Attackers look for the path of least resistance. Recently, that path has shifted from enterprise networks to you and your devices for two reasons. First, as we have built more secure software and systems, it has made it harder to attack enterprise networks. At the same time, we have started to access more sensitive information, both personal and professional, on our phones.
That isn’t to say enterprise security, isn’t important – it still is. But individual cybersecurity is now a critical part of enterprise security because when individual workers aren’t secure, the enterprise isn’t either.
In the current era of cybersecurity, your life is part of the attack surface. In this post, we lay out 16 practical steps you can take to secure your data, accounts, and devices. The list is prioritized by risk reduction, so start at #1 and work your way down.
THE BASICS: 4 Steps & 3 Habits to address 99% of your online risk.
These first seven tips are the security basics. If you do nothing else, these tips – many of which you’ve probably heard for years – will protect you against the most common attacks.
1) Implement two-factor authentication (2FA)… and not with your cell phone!
Our first two tips are the most important to protect yourself against the most common security breach: password theft.
Two-factor authentication (2FA) creates two layers of security to access online accounts or information. There are a number of options for 2FA, and not all are created equal. At a16z, we believe hardware is the strongest form of 2FA because it requires possession of a physical object to access your account. For instance, I use a password and a Yubikey (a small device that plugs into a computer port) to access my work accounts, such as email or my HR system. My password is the first authentication; the Yubikey is the second.
SMS or text message-based authentication is a very weak choice for 2FA. Using SMS as an authentication (e.g. when your bank account texts you a verification code) leaves you vulnerable to SIM jacking, also known as SIM swapping attacks. In these attacks, a hacker convinces your mobile provider to reroute your phone number to their device. They can then access information and accounts linked to that phone.
SIM jacking is on the rise, and on September 17, 2019, the FBI even issued a formal warning about the risk of SMS-based authentication. If you do want to use your phone as a 2FA, Duo and Google WebAuthn are mobile-based 2FAs that do not rely on SMS and are less vulnerable to SIM swapping.
NEXT STEP: Add a second authentication method (not SMS!).
- Yubikey – hardware key that plugs into your computer
- Duo – mobile-phone based authentication that doesn’t use SMS
- Google WebAuthn – mobile-phone based authentication that doesn’t use SMS
2) Use a password manager.
Most of us have the terrible habit of reusing the same password on multiple sites. In Passwords are Dead… Again, I explained how this reuse creates a web of risk if your password is stolen. Even when we know the risk, many of us reuse passwords because it’s just too hard to remember different passwords for all of our different online accounts. Even worse, we tend to choose passwords that are easy for hackers to guess or figure out.
That’s where a password manager can help. Password managers secure each account with a unique, complex password and store each of these passwords, so that you don’t have to remember them.
NEXT STEP: Start using a password manager, such as 1Password, LastPass, DashLane.
3) Patch your sh*t!
The second most common cause of security breaches are missing security patches. No software is perfectly secure. Many updates are released to address newly discovered security gaps or bugs. When you receive a notification from your phone or computer that an update is available, install it as soon as possible. Or even better automate updates so that as soon as software or system updates are available, they are installed. In particular, the three most important systems to keep patched are: 1) your computer operating system, usually Windows or MacOS; 2) your browser, such as Chrome, Internet Explorer, or Safari; 3) your mobile operating system, usually Android or iOS.
NEXT STEP: Check that the following systems and software are fully up-to-date and automate patches.
4) Review cloud, social, and financial security/privacy settings.
Cloud configuration isn’t just important to the enterprise (see the blog The Next Generation of Cloud Security Startups). Each of us needs to be aware of how we set up and configure our security and privacy settings for any cloud and SaaS applications that we use. The three most important here are cloud storage, social media accounts, and financial applications. Most of these tools provide security and privacy wizards that make it easy to check and configure your settings.
NEXT STEP: Check your privacy and security for cloud storage, social media, and finance tools that you use. Below are links to some of the most common.
5) Trust but verify digital communications.
At my peak as a security professional, I saw over 20,000 breaches per year. More than half were the result of phishing attempts – someone clicking a bad link in an email or other digital communication.
