October is National Cyber Security Awareness Month, and in this series of blogs, we will be providing simple tips and tricks to help you and your staff with adjusting their security behaviour to remain ever vigilant against the threats that criminals pose to our digital lives.
So far, we have covered:
Looking after yourself and your devices
Updating devices and apps
Securely logging into services
In this final instalment, we want to look at security behaviour.
I’m an expert, let me out of here
Welcome to the internet! Here is your guide, oh wait, there isn’t one.
It amazes even now that when you first get a device, whether it is a phone, tablet, laptop or desktop, there is no manual for the internet. We use it every day. We use it to organise our lives, communicate, do financial transactions and all this with no reference manual, guide or training. Is it any wonder that so many people make mistakes that get them into trouble? This final blog is about security behaviours that can cause you issues whilst navigating the 1.74 billion websites on the internet.
Some of the issues we have been around on the internet itself. At some super speed, the internet grows, daily, hourly – in fact, in the minute you have read this so far, 404,000 hours of Netflix have been watched. New users are added, new websites are created, new fads are created, and old ones die.
As an end-user of the internet, it can feel like you are at the end of an enormous waterfall and you are clinging on for dear life! So be aware of new apps that spring up from nowhere and become the latest fad. Be mindful of what they are asking of you and how they work. Highly addictive games can very quickly get you to a point where to progress, you need to pay for in-game upgrades.
One recurring theme in this blog will be data. The internet is made up of data. Information has been put into a website or app, and it is there for you to view. It may be facts, opinions, images, misinformation – whatever it is, it is just data.
Anxiety on the internet can quickly happen. The pressure may come from a feeling of the fear of missing out (FOMO), having imposter syndrome (will I be caught out), body image, mental health, scams, criminals, privacy, and data breaches. Just stop.
If you feel anxiety whilst navigating the internet, using an app, or reading something, stop.
Take your hands off the device and lay them down. Take a moment to breathe and be calm. Think about what on the screen is causing you that anxiety. Remember, it is data. Usually, people are not scared of numbers and letters, that is what is on the screen. Numbers and letters. Think about how real that information is and if it may have been put up there to try and create an emotional reaction in you, the reader. If so, scroll past it, it is ok, you are in control, and there are still a billion or so other websites you can go on to!
The art of the scam
We know that attackers are trying to get us to click things and do things that we would not normally do. After all, we spend a significant amount of time being the attacker in penetration tests and phishing campaigns for clients. The primary attack method is email and if you look at your email do you think you could work out the scam from the genuine emails?
The usual advice is to look for spelling mistakes and inaccuracies, but the criminals have got wise to this, and now modern scam emails are even harder to spot.
I want to teach you a simple set of things to look out for – credit to Human Factor Security or this list.
If you receive an email, an advert, or a website from a source that you do not know personally, think about how it is trying to make you react:
Is it trying to raise your emotional state?
Is it pressuring you to act within a timeframe?
Is there money involved?
Are they asking you to keep quiet?
Any of those four should be a red flag to make you look at your screen a bit more closely and think “Scam or not?”
To share or not to share, that IS the question
Have you ever looked at something someone has posted on the internet and thought to yourself, why on earth have they put that there? An embarrassing story, too much personal information, something very private, an admission of something they have done.
Social media is an expert environment built around the psychology of feeding the great machine with your data with an endorphin rush caused by someone else reacting to your post. Putting it more simply; social media creates an easy-to-share environment where the end-user put into it as much data as it can persuade them to and the output they get is a digital ‘like’ or comment. Once you have that ‘chemical rush’ from the interaction you want to do it again and so you put more data in there to get more likes, retweets, shares and so on.
When you step back and look at social media from a distance, it is a very odd thing. You put your data into a system so that strangers and people you barely know can look at it, make an opinion about it and ultimately about you. It causes you to share data in a way that engineers your audience to like, comment and re-share. That feels very un-sociable, doesn’t it? If you were sitting around chatting with your friends and you only spoke to say something that would get your friends to react, it would be a very odd situation indeed!
So, if you feel the urge to post something on social media, think about who you are doing this? Is it data that someone needs to know, or is it for your own endorphin rush?
I’m Brian and so’s my wife!
Here is an interesting question for the day. Why does an online service that you buy from care if the details you put in are real or not?
Your purchasing details need to be real, but what about your name, and date of birth? I call this the “Coffee Effect.” When you are in coffee shops, and they write your name on the cup, why do we give our real names? We are opening ourselves up to criminals using that information to find out more about us (our name, location, bank card details, allergies, habits, loyalty cards, coffee preferences). My name is Brian, Davros, Barbarella – get inventive and use characters from your favourite film or TV show. Use an alter ego for non-critical services. Some do require real data though! Register for services and websites with a pseudonym, a name that is not yours etc. If a website gets breached, then the attacker will find it difficult to attribute the data back to you physically.
Oops, I think I did it again
So, the final piece of advice, in this blog, is what to do if you do make a mistake. It is straightforward to make a mistake and knowing your Plan B, your backup plan, is sometimes a significant step.
If you over-share on social media, you can delete your post but remember that once it is on the internet, it is likely to never get removed so post carefully as others may have seen it and they can remember that data.
If you believe someone has got you to click a link and you think you may have infected your device, know the tools you need to turn to – look for reputable antivirus, and anti-malware applications that can help clean your data.
If you believe you have typed your data into a website that you realise, too late, that it is fraudulent, then change any data you have stored with them and ensure to change any passwords that you may have compromised.
Within your company, do you have dedicated people you can turn to? Find out who they are and how easy it is to contact them and what information they might need if there is an incident.
Know which law enforcement in your country deals with internet crimes. In the UK, the NCSC has created a set of services to report scam emails and SMSs.
1. Be aware of fads and apps that appear overnight as the latest hype
2. The internet is just data
3. Anxiety is real, stop and breathe
4. Look for the scam in how it makes you feel
5. Social media is unsociable
6. Use a pseudonym for non-critical services
7. Know what to do if you make a mistake
8. If you put data on the internet, it is there forever
9. Know where to get hold of tools to clean a device if you click something
10. Change data and change passwords if you think the website is fraudulent
11. Know who to turn to in your country’s law enforcement
The internet can feel like an odd place. It has its hidden parts, and it has dangerous areas as well as its fair share of criminals and scammers. Keep your wits about you. Stop, think before you click the link. Just being cautious and having a sixth sense about what you are looking at will keep most attackers at bay. Adjust your security behaviour. Enjoy your digital life and stay safe.