Practical Cybersafety for Everyone
The Internet is a dangerous place. In this post, I’ll cover five basic Cybersafety tips that anyone (including those who aren’t tech-savvy) can use to stay safe online.
1. Protect against viruses and malware
Most computer viruses are small sections of code that are embedded into files such as PowerPoint presentations and PDFs. When these files are opened in a software app (e.g., Microsoft PowerPoint or Adobe Reader), the app inadvertently executes the malicious code. Alternatively, malware (short for malicious software) includes apps that often run silently in the background to perform malicious tasks, such as stealing information or encrypting files until you pay a ransom (called ransomware). As a result, malware is one of the most dangerous threats to computer users today, and many viruses merely download and execute malware from Internet sites.
Luckily, protecting against viruses and malware is easier today than it has ever been. Vendors such as Microsoft and Apple have taken a leading role in providing security for their Windows and macOS operating systems.
If you are a Windows 10 or 11 user, the built-in Microsoft Defender provides the best protection against viruses and malware if all features are enabled. To configure Microsoft Defender features, you can click Start > Settings > Update & Security > Windows Security and then click on each area shown below. After reading about what each feature does on the screen, ensure that it is enabled. The green checkmarks shown below indicate that all available Microsoft Defender features for your computer are enabled.
While third-party antivirus apps are still available for Windows systems, they don’t provide any significant protection beyond that provided by Microsoft Defender. Instead, many of these apps (notably McAfee Antivirus) merely slow down your PC and may prevent you from accessing certain safe Internet resources. My advice today is to remove these apps and ensure that all Microsoft Defender features are enabled.
Alternatively, if you use macOS on an Apple Silicon-based Mac computer, the built-in Apple Gatekeeper provides the same protection that Microsoft Defender does. Apple automatically enables all Gatekeeper features for you the first time you start macOS, and there’s no reason to disable them afterwards.
If you use macOS on an older Intel-based Mac computer, Gatekeeper has significantly less capability for protecting you against viruses and malware. In this case, I recommend you also install the free Avira Antivirus for Mac.
To find out if your Mac uses Apple Silicon or Intel, click > About This Mac. As shown below, next to Chip you will either see Apple (e.g., Apple M2 Pro) or Intel (e.g., Intel Core i7).
2. Secure your web browser
Because your web browser is your primary Internet portal, it’s also the primary target for malware. While there are many web browsers to choose from, mainstream web browsers with a large user base offer the most aggressive protection. As a result, try to use one either Chrome, Edge, or Firefox only.
Some websites have you install custom software in your web browser called an extension to provide extra functionality. In some cases, it’s desirable (e.g., the Google Docs extension), but in other cases it may be malicious, and you may not be aware that it was installed when you clicked through prompts on a webpage. As a result, you should regularly review the extensions that are installed, removing or disabling any that look suspicious or unnecessary. I never install any extensions unless they are from a reputable organization such as Google or Microsoft.
Additionally, web browsers allow you to enable additional protection against malicious websites, links, and downloads. This is often called enhanced or strict security mode, and you must manually enable it within the settings of your web browser. I recommend that you enable it, and only allow exceptions for individual websites that don’t work properly with it enabled.
Many websites store information about you (e.g., your postal code) in cookie files on your PC that they search for to save time when you browse their website in the future. While most cookies are harmless from a security perspective, there’s a chance that cookies from websites other than the one you are currently viewing (called third-party cookies) will be used to store sensitive or tracking data for malicious purposes. Thus, it’s important to disable third-party cookies in your web browser settings and only allow exceptions for trusted websites that require them (rare today). Firefox blocks third-party cookies by default, but Chrome and Edge allow you to choose.
In short, perform the following actions:
-
Chrome:
- View and remove any suspicious extensions by navigating to
chrome://extensions/
in your address bar - Enable Enhanced protection within Settings > Privacy and security > Security
- Block third-party cookies within Settings > Privacy and security > Third-party cookies
- View and remove any suspicious extensions by navigating to
-
Edge:
- View and remove any suspicious extensions by navigating to
edge://extensions/
in your address bar - Enable Strict protection within Settings > Privacy, Search, and Services > Security > Enhance your security on the web
- Block third-party cookies within Settings > Cookies and Site Permissions > Manage and delete cookies and site data
- View and remove any suspicious extensions by navigating to
-
Firefox:
- View and remove any suspicious extensions by navigating to
about:addons
in your address bar - Enable Strict protection within Settings > Privacy & Security
- View and remove any suspicious extensions by navigating to
3. Click wisely
Even with Windows Defender or Apple Gatekeeper, your computer can still get infected with malware if you click on malicious links or open malicious attachments in emails and other messages. Even picture attachments can contain viruses or malware embedded into the picture itself. This is called steganography, and the virus or malware is released when you view the picture. Similarly, you can be coaxed by false emails and messages into downloading malware or giving away sensitive information (called phishing). Thus, it is important to approach all emails and messages you receive as being potentially malicious until you can verify otherwise.