Always maintain a healthy skepticism towards emails and other digital messages. If a message is requesting you take an action or click a link, validate and verify who the message is from. You can think of this as 2FA for digital communications – don’t just rely on who the email says it’s from. For instance, if your sister is asking you to send $200, text or call her to make sure she really is the one sending the request. Even for seemingly harmless emails, such as someone sharing a link to photos from a recent event, check that they actually sent them.
According to the 2019 Verizon Data Breach Investigation Report, we are more likely to click a phishing link when we are on our phones. Be extra careful when checking messages on your phone.
HABIT: Be skeptical of digital communications. Especially with requests to send money or share secure information, verify who is on the other end.
6) Trust but verify what you install.
You should also take a trust, but verify approach to applications or software you install on your devices. In short, know what you’re installing. A number of hacks have happened because people installed untrusted, often pirated, software. Pirating software isn’t only illegal, it’s also a great way to infect your computer with a virus or malware.
When installing software, never install any that uses a licensing hack or cheat code. Software can be expensive, and it may seem like a good deal to download hacks or cheats for commercial software, but it’s also a great way for attackers to gain access to your systems.
Additionally, download software from official sites and avoid unofficial sites or sites that bundle or package adware with their installers. Adware is often as bad as malware when it comes to security risks.
HABIT: Only download software from official sites.
7) Trust but verify what you plug into your computer.
Avoid flash drives and other things you plug into or pair with your computer. Operation “Buckshot Yankee” was one of the worst computer breaches in the history of the U.S. Military, and it started with a USB drive intentionally left in a military base parking lot that someone picked up and put into their computer. It may sound like common sense, but don’t insert strange and unknown objects into your computer.
HABIT: Only plug in or pair devices with your computer if you know exactly where they came from.
Beyond the Basics: Good Hygiene & Industrial Strength Tools
These next tips are best practices and products that go beyond the basics, with a focus on the recent wave of industrial grade security products have become affordable and available to the public.
8) Buy products with security built in.
In an ideal world, security is a product feature not a standalone product. And in the last 10 years, more products are taking this approach and building security into products. When possible, opt for hardware that has security built in as a core product feature.
Chromebook is a great example of a product that has done this by building security in from the very beginning. Chromebooks autoupdate to ensure software stays patched and as secure as possible. They also have a secure boot, which prevents malicious software from loading on your computer while the operating system is booting up, and native mobile device management capabilities to improve security across devices.
Of course, once you have the hardware, you need to make sure you are taking advantage of the features. Use device pins, passwords and other security measures, and turn on the firewall and automatic updates (see tip #3 – patch your sh*t!).
NEXT STEP: Select hardware that has built in security.
9) Practice good browser hygiene.
Since web browsers are so widely used, they are also widely targeted. Good browser hygiene limits the data available to an attacker if they are able to exploit your browser.
While most modern browsers now allow you to save credentials or personal information in them, that’s a bad security practice. It’s better to save this information in a separate program like a password manager (see tip #2).
Tools, like Javascript and Flash, are incredibly feature rich and help dynamic content play on webpages. However, they were also developed before we had secure coding standards and frameworks. As such, they continue to be unsafe and commonly exploited. While disabling these will mean some content won’t load on webpages, your browser will be faster and more secure. Also, disabling Flash autoplay also save your ears from loud and obnoxious content that plays automatically when you visit a website.
NEXT STEPS:
- Clear cache/cookies/history regularly. (Here’s a handy resource for cleaning up your browser.)
- Turn off autocomplete.
- Turn off Javascript in your browser.
- Enable “click to play” for Flash in your browser.
- Follow the US Cert guidelines for Browser Security
10) Change passwords and close unused accounts.
In addition to setting good passwords, it’s important to practice good account hygiene. Passwords should be changed at least yearly, more if you think you can support it. However, even more important than regularly changing passwords is choosing strong, complex passwords (see tip # 2).
Additionally, there are a number of websites out there that can let you know if any of your accounts were compromised in a security breach. Some password managers also perform this check. If any of your accounts have been compromised, reset your password immediately. If you hear of hacks or security breaches for services you use, check if any of your information was part of the breach. Finally, if you are no longer actively using an account, close it.
NEXT STEPS:
- Change passwords on any accounts where you have been using the same password for longer than a year.
- Run a check using haveibeenpwned.com or some other service to find out if you’ve been compromised.
