Cybersecurity quick wins
This is a very basic guide to staying safe online, and offered as is. If unsure please seek expert advice.
Learn to spot phishing attacks
83% of successful attacks are phishing. When you and your colleagues learn to spot these you lock the main door against attackers.
Phishing is where an attacker messages you, usually by email, pretending to be someone else. They may present as a person (the CEO, a colleague, supplier or customer); or pretend to be an automatic email from an online service you use like Google, Microsoft or Dropbox.
Their aim is to extract money, sensitive information or passwords from you. They know that speed and panic are their friends, so they will often ask you to move quickly or try to scare you by saying that your account has been hacked.
Thankfully 99% of them are easy to spot. Keep an eye out for:
Fake email addresses and bad links: take this quick quiz, created by Google, to learn how to spot these.
Requests that feel odd or rushed: would the CEO usually email you directly asking you to make a payment? Would Microsoft call you out of the blue and ask you to log into a website?
Emails that look wrong: they often have different formatting, fonts and spelling mistakes. The writing style may not match normal emails from the person they’re impersonating.
If in doubt, don’t respond or click any links. If you have an IT team, you could ask them to double check. Otherwise, reach out to the sender using another channel (ideally by phone call, and not using a number on the email) to check if it’s real. If it’s an online service, don’t use the links in the email; just log into it your usual way and check it from there, or get in touch with them.
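The tells listed above (a display name that does not match the sending address, a link whose visible text points somewhere other than its real target, and rushed or threatening wording) can be checked mechanically. The script below is an added example, not part of the original guide; it runs over a constructed sample email (the addresses, domains and wording are made up) and reports each tell it finds. The "brand in display name" check is a crude heuristic for illustration only.

```python
"""Flag common phishing tells in an email: sender name/address mismatch,
links whose visible text differs from their real destination, unencrypted
links, and urgency phrases. Added example; sample data is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: not a real email, domains are invented.
SAMPLE_EMAIL = """\
From: "Microsoft Account Team" <security-alert@micros0ft-login.example>
To: you@example.com
Subject: Unusual sign-in activity - act now
Content-Type: text/html

<html><body>
<p>We detected a sign-in from a new device. Verify within 24 hours or your account will be locked.</p>
<p><a href="http://micros0ft-login.example/verify">https://account.microsoft.com/security</a></p>
<p>Questions? See <a href="https://support.microsoft.com">our help centre</a>.</p>
</body></html>
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = """\
From: "Example Support" <help@example.com>
To: you@example.com
Subject: Your monthly statement
Content-Type: text/html

<html><body>
<p>Your monthly statement is ready. See <a href="https://example.com/help">our help centre</a>.</p>
</body></html>
"""

# Visible link text that looks like a URL or bare domain (e.g. account.microsoft.com/security)
URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)
URGENCY = ("act now", "within 24 hours", "will be locked", "immediately")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a rough stand-in for a public-suffix lookup."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def analyse(raw):
    """Return a list of human-readable findings for one raw email."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1]
    # Tell 1: brand named in the display name is absent from the sending domain (heuristic).
    brand = name.split()[0].lower() if name else ""
    if brand and brand not in sender_domain:
        findings.append(f"display name '{name}' but sender domain '{sender_domain}'")
    body = msg.get_payload()
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        target = urlparse(href)
        # Tell 2: visible text is a URL/domain but the real destination is a different site.
        if URLISH.match(text):
            shown = urlparse(text if "://" in text else "https://" + text)
            if registrable_domain(shown.hostname) != registrable_domain(target.hostname):
                findings.append(f"link shows '{text}' but goes to '{href}'")
        # Tell 3: a plain-http link in a message about account security.
        if target.scheme == "http":
            findings.append(f"unencrypted link: {href}")
    # Tell 4: pressure to act fast, in the subject or the body.
    lowered = (msg["Subject"] + " " + body).lower()
    for phrase in URGENCY:
        if phrase in lowered:
            findings.append(f"urgency phrase: '{phrase}'")
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyse(sample) or ["no tells found"])
```

Run on the suspicious sample it reports six findings: the display-name mismatch, the link whose text says account.microsoft.com but whose target is another domain, the unencrypted link, and three urgency phrases; the benign sample produces none. Real mail clients and gateways do the same kind of checks with far larger rule sets, which is why the manual advice above (hover over links, compare the sender address, slow down) still matters for anything that slips through.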
Lock down your passwords
If a hack gets through, you can minimise its impact by practising good password hygiene. If you use the same password for everything then all the attacker needs is one password to get into all your accounts.
Data breaches, where hackers get hold of millions of people’s login details at once, are also very common. You probably already appear on a list somewhere, hopefully with an old password. You can check by searching your email address on here.
No one wants to remember dozens of passwords. Instead use a password manager, which is a password-protected lockbox that holds unique passwords for all your accounts. Come up with a single, new passphrase (a random combination of 3-5 words that you can remember) and use this for the password manager. Chrome and Google have a free password manager built in, so you can just set your Google account to your new passphrase and use it to create and store strong, unique passwords for all your other accounts. 1Password, LastPass and KeePass are other popular options. Turn on multifactor authentication for your password manager.
You probably also have lots of accounts where it doesn’t really matter if someone gets in, in which case you might be better off deciding which accounts are risky, and only worrying about those:
Low risk
Things like: news websites you signed up to in order to read an article, online voucher websites, any login where an attacker can’t really do any damage or access sensitive information.
Don’t worry too much about the security on these.
Medium risk
Things like: online shopping accounts, especially with card details saved, social media accounts.
Use a strong, unique password for these (using a password manager makes this much easier), and turn on multifactor authentication for the riskier ones so that you get a code texted to you to log in.
High risk
Things like: email account, online banking. Accounts which would give direct access to money or sensitive information.
Use a strong unique password for these, and make sure you turn on multifactor authentication. You might want to have a unique passphrase for banking that you don’t use or store anywhere else.
Everything else
Be sensible on your device:
Don’t download dodgy seeming software or browser extensions (you can search ‘is xyzsoftware safe reddit’ to check)
Install updates when you get nagged to
Be careful when using public wifi (just hotspot on your phone if you’re logging into anything risky)
Make sure the built-in antivirus and firewall are turned on (search for Windows Security or Mac XProtect to check)