A Month Of Cyber Security Lessons

Kirstan Norman Blog

Back in February, I took on a short contract with The AntiSocial Engineer Limited. I’m a writer and marketer and the plan was to help this awesome small business get a lot of the ideas they had for blogs down on paper.

I feel like we’ve accomplished a lot in this past month, but what I didn’t expect was to learn so much in such a short space of time. I am definitely not a novice when it comes to cyber security, but I’ve now learnt that I’m far from an expert.

Learning about cases where simulated phishing attacks have resulted in an employee’s entire mailbox being compromised whilst he was blissfully unaware and the lengths criminals will go to in order to get access to confidential data has made me realise that a little more effort is required on my part in some aspects of my online security.

Here are the five key pieces of security advice that I have actually started to implement, thanks to The AntiSocial Engineer:

Voluntarily Enabling Multi-Factor Authentication

I hate to say it, but I’ve come to the realisation that I’m one of those people who implements security because I’m told to, and not because I think I need to. It’s common practice in most workplaces for multi-factor authentication (MFA) to be obligatory, so I’ve always begrudgingly set it up and scoffed at the five extra seconds it takes each time I log in.

Since working at TAE and beginning to fully understand the implications of not having MFA enabled, I can proudly say I have been slowly but surely setting it up on my personal accounts. Seeing statistics such as Google Authenticator being successful at preventing up to 100% of automated attacks has really opened my eyes to how important that extra layer of security actually is.

Better Password Organisation

My passwords have never been memorable events or pet names, but I’m guilty of reusing some, guilty of some being far too simple, and guilty of not caring enough. Having spent hours checking the copy of TAE’s learning modules for grammar mistakes, it seems that I actually absorbed and acted upon some of the content. We’ve all heard ‘use strong passwords’ over and over again, and most of us probably believe that to be the equivalent of bashing your fingers on the keyboard and using that string of characters; however, TAE actually recommends a better solution.

I’ve started making the transition to passphrases instead of passwords. Four random words with at least four letters in each – passphrases like this are perhaps even longer than the auto-generated random string of characters but are just as hard to crack – and a heck of a lot easier to remember. A good example would be “tractorllamafriendbucket” – it doesn’t even need any numbers or special characters but if you can chuck a couple in, the more the merrier! With so many accounts, it won’t be an overnight fix, but I’m determined to keep going until all my accounts are suitably protected with a strong, unique password.
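To show why the ‘four random words’ rule works, here is a small added example (my own illustration, not code from TAE or their learning modules). It builds a passphrase from a word list using the operating system’s secure random source and puts a number on the strength: the entropy of a passphrase is the number of words multiplied by log2 of the size of the word list, which you can compare directly against a random character string. The sixteen-word list in the block is constructed for the example only; the 7,776-word figure used in the comparison is the size of the EFF long word list, which is what you would actually generate from.

```python
import math
import secrets

# Constructed sample word list for this example only. A real generator should
# draw from a large published list such as the EFF long list (7,776 words).
SAMPLE_WORDS = [
    "tractor", "llama", "friend", "bucket", "orange", "window",
    "pencil", "river", "castle", "garden", "silver", "planet",
    "mountain", "cat", "dog", "ox",
]


def build_pool(words, min_len=4):
    """Lower-case, de-duplicate and drop words shorter than min_len letters."""
    return sorted({w.lower() for w in words if len(w) >= min_len})


def generate_passphrase(words=SAMPLE_WORDS, count=4, min_len=4, separator=""):
    """Pick `count` words at random from the pool.

    secrets.choice uses the OS CSPRNG; random.choice is not suitable for
    anything that protects an account. Words are drawn with replacement, so the
    entropy formula below applies exactly.
    """
    pool = build_pool(words, min_len)
    if len(pool) < count:
        raise ValueError("word list too small to build a passphrase")
    return separator.join(secrets.choice(pool) for _ in range(count))


def entropy_bits_words(pool_size, count):
    """Bits of entropy for `count` words chosen uniformly from `pool_size` words."""
    return count * math.log2(pool_size)


def entropy_bits_chars(alphabet_size, length):
    """Bits of entropy for `length` characters chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def words_needed(pool_size, target_bits):
    """Smallest number of words from `pool_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(separator="-"))
    # Four words from the 7,776-word EFF list versus an 8-character random
    # string from the 94 printable ASCII characters: both land near 52 bits.
    print("4 words  / 7776-word list:", round(entropy_bits_words(7776, 4), 1), "bits")
    print("8 chars  / 94 printable  :", round(entropy_bits_chars(94, 8), 1), "bits")
    print("words for 80 bits        :", words_needed(7776, 80))
```

The point the numbers make is that the strength comes from the words being chosen at random from a large list, not from the words being long or unusual. Four words from a list you picked yourself, or four words that make a sentence, do not get the 51.7 bits; the computer-drawn ones do, and adding a fifth word adds another 12.9 bits.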

Clicking on Spam Means More Spam

I can’t count the times that I have refreshed my emails, seen nothing new, and then checked the junk section out of boredom. Some of the emails look pretty interesting (we’re talking winning the African lottery/deceased long-lost relative sorta thing) and curiosity usually gets the better of me and I read them.

I know that they’re blatant phishing attempts, but my state of mind during this is “I’m on my phone, I’m not going to get a virus on my phone” and “it’s fine to open the email as long as you don’t click any links”. Curiosity might not always kill the cat, but it can certainly lead to a bored, nosey person unwittingly opening themselves up to criminals. Viruses for phones are much less common than for computers; however, they do exist, and the few seconds of satisfied curiosity after reading an elaborate story that accompanies a phishing attempt is absolutely not worth the risk.

To make it even worse, every time you open one of these emails, the sender is potentially analysing the open and click-through rates, just like in legitimate email campaigns. If you’re regularly opening emails from scammers, your email address becomes valuable. You are seen as a target with potential and scammers could sell your data to other scammers and spammers, meaning you will be bombarded with more and more emails.

After learning all this, I hereby pledge to never open a spam email again.

Leaving Stuff in My Car

I’m the person who gets in the car, throws my belongings onto the passenger seat and off I go. If I want to make a quick pit stop for fuel or food, it feels like far too much effort to then take the stuff out of the front and put it in the boot, especially when I only plan to be gone a couple of minutes.

The reality is that leaving a laptop bag or indeed any kind of bag on display in your car is incredibly foolish. What if one of the times I forget to lock my car door? One of the phrases that has now stuck with me from TAE’s training material is “opportunistic thieves”. Sometimes a person hasn’t stolen anything in their life but when presented with a perfect opportunity on a plate, that can quickly change. I have learnt to be less relaxed about things like this, and rather than the “if it gets nicked, it gets nicked” attitude, there is a real sense of worry about what someone could actually do with my laptop if they stole it, which brings me onto my last point…

Preparing for the Worst

Often we spend our effort on making sure that our belongings and data don’t end up in the wrong hands, and not enough time on preparations in case they do. Don’t wait until you lose your phone before frantically logging into the Apple website and praying that Find My iPhone is enabled, despite knowing that you’ve never taken the two minutes required to set it up.

Enabling these kinds of services allows GPS tracking to help you locate your device, and gives you the ability to lock it remotely so that the thief cannot get access to your data. Taking five minutes now to secure your devices and activate the lost-device features can potentially save you a huge headache.

Don’t Wait Until it’s Too Late

Online security is about putting the best defences you can in place and hoping they’re strong enough to keep intruders out. If you’ve never been a victim of an attack, it doesn’t mean that you’ve outsmarted the criminals, it probably means you haven’t been targeted yet. If your password is used across multiple accounts, was leaked in a data breach back in 2013, and you don’t even have an authenticator app installed, the odds don’t look good if you were to be targeted. Take some time to do a thorough review of your online security (our blogs are packed with information to get you started) and don’t wait until after you’ve fallen victim to put the right defences in place. I’m lucky that my stint with TAE opened my eyes to how prevalent cyber crime actually is – I’m now implementing better security practices before it’s too late.