- If you have, change passwords for those accounts.
- Close any inactive accounts.
11) Go Cloud!
Another pillar of good security is backing up your data so it can be restored in the case of a breach or data loss. The cloud is more secure than backing software up locally (e.g. using an external hard drive or local server) for a few reasons. First, your data no longer sits only on your computer. If your computer or hardware is stolen or physically damaged, you are able to recover it. Secondly, cloud services usually automatically patch their software, so it’s one less thing for you to think about.
NEXT STEP: Automate data backups with cloud services, such as Dropbox, Box, or Google Drive.
12) Set up detection traps.
Security is fundamentally a game of cat-and-mouse. We develop more secure systems, and hackers find ways to break into them. Breaches will happen. And rapid detection is just as important as prevention. Setting traps, the equivalent of digital tripwires, can help you know when you have been hacked.
NEXT STEP: Set up digital tripwires.
- Use canaries. It’s a classic heist movie twist for someone to be duped, steal a briefcase supposedly full of money, and then discover it’s full of worthless paper. Canaries – small hardware devices (e.g. tokens) that mimic a device a hacker would want to break into – are the digital equivalent. They are designed to detect malicious or abnormal behavior and alert you. Thinkst Canary is one of our favorites because it’s affordable for the average consumer and quick to set up.
- Set up email aliases when for online accounts. Gmail, for example, allows me to create aliases linked to my main account. If ever an email shows up in a breach database, this makes it easy to know exactly where my information was compromised. For example, if I open up a bank account online, I can create the alias joel+bankname@gmail.com. If I ever show up in a breach database, or start receiving unwanted email at that address, I’ll know which account was responsible.
13) Encrypt.
Encryption is using very large numbers and fun math tricks to make data unreadable unless you have a key to crack the code. (Fun fact: the use of ciphers, one encryption method, dates back to the Ancient Egyptians circa 1900 BC.)
When it comes to software, encryption is often the last line of defense for protecting data when dealing with a determined attacker. It represents a final code that has to be cracked before they can see sensitive information. As a best practice, you should encrypt your operating system and backups and use SSL or TLS3 (two security standards for transmitting information over the internet).
NEXT STEPS: .
- Encrypt all hardware drives/storage. For your hardware, operating systems typically offer built-in protection – use BitLocker to encrypt Microsoft’s operating system, and FileVault for Apple. ChromeOS is encrypted by default, no action needed.
- SSL everything. If you don’t see the SSL turned on for a webpage, do not put your data into that page. To check for SSL make sure you see a closed lock icon in your web browser. Even better, use a browser plug-in, such as SSL from the Electronic Frontier Foundation, that turns on SSL for everything. Encrypt backups. Make sure you never leave your back-up data laying around unencrypted.
- Encrypt your backup data. OSX, IOS, Android, and Windows can be encrypted by using a password to protect the backup.
14) Use a VPN, not public networks or computers.
Nothing in this world is free, including WiFi. In general, avoid unknown wifi networks, especially open public networks, because attackers may have control of the network and launch a person-in-the-middle attack, where they intercept and change traffic going to and from computers on the network.
And never use a public computer as even those in internet cafes and business centers almost always have something bad running on them. If you have to use a public computer, immediately change all passwords from a trusted machine. Think of it as the digital equivalent of washing your hands after riding the subway.
NEXT STEPS: Set up a VPN or mobile hotspot for connecting to private, secure internet when in public.
For the extra paranoid
These final two steps are for those who want their cybersecurity to be Fort Knox level.
15. Read the fine print.
It’s a pain to read end user agreements, but it’s especially important when installing applications that access your data. Make sure you’re comfortable with the level of access the app is asking for. Should you give a random photo app access to all your photos? Does a Dog Walker app need to have access to all your email? Sensible questions about data access go a long way.
16. Keep master passwords and hardware keys in a safe.
Stuff happens and passwords/keys are often lost or forgotten. It’s great to have an extra set of keys saved somewhere in case you ever need them. And even in a digital world, physical safes improve security. Keep your master passwords and back up hardware keys in a high quality fireproof safe. If you do not have a place to install a safe, a safe deposit box at a local bank branch also works.
And now that you’ve completed the security audit, bookmark this link and set a reminder for your next digital security check up. See you then!
