With 2018 in the rear view mirror, it’s time to look ahead to 2019! And that means it’s time to make your New Year’s Resolutions! Sure, you’re going to join that gym and lose weight and quit smoking … yada, yada, yada. But what about your cyber goals for 2019? You do have them, right?? Well, let’s not make any rash assumptions…
(Cyber) New Year’s Resolutions
Seriously, though – there are probably several key things you’ve been putting off, planning to do “some day”. But I’m here to tell you that you can’t put these things off any longer. We’re getting more and more connected every day. The Internet of Things (IoT) is exploding, and all those newly-connected cheap devices have crappy security. That makes them easy for bad guys to co-opt and turn into evil minions. Breaches are becoming an almost-weekly occurrence. Things out there are getting worse, not better. So we’ll call these “New Year’s Resolutions”, but in reality this is the list of the things you should have done a long time ago.
1) Back Up Everything
Your best protection against having your data corrupted, lost, deleted or held for ransom is to have it all backed up. You need backups of any digital files that you can’t replace like family photos, home videos, historical documents, etc. Follow the 3-2-1 rule: three copies of every file (the original plus two backups), on two different kinds of storage, with one copy offsite. So ideally, you would have a cloud backup service (offsite) and a little USB external hard drive for local backups. The offsite copy matters because ransomware and house fires take out anything plugged into your computer. I personally like Backblaze for most people – it’s dead simple to use and the cost is very reasonable. For external drives, I’ve always been partial to the Western Digital portable drives. Both Macs and PCs come with free software to do local backups: Time Machine and Windows Backup, respectively. Whatever you pick, try restoring a file or two every few months; a backup you’ve never tested is a hope, not a plan.
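To make the “test your backups” point concrete, here is an added example (my illustration, not code from the post or from Backblaze/Time Machine) that checks a 3-2-1 set the way a careful admin would: it hashes every file in the original folder and compares against both backup copies, flagging anything missing or silently changed (a changed hash is what ransomware encryption or bit rot looks like), and listing files that are bad in both copies. The three folders and their contents are constructed sample data built in a temp directory, not real photos.

```python
"""Verify a 3-2-1 backup set: hash the original tree, compare against a local
and an offsite copy, and report what is missing, altered, or unrecoverable.
Added example; the sample folders below are constructed in a temp directory."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def check_backup(original: Path, backup: Path) -> dict:
    """One backup copy: which originals are absent, and which differ in content."""
    want, have = hash_tree(original), hash_tree(backup)
    missing = sorted(p for p in want if p not in have)
    altered = sorted(p for p in want if p in have and have[p] != want[p])
    return {"missing": missing, "altered": altered}


def three_two_one_report(original: Path, local_backup: Path, offsite_backup: Path) -> dict:
    """Check both copies; a file is only unrecoverable if BOTH copies are bad."""
    local = check_backup(original, local_backup)
    offsite = check_backup(original, offsite_backup)
    bad_local = set(local["missing"]) | set(local["altered"])
    bad_offsite = set(offsite["missing"]) | set(offsite["altered"])
    return {"local": local, "offsite": offsite,
            "unrecoverable": sorted(bad_local & bad_offsite)}


def build_demo() -> tuple:
    """Constructed sample data (not real files): an originals folder with four
    'photos', a USB copy where one file was overwritten (think ransomware),
    and a cloud copy that never received one file. d.jpg was never backed up."""
    base = Path(tempfile.mkdtemp())
    orig, local, offsite = base / "photos", base / "usb_backup", base / "cloud_backup"
    for d in (orig, local, offsite):
        d.mkdir()
    files = {"a.jpg": b"pic-a", "b.jpg": b"pic-b", "c.jpg": b"pic-c"}
    for name, data in files.items():
        for d in (orig, local, offsite):
            (d / name).write_bytes(data)
    (orig / "d.jpg").write_bytes(b"pic-d")          # new photo, not yet backed up anywhere
    (local / "b.jpg").write_bytes(b"ENCRYPTED!!")   # local copy silently corrupted
    (offsite / "c.jpg").unlink()                    # offsite upload never happened
    return orig, local, offsite


if __name__ == "__main__":
    o, l, s = build_demo()
    report = three_two_one_report(o, l, s)
    for copy in ("local", "offsite"):
        print(f"{copy}: missing={report[copy]['missing']} altered={report[copy]['altered']}")
    print("unrecoverable (bad in both copies):", report["unrecoverable"])
```

Run it and you get the practical answer the 3-2-1 rule is about: b.jpg is bad locally but fine offsite, c.jpg is missing offsite but fine locally, and only d.jpg, which was never copied anywhere, is actually at risk. Point the three `Path`s at your real photo folder, USB drive and synced cloud folder and the same check works there.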
2) Use a Password Manager
Database breaches are happening left and right and you can’t do anything to stop them. So you have to assume that your passwords are going to be stolen. Most sites don’t store your actual password; they store a hash of it (a one-way scramble, not the same thing as encryption). But if you pick a bad password, that doesn’t help much: the bad guys just hash millions of common passwords and variations of them and see which ones match the stolen hashes. When breaches are detected, most sites will force you to change your password. But the real problem is when you reuse those same passwords on other sites. Because this practice is so common, bad guys will try your hacked passwords everywhere else they can.
You need strong and unique passwords for each and every website. What is “strong”? Basically, this means long (greater than 12 characters) and totally random – not a word with a number and an exclamation point stuck on the end. The only practical way for a human to do this is to use a password manager. There are several good options out there, but I personally prefer LastPass. The essential features come with the free version. If you have a family, I would seriously consider the Family Plan for just $48/year.
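Here is an added example (mine, not from the post or from any password manager) showing both halves of that argument in a few lines of Python: an attacker with a leaked SHA-256 hash tries a wordlist plus the cheap “capitalize it, add 2019” mangles and recovers a weak password almost instantly, while a 16-character random password from a CSPRNG is out of reach of any list. The wordlist is a constructed stand-in for the real leaked-password lists attackers use, which run to hundreds of millions of entries.

```python
"""Weak vs. strong passwords against an offline hash-guessing attack.
Added example; COMMON_PASSWORDS is a constructed stand-in for real leak lists."""
import hashlib
import math
import secrets
import string
from typing import Iterable, Iterator, Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed sample wordlist; real attackers use leaked lists with
# hundreds of millions of entries, and try these same mangles on each one.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon",
                    "football", "iloveyou", "welcome"]


def store_hash(password: str) -> str:
    """What a breached site leaks instead of your password: its hash.
    Unsalted SHA-256 here for the demo; real sites should use a slow,
    salted scheme, which slows the attacker down but does not save a weak password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """Each word plus the cheap variations people think make it 'strong'."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for suffix in ("1", "!", "123", "2019"):
                yield base + suffix


def crack(leaked_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing: hash every candidate and compare with the leaked hash."""
    for guess in candidates(wordlist):
        if store_hash(guess) == leaked_hash:
            return guess
    return None  # not in the list: attacker has to brute-force the whole space


def generate_password(length: int = 16) -> str:
    """What a password manager does: every character from a CSPRNG, no patterns."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a truly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    weak = "Dragon2019"
    print("weak password recovered as:", crack(store_hash(weak), COMMON_PASSWORDS))
    strong = generate_password(16)
    print("random password recovered as:", crack(store_hash(strong), COMMON_PASSWORDS))
    print(f"16 random chars from 94 symbols = {entropy_bits(16):.1f} bits of guessing work")
```

“Dragon2019” looks like it satisfies every password rule a website ever showed you, and it falls on the first pass because it is “dragon” with a mangle. The random 16-character string is about 105 bits of guessing work, which is why nobody, you included, can be expected to memorize it; the manager remembers it for you.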
Another huge plus for using a password manager: they’re not fooled by look-alike phishing sites. The manager ties each password to the exact web address you saved it on, so a fake site at a slightly different address gets nothing. If your password manager doesn’t offer to fill in your password, stop and look closely – you’re probably not at the site you think you’re at.
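To show what that matching actually looks like, here is an added example (my illustration, not LastPass’s or any browser’s code) of the decision a password manager makes before offering a saved login: it compares the current page’s origin (scheme, host and port) with the one the password was saved on, and refuses anything that is merely similar. The PayPal-style addresses are constructed examples; the `paypal.com@evil.example` and Cyrillic-letter tricks are the classic phishing patterns this check defeats.

```python
"""Should a password manager autofill here? Only on the exact origin the
credential was saved on, and only over https. Added example; URLs are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url: str) -> tuple:
    """(scheme, host, port) as the browser sees it. urlsplit().hostname drops any
    'user@' prefix and lowercases the host, which is exactly what we want."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, host, port)


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Offer the saved password only when the origin matches exactly and the
    page is served over https (a downgraded http page could be an attacker)."""
    saved, current = origin(saved_url), origin(current_url)
    return current[0] == "https" and saved == current


if __name__ == "__main__":
    saved = "https://www.paypal.com/signin"
    # Constructed look-alikes a phishing email might send you to.
    pages = [
        "https://www.paypal.com/signin?returnTo=wallet",   # same site, different page
        "https://WWW.PayPal.com/",                          # case does not matter in hostnames
        "https://www.paypal.com.evil.example/signin",       # real name as a subdomain of theirs
        "https://www.paypal.com@evil.example/signin",       # 'user@host' trick; host is evil.example
        "https://www.paypаl.com/signin",                    # Cyrillic 'а' instead of Latin 'a'
        "http://www.paypal.com/signin",                     # same host, but no TLS
    ]
    for page in pages:
        print(f"{'FILL' if should_autofill(saved, page) else 'skip':4}  {page}")
```

Real managers relax the rule slightly so that `www.paypal.com` and `paypal.com` share a login (they match on the registered domain), but the part that matters is the same: “looks like PayPal” is never good enough, and that is a comparison a human eye fails at routinely.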
You probably have a ton of passwords to change. Start with the most important ones: financial, medical, social media and email. Hacked social media and email accounts can be used to trick your friends and family. And email accounts can be used by bad guys to reset your password using the “forgot my password” process.
3) Use Two-Factor Authentication (2FA)
Bad guys are coming up with some really tricky ways to get your passwords. Enabling two-factor authentication adds a second layer of defense against hacking. This means that even if your password is somehow lost, stolen or hacked, a bad guy with just the password still can’t get in. It’s like having a second lock on a door with a different key.
Not all websites support two-factor authentication (2FA) yet, but many now do (see this site for a nice list). You’ll need to install an authenticator app on your smartphone. This makes your smartphone effectively a second key. Once you enable 2FA on a site, you will be asked for a six-digit code the next time you log in. Usually, this is only once per site/device/location, because the site offers to remember the device. The code is a rolling value that you read off the authenticator app on your phone; it changes every 30 seconds, so a code a bad guy captures is useless a minute later. If a site only offers codes by text message, that’s still better than nothing, but use the app wherever you can: text messages can be intercepted or redirected by hijacking your phone number.
See this article for more info and help setting up 2FA.
4) Quit Using Chrome, Use Firefox
While Chrome is a very secure web browser, you have to assume that it’s horrible when it comes to privacy. Google is an advertising company, period. You are not their customer; you’re their product. Google wants to know everything about you, and just because they probably already do doesn’t mean you should let this continue.
You should use Firefox and you should install a small handful of privacy plugins. Seriously, you need to do this – it will go a long way towards improving your online privacy. See this article for full instructions.
On your smartphone, I would install DuckDuckGo’s browser (download here). You could install Firefox on your mobile phone, but they don’t allow extensions yet for iOS.
Bonus tip: if you need much stronger anonymity, use Tor Browser. However, it can be much slower – so in most cases, Firefox with privacy plugins will be sufficient.
5) Stay Up to Date
You need to keep your computers and mobile devices up to date. That means updating the operating systems as well as the applications – on computers as well as on mobile devices. Bugs are found and fixed all the time. Once the bugs are announced, the bad guys pounce, trying to exploit the weaknesses before people download the fixes.
Dig through the settings on your computers and smartphones. Enable automatic updates for both your operating system and your applications (macOS/iOS, Windows OS and apps, Android). You may have the option to have a different setting for security fixes than for feature updates. If so, be sure to auto-update for all security fixes.
On the flip side … if you don’t have the app installed, you don’t have to update it. Old apps that have been abandoned may be riddled with security problems and never get updated. Remove any and all apps that you don’t need or use regularly. You can always re-install them later if you need them.
6) Get Educated and Stay Informed
Things are happening so fast these days. New sites are breached and bad guys come up with clever new attacks all the time. How are you supposed to stay on top of all of this? Well, this is sorta my thing and I’ve got you covered:
- Firewalls Don’t Stop Dragons (book). The book is in its third edition now and was just recently updated. It has over 150 tips, complete with pictures and easy to understand step-by-step instructions.
- Firewalls Don’t Stop Dragons (podcast). If you have a daily commute or like to learn while you work out, this is a great option. I have a mix of current cybersecurity and privacy news along with insightful interviews, using language anyone can understand.
- Newsletter. I publish a newsletter every two weeks with at least one actionable tip. The topics usually address something that’s in the news.
- Other resources. I maintain a list of other really useful resources, as well – including other books, websites, podcasts, documentaries and more.
It’s crucial that we follow basic “internet hygiene”, effectively inoculating us against the most basic attacks. The more people do these things, the safer we all become – increasing our herd immunity. So spread the word!!