My New-Years, Cyber Security ‘not-a-top-ten’ List

So I sat down to write a top 10 list of things I think everyone should do to make both themselves and their organisations more secure and less at risk from cyber attacks.

Two things dawned upon me whilst writing said list…

  1. There are loads already.

and

  2. Bombarding people with lots of things to do doesn't get you the results you're looking for. It's easy to read a list of things you should be doing, but don't currently do any of, then come to the conclusion that the mountain is too high to climb. The net result is you end up doing nothing.

A prime example is fitness - most people want to 'get fit' - we’ve all over-indulged over the festive period (myself very much included) and have decided that it’s ‘new-year, new-me’, but the lack of quick success and having a high mountain to climb puts people off trying (again, myself included).

To avoid an outcome of inaction, I'd like to propose my ‘Top 1 List’ - the thing I would do to make you as an individual or business more secure and less likely to become a victim of cyber crime such as identity theft or a data breach.

We're going to stick to the new-year exercise plan idea - the more you do it, the 'healthier' you will become, little and often. A cyber security ‘Couch-to-5K Challenge’ if you will.

The plan is really simple, free and will take you less than 5 minutes each day to finish. 

So without further ado, in at number 1...

Enable two factor authentication for your online services

To cut down on the IT jargon, 2FA is simple - when you try to log into an online service such as your email or a social network, as well as typing a password, you're going to have to provide a second form of proof that you are who you say you are. 

Multi factor authentication is most commonly achieved either via a 6-digit code that is sent to you in a text message (less secure than the second option, but better than nothing), or a randomly generated code that you get from a free app on your phone (more secure than a code sent via text).

Why are we doing this? Simple - you could reply to this post and put your current LinkedIn password in the message for all to see (please don't), but without that secondary code or text message to prove the person logging in is actually you, no-one can log in. To get that code, someone would need your phone and your fingerprint to unlock it.

It's like having a second lock on your front door that uses your fingerprint - the only way someone can get in, is if you’re with them.

Day 1

The idea is that we’re going to start slow to allow you to get warmed up. If after day 1 you’re still ready for more - move straight to day 2.

1. Write a list of the main online services you use such as:

  • Email
  • Social Media
  • Banking
  • Retail & Shopping

Start with the most important service - I'd argue that's email, even if it's not the one you use the most, as in all likelihood if you click a 'Forgot Password' link on any of the other accounts you have, the service will send you an email to reset your password. This means that if someone got access to your email, they've also got access to all your other services by proxy.

So you should end up with something like:

  1. Gmail
  2. Facebook
  3. Twitter
  4. Barclays
  5. PayPal
  6. Amazon

Your brands of services may vary, and don't worry about missing services off - you can create another list if you like when you're done with this one.

You're done for Day 1 - Congratulations!

Day 2

Today we're going straight for your most important service, as that is what will give you the best security pay-off. It might be email, it might not be, but whatever it is, we're going to do one thing today:

Enable multi-factor authentication (also called 2-factor authentication, or 2FA)

  1. Login to your email account.
  2. Go into the account or settings menu and enable multi factor authentication (see below for how to do this).
  3. If the service offers you recovery keys, or a way to set a fail safe in case you need to get access to your account and don’t have your 2FA code (e.g. you’ve lost your phone), store these somewhere safe.
  4. Log out and back in again to make sure that all is OK and to see how the multi-factor logon process works.
  5. Congratulate yourself on doing something that took minutes, but now means the most important service you use can't be logged into by someone who knows your password and is pretending to be you.

How to enable multi factor authentication

The Verge wrote a brilliant article that gives you a step by step guide of how to do this for most common web services such as Google, Microsoft, Facebook, PayPal & Amazon. If you’re unsure where to find the option in a service you use, take a look and hopefully it will help you find where to look - link

You can also check out this link to TwoFactorAuth.org for more guides on where the 2FA settings are for the services you use.

That’s day 2 done - the first thing you do is always the hardest. Tomorrow we go again, but now you're an old pro and it will be much easier - just like a fitness plan, it gets easier every day.

Day 3

Let's pick the second entry on your list and attack that - again the goal is simple, we're going to secure your second most important account (social media now for most I'd imagine), so that only you can get in.

  1. Log in
  2. Enable 2 factor authentication, so you can't just log in with a password
  3. Logout, log back in, test your 2FA enrolment, then congratulate yourself on a job well done

Remember the Verge article I linked to, with great step-by-step instructions on how to enable 2 factor authentication for commonly used services - here.

Let's say that so far you've done Google and Facebook in the past 2 days - now stop and think how many sites allow you to log in with buttons that say 'Login with Google' and 'Login with Facebook' - they are all now secure too. Small (and free) actions can have a big impact on protecting your identity and data.

Day 4 - Day X

Now you've got the hang of this and you've got your attack plan with the rest of your list of sites and services.  

The task is simple - 1 site or service per day to have 2 factor authentication enabled. If the service doesn’t offer 2FA, first consider whether you really need to use that service. If the answer’s no, close your account and delete your data. If you do need it, make sure you change your password to something not used for any other service. If you need help with passwords, see the bottom of this article.

When you finish your list - 

  1. Congratulations on a job well done
  2. Why not write another one and carry on - remember to rank your services in order of importance as you might not get to the end, but if you do the most important first, the impact you have will be greater.

I've got this - what else can I do?

If the above is a bit lightweight for you, add an extra step - start using a password manager. 

Password managers are great as you can set your passwords to random letters, characters, numbers and symbols that you don't need to know or remember as the password manager can auto-fill them into your web pages and apps for you.

Personally, I have used LastPass for 5 or so years, but there are tons of options out there. As always with software, different solutions will be better for different people depending on your needs.

If you’ve decided to use a password manager (good move), go through your lists of sites and services and change your current passwords to new, secure ones generated by your password manager. Yes, you’ve got 2FA enabled on your accounts, but having individual, non-dictionary passwords for all your accounts is even safer and more secure.

Next time you read about a service being hacked with personal data and logon credentials being stolen, you won’t get that sinking feeling as you know the cyber-criminals only have access to the account they’ve hacked, not every account you have that all share a common password.

Thanks for reading this far and I hope you found it useful, please share this with anyone you think would benefit from being more secure online, but might not know where to start. 

It’s true that cyber security can be very expensive and complicated - but if we all just did the simple, and often free basics, we’d all be much more secure.

Remember - it’s not hacking when someone just logs in as you!


Dave Sobel

Outspoken Host of the Business of Tech and leading voice in the delivery of IT Services

5 years

It’s smart advice. I think the other thing you should be talking about would be a password manager - if each account has its own distinct password, then any individual compromise is not as serious. It’s notable that both the Ring and Disney+ “hacks” were just cross site password usage.


More articles by Dan Scott
