24 October, 2024

October is cybersecurity awareness month. The goal is to educate about online safety and protect against cybercrime. Estimates of worldwide cybercrime losses vary — some measure it in trillions of dollars per year.
It is crucial for all businesses and organizations to keep their cyber defences current in light of ever-changing attacks. There are best practices around things like keeping software, firewalls, and anti-virus tools up to date. Staff education is crucial. But those alone are not enough. Keeping security up to date requires ongoing attention from security experts.
Cyber Safe Guide
This Cyber Safe Guide for Small and Medium Businesses is a good place to start, or a good checklist to see if the fundamentals are covered.
There is a myriad of common scams against both businesses and individuals. The Canadian Anti-Fraud Centre lists common scams and how to avoid them.
An example of a common business fraud is business email compromise, which is an attempt to redirect a legitimate payment to the fraudster. The fraudster gains access to someone’s email account, often through credential stuffing: trying passwords for that individual that were exposed in earlier privacy breaches and acquired on the dark web. They then insert themselves into an existing email exchange and ask that payment be sent to a different account. Some even use AI to mimic the voice of the person.
Tips to reduce risks
Here are a few things that businesses and individuals can do to reduce their risk.
- Be skeptical about communications (email, text, social media, phone) that seem out of character for the apparent sender, are from strangers asking for or promising something, are badly written, have grammatical errors, or sound personal but don’t include your name.
- Beware of engaging with a random stranger who “accidentally” communicates with you. It may be an attempt to start a pig-butchering scam.
- Beware of any communication that instructs you how to pay something — especially if it is different than earlier instructions. To make sure, call the person you have already dealt with at an already-known phone number to verify the instructions.
- AI tools are being used by fraudsters to mimic the audio and video of people you know. Be ultra cautious and confirm by alternate means any communication that deals with money or asks you to disclose personal information. That call that seems to be from someone you do business with who asks you for information to confirm your identity might be an attempt to get information from you they can use for fraud.
- Beware of any contact that urgently asks for money or asks for payment by gift cards or Bitcoin. No legitimate business or government agency will ask to be paid by gift cards or Bitcoin. Be especially wary of requests not to talk to anyone about it. Examples include apparent demands from tax authorities for immediate payment or threats of criminal action, and calls claiming that a relative has been arrested and needs bail money.
- Be wary of any message that suggests someone has used your credit/debit card or account to buy something. Card companies may contact you if there is a legitimate compromise of your account. But often it is just an attempt to get information from you to “verify your account”. Sometimes it is obvious, as when the message relates to a card you don’t have. Sometimes it is easy to check, for example by going to your Amazon account to make sure there are no orders you didn’t place. If you have any inkling that the message might not be legitimate, hang up or don’t respond, and contact your bank or card provider using a known number.
- Use strong effective passwords. Avoid common ones. This post lists common passwords, and how little time it takes to crack them. This post talks about the types of password attacks, and how to create a strong one.
- Don’t reuse the same password on multiple sites, especially for sensitive ones like work access and banking. Given the number of successful hacks over the years, it is almost guaranteed that every one of us has a username and password for something available to hackers. A common hack is to try a person’s known password for other sites.
- Use a password manager to create and remember strong, unique passwords. Make sure your password to access the password manager is strong and something you can remember.
- Take advantage of MFA (multifactor authentication) for any service that offers it. Not all MFA is equal, though. While the type that texts a one-time code to your phone is good, app-based authenticators are better.
- Keep the software on all your devices up to date. Updates often contain bug fixes and defenses against new threats.
- Your workplace may implement security measures that seem like a nuisance. But those are put in place for a reason. Be sure to follow them.
- Don’t input any information into a website that is not served over HTTPS.
- Take advantage of in-private or incognito settings on your browser. Or use a browser like Brave that doesn’t track by default.
- Take advantage of privacy settings for your online accounts.
- Be extra vigilant when using public wifi — meaning any wifi connection other than your home or work. If you must use public wifi, follow these tips.
- Always change default passwords on devices connected to the internet to something secure. This includes your router/firewall/access point and any device that talks to a cloud service or communicates over the internet, such as IoT, security cameras, TV boxes, printers, and scanners.
- Make sure your home router and wifi settings are set up properly and securely.
- For the most part, QR codes are innocuous and take you to a web page of whoever published them. But don’t scan random ones, as they can take you to nefarious sites.
- Those simple surveys or knowledge tests on social media could be bots collecting data about you. The info you provide may seem innocent enough. But at some point, it could tie an answer to you which could be one of your password recovery responses.
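As an added example (not from the article), the following Python script audits a small constructed set of stored credentials the way a password manager's security report does: it flags passwords that appear on a constructed common-password list, estimates the worst-case time to exhaust a password's character pool at an assumed offline guess rate, and groups accounts that share one password (the reuse that makes credential stuffing work). The common-password list, the sample vault and the guess rate are all assumptions made for the example.

```python
"""Password hygiene audit: common-password check, worst-case guessing time,
and detection of one password reused across several accounts.

Added example, not code from the original article. The common-password list,
the credential records and the guess rate below are constructed assumptions.
"""
import math
import string
from collections import defaultdict

# Constructed stand-in for a real "most common passwords" list (assumption).
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "qwerty", "12345678",
    "111111", "password123", "letmein", "welcome", "admin",
}

# Assumed offline guess rate (guesses per second) for an attacker who holds a
# leaked hash database. A labelled assumption, not a figure from the article.
ASSUMED_GUESSES_PER_SEC = 10_000_000_000

# Constructed sample of a password-manager export: (account, username, password).
CONSTRUCTED_VAULT = [
    ("work-vpn", "alice", "Summer2024!"),
    ("bank", "alice", "Tr0ub4dor&3"),
    ("forum", "alice@example.com", "Summer2024!"),
    ("email", "alice@example.com", "correct horse battery staple"),
]


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool covering this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def password_report(password: str, guesses_per_sec: int = ASSUMED_GUESSES_PER_SEC) -> dict:
    """Rate a single password.

    A password on the common list counts as cracked instantly, because an
    attacker tries the dictionary before anything else. Otherwise report the
    worst-case time to enumerate the whole character pool at the guess rate.
    """
    is_common = password.lower() in COMMON_PASSWORDS
    pool = max(charset_size(password), 1)
    keyspace = pool ** len(password)
    worst_case_seconds = 0.0 if is_common else keyspace / guesses_per_sec
    long_enough = len(password) >= 12
    slow_enough = worst_case_seconds > 365 * 86400  # more than a year of guessing
    return {
        "is_common": is_common,
        "length": len(password),
        "charset_size": pool,
        "keyspace_bits": round(math.log2(keyspace), 1),
        "worst_case_seconds": worst_case_seconds,
        "long_enough": long_enough,
        "acceptable": not is_common and long_enough and slow_enough,
    }


def find_reused(credentials) -> list:
    """Group account names that share an identical password.

    Returns a sorted list of sorted account-name groups, so the report can be
    shared without repeating the password itself.
    """
    by_password = defaultdict(list)
    for account, _username, password in credentials:
        by_password[password].append(account)
    return sorted(sorted(accounts) for accounts in by_password.values() if len(accounts) > 1)


def audit_vault(credentials) -> dict:
    """Per-account findings: common or weak passwords plus reuse across accounts."""
    findings = {}
    for account, _username, password in credentials:
        report = password_report(password)
        problems = []
        if report["is_common"]:
            problems.append("on common-password list")
        else:
            if not report["long_enough"]:
                problems.append("shorter than 12 characters")
            if report["worst_case_seconds"] <= 365 * 86400:
                days = report["worst_case_seconds"] / 86400
                problems.append(f"whole keyspace guessable in about {days:.1f} days")
        if problems:
            findings[account] = problems
    for group in find_reused(credentials):
        for account in group:
            others = ", ".join(a for a in group if a != account)
            findings.setdefault(account, []).append("password reused on: " + others)
    return findings


if __name__ == "__main__":
    for account, problems in audit_vault(CONSTRUCTED_VAULT).items():
        print(f"{account}: " + "; ".join(problems))
```

The worst-case figure is an upper bound for a pure brute-force search; real attackers start with dictionaries and leaked lists, which is why a password on the common list is rated as cracked instantly regardless of its length, and why the reuse check matters more than any single strength score.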
David Canton is a business lawyer and trademark agent at Harrison Pensa with a practice focusing on technology, privacy law, technology companies and intellectual property. Connect with David on LinkedIn and Twitter.
Image credit: ©Rokas – stock.adobe.com