Be extra cautious with emails and messages that:
- Start with generic greetings such as “Dear customer” or “Dear sir/maam” or have poor spelling or grammar. Malicious emails are often sent in bulk to recipients from a different country and generated by a translation program that does not understand how to edit content for style and grammar.
- Are sent from people you don’t know, or from people you do know but seems out of character for them. If someone you know clicked on a malicious link or attachment, malware may have stolen their address book for use with phishing.
- Are sent from someone trying to mask their identity. For example, an email from someone claiming to be from Microsoft, but their email address is @gmail.com. Or an email from someone @microsoft.customersupport.cn (not a Microsoft domain) or @microsft.com (misspelled).
- Have a false sense of urgency. For example, you must click a link, call a phone number, or open an attachment soon claim a reward, avoid a penalty, or remove a charge on your credit card. Whenever there is a sense of urgency in an email, take a deep breath and look at it carefully and slowly. Most organizations that require you to act on something will give you plenty of prior notice before sending emails that require you to do so.
- Contain words like INTERNAL or TRUSTED in the subject line to encourage you to trust it.
- Contain suspicious links or attachments. Instead of clicking on links, hover your mouse over them (or long-press on a touchscreen) to see where they are actually going. If you don’t recognize the domain name in the link, or it doesn’t go to where the link states, it’s likely malicious and you should not click it. Similarly, only open attachments from emails you absolutely trust, and only in cases where it was expected.
Following is an example of a malicious email I received that includes several of these features:
Once you identify a malicious email, ensure that you flag it in your email app as spam (unwanted) or phishing (purposefully malicious). This will delete the email as well as send a notification to the email server that allows it to better protect you and others against similar emails in the future.
4. Manage your online passwords
Most of us today log into dozens of different websites: online banking, news, social media, Gmail/Office365, work, school, Uber Eats, and so on.
But how do you manage the passwords for these sites?
- Do you use different ones for different websites and remember them all? Probably not, unless you’re a robot.
- Do you use the same password for multiple websites? If so, then when one of these websites is compromised, hackers will try your username and password on other websites automatically to gain access to your other accounts (called password spraying).
The most secure approach to managing your online passwords is to first determine which websites are critical. Critical websites include any websites that you store payment information on (e.g., Amazon), as well as online banking, work, school, email, and federated organizations. Federated organizations are large companies that are trusted by other websites. Have you ever tried to create an account on a vendor website and been presented with the option to supply either a new username and password OR use your existing Facebook, Apple, Microsoft, or Google login? When you choose to use your existing login from Facebook, the vendor website doesn’t store any username or password data, but instead obtains proof from Facebook that you have successfully logged into Facebook on the same web browser and can trust your Facebook account. This is called federated authentication.
For critical websites, generate a unique password for each account that is at least 10 characters long, does not contain dictionary words, and consists of different character types: UPPERCASE, lowercase, number, and special (e.g., ; % $ # @
). Try to make the password easy for you to remember. For example, the password i8ahorC;aaC
may look like random characters but could stand for I ate a horsey as a child (something you remember from your childhood).
Next, write the username and password for each critical website in a book that is stored in a secure place in your home and refer to it as necessary. Since there is always a small possibility that a password has been compromised by malware, it is important to change your passwords periodically. I recommend scheduling a password change day twice per year on your calendar (e.g., first Sunday in April, last Sunday in October). First write down a new password for each website in your password book and then log into each website and choose the option to update your account password.
For non-critical websites, use federated authentication if supported. If the website doesn’t allow federated authentication and you must create a username and password, allow the built-in password manager of your web browser to create and store a strong password that it will automatically insert each time you visit the site. In the rare event you lose access to your web browser stored passwords (e.g., your PC failed and was replaced), you can always go through the account reset process for these websites (the original account signup process requires a valid email address for this purpose).
Chrome, Edge, and Firefox periodically check the passwords it stores for you and alerts you if the same password is used for two different sites, or if the password was found for sale on the dark web (which indicates that it was compromised by hackers or malware), as shown below for Chrome. In this case, you can follow the directions to see which accounts you need to immediately change passwords for.
5. Be mindful of what data you are sharing online
Most information that you share on the Internet is publicly-accessible by automated software (called bots) that can use it to socially engineer you (e.g., with a phishing email) or gain access to your accounts (e.g., by obtaining the answer for a security question during a malicious account reset). For example, if a bot can see that you recently bought a Dyson vacuum from a social media post, it could craft a phishing email that appears to come from Dyson. Or if you post the name and picture of your pet, a bot could use that information to answer an account security question of “What is the name of your pet?” Moreover, bots can often access this information even if your social media profile is set to private.
In general, don’t share your home address, email address, nickname, or mobile number online, unless it is required for account signup. Never share passwords in an email or store them in a text file on your computer where malware can find them. Don’t friend anyone on social media that you don’t know because they could be a bot and prune your friend list periodically. Avoid sharing pictures and information on social media unless you feel they cannot be used to obtain personal details about you. And if possible, reduce or eliminate your use of social media entirely.