Optimism bias (AKA the “it won’t happen to me” bias) leads most people to believe that tragedies like terminal illness, bankruptcy, and homelessness “only happen to other people.” The same thing goes for cyberattacks. However, with data security becoming a global issue—in the US alone, 64% of adults have experienced a data breach—that optimism is giving way to pragmatism and a growing awareness of cyber hygiene.
In fact, the theme for this year’s Cybersecurity Awareness Month—“Do Your Part. Be #CyberSmart”—emphasizes the personal accountability of each and every internet user to protect their data, recognize scams, and keep their devices from being compromised. Presented by the Cybersecurity and Infrastructure Agency and the National Cyber Security Alliance, Cybersecurity Awareness Month is now in its 18th year. Every October, the FBI and other partner agencies remind Americans to establish basic safeguards against identity theft and fraud.
While the most publicized cyberattacks happen on a massive scale, with cybercriminals seizing information on millions of consumers, some attacks are much smaller—and more personal: someone crashing your Zoom meeting, hacking into your social media accounts to impersonate you, or cracking the password to your email account as a means of gaining access to your bank account. According to Norton, more than half of all consumers have experienced cybercrime, with around one in three falling victim in the past year alone, and remote work has made it easier than ever for criminals to target their victims. Since COVID-19, the FBI has seen a 300% increase in reported cybercrimes.
“For me, being cyber smart and practicing good cyber hygiene means being aware and taking responsibility for your online use and presence,” said Vianey Luna, a student in Springboard’s Cyber Security Career Track. “Since I have started studying cybersecurity, I’ve realized that many of the incidents in cybersecurity are due to human error and a lack of user education.”
With that in mind, we compiled a list of eight ways to protect yourself online and asked three Springboard students to share their top tips on how to be #CyberSmart.
1. Secure Your Wifi Network
The first step to personal cyber hygiene is securing your home Wifi network, which is the primary entry point for cybercriminals to reach every device connected to it.
Sniffing is the most common method hackers use to steal information over a Wifi network: the attacker captures packets of data as they travel between a device and the router, copies them to their own machine, and runs brute-force tools on them in an attempt to decipher the contents. Dedicated software applications called wireless sniffers (also known as packet analyzers) can analyze a packet in a matter of minutes; they intercept data as it is transmitted over a network and decode it into a format that is readable for humans.
To avoid falling victim to sniffing, change the default username and password that your internet service provider set on your router. This helps prevent hackers from gaining access to your Wifi and piggybacking on it (using your internet connection without your permission, which is illegal under federal law). Remember that anyone within wireless range, roughly 150-300 feet of your access point, can reach your Wifi; a piggybacker can raise your internet bill, slow down your connection, or gain access to your devices.
When using a public network, such as at a coffee shop or airport, beware of the evil twin attack. Hackers will spoof a legitimate Wifi network by setting up a fake access point to impersonate another network. By using a broadcast signal stronger than one generated by the legitimate network, hackers attract people to use the fake access point instead. Once the victim uses the attacker’s system to connect to the internet, the adversary can use decryption tools to read any data the victim sends over the internet, such as credit card numbers and personal information.
Be aware that hackers use the same SSID (Service Set Identifier) as the genuine Wifi network, so if your device is set to automatically connect to a specific network—such as the Wifi at your local library—it could inadvertently connect to an evil twin without being able to tell the difference.
Tip: Use a VPN (Virtual Private Network) whenever you connect to a public network. A VPN is a service, usually installed as an app, that routes your internet traffic through one of the VPN provider’s servers. Because your traffic appears to come from the VPN’s server, your IP address is hidden from the sites you visit, and the traffic between your device and the VPN server is encrypted, so others on the public network cannot read it.
“Good cyber hygiene to me is being aware of common cyber threats (e.g. phishing) and practicing good account management,” said Dylan Wood, a student in Springboard’s Cyber Security Career Track. “Use a VPN on both your phone and computer when you can.”
When connecting to a public network, ensure that you deny sharing files and folders with other devices. Your computer will usually prompt you to enable or disable file sharing permissions when you first connect to the network. Only allow sharing on recognized home networks—and even then, only when file sharing is necessary.
2. Passwords and 2FA
Don’t skimp on good password hygiene. Unless you use multi-factor authentication (more on that later!), a strong password is the only safeguard against a threat actor accessing your email, social media networks, and other accounts that typically use single-factor authentication (requiring only one form of authentication, such as a password, to enter).
Create complex, unique passwords for each account, using at least 12 characters that mix letters, numbers, and special characters. Equally important is changing your passwords regularly. Some company email servers require employees to change their passwords on a regular basis, but private individuals don’t necessarily have the same incentive to do so. In fact, 69% of people say they do not worry about how secure their online passwords are, according to a survey by Pew Research.
“Anyone can get a list of the top 10 million passwords online right now for free,” said Wood. “A hacker can brute force their way into your account in a matter of minutes if your password is simple.”
A brute-force attack uses trial and error to guess passwords, encryption keys, or the addresses of hidden web pages: the attacker tries every possible combination until they find the right one.
Avoid including any personally identifiable information (PII) in your password, such as your date of birth or your city. Beware of any publicly available personal information on social media that can be used to guess your password or answer your security questions for password retrieval.
“Be careful what you reveal about yourself online,” said Bismar Montano, a student in Springboard’s Cyber Security Career Track. “The amount of information that is available about you online is alarming, and the amount of open-source intelligence someone can obtain on a target is really astonishing.”
Safeguard your most important accounts—such as your online banking account—using two-factor (2FA) or multi-factor authentication (MFA). 2FA usually requires you to submit your username and password along with a one-time code sent via SMS or email. MFA can add a further layer with biometrics such as a fingerprint or facial recognition, making it far harder for anyone but you to gain access to your device.
“Since I’ve started studying cybersecurity I have really focused on using a password manager to create unique passwords for each account I have,” said Wood. “While I am not 100% there with updating my account passwords, I have updated my critical accounts like my bank and email.”
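The password advice in this section, turned into a check you can run locally. This is an added example, not code from the original article or from Springboard; COMMON_PASSWORDS is a small constructed stand-in for the “top 10 million passwords” lists mentioned above, and the sample passwords and personal details at the bottom are made up.

```python
"""Password hygiene check: an added example, not code from the original article.

It applies the article's advice: at least 12 characters, a mix of letters,
numbers and special characters, no personal information (PII) embedded in the
password, and no match against a list of commonly used passwords.
COMMON_PASSWORDS is a constructed stand-in for a real leaked-password corpus.
"""
import math
import re
import string

MIN_LENGTH = 12  # the article's recommended minimum

# Constructed sample of a common-password list; a real check would load a
# full breached-password corpus from disk.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "admin",
    "welcome", "monkey", "dragon", "football", "sunshine", "princess",
}


def character_classes(password: str) -> int:
    """Number of character classes used: lowercase, uppercase, digits, symbols."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def guess_space_bits(password: str) -> float:
    """log2 of the search space a brute-force attacker would have to cover.

    This is an upper bound: it assumes the attacker knows only the length and
    the character classes, which is exactly the assumption a dictionary of
    leaked passwords defeats.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def contains_pii(password: str, pii) -> list[str]:
    """Return the personal details (birth year, city, pet's name...) found inside the password."""
    lowered = password.lower()
    return [item for item in pii if len(item) >= 3 and item.lower() in lowered]


def check_password(password: str, pii=()) -> list[str]:
    """Return the list of problems found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    else:
        # "Password123!" is still "password" to a cracker that strips the decoration.
        core = re.sub(r"[^a-z]", "", password.lower())
        if core in COMMON_PASSWORDS:
            problems.append(f"is the common password '{core}' with decoration added")
    found = contains_pii(password, pii)
    if found:
        problems.append("contains personal information: " + ", ".join(found))
    return problems


if __name__ == "__main__":
    # Constructed sample passwords and a constructed list of the user's own PII.
    my_pii = ["1999", "Austin", "Fluffy"]
    for candidate in ("Password123!", "fluffy1999", "correct-horse-Battery9"):
        verdict = check_password(candidate, my_pii) or ["OK"]
        print(f"{candidate!r}: {guess_space_bits(candidate):.0f} bits; " + "; ".join(verdict))
```

The bit estimate is deliberately naive: it shows why length beats complexity against pure brute force, while the list check shows why neither helps once the password is in a leaked corpus.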
3. Install Antivirus Software
The best offense is a good defense. Antivirus software is a program that scans for and eradicates computer viruses and malware such as worms, Trojan horses, and spyware. It achieves this by doing the following:
- Scanning files, web pages, software, and web applications for the presence of malicious software (malware)
- Scheduling and performing automatic scans
- Erasing malicious codes and software
- Monitoring the health of your computer and other devices
Some software offers additional protection such as website blocking and firewall customization. The software detects threats by comparing your computer’s programs and files against a database of known malware. Most programs use three types of detection: specific detection, which identifies known malware; generic detection, which looks for known parts or families of malware that share a common codebase; and heuristic detection, which hunts for unknown viruses by looking for suspicious file structures.
4. Attack-Proof Your Social Media Accounts
Avoid divulging personally identifiable information (PII) on social media. Review privacy settings across all of your social media accounts to adjust who can view your posts, photos, and other information.
“It is very important to limit the personal information we share online,” said Luna. “For example, family members’ names—including our pets—address, birth date, car information, workplace information, and phone numbers, just to name a few.”
Hackers can harvest personal information from your social media account to target you on a different platform, for example by guessing your password based on your place of birth, or by pretending to be a close friend or family member based on publicly available information about who you interact with most.
Remember that any information you enter on your social media profiles—even if you’re the only one who can see it—is still up for grabs in the event that the social media platform is hacked.
“My understanding of cyber hygiene has changed a lot since I started studying cybersecurity,” said Bismar Montano, a student in Springboard’s Cyber Security Career Track. “It has shown me that not being careful with my information online can leave me vulnerable to attacks.”
When LinkedIn was hacked in 2016, attackers gained access to the account credentials of 117 million users, and sold them on the darknet. When Twitter was hacked in 2020, cybercriminals accessed the login credentials for some of the most influential Twitter handles, including former president Barack Obama and Tesla CEO Elon Musk. Hackers issued fake tweets from these accounts asking followers to send Bitcoin to an anonymous URL in exchange for having their money doubled.
5. Learn to Recognize Phishing
Phishing scams have come a long way from the Nigerian prince emails of the early 2000s—although those still rake in more than $700,000 a year. Phishing refers to scammers using social engineering techniques to manipulate the unsuspecting into revealing personal information. Scammers typically impersonate a legitimate business using email, social media, phone calls, and text messages to make contact with their victims. In fact, 92% of malware is delivered by email, and over 75% of all cyberattacks begin with email.
Usually, the scammer will ask you to provide or confirm your personal information because the organization is “verifying customer information.” Sometimes, the scammer will say that the business detected suspicious activity on your account and they need to verify your identity. They may threaten to deactivate your account “for security reasons” if you don’t provide this information in a timely fashion. For example, a scammer pretending to represent your bank might say that a large purchase was made from your account in a foreign country and may ask you to verify the purchase. If you say no, they’ll ask you to provide your credit card information in order to have the funds restored.
Montano said he received a suspicious email a few months ago regarding his Amazon account. When he checked the email address it originated from, he noticed it looked suspicious. “I didn’t react to the email; I just reported it and signed into my Amazon account—taking care not to use the link in the email—and I changed my password,” said Montano. “Then I checked all my other accounts to make sure nothing was wrong.”
Spear phishing is a targeted type of phishing attack in which threat actors use highly specific information about the victim to successfully impersonate a legitimate business or close confidant. Disclosing too much information online can give hackers the details they need to fool you into thinking they are someone you know.
“Spear phishing emails tend to target specific individuals,” Luna said. “Crafting a campaign that includes highly personal information makes users more susceptible to an attack.”
The most mainstream phone scam involves call spoofing, where attackers disguise their phone number as the number of someone you know, or a business in your local area. Criminals pretending to represent a company might inform you that you’ve won a cruise or prize money, and that to receive your reward you simply need to confirm your identity by verifying personal information such as your credit card number and date of birth.
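The checks Montano describes (looking at where the email actually came from, and not following its link) can be scripted for a saved message. The following is an added example and not code from the original article: it flags a From address whose domain is not the brand’s own despite a convincing display name, a Reply-To pointing elsewhere, links whose visible text names one site while the href goes to another, and pressure language. SAMPLE_EMAIL is constructed; its sender and link hosts use the reserved .example TLD and are not real, and amazon.com appears only as the brand the message pretends to be from.

```python
"""Phishing triage for a saved email: an added example, not code from the original article.

It checks the tell-tale signs described in the text above: a From address whose
domain is not the brand's own despite a convincing display name, a Reply-To that
points somewhere else, links whose visible text names one site while the href
goes to another, and pressure language ("verify", "suspended", "within 24 hours").
SAMPLE_EMAIL is constructed; the .example hosts in it are placeholders.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

PRESSURE_PHRASES = ("verify", "suspend", "deactivat", "immediately", "24 hours", "confirm your")

# Constructed sample message.
SAMPLE_EMAIL = """\
From: "Amazon Customer Service" <security-alert@amaz0n-support.example>
Reply-To: recover@mailbox-relay.example
To: you@example.org
Subject: Action required: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected suspicious activity on your account. Your account will be
suspended unless you confirm your details.</p>
<p><a href="http://amazon.example-login.example/verify">https://www.amazon.com/account</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address_or_url: str) -> str:
    """Last two labels of the host in an email address or URL, lowercased.

    Good enough for this demo; a production check would consult the public
    suffix list so that, e.g., co.uk is not treated as a registrable domain.
    """
    if "@" in address_or_url:
        host = address_or_url.rsplit("@", 1)[-1]
    else:
        host = urlparse(address_or_url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw_message: str, claimed_domain: str) -> list[str]:
    """Return a list of findings; an empty list means no phishing signal fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg["From"])
    if domain_of(from_addr) != claimed_domain:
        findings.append(f"From address {from_addr} is not on {claimed_domain} "
                        f"despite the display name '{display_name}'")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append(f"Reply-To {reply_to} goes to a different domain than From")

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = (msg["Subject"] + " " + body).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    collector = LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        if visible.startswith("http") and domain_of(visible) != domain_of(href):
            findings.append(f"link text shows {domain_of(visible)} but points to {domain_of(href)}")
        elif domain_of(href) != claimed_domain:
            findings.append(f"link points to {domain_of(href)}, not {claimed_domain}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL, "amazon.com"):
        print("-", finding)
```

Each finding on its own is only a signal; what makes the sample message convincing to a reader is that all four fire together, which is the pattern worth training yourself to notice.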
6. Regularly Update Your Software Applications
Out-of-date or unpatched software is another entry point for hackers to exploit a security vulnerability in your computer or smartphone. Patches are code fixes for security vulnerabilities and for bugs that cause software to behave abnormally. All software has bugs, resulting from flaws in design and/or implementation.
Software updates can include crucial patches designed to fix bugs or eliminate entry points. For safety reasons, developers don’t always publicly announce new patches because this would alert hackers, who will try to find ways to circumvent the new protections. Make sure your software applications are set to do automatic software updates or schedule time each month to approve new updates. Finally, don’t forget to delete any software applications you no longer use.
7. Secure Your Mobile Device
Your mobile device and computer are equally prone to cyberattacks, and data shows that mobile malware is on the rise: the number of new mobile malware variants increased by 54% in 2018, according to PurpleSec.
- Check app permissions
Allow the minimum necessary permissions for apps installed on your mobile device. Some apps can access your camera, microphone, and contacts by default unless you disable these permissions in your smartphone’s settings. For apps that require location tracking access when in use, such as maps or rideshare apps, make sure you select ‘Allow only while using the app’ rather than allowing the app to track you all the time.
- Delete apps you no longer use
Some apps may have access to sensitive information, or may become outdated if you don’t regularly update them (or if the publisher stops shipping updates), creating vulnerabilities in your mobile device.
- Be choosy about which apps you download
The Google Play Store, the official app store for Android devices, has been known to harbor malware-laced apps that allow attackers to remotely steal data. Earlier this year, researchers identified nine malicious apps on the store that had the AlienBot and MRAT malware baked into them. AlienBot lets attackers control a device remotely as if they were holding it in their hands: they can install new applications on the device or control it with TeamViewer. MRAT, meanwhile, has information-gathering capabilities plus app and file deletion. Google Play Protect runs safety checks on apps before you download them and then checks your device for harmful apps from other sources, but some malware can still pass undetected.
- Install antivirus software
Yes, your mobile device needs this, too.
- Beware of “juice jacking”
Be wary about charging your phone at public USB points, which can be infected with malware that has the ability to lock devices, track keystrokes, and share passwords with hackers. In fact, the malware can be loaded onto the USB port or the USB cable, so even using your own USB cable doesn’t necessarily protect your device. This is due to a smartphone design flaw, where the power supply and the data stream pass through the same cable. When your phone connects to a device, it pairs to that device, meaning the two devices can share information. However, when you plug your phone into a public USB port, you don’t know what device your phone is connected to. During the charging process, the USB cord opens a pathway into your device that a cybercriminal may be able to exploit.
Malware from USB ports comes in two forms: a crawler program that searches your device for PII, account credentials, and financial information, and malware apps that can clone your phone data and transfer it back to the attacker’s device. Spyware can reveal your GPS location, social media interactions, call logs, online purchases, and more. Apple and Google have added safety features to iOS and Android devices to protect against juice jacking, and it hasn’t been found to be a widespread problem just yet.
8. Periodically Check to See if You’ve Been Compromised
Another basic step in a good cyber hygiene regimen is checking whether your details have already been compromised. Websites like haveibeenpwned.com and breachalarm.com allow you to search across multiple data breaches to see if your phone number or email address has been exposed online.
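haveibeenpwned.com also offers a Pwned Passwords service that goes beyond the email and phone lookups described above; the following is an added example and not code from the original article. The description of that service is the example author’s, not the article’s: it holds SHA-1 hashes of passwords seen in breaches and answers queries by the first five hex characters of a hash, returning every suffix sharing that prefix together with a count, so the client never discloses the password or its full hash (the k-anonymity pattern). CONSTRUCTED_RANGE stands in for the service’s reply so the example runs offline; its counts are made up, and only the first suffix is real in the sense that it completes SHA-1("password").

```python
"""Checking a password against a breach corpus without disclosing it: an added
example, not code from the original article.

Only the first five hex characters of the password's SHA-1 are sent; the full
hash stays on the client, which scans the returned suffixes locally.
CONSTRUCTED_RANGE replaces the network reply so this runs offline.
"""
import hashlib


def hash_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent and the 35-char suffix that is kept on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how many times the password appeared in breaches (0 = not found).

    fetch_range(prefix) -> str is injected so the lookup can be served from a
    constructed response here and from the real endpoint in live use.
    """
    prefix, suffix = hash_prefix_and_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed reply for prefix 5BAA6, the prefix of SHA-1("password").
# Counts are made up; the first suffix completes that hash, the second is filler.
CONSTRUCTED_RANGE = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2\r\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Serve the constructed response; unknown prefixes get an empty body."""
    return CONSTRUCTED_RANGE.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Query the real range endpoint (needs network access; not used offline)."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "cyber-hygiene-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct-horse-Battery9"):
        print(pw, "->", breach_count(pw, offline_fetch), "breach hits (constructed data)")
```

Swap `offline_fetch` for `live_fetch` to query the real service; the point of the prefix split is that doing so still reveals nothing useful about the password to anyone observing the request.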
Is cybersecurity the right career for you?
According to Cybersecurity Ventures, the cybersecurity industry is expected to have 3.5 million high-paying, unfilled jobs this year. With Springboard’s comprehensive Cyber Security Career Track, you’ll work 1:1 with an industry mentor to learn key aspects of information technology, security software, security auditing, and finding and fixing malicious code. Learning units include subject-expert-approved resources, application-based mini-projects, hands-on labs, and career-search coursework.
The course will culminate in a multi-part capstone project that you can highlight on your resume for prospective employers or use to demonstrate your technical knowledge in your job interview. The learning materials will also help prepare you to pass the globally-recognized CompTIA Security+ certification so you stand out when applying for cybersecurity roles.
Learn more about Springboard’s Cyber Security Career Track here.