It’s really important to Stay Safe Online. But since starting my business, I’ve seen malware-infected machines (Windows and iOS) and email accounts that have been hacked. So I’ve put together this essential security guide to help you #StaySafeOnline.
Stay Safe Online: the basic concepts
I’ve listed the basic principles that will help you stay safe online. Most points have a more detailed explanation, with suggestions on how you can manage the risk. Links here are not affiliated and reflect my personal opinion. There will always be other options to choose from, and you should do your own research. The information contained here is accurate at the date of writing, but this is a fast-changing area. I will try to review this guide every 6 months or so. I hope you find it useful.
This guide was last updated in May 2020.
Keep your Operating System up to date
Operating system updates often patch security vulnerabilities. Always stay up to date, whether you run Windows, iOS or Android.
- Passwords should be unique to each website, and difficult for others to guess.
- Ideally, passwords should not be written down. They must be kept as secure as possible.
- Where offered, and practical, 2-factor authentication (2FA) should be used.
Devices should be protected with a lock screen. This could be a pin code, fingerprint ID, password or face ID.
Run an antivirus, and check for malware regularly. At present Windows Defender is good enough, but there are other free options that may give more protection. Always scan downloads or installation files (.exe) before opening or running them.
- Keep your browser up to date.
- Never click on adverts in search results.
- Install a browser add-on to help you identify dangerous sites.
- Never click on links in emails. Even if you trust the sender and it looks legitimate.
- Only use secure WiFi networks for banking and emails.
- Keep your social media profiles as locked down as possible.
- Be aware of what personal information you share, and who you share it with.
- Do not comment on viral posts by giving away information such as your birthday.
- Only accept friend requests from people you know.
- If something seems too good to be true … beware!
- Change the default passwords for your wifi and router.
- Never allow remote administration of your router.
- Always keep your router firmware up to date.
Use unique, difficult to guess, passwords
It’s difficult. I know this. But you need to use unique passwords for online accounts. In particular, you must use unique passwords for important accounts. I define those as ones which hold financial details (eg a credit card), or which hold sensitive personal information about you (eg HMRC).
Don’t use passwords that are easily guessable e.g.: the name of your pet; your maiden name; your street name. Instead try using a memorable phrase, for instance, the first line from a favourite book.
You could use a password manager. I use LastPass. This generates random, unique passwords for every website and stores them securely for me. I only have to remember my master password. And only I know that.
If a password manager seems too scary, then at least keep a note of your passwords safe somewhere. Don’t store them on your computer.
Why is using unique passwords so important?
Data breaches happen and will continue to happen. They will affect you. When a site is breached, hackers will steal email addresses and passwords. The passwords might be encrypted, but they can be decoded. So the hackers now have a list of email addresses and passwords. And they will use these to try to get into different websites! So if you were a victim of the Twitter hack last year, and used the same password for Amazon, your Amazon account would also have been compromised.
How can I find out if my data has been stolen in a breach?
There’s a great website you can sign up to, for free, which will tell you if your data has been stolen: Have I Been Pwnd. Enter your email address for a report, and then sign up to be notified of future breaches affecting your email address. They don’t spam you.
If you are the victim of a hack, change your password immediately.
What is 2-factor authentication, and can it help?
Two-factor authentication (2FA), also called 2 step verification, occurs when you link a second ‘thing’, usually a mobile phone, to your sign-in process. It is a way to check that you really are ‘you’. If you have 2FA set up on an account, you will need to enter your login details and then a ‘one-time passcode’ (sometimes called an OTP) to log in. The company will send that code to your phone. This is great – if you have a phone signal! And it will make your account more secure.
The other way 2FA is implemented is via an app that will generate unique codes. Google authenticator is one example. In this case, you register accounts with the app, and it will generate codes for you. Use the app whilst logging into your account. This way relies on a data signal rather than a phone signal, so it can be used in phone blackspot – if you have (secure) WiFi.
So if you can make 2FA work for you, without having to run outside and wave your phone around in a field, you should definitely add it to accounts to make them more secure.
This rule is simple. Use a screen lock on each device.
It could be a password or fingerprint ID, or a pin number. A screen lock secures your device from unauthorised use. And fingerprint ID can be used on a tablet or phone to securely access apps, like banking apps. You can tell that fingerprint ID is regarded as safe if banking apps have adopted it. Personally, I would use fingerprint ID over Face ID, as I think it is more secure. However, if you have the latest iPhone, you may not have a choice in the matter.
Antivirus and Malware Protection
You need antivirus and malware protection on your computer. I always recommend either Avast! or AVG for a really good, free, antivirus (available on Android and iOS too). Windows 10 computers come with Windows Defender, and in the past this really wasn’t good enough. But at the time of writing (February 2020) it does perform as well as other leading programs. So you don’t have to have 3rd party software installed. If you do, I recommend Avast! – just ignore all the popups trying to get you to upgrade. I would not recommend MacAfee or Norton, simply because they are not free, and are very bloated so they will likely slow up your computer.
You also need antivirus protection on your phone, especially if it is an android phone. It is much easier to get an app listed on the Android Store than on the Apple Store. Here are the best Android antivirus apps for 2020. Once more, I would have a preference for Avast!, AVG or Bitdefender. They are trusted companies with long track records of keeping us safe. Pick one that allows scheduled scans on the free version, if you are not going to pay. Avast! fulfils this criterion.
For an iPhone or iPad Avira looks like the go-to app according to this review. Again this is a respected and trusted name.
