

Cyber and Privacy Awareness Keeps Growing... as Does Harm

When you see advertisements on the back of buses promoting 'zero trust endpoint security', I think it's fair to say that general awareness of cyber being an issue is well-established. Sadly, too many people now know the harm first-hand, having been adversely impacted by scams and fraud.

As such, I hope that these practical steps will help you avoid harm and help you and your family stay cyber safe and secure over the holiday period and into the new year.

Now, I firmly recommend that you should be doing all of these to some extent if you want to protect yourself. However, cognizant that this can be a big ask, I recommend starting at Step 1 and working from there.

Let's begin.

Steps to Protect your Data and Privacy in 2024.

Step 1: Backup Your Data

Having correctly functioning and segregated backups of your data is the single most important cyber security risk mitigation strategy you can implement. If you suffer a ransomware attack and your computer system gets locked up, having a complete and readily accessible backup of your data is the best way of getting back on your feet and remains the gold standard in safeguarding yourself against ransomware.

What does good backup look like? It's called the 3-2-1 rule of backup: three copies of your data, on two different types of media, with one copy offsite.

One thing you need to do is make sure that backups are actually happening, that they are complete and that they can be accessed if needed. And that’s not all:

a. Keep a copy of your backups away from the same physical location as your computer. Otherwise, you're going to have a bad time.

b. Don't keep the external hard drive that you use for backups plugged into your computer all the time. Otherwise, you're going to have a bad time.

c. Don't rely solely on OneDrive, iCloud or some other cloud provider as your 'backup'. Otherwise, bad time.

Backing up your data is as important as brushing your teeth when it comes to cyber security.

Backups are not just important for cyber security. If your computer’s hard drive blows up and you don’t have a backup, you are going to be in trouble. If you have a natural disaster or fire and your computers get destroyed, you need a backup of your data offsite, otherwise you risk losing all of your memories.
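The three checks above (copies exist, copies are complete, the 3-2-1 rule holds) can be automated. The script below is an added example, not part of the original article: it hashes every file in the original folder and in each backup destination, flags any copy that is missing or differs, and then tests the 3-2-1 rule, counting the original as one of the three copies and one of the two media. The folder names, media labels and the sample files in `demo()` are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class BackupCopy:
    """One backup destination: where it is, what medium it lives on, and whether it is offsite."""
    path: Path
    medium: str        # e.g. "external-hdd", "cloud", "nas" (labels are ours, not a standard)
    offsite: bool


def file_digests(root: Path) -> dict[str, str]:
    """Map every file under root (relative path) to its SHA-256 so copies can be compared byte-for-byte."""
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def check_3_2_1(source: Path, source_medium: str, copies: list[BackupCopy]) -> list[str]:
    """Return the problems found; an empty list means every copy is complete and 3-2-1 holds."""
    problems: list[str] = []
    expected = file_digests(source)
    verified: list[BackupCopy] = []

    for copy in copies:
        if not copy.path.is_dir():
            problems.append(f"{copy.path} ({copy.medium}) is not reachable")
            continue
        actual = file_digests(copy.path)
        missing = [name for name in expected if name not in actual]
        differ = [name for name in expected if name in actual and actual[name] != expected[name]]
        if missing or differ:
            problems.append(
                f"{copy.path} ({copy.medium}) is incomplete: "
                f"{len(missing)} file(s) missing, {len(differ)} file(s) differ from the original"
            )
        else:
            verified.append(copy)

    # The original counts as one of the three copies and as one of the two media.
    total_copies = 1 + len(verified)
    media = {source_medium} | {c.medium for c in verified}
    if total_copies < 3:
        problems.append(f"only {total_copies} verified copies of the data (3-2-1 needs 3)")
    if len(media) < 2:
        problems.append(f"all copies are on one medium type ({', '.join(sorted(media))}); 3-2-1 needs 2")
    if not any(c.offsite for c in verified):
        problems.append("no verified copy is offsite; 3-2-1 needs 1")
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed scenario: an external-drive copy that lost a file, plus a complete offsite copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "photos"
        (source / "2023").mkdir(parents=True)
        (source / "2023" / "beach.jpg").write_bytes(b"constructed image bytes")
        (source / "notes.txt").write_text("constructed tax notes")

        external = root / "external-hdd"
        cloud = root / "cloud-bucket"
        shutil.copytree(source, external)
        shutil.copytree(source, cloud)
        (external / "notes.txt").unlink()          # simulate an interrupted backup run

        copies = [BackupCopy(external, "external-hdd", offsite=False),
                  BackupCopy(cloud, "cloud", offsite=True)]
        before = check_3_2_1(source, "internal-ssd", copies)

        shutil.copy2(source / "notes.txt", external / "notes.txt")   # re-run the backup
        after = check_3_2_1(source, "internal-ssd", copies)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(f"{stage}: {problems or 'OK, 3-2-1 satisfied'}")
```

Run it on a schedule against your real backup folders and treat any non-empty result as a backup that has silently stopped working; hashing every file is slow for large libraries, so on real data you would cache digests and only rehash files whose size or modification time has changed.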

Step 2: Update the Software on all your IT Equipment

Most people now understand the need to update their smart phones, tablets and computers whenever they are told to. However, your home has a lot more IT devices than you realise. Most Australian homes have between 20 and 35 connected devices.

Consider whether you have recently updated: the firmware on your Wi-Fi router; the firmware on any access points or repeaters/extenders you use; the firmware of any network switches; the software of your smart TV or your Wi-Fi-connected air purifier; the software of your automatic pool cleaner, chlorinator and pump; the software of your IP cameras; the software of your kids' four different smart wearables; the software of your own wearables; and, of course, your Wi-Fi-connected washing machine or clothes dryer, just to name a few.

I also suggest that you consider the following:

a. Are you postponing your 'Windows / Mac needs to install an update and restart your computer' alerts? Please, don't.

b. Are you updating the applications on your devices as well as your operating systems? Very often, you need to do this manually.

c. Are you updating the BIOS on your desktop and laptop computers? The BIOS is the code which runs your computer at its most basic level. Most people don't need to tinker with the BIOS, but BIOS bugs are a major source of vulnerabilities and of cyber breaches. Some of the larger vendors (HPE, Dell, Lenovo, Apple etc.) provide BIOS update utilities on their product support pages. All it takes is checking, downloading and updating.

d. Are you confirming that operating system updates are actually occurring? For example, some operating systems may not prompt you to install a major release. Worse still, despite some operating systems claiming to the contrary, many do not automatically update.

e. What are you doing with devices that haven't had software updates in a long time, maybe even years? Chances are that these devices are End of Life. When this happens, you need to think very carefully about whether to retain that product or replace it, as the device will inherently have security risks associated with it. These risks can be managed, but you need to be careful about it, because leaving End of Life devices connected is never a good thing.

Step 3: Delete Apps You Don't Use and 'Harden' the Apps that You Do Use.

Applications on your devices are the single biggest source of cyber vulnerabilities around today. This means that you need to ensure that your applications don’t represent a disproportionately large attack vector and that they are as secure as possible.

There are three ways of achieving this:

  1. Delete apps that you don't need. Does your iPhone home screen span 20 scrolls because of all the apps you have installed? Every single one of those apps often represents one or a multitude of vulnerabilities that a cybercriminal can use to access your device. It is best practice to delete any unwanted or unused software from your mobile devices, laptops, desktops or any other computing device. You'll also get the added advantage of more free space and (probably) a faster running device as well. The way I manage this is that if I don't need an app any more, I delete it. Every six months or so, I go through my devices and delete any app I don't remember using recently. I recommend you do the same.
  2. Turn off or disable app features you don't need. While getting rid of apps you don't need is always a prudent move, it's not enough. For the apps that you do use, it's best to disable features and functionality that you do not need or use. For example, you might use an app that features remote login functionality. It's best to disable this if in fact you do not need it. Why? Have a read of this.
  3. Update your apps. For mobile devices, your app store will usually do this; however, you should periodically check to ensure that apps are updated to the latest version available. For apps installed on your PCs and Macs, this can be a bit more difficult. You may need to manually check for updates within each app. You may need to ensure that any auto-update feature within an app is actually functioning. Either way, it's essential that you update all of your apps. Common apps that need regular updates include the Microsoft Office suite (Word, Excel, PowerPoint, Outlook, OneNote, Teams, Access etc.); Java JRE; your browsers (Chrome, Firefox, Opera etc.); Zoom; Webex; any games that you run on your machine; as well as any other productivity programs (such as Adobe Photoshop / Illustrator).


Step 4: Using a Good End Point Protection (EPP) Product is Critical.

In the golden era of computers, what we now call an 'EPP' used to be called an 'anti-virus'. An EPP, however, is far more sophisticated. Most EPP products include a firewall (which keeps intruders out), email filtering (to prevent spam and malicious email attachments from infecting your computer) and nowadays include detection and response functionality (which provides proactive protection and indicators of suspicious activity as well as actual malware).

All devices, including laptops, desktops, phones, NASs and anything else with an operating system, should have an EPP installed. Contrary to the baseless myth that keeps being perpetuated, Mac computers (desktops and laptops) need an EPP as much as a Windows machine does.

Which product should you use? Well, products change regularly, and my recommendation is: don't rely on who has the flashiest marketing or who spams you with the most sales pitches. Look at independent product review sites for the product that best fits your particular needs.

Step 5: Update Your Passwords and Enable Two Factor Authentication Where Possible.

This section deserves to be an article by itself. However, despite cyber security professionals banging on about passwords for decades now, passwords remain one of the most common ways for cyber criminals to compromise accounts. So, are you still using the same password you cleverly created in first year university? If you're as old as I am, I admire your perseverance. However, you can rest assured that that password is swimming around on some hacker forum tied to your email address, and you probably used it for a bunch of different sites, including some that hold things such as credit card details or your date of birth.

So, here is an action plan for looking at this issue and fixing it:

a. Start off by having a look at the website 'Have I Been Pwned' and type in your email address to see if your details come up on any known data breach list. (Don't stress, the website was set up as a tool to help people.) Don't forget to check old email addresses and work email addresses as well. It's very likely that you will find some accounts on here. Simply log in and change the password.

b. If you have decided on a possible new password, run it through the 'How Secure is My Password' site. The site will also provide you a guide on how best to create a password, including using numbers, letters and special characters, a minimum length, and other ideas such as not using personal information or putting a '1' at the end of an existing password followed by an exclamation mark. Recall my clever first year university password? It would take a computer approximately 54 milliseconds to crack today.

c. If you are wondering, 'Tony, why can't I use personal details for my password?', check out this video.

d. If you are wondering, 'Tony, look... I get that your password must be complicated, however I think you're talking garbage about the "1" and the exclamation mark!', check out this video (fast forward to 2:30).

e. If remembering passwords is hard to do, consider the use of pass-phrases instead. It's a great chance to use that rap song earworm lyric that you can't possibly sing out loud in the office without HR paying you a visit.

f. Use a secure, credible and strong password keeper app to store your passwords. We all need help remembering sometimes. Better still, invest in a notepad and pen and write them all down on hard copy. Keep the notepad in a safe.

g. Have you ever seen a website asking you to set up 'multi-factor authentication' when you log in? Multi-factor authentication (MFA, or sometimes called '2FA' for Two Factor Authentication) is a mechanism by which logging in requires two steps, or 'factors'. The first 'factor' is your traditional password (which you have hopefully updated by now!). This represents something you know. The second 'factor' is a token, key or PIN sent to you through an 'out of band' pathway. This could be an SMS with a PIN, an email with a key, a phone call with a sequence of numbers, or a PIN generated by an authenticator app. You then need to enter these details into the login screen. This represents something you have. Once you provide both, you can log in to the service you need. I need to stress that MFA/2FA is not foolproof. But it's light years better than simply using a password, no matter how good that password is.

Step 6: Check the Privacy Settings on Your Social Media Accounts and Carefully Consider Your Approach to Privacy.

Besides LinkedIn, which I use purely for professional reasons across the various capacities and functions in which I work, I flat out refuse to use social media, for a myriad of privacy and ethical reasons. However, I understand that, for various motivations, people like to use social media, like to share their life stories and like to stay connected with people, regardless of what people like me say, think or suggest.

So, my recommendations to you are as follows:

a. Check your social media privacy settings. Each platform should provide tools to help you review your privacy settings. A selection of the most popular ones are listed below:

b. Assume that whatever you share, regardless of your privacy settings, will become public. It's very easy for someone who is a 'friend' on social media to take a screenshot and then re-share it. Suddenly, it's outside of your control.

c. Don't share personal details, even if your profile is set to 'private'. This includes old driver's licences with you sporting a mullet, a boarding pass for your business class fare to L.A., a winning gambling ticket for a horse race, or anything that could be of value to anyone else.

Finally, if you are zealous in sharing your life away on social media but also happen to be concerned about things such as government surveillance and intrusion into your life, and as such feel the need to deploy a VPN to 'protect your privacy', I think that it's very important that you carefully reconsider your overall approach to privacy. I often talk about the contrast between the hyper-politicised, agenda-driven take on the world that's often seen on social media platforms today and my experience as a kid growing up in the 80's, when I once asked my uncle who he voted for in a federal election. He sternly told me that voting is a secret matter and not to be discussed openly. There are lessons from the past we should remind ourselves of.

Step 7: ‘Trust No One’ Needs to be your Default Position when using the Internet, your phone and electronic devices.

Do you remember ‘stranger danger’ as a kid? Well, you need to think the same way when on the Internet. Assume that every link is dodgy until you confirm otherwise. Assume every email is fake unless you confirm it's not. Assume every phone call is dodgy unless it comes from a number verified to be from the actual person or organisation. Assume every text message is spoofed. Assume that you are being misled, lied to, or deceived unless you can confirm otherwise.

There is a lot of buzzwordery around the concept of ‘zero-trust.’ I’ll distill it in a way that cuts through the marketing hype and saves you a bucket of money in the process.

a. Learn to get into the habit of typing websites into your browser window, rather than relying on links.

b. Learn to confirm that the website you are visiting is an 'https' website and not an 'http' website. You can use free tools such as HTTPS Everywhere to help.

c. Look for the padlock in the address bar to confirm the website has security features built in.

d. Get into the habit of manually checking the email addresses of emails you receive that you are unsure of.

e. Do not open attachments in emails unless you know for certain they come from the person they say they come from.

f. When being asked to amend bank account details for payments, call the supplier on their official phone number to confirm the request, not the one listed on the email or letter.

g. Install anti-tracking software into your browser. It's for this reason that I prefer to use Firefox and its suite of comprehensive tracking protection mechanisms.

h. When paying for products, consider using a secure payment platform such as PayPal instead of entering a credit card number manually. The reason for this is that it's going to be far easier to deal with fraudulent transactions via PayPal than to have a new credit card reissued every time, given the sophisticated mechanisms these providers use to validate payments and prevent fraud.

i. When receiving text messages from numbers purporting to be from a parcel service, the ATO, your child or any other source, do not rely on information provided in the message, including links. Visit the purported service's official website and log in manually to verify any claims.

j. When receiving phone calls from numbers purporting to be from a large organisation, unless you explicitly recognise the phone number as belonging to that organisation, do not provide any personal details over the phone. Request a reference number and offer to call them back on an officially listed number.

k. When using Microsoft Office, be wary of any spreadsheet that asks you to enable macros, which are a series of commands and instructions grouped together as a single command to accomplish a task automatically.
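Items b, d and f above are checks a person does by eye; the following added example (not from the original article) shows the same checks done mechanically on a constructed message, so you can see exactly what to look at: the real sending address behind the display name, a Reply-To that sends your answer somewhere other than the sender's domain, links whose visible text shows one website while the underlying address goes to another, and links that are plain http. The message, the names and every domain in it are made up for illustration and use reserved example names; `review_message` and the finding labels are ours.

```python
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email); all domains are reserved example names.
SAMPLE_MESSAGE = """\
From: "Acme Bank Payments" <payments@acmebank-notices.example>
Reply-To: accounts@example.net
To: you@example.org
Subject: Updated bank account details for your next invoice
Content-Type: text/html; charset=utf-8

<p>Our banking details have changed. Please confirm the new account at
<a href="http://example.net/confirm">https://www.acmebank.example/payments</a>
before your next payment.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address: str) -> str:
    """The part after the @ in an email address, lower-cased; empty if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url: str) -> str:
    """Hostname of a URL; tolerates link text written without a scheme (e.g. www.example.com/path)."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def review_message(raw: str) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for a single-part HTML email; an empty list means nothing stood out."""
    msg = message_from_string(raw)
    findings: list[tuple[str, str]] = []

    # Item d: look past the display name at the actual address, and at where a reply would go.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(("reply-to-mismatch", f"From is {from_addr} but replies go to {reply_addr}"))

    # Items a and b: the address a link really goes to, and whether it is https.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", errors="replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if urlparse(href).scheme.lower() == "http":
            findings.append(("http-link", f"{href} is plain http, not https"))
        looks_like_url = "://" in text or text.lower().startswith("www.")
        if looks_like_url and host_of(text) != host_of(href):
            findings.append(("link-host-mismatch",
                             f"link text shows {host_of(text)} but the link goes to {host_of(href)}"))
    return findings


if __name__ == "__main__":
    for finding, detail in review_message(SAMPLE_MESSAGE):
        print(f"{finding}: {detail}")
```

The example deliberately does not try to decide whether a message is 'safe': a clean result only means these particular tells are absent, which is why item f (phone the supplier on a number you already hold) remains the check that actually settles a request to change bank details.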

Step 8: Consider Physical Security Aspects

Cyber security is important, sure. However, did you know that physical security is an important part of information security? Let's assume I am a criminal wanting to access your information for some nefarious purpose. I can try to hack into your computer. Or... I could steal a few pieces of your physical post and get equally sensitive information from letters that come from your bank, your local council and your utilities.

As such, you should consider physical security countermeasures in addition to your cyber security ones. These could involve:

1. Use a PO Box to receive letters and parcels.

2. If the sound of a PO Box doesn't float your boat, consider a locked letter box.

3. If you are a prolific eBay, Amazon or online shopper, consider how your parcels are being delivered.

Step 9: Consider breach and credit monitoring services

Over the course of 2023, we have seen numerous instances of mega breaches which have now resulted in cyber criminals using data derived from those breaches to perform fraud in the name of a data breach victim. Very often, the individual who is being targeted by a cyber criminal has no idea that this has occurred until they get a knock on the door by a sheriff, or try to apply for credit themselves and discover their credit history has been severely impacted by this fraud.

There are ways of mitigating this risk by monitoring your identity online. Broadly speaking, there are a few things you can do in this regard:

1. Set up a free credit score service to let you know when your credit score has changed. There are multiple services available for this, including from Credit Simple, GetCreditScore, CreditSavvy and others. A full list of these can be found here.

2. Set up credit monitoring services to advise you when your credit file is being accessed, who is making inquiries and the nature of those inquiries. Generally speaking, these are paid services; however, the investment may be worthwhile. Please visit the Australian Government MoneySmart website for more information.

3. Consider setting up a data breach monitoring service. These will advise you if your details have appeared in a data breach and will recommend steps to mitigate any risk. These are often included as add-ons to password management services.

Step 10: Consider how you are using Artificial Intelligence (AI)

Easily the biggest IT news story of 2023 has been the use and advancement of Artificial Intelligence (AI). The truth is, we haven't even started to scratch the surface in terms of what AI can do to increase efficiency and productivity at work and in the home. And while I will park to one side the considerable risks and concerns that warrant greater regulation with respect to AI, AI technology is also something that you need to be thinking about when considering cyber and privacy risks.

I'll list some of these concerns here:

  1. You don't want to be relying on what AI generates without casting a critical eye and undertaking your own research on what it outputs. This applies to all professions, but especially if you are a lawyer.
  2. You want to be really sure of the sort of information you are feeding into AI systems. What do I mean? Well, as of December 2023, there remains a lack of regulation, particularly in Australia, in relation to what AI providers can and will do with the information you input into those systems. This has direct implications for your own individual privacy and the confidentiality needs of the organisations you work for and are involved with.
  3. AI generated photography sounds like fun. However, there are a cavalcade of caveats with respect to who owns what when your information is provided to an AI app creator, and this raises major security and privacy risks. Consider that over 25% of apps that collect your information (including images) go on to store that data on their services, and 75% of AI photo apps require you to sign over rights to personal images for promotional purposes. In my view, this is not a good outcome for individuals' rights to their own information. As such, I look forward to seeing strong AI regulation, such as the recently agreed European Union AI Act, pass parliaments around the world, including here in Australia.
  4. Be mindful of becoming dependent on AI. When I say 'dependent' on AI, I mean two things: 1) if you are performing a job that AI can do, then you need to start thinking about a new job or even a new career; and 2) if you become entirely dependent on AI and do not critically analyse or think about how and why it arrived at the answer it did, it will impact your own long term critical thinking and research ability, the same way the arrival of GPS made people forget how to read maps and street signs and rely on what the machine told them to do.

In Conclusion.

I hope all of this comes in handy in helping to protect you, your loved ones and your family and friends in this ever-challenging world that we all live in. If you have comments, suggestions or feedback, please feel free to reach out to me directly or comment on this article below.

Season's Greetings to all, Merry Christmas to those celebrating, and I wish all of you a happy, healthy, safe and successful 2024.

Kajol Patel

Partner Alliance Marketing Operations at Data Dynamics

9 months

Your 2024 cybersecurity guide covers crucial aspects of data security and privacy. The emphasis on the 3-2-1 backup rule, software updates, and endpoint protection aligns with safeguarding sensitive information. Your thorough approach to password management, two-factor authentication, and social media privacy underscores the significance of personal data protection. Here is an article on data security in the AI age that might interest you - https://www.datadynamicsinc.com/blog-datas-new-frontier-in-2024-the-interplay-of-data-custodianship-security-and-compliance-in-the-age-of-ai/

Reply

We appreciate your dedication to promoting cybersecurity awareness and privacy. The 2024 guide is comprehensive and covers crucial areas for individuals to consider in enhancing their digital security. How have you seen the landscape of cybersecurity and privacy evolve over the past year, and what emerging trends do you anticipate in 2024?

Reply
Joe Cozzupoli

CISO Advisor | Cloud & Cybersecurity Strategist | Board Advisor | Tech Evangelist | Author | Mentor

10 months

We as society can be the strongest link in the chain, not the weakest link as old school cybersecurity professionals think! Let's be smart, verify (phone a friend as Eddie would say) before we trust (click on that link that looks sort of ok)
