Chapter 19

Ten Ways to Improve Your Cybersecurity without Spending a Fortune

IN THIS CHAPTER

  • Understanding that you’re a target
  • Protecting yourself using security software
  • Encrypting, backing up, and more

Not all security improvements require a large outlay of cash. In fact, many of the things you can do to greatly improve your security are free and require little effort. In this chapter, you discover ten ways you can quickly improve your cybersecurity without spending a lot of money.

Understand That You Are a Target

Tip: Attitude may be the most important element of keeping yourself cyber-safe. People who believe that hackers want to breach their computers, smartphones, and other smart devices, and that criminals want to steal their data, act differently than people who do not grasp the true nature of the threat.

Internalizing today’s reality will help instill in you a healthy level of skepticism, as well as impact your attitude and behavior around cybersecurity in numerous other positive ways — many of which you may not even consciously notice.

For example, if you believe that you’re a target of cyberattackers, you’re less likely to blindly trust that emails that you receive from your bank were actually sent by the bank, and as such, you’re less likely to fall prey to phishing scams than are people who believe that they are not targets. You may feel that you already know not to trust such emails, but what if an email were to arrive from your boss and instruct you to ship a laptop to some address? Or you heard your boss’s voice tell you that you should do so — and didn’t think for a moment about the fact that criminals know how to make targeted deep fakes that can impersonate voices?

People who believe that criminals are after their passwords and PINs are also more likely to better protect these sensitive pieces of data than are people who believe that crooks “have no reason to want” their data.

Use Security Software

All computer devices (laptops, phones, tablets, and so on) that house sensitive information or that will be attached to networks with other devices do need security software. Several popular, inexpensive packages include antivirus, firewall, antispam, and other beneficial technologies.

Portable devices should have tracking and remote wipe capabilities and software optimized for mobile systems; remember to enable such features as soon as you get the device. Many phones come with security software preinstalled by providers — make sure you enable and use it.

Encrypt Sensitive Information

Store all sensitive data in an encrypted format. If you have doubts as to whether something is sensitive enough to warrant encryption, it probably does, so err on the side of caution and encrypt.

Encryption is built in to many versions of Windows, and plenty of free encryption tools are available as well. It is amazing how much sensitive data that has been compromised could have remained secure if the parties from which it was stolen had used free encryption tools.

Also, never transmit sensitive information unless it is encrypted. Never enter sensitive information to any website if the site is not using TLS encryption (this type of encryption is sometimes called SSL, even though the SSL protocol was replaced by TLS many years ago), as evidenced by the page loading with HTTPS, and not HTTP, a difference easily seen by looking at the URL line of a web browser. Encryption involves complex mathematical algorithms, but you don’t need to know any of the details in order to utilize and benefit from encryption.

Tip: Be aware, however, that the era of quantum computing — that is, of new types of computers that use quantum physics to store data and perform calculations rather than bits consisting of strictly a 0 or 1 — is likely to render many of today’s encryption mechanisms obsolete and cause data encrypted with today’s technologies to become vulnerable to exposure. How soon such so-called “quantum supremacy” arrives is unknown, and experts have wildly different opinions as to how many years it will take. So pay attention to updates offered by vendors over the next few years that ensure that their products are “quantum safe.”

Also be aware of the two major families of encryption algorithms that are used today (in addition to the ostensibly “quantum safe” encryption mechanisms that are emerging):

  • Symmetric: You use the same secret key to encrypt and decrypt.
  • Asymmetric: You use one key to encrypt and a different key to decrypt. (This is the type that quantum computing most threatens.)

Most simple encryption tools utilize symmetric encryption, and all you need to remember is a password to decrypt your data. Throughout the course of your professional career, however, you may encounter various asymmetric systems that require you to establish both a public key and a private key. The public key is shared with the world, and the private key is kept secret. Asymmetric encryption helps with sending data:

  • If you want to send information to John so that only John can read it, encrypt the data with John’s public key; only John can decrypt it, because he is the only party who has John’s private key.
  • If you want to send information to John and want John to know that you sent it, encrypt the data with your own private key. John will decrypt it with your public key and know that you sent it, because only you have the private key that goes along with your public key.
  • If you want to send information to John in a format that only John can read and that lets John know that you sent it, encrypt with both your own private key and John’s public key.

In reality, because asymmetric encryption is processor intensive, it is rarely used for encrypting entire conversations; rather, it is utilized to encrypt special session keys — that is, to convey to the parties to a conversation the keys that they need for symmetric encryption. Subsequent communications between the parties are conducted using symmetric encryption with the keys that were securely communicated using asymmetric encryption.
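The session-key arrangement described above, as an added example that is not from the book: the message is encrypted with a fresh symmetric key, and only that key is encrypted with John's public key. It assumes the third-party Python `cryptography` package and picks RSA-OAEP, RSA-PSS and AES-GCM as the concrete algorithms; the function names are hypothetical. The "encrypt with your own private key" step appears here as a digital signature, which is how libraries expose that operation.

```python
# Added example (not from the book): hybrid encryption with a signed envelope.
# Assumes the third-party "cryptography" package; function names are hypothetical.
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def new_keypair():
    """Return (private_key, public_key); the private half never leaves its owner."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def seal(message: bytes, sender_private, recipient_public) -> dict:
    """Encrypt for the recipient and sign as the sender."""
    session_key = AESGCM.generate_key(bit_length=256)   # fresh symmetric key per message
    nonce = os.urandom(12)                              # must never repeat for one key
    ciphertext = AESGCM(session_key).encrypt(nonce, message, None)  # bulk data: symmetric
    wrapped_key = recipient_public.encrypt(session_key, OAEP)       # 32-byte key: asymmetric
    signature = sender_private.sign(wrapped_key + nonce + ciphertext, PSS, hashes.SHA256())
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext, "signature": signature}


def open_envelope(env: dict, recipient_private, sender_public) -> bytes:
    """Verify the sender's signature, unwrap the session key, then decrypt."""
    signed = env["wrapped_key"] + env["nonce"] + env["ciphertext"]
    sender_public.verify(env["signature"], signed, PSS, hashes.SHA256())  # raises InvalidSignature
    session_key = recipient_private.decrypt(env["wrapped_key"], OAEP)     # raises ValueError on wrong key
    return AESGCM(session_key).decrypt(env["nonce"], env["ciphertext"], None)  # raises InvalidTag


def try_open(env: dict, recipient_private, sender_public):
    """Return the plaintext, or None if the signature, key unwrap or decryption fails."""
    try:
        return open_envelope(env, recipient_private, sender_public)
    except (InvalidSignature, InvalidTag, ValueError):
        return None


if __name__ == "__main__":
    my_private, my_public = new_keypair()
    john_private, john_public = new_keypair()
    envelope = seal(b"constructed sample message", my_private, john_public)
    print(try_open(envelope, john_private, my_public))
```

However long the message is, the asymmetric step handles only the 32-byte session key, which is why the cost of the public-key operation stays fixed.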

Back Up Often

Back up often enough that if something goes wrong, you won’t panic about how much data you lost because your last backup was days ago.

Tip: Here is the general rule: If you’re not sure whether you’re backing up often enough, you probably aren’t. No matter how convenient doing so may seem, do not keep your backups attached to your computer or even to your computer network (see Chapter 14). If you do keep backups attached in such a fashion, you run a serious risk that if ransomware or other malware somehow manages to infect your network, it can corrupt the backups as well, which would undermine the reason for backing up in the first place! This risk is not theoretical. Many ransomware victims who were calm upon initially discovering that they had been breached because they had recently backed up their device panicked when they discovered that the backups had also been corrupted by the ransomware!

Ideally, you should have backups stored both onsite and offsite. Onsite storage of backups lets you restore quickly. Offsite storage of backups helps ensure that backups are available even when a site becomes inaccessible or something else devastates all the computer equipment and digital data at a particular site. And make sure you regularly test that your backups actually work. As many parties have sadly learned the hard way, backing up is worthless if you can’t actually restore from your backups.

Do Not Share Login Credentials

Every person accessing an important system should have their own login credentials. Ideally, you should not share passwords for online banking, email, social media, and so on, with your children or significant other — get everyone their own login.

Remember: Implementing such a scheme not only improves the ability to track down the source of problems if they occur, but perhaps more important in the case of families, creates a much greater sense of responsibility and encourages people to better protect their passwords.

Use Proper Authentication

You have likely heard the conventional wisdom to use complex passwords for all systems, but do not overdo it. If using too many complex passwords is causing you to reuse passwords on multiple sensitive systems or to write down passwords in insecure locations, consider other strategies for forming your passwords, such as combining words, numbers, and proper names, such as custard4tennis6Steinberg. See Chapter 8 for more details.

Tip: For extremely sensitive systems, if stronger forms of authentication, such as multifactor authentication, are available, take advantage of the offerings and use them.

For systems to which passwords do not really matter — such as when accounts are required only so that the site operator can track you, but not to secure anything of value to you — consider using weak, easy-to-remember passwords. Don’t waste brainpower where it does not need to be used. You can even reuse such passwords on multiple such sites, but of course, never use such passwords on any sites where security is actually of concern to you.

Alternatively, use a password manager, but ideally do not use a password manager for your most sensitive passwords — keep them in your head — because you don’t want to put all your eggs in one basket. If you must write such passwords down for other people to use in case something happens to you, write them down on paper and store them in a fire-and-water-resistant bag in a safe deposit box or safe.

Use Social Media Wisely

Oversharing on social media posts has caused, and continues to cause, many problems, such as leaking sensitive information, violating compliance rules, and assisting criminals to carry out both cyber and physical attacks. Be sure that your phone does not autocorrect anything to sensitive material when posting. Also, don’t accidentally cut and paste anything sensitive into a social media window. You would probably be amazed at how often errors of this type occur.

Segregate Internet Access

Nearly all modern Wi-Fi routers allow you to run two or more networks. If your router offers you such a feature, use it. If you work from home, for example, consider connecting your laptop to the Internet via a different Wi-Fi network than the one that your children use to browse the web and play video games. As discussed in Chapter 4, look for the Guest feature in your router’s configuration pages — that is where you will typically find the ability to set up the second network (often referred to as the Guest network). Many people use the Guest network not only for guests, but also for their children who connect devices to the Internet.

Use Public Wi-Fi Safely (Or Better Yet, Don’t Use It!)

While public Wi-Fi is a great convenience that most people utilize regularly, it also creates serious cybersecurity risks. As such, if your phone allows you to create an Internet hotspot to which your other devices can connect, use that method of connecting to the Internet and forgo the use of all public Wi-Fi. Sometimes, however, using a personal hotspot is impossible — you may be located underground, for example, or in some other area to which cellular signals do not penetrate.

Cybersecurity practitioners who preach that people should refrain from using public Wi-Fi in such situations are about as likely to succeed in their effort as they would be if they instructed people to abandon insecure computers and revert back to using typewriters. In such situations, therefore, if you absolutely must connect to public Wi-Fi, it is important that you already know how to use public Wi-Fi safely and understand multiple techniques for improving your odds of defending yourself against mischievous parties (see Chapter 7) and do so before you find yourself needing to connect. So check out Chapter 21 before you need to use it.

Hire a Pro

Especially if you’re starting or running a small business, getting expert advice can be a wise investment. An information-security professional can assist you in designing and implementing your approach to cybersecurity. The minimal cost of a small amount of professional help may pay for itself many times over in terms of time, money, and aggravation saved down the road.

Remember: The folks who will attack you — cybercriminals and other hackers — have, and utilize, technical expertise. If you’d hire a lawyer if you were charged with a crime, go to a doctor if you suffered a serious injury, or hire an accountant if the IRS notified you that it was auditing you, hire a cybersecurity pro.
