Over the last twenty years, I have been providing volunteer cybersecurity and cybersecurity awareness lectures to children of all ages, K-12 students, business communities, computer science and information systems classes, university faculty, students and staff, and retirees (generally the people with the most assets to protect and the least knowledge to protect themselves online). At the end of most of these sessions, I left the audience with a quick cybersecurity checklist. In the early years, it was just a few items. Since then, my list has steadily grown to over 20 items as our digital world has expanded.
While this checklist is intended as a personal checklist, many of its items apply to organizations as well. The checklist may be obvious to many in the IT field. However, in my experience, no one is really fully protected from some of the modern-day cybercriminals, especially from cybercriminals who are skilled and have access to hacker tools and their own tech support from underground cybercriminal organizations.
1. Personal Responsibility–Complacency by individuals, especially in organizations, is usually a common element in data compromises. There is a common misconception among some individuals that “the IT security people and the firewalls will protect me.” These individuals need to realize that unless stringent security controls are enforced, a careless click on a malicious link may still lead to a compromise. Even worse is when individuals willingly surf to a website and divulge their credentials in anticipation of some goods or rewards.
2. Data Clutter and Spring Cleaning–Reduce that data clutter. Don’t become a data hoarder! Minimize your stored information, especially confidential or sensitive information. Over time, people forget how much confidential or sensitive data they have accumulated; sometimes even other people’s confidential or sensitive data. Establish a Spring Cleaning (or Christmas Cleaning) routine.
3. Updates–Where possible, enable automatic updates of operating systems, applications, anti-virus software, and apps. While more secure systems are emerging, such as cloud-based tablets, notebooks, and operating systems as a service, the currently installed base of consumer and business devices still requires updates as vulnerabilities and exploits are identified. For business devices, a managed approach is advisable.
4. Anti-Virus Software–Use it and keep it updated.
5. Screen Locks–Deploy screen locks for computers, tablets, and smartphones. Whether a simple 4-digit PIN or a more complex method, this is the simplest and first line of defense for most systems.
6. Passwords–Use strong passwords. Unfortunately, not all service providers use best practices for password acceptance by their systems. Do not re-use old passwords. Use different passwords for different services, especially if these services are important, such as primary email accounts, bank accounts, investment accounts, etc. Create a system that is unique to you. With the many different online services that an individual has, it may help to inventory and update these during the annual Spring Cleaning routine. Treat them as carefully as your important documents. If you wish to use a password manager, consider carefully when and where to use it based on your comfort level.
7. Password Recovery–The dated, standard password recovery questions are easily used by hackers to breach accounts. The limited set of questions, whose responses may be guessed or easily found on social media, combined with people’s honesty in answering these questions, makes this an easy way for hackers to breach an account. This is possibly the one time in your life when it is OK to intentionally give an erroneous response, if you are forced to use this method. However, don’t forget your responses!
8. Multi-Factor Authentication–Wherever possible, use multi-factor authentication, especially for important accounts and services. At the basic security level, an individual has three types of credentials (factors): what you know (e.g. username and password), what you have (e.g. smartphone, physical token, or smartcard), and what you are (e.g. fingerprint or iris scan). Combining these different factors raises the confidence level that the correct individual is accessing the account.
9. Home Computer Accounts–As much as possible, instead of using the default Admin (privileged) account on home computers, set up a second Standard (non-privileged) account and use it for most of your activities, especially when browsing the web. Set up an additional Guest account if you have regular visitors or children who are allowed to use your home computer.
10. Hyperlinked Words or Links–Don’t click on hyperlinks embedded in other content, e.g. in SMS, emails, websites, etc. Where possible, log into your actual accounts (FB, LinkedIn, etc.) or open a browser and type in the URL. If that is not possible, mouse over the link to ensure that it is the link that it purports to be. Especially beware of short URLs and QR codes, where you can’t see the full link to the website before you click.
11. Phishing Schemes–Think. Be wise. Be vigilant. Don’t be fooled. Don’t become a victim. Do not divulge personal credentials. No, it is not “THE IT Help Desk” asking for your credentials or helpful “Microsoft Tech Support” trying to fix your computer! Nor is it the IRS demanding your personal credentials via social media or email. And remember that scammers do change their tactics frequently to increase their payoffs.
12. Backup–Backup your data judiciously. Use automated backups. There are several, credible cloud-based automated backup solutions that are easy to use and reasonably priced. For the really important information, keep a separate, off-site backup that is refreshed periodically.
13. Account Profiles–Keep your account profiles updated, especially for primary emails, credit cards, bank accounts, investments accounts, retirement accounts, and other important accounts.
14. Credit Card Alert Notifications–Enable alerts such as transactions above a set amount, or even below a certain amount (sometimes cybercriminals test your cards with low purchase amounts that are then backed out and won’t be reflected in your monthly statements). Set up geographic alerts, e.g. purchases conducted in another country. Set up travel notices and alerts if you plan to travel overseas.
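To make the alert rules in item 14 concrete, the following added example (not code from the original checklist) evaluates a small constructed transaction log against a high-amount rule, a low-amount “probe” rule, a foreign-country rule, and a pairing rule that catches the small test charge that is backed out shortly afterwards, which is exactly the pattern that never shows up on a monthly statement. The thresholds, the home country, the transaction records, and the function and class names are all assumptions made for this illustration.

```python
"""Evaluate card transactions against the alert rules described in item 14.

Added example, not from the original checklist. Rule thresholds, the home
country and the transaction log below are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Txn:
    ts: datetime
    merchant: str
    amount: float      # positive = charge, negative = refund / reversal
    country: str       # ISO-style country code of the merchant


@dataclass
class AlertRules:
    home_country: str = "US"
    high_amount: float = 500.0                   # alert at or above this
    low_amount: float = 2.0                      # tiny "test" charges
    reversal_window: timedelta = timedelta(hours=48)


def evaluate(txns: List[Txn], rules: AlertRules) -> List[Dict[str, object]]:
    """Return one alert record per rule that a transaction trips."""
    alerts: List[Dict[str, object]] = []
    small_charges = [t for t in txns if 0 < t.amount <= rules.low_amount]

    def alert(t: Txn, rule: str) -> None:
        alerts.append({"merchant": t.merchant, "amount": t.amount,
                       "country": t.country, "rule": rule})

    for t in txns:
        if t.amount >= rules.high_amount:
            alert(t, "high-amount")
        if 0 < t.amount <= rules.low_amount:
            alert(t, "low-amount-probe")
        if t.country != rules.home_country:
            alert(t, "foreign-country")
        if t.amount < 0:
            # A refund that exactly cancels a recent tiny charge at the same
            # merchant is the "test then back out" pattern described above.
            for c in small_charges:
                same_merchant = c.merchant == t.merchant
                cancels = abs(c.amount + t.amount) < 0.005
                recent = timedelta(0) <= (t.ts - c.ts) <= rules.reversal_window
                if same_merchant and cancels and recent:
                    alert(t, "probe-reversed")
                    break
    return alerts


# Constructed transaction log: one normal purchase, a $1 probe that is backed
# out two hours later, a large purchase, and a purchase abroad.
BASE = datetime(2024, 3, 1, 9, 0)
SAMPLE_TXNS = [
    Txn(BASE, "Grocery Mart", 84.12, "US"),
    Txn(BASE + timedelta(hours=3), "OnlineShop", 1.00, "US"),
    Txn(BASE + timedelta(hours=5), "OnlineShop", -1.00, "US"),
    Txn(BASE + timedelta(days=1), "Electronics Hub", 1299.00, "US"),
    Txn(BASE + timedelta(days=2), "Cafe Lisboa", 6.50, "PT"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_TXNS, AlertRules()):
        print(f"{a['rule']:17} {a['merchant']:16} {a['amount']:9.2f} {a['country']}")
```

Because the reversal rule fires on the refund rather than the charge, the alert still arrives even if the tiny charge itself was missed, and the window keeps an ordinary refund of an old purchase from being mistaken for a probe.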
15. Credit Reports–Check your credit reports at least a few times a year. Verify that no one else has opened an account under your name.
16. Social Networks–Limit personal information (yours or others) exposed via your social media postings and/or profiles on social networks. Cybercriminals scan social media postings and social network profiles for useful information that can be used to compromise accounts, identities, or your (or your loved ones’) personal safety.
17. Public Wi-Fi–The risk in connecting through a public Wi-Fi is also the unintended consequence. Most mobile devices have dozens of apps that are constantly signed in with the credentials stored on the device. The moment your device connects to a public Wi-Fi access point, many of these apps will rapidly transmit the stored credentials, faster than you can disable them, and some without your knowledge.