Ten Ways to Stay Safe Online

October 2, 2020 | Article

By Joe Sousa, CISA, CEH, CMMC RP

As our reliance upon computers and mobile computing devices increases, we need to take steps to protect our devices and ourselves from cybercriminals.

Here are tips to help you keep your identity and data safe, so you can have the best defenses possible and avoid being hacked.

1. Unsure? Don’t click it. It’s important to note that technology alone will never be able to fully protect you. Attackers have learned to bypass even the most advanced security technology by attacking you. If they want your password, credit card or personal data, the easiest thing for them to do is to trick you into giving them this information.

No matter where the uncertainty arises, whether you’re in an email or on a website, consider the source and its contents. Why was this email sent to me? Where will this link take me? 

The greatest defense against attackers is you. Don’t click links unless you know you can trust the source and you’re certain of where the link will send you. If you are unsure about a link, the best thing to do is delete the email.

2. Use strong passwords and a password manager. The next step to protecting yourself involves using a strong, unique password for each of your devices and online accounts. The key words here are “strong” and “unique.” A strong password means one that cannot be easily guessed by hackers or by their automated programs, and it should be unique in the sense that it’s not used for any other device or account. That way, if one password is compromised, all your other accounts and devices will still be safe.

The perfect password has, for decades, eluded the masses. How can a string of text be both memorable and secure in an age where computers can easily crunch digits at a rate of 1,000 guesses a second to “crack the code” in a matter of hours? Secure passwords and privacy are top of mind for businesses and consumers alike. No one wants to fall victim to the next breach or hack. But the probability of having a safe password using basic human logic – like replacing “a” with “@” or swapping “i” and “1”, or using the same password across multiple sites and/or accounts – is next to impossible today. And cyber-hacking tactics are growing more and more advanced.

But perhaps, we simply need to change our logic. Enter the secure password unicorn: Passphrases.

Two researchers out of the University of Southern California may have found a solution to our current cyber-crime conundrum: randomly-generated poems.

Long-form passwords and passphrases have been increasing in popularity in recent years. The genius – and simplicity – in this approach comes from changing how we view secure passwords. For years, we’ve been trained to create and use passwords which are essentially gibberish to us but relatively elementary for advanced tech to crack. But short, rhythmic passphrases flip that logic.

They are incredibly memorable yet completely illogical, which forces the algorithms and technologies used by cyber-criminals to test billions upon billions of possibilities before landing on the right combination of random words.

By deploying a basic form of cryptography, the USC researchers assigned a distinct code to every word in a 327,868-word dictionary. They then used a computer program written for iambic tetrameter to generate a string of numbers, which is then translated into short, rhyming phrases.

The resulting phrase is an ultra-secure password. The passphrase is far easier for us simple-minded humans to remember and much, much harder for today’s sophisticated computers to guess. Stringing together random words as a passphrase is calculated to take more than 500 years for a computer to guess, as compared to just a number of days for conventional passwords.

Full disclosure though, the passphrases are a little odd. Here are a few examples from the researchers:

Receiver Mathew Halloween
deliver cousin magazine

And British fiction engineer
Travolta captured bombardier

They even have a fun little tool to generate others. Now, it should be noted that these examples are for demonstration purposes only. Don’t start using these as your new passphrase! But, if you’d like your own randomly generated and secure phrase, you can enter your email here and their program will send you a unique password, immediately deleting it from their servers.

Now, secure as they may be, these rhyming phrases do have a downside. Many sites have character limits on passwords today, but more and more are considering dropping these limits since we now know that shorter passwords are more vulnerable to hacking. Additionally, some policies require special characters or numbers be included, but a simple workaround is using them in place of the spaces.

To ease you into passphrases – and offer some general tips for more secure and memorable passwords – consider these tips:

  • Build Your Own Passphrase
    If random words won’t work for you, string together three to five words that have meaning to you. A winning formula? A Place + A Thing + A Thing + A Number
    So, for example, maybe it’s the state you went to college, your favorite color, a local park, and your lucky number: CaliforniaNavyBlueMapleRiver92
  • Don’t Forget About the Add-Ins
    As mentioned above, some sites require special characters in passwords. Mixing in upper- and lower-case letters as well as a few special characters is a traditional tactic to help secure passwords. With passphrases, this is also true – though less necessary because of the passphrase’s length. That said, you can take the above passphrase and replace a few letters and spaces to get: CaliforniaNavy_blueMapleRiver92*
  • Shorten—But Smarter
    Having a hard time getting used to long passphrases? Running into character limits? Shorten your passphrase to make a completely random string of single numbers and letters, so our example becomes: CN_bMR92*
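To put numbers on the claims above (a 327,868-word dictionary and an attacker making 1,000 guesses a second), here is an added Python example, not code from the article or from the USC researchers, that computes the entropy of a dictionary passphrase versus a short conventional password and generates a passphrase from the operating system’s random source. The small word list is constructed for illustration only.

```python
import math
import secrets

DICTIONARY_WORDS = 327_868       # dictionary size cited in the article
GUESS_RATE = 1_000               # guesses per second cited in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample word list; a real generator would load a large dictionary.
SAMPLE_WORDS = ["receiver", "mathew", "halloween", "deliver", "cousin",
                "magazine", "british", "fiction", "engineer", "travolta",
                "captured", "bombardier"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a secret made of `length` independent, uniform picks
    from `alphabet_size` symbols: words for a passphrase, characters otherwise."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESS_RATE) -> float:
    """Worst-case years to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(wordlist, words: int = 4, separator: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), never the `random` module."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def compare_strengths() -> dict:
    """Rounded bits and worst-case crack time (years) for three secret designs."""
    cases = {
        "4 dictionary words": entropy_bits(DICTIONARY_WORDS, 4),
        "6 lowercase letters": entropy_bits(26, 6),
        "8 letters+digits": entropy_bits(62, 8),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits)) for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_strengths().items():
        print(f"{name:<20} {bits:6.1f} bits  {years:.3g} years to exhaust")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Note that the figures are worst-case exhaustive search at the article’s 1,000 guesses per second; offline cracking of leaked password hashes runs many orders of magnitude faster, which only widens the gap in favour of the longer passphrase.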

Cybersecurity breaches can happen to anyone.

3. Enable two-factor authentication. One of the most important steps you can take to protect any account is to enable two-factor authentication. Passwords alone are no longer enough to protect accounts, and two-factor authentication is much stronger. It uses your password and adds a second step: either something you are (biometrics) or something you have (such as a code sent to your smartphone or an app on your smartphone that generates the code for you). Enable this option on every account you can, including your password manager, if possible.

4. Run the latest software versions. Most software vendors periodically update their products to address any newly-discovered security flaws. Users should register purchased software with the vendor in order to receive software security updates. Software updates provided by vendors should not be ignored or postponed.

Make sure your computers, mobile devices, applications and anything else connected to the internet are running the latest software versions. Cybercriminals are constantly looking for new vulnerabilities in the software your devices use. Stay informed on new updates and apply them as they come out.

5. Back up your information. Sometimes, no matter how careful you are, your account or identity may still be hacked. If that is the case, usually your only option to ensure your computer or mobile device is free of malware is to fully wipe it and rebuild it from scratch. The attacker might even prevent you from accessing your personal files, photos and other information stored on the hacked system. Often, the only way to restore all your personal information is from backup. Make sure you’re regularly backing up any important information and verify that you can restore from them. Most operating systems and mobile devices support automatic backups. In addition, store your backups in the cloud or on an external device offline to protect them against cyberattackers. Your backups will be critical in a time of need.

6. Check for the “s.” The letter “s” makes a difference when it comes to secure web surfing. “Http” stands for hypertext transfer protocol, while the “s” at the end stands for secure. It’s important to make sure that “https” is displayed as part of any URL you visit, because it shows the authenticity of the security certificate on that webpage. If you access a webpage without a certificate or with one that is expired, there’s a chance you’re accessing a website that could be loaded with malware, viruses, trojans or eavesdroppers.

7. Protect your business from malicious activity by educating your employees. Utilize security awareness and user training, so your team is armed with insight and is discerning enough to not open or click on suspicious links and attachments. As the business owner, it’s your duty to teach and empower your employees to interact safely with email and websites.

8. Ensure security. Even if your team is trained to be cautious, without an effective and strong security system, threats can still get through.
  • An email security system should be in place to protect against threats coming through email.
  • A firewall with the intelligence and advanced security detection capabilities to detect and prevent threats from entering your business network can help ensure security.
  • Using a real-time threat security prevention solution is key to detecting new threats quickly enough to prevent infections.

9. The Importance of a Firewall. A key component of any cybersecurity defense is an active firewall. A firewall protects your business from the negative effects of ransomware, malware, viruses and more. An effective firewall that properly protects your business against internet-based threats will need:
  • Content filtering. Your firewall should use controls to enforce internet-use policies and block access to non-business or malicious websites.
  • Multi-Engine File Sandboxing. Files downloaded to your users’ web browsers need to be checked for safety. If that’s unknown, then they need to be sandboxed and tested to verify their safety before they can be used.
  • Antivirus. Your firewall should have a real-time, high performance virus scanning engine and dynamically updated database to detect threats as they happen.
  • Antispyware. It also needs real-time, high performance prevention of spyware that could transmit confidential information out of your network.
  • Intrusion Prevention System (IPS). Make sure your firewall has high-performance traffic inspection and dynamic database protection against application exploits, worms and malicious traffic, and that it manages access control for peer-to-peer and instant messenger applications.
  • Application Intelligence and Control. Your firewall should manage privileges and bandwidth for applications and users, allow or deny internet access based on the application, and inspect, detect and prevent infections spread through application communications.
  • Geo-IP and Botnet Filtering. Your firewall should block connections to or from a geographic location (such as overseas) where you may not be doing business, but where hackers are actively working on gaining access to your network. It should also block connections to and from botnet command and control servers to prevent ransomware.
  • Inspection of SSL (Encrypted) Web Browsing Traffic. Your firewall should inspect SSL traffic for viruses and other malicious content. Most web browsing today uses SSL; without this service, that traffic stays encrypted and the firewall cannot detect malicious content inside it.
  • Inspection of SSH (Encrypted) Connections to the Internet. Make sure your firewall can detect and prevent advanced attacks tunneled over SSH, blocking encrypted malware, the spread of infections and command-and-control activity.

10. Avoid personal email for business communication. Think twice about allowing personal email accounts for business communications, because:
  • Private email accounts don’t enforce the same level of security as corporate email, and they’re more easily hacked.
  • Hackers could use a private email account to attack your customers.
  • Emails sent via personal accounts are not discoverable in standard legal discovery procedures.
  • Employees can keep secrets from the business.
  • Communications that employees conduct using their personal email accounts are considered private.
  • Data sent through a private email account is out of your control.
  • Allowing employees to use personal email accounts to conduct business means that your company’s business information is being stored on mail servers outside of your control.
  • Private email services, like Gmail and Yahoo, store data everywhere. They have servers all over the world and there is no way to confidently identify where your data is located when it’s sent via a private email account.