Windows Defender does not protect your computer from Malware. And in this case, there really is only one show in town. Get Malwarebytes. It is quite simply the best tool out there. The paid version will run in the background, giving real-time protection. But the free version is entirely fine. You just need to run a scan manually every so often.
I don’t need Antivirus or Malware protection. I have a Mac.
Wrong. My recommendations for Macs are exactly the same as for Windows computers. Avast Free and Malwarebytes. I have personally encountered 2 macs infected with malware. And Malwarebytes found and secured the threats. You can read more about Mac options here.
Best practice when downloading files or installing programs
Always scan file downloads and program install executables (.exe files) before opening them. Scan them with both your Antivirus and Malwarebytes. Don’t trust companies not to bundle adware with installs. I’ve been caught with that from a developer I thought was reputable before.
Browsing and Email Best Practice
Keep your browser up to date and clean
Always keep your browser up to date. Do not use Internet Explorer. Use Edge if you must. Better still, use Chrome, Firefox or Opera. Opera is a great lightweight option.
Only install minimal, trusted, browser extensions. They could contain malware and will slow your browser down. One extension I would definitely recommend is Avast Online Security. It will help protect you from fake websites and phishing scams. It also has cookie and ad blocking!
Things you should never click on
Never click on adverts in search results. These are paid for and can occasionally contain an ad for a fake site. So always scroll down to the ‘real’ results. You can easily tell the adverts as they will have ‘Ad’ next to them!
Never click on links in emails.
I cannot stress this enough. Even if you (think you) know the email is legitimate, there is always a chance it is a scam. See this Facebook post about an Amazon phishing email I received as an example. Instead, search for the website, or better yet use your bookmark.
If you do click a link on an email, don’t panic. If you have a good antivirus, that will probably stop you. If it doesn’t, look carefully at the actual web address you have been sent to. If it’s a scam, it’s more than likely not the website you thought you were visiting. Visiting the website in and of itself isn’t necessarily going to be the problem. The damage is caused when you submit your email and password.
Your bank should never ask you to log into your account via a link in an email. My banks don’t.
Other companies are not so good. BT send me emails to check my bill with a big ‘Log In’ button. I never click it. And it’s no surprise that BT is a prime target for phishing emails. Since I launched the Greystoke Geek, I have already seen 2 separate instances of BT Email accounts being hacked, with emails being forwarded to the hackers’ account, contacts being harvested, and replies being sent to the wrong address. Both, I suspect, were caused by a phishing email.
And remember, once a hacker has your email and password combination, not only can they access that account, but also any others where you use the same password.
What not to do on Public WiFi
Don’t log in to websites on public WiFi, particularly sensitive sites. Public WiFi is not secure. Do not trust it. My advice would be: Only do your online banking at home.
Social media is a great tool for connecting and sharing information. But it is also a target for scams. There are too many to list here, and they will change. But the basic principles stay the same. If something is too good to be true, it probably is. Make sure you do not download ‘updates’ to software when clicking links – your antivirus should protect you if you do. Only accept friend requests from people you know. Keep your security settings locked down. Don’t share your profile with other pages or sites – the Cambridge Analytica scandal is a great example of how these pages can harvest personal data from millions of people.
Be aware of posting about your current location. This can be used by burglars to help target empty homes. And remember that whilst some sites, like Facebook, can be locked down, other sites like Twitter may work best for you when tweets are public.
So always be conscious of what you are posting, and who can see it.
Some external reading
WiFi and Router Security
This is going to get a little more technical. Sorry. But remember you can always call me!
Why do I need to change the passwords?
The basic premise we will start from is this: All routers ship with a default WiFi password and a default router password. The router is how you configure your WiFi. Lists of these router and Wifi passwords exist.
Using what is known as a ‘brute force attack’ (running through every combination of these passwords) a hacker could gain access to your WiFi, and then your router. If a hacker has access to your router, they can then spy on your network traffic (‘sniff’ it), download malware and worse.
Now, admittedly a hacker would have to be sitting outside your house (unless you have switched on remote administration for your router – more of that soon). But it is still a risk that you can mitigate.
Log into your router to change your passwords
You need to know the IP address of your router before you can log in. Fortunately, some companies, like BT, make this easy for us by putting it on the back of the slide-out card on the router. For BT and Plusnet, for example, you should log in here: http://192.168.1.254/ If you don’t know the IP address, try a google search or follow this guide (warning: very technical).
Log in using the default admin user ID and password. You should then be able to navigate through the screens to find out where to change the router password and the WiFi password. I can’t list every router here, but feel free to #CallTheGeek if you need help on this!
Everything I said about passwords earlier still applies. Make these WiFi and router passwords unique, and very strong. For the avoidance of doubt do not use the same password for both.
Don’t switch on remote administration
You may have an option to allow remote administration of your router. Do not switch this on. You don’t need it, and it could allow a hacker access. BT routers do not have this option.
Keep your router firmware up to date
If you have a BT router, they will automatically update it for you. Other companies may do the same. If you have Avast! antivirus installed you can check yourself by running a scan. Choose ‘Protection’ from the right-hand menu, and then select ‘Wi-Fi Inspector’.
If you need to update, then you should log into your router, and update it from the admin panel.
Well done for getting this far! This may all sound scary, but it’s just getting into good habits. And I can always help if you get stuck. So remember, #StaySafeOnline
Feel free to comment with thoughts or experiences below, or over on my Facebook page