Article updated for relevance and accuracy.
Keep yourself digitally secure with these 10 actionable ideas.
There are few worse faux-pas than having your online identity stolen. According to the Javelin Strategy & Research study cited on Comparitech, over 16.7 million Americans had their identity stolen in 2017, up from 15.4 million in 2016. It is estimated that nearly half of Americans have their computer compromised or are completely hacked every year. You’ve probably received the “Emergency; I’m in a foreign country and have been robbed!” emails that pop up in your inbox, or maybe you’ve been a victim of ransomware such as WannaCry.
Today, more than ever, it’s important to be aware of your online security and take steps to protect yourself.
1. Overconfidence in your system
Mac is marketed as being virus-proof, and PC comes with anti-virus software pre-installed and enabled. Yet that doesn’t make your system invincible and, in fact, can lead to a false sense of security. While built-in protection will help, it won’t protect you from everything. It is important to practice common sense when opening emails, attachments, and downloaded apps, and to be vigilant about what links you click on and what websites you visit when browsing the web.
2. Having out of date software and apps
Apple is notorious for sending you reminders if you don’t update their software, and they have good reason to. Out of date software and apps are more vulnerable to attacks than those that are up-to-date. While there is the occasional instance that breaks this rule, generally manufacturers release updates to protect you against vulnerabilities that they discover.
Is your anti-virus software out of date? Just like other software and apps, it should be updated regularly as well. If your anti-virus company has the option to allow auto-updates and automatic scans of your system, that is one less thing for you to think about.
This also applies to your organization’s website, CMS, themes, and plugins. Whether you’re using WordPress, Joomla, Drupal or another CMS, make sure that the different components of your website are regularly updated as new versions become available.
3. Change all of your passwords on a regular basis, and frequently.
Yes, it’s a pain. And then you have to remember what the dickens you made the new password. But the good news is you don’t have to do them all at the same time.
If it’s easier to have a reminder on your calendar and do them spread out, do it. Social media accounts could be one month, and email accounts and your website the month after. The longer and more random the password, the harder it is for a hacker to gain access. Yet don’t skimp by rigorously changing your password every 6 months and merely adding a few numbers to the end. This won’t help your security and may, in fact, hurt it.
If you deal in a lot of sensitive information, whether data, financial or research, it may be well worth your while to adopt two-factor authentication wherever possible. Two-factor authentication requires a separate additional action that must be taken beyond simply providing a username and password, and this makes it significantly more difficult for any unwanted intruders to access your accounts.
If you have problems remembering your password or have trouble coming up with new passwords that are secure, there are many companies that offer products to help you securely check and store your password. Check to make sure they themselves haven’t had security breaches though. We recommend Codebook and Dashlane.
4. Using a common password.
5 common passwords in 2018, according to SplashData, were:
Are they easy to remember? Yes. Are they easy to guess? Yes! It is actually alarming how these types of simple or consecutively configured passwords continue to be the most used passwords year after year. The best types of passwords have a combination of upper and lower case letters, numbers and special characters, such as an exclamation point (!) or percentage sign (%). If you are not going to use a password generator, remember to avoid certain common (and lazy) practices such as only having the first character be the lone uppercase letter in your password or only using a numeral or special character at the tail end of your password.
While using a password that is 6 to 8 characters long might be the standard minimum, the longer you can make the password, the more secure you’ll be. Security experts now recommend at least 12-16 characters. Instead of trying to construct them from scratch, consider using a password generator. Some CMSs such as WordPress even come with a built-in password generator which you can use when registering new users for your website.
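The rules above can be checked automatically. The following Python sketch is an added example, not code from the original article; the function name `audit_password`, the three-entry deny-list and the 12-character threshold (the low end of the 12-16 recommendation) are assumptions made for illustration.

```python
import string

# Constructed deny-list for illustration; "123456" is the weak password the
# article itself mentions. A real deployment would load a much larger list.
COMMON_PASSWORDS = {"123456", "password", "qwerty"}
MIN_LENGTH = 12  # assumed threshold: low end of the 12-16 recommendation


def audit_password(password: str) -> list[str]:
    """Return a list of weaknesses; an empty list means no rule was tripped."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")

    classes = {
        "lowercase letter": string.ascii_lowercase,
        "uppercase letter": string.ascii_uppercase,
        "number": string.digits,
        "special character": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")

    # Lazy pattern 1: the only uppercase letter is the first character.
    uppers = [i for i, c in enumerate(password) if c.isupper()]
    if uppers == [0]:
        problems.append("only the first character is uppercase")

    # Lazy pattern 2: numbers and special characters appear only as a suffix.
    # Strip the trailing run of non-letters; if what remains is all letters,
    # every number or symbol was tacked on at the end.
    stem = password.rstrip(string.digits + string.punctuation)
    if stem != password and stem.isalpha():
        problems.append("numbers/special characters only at the end")
    return problems
```

A password such as `Springtime2018!` passes the length and character-class checks yet still trips both lazy-pattern rules, which is the case the paragraph above warns about.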
5. If you’re using cloud services, make sure they are secure too
Is your iCloud password 123456 or something similar that can be quickly guessed? Is the answer to your security question something that can easily be gathered from public information on your social media accounts? While it might be convenient to have your security question be “favorite pet” and the answer “Buddy,” it’s more secure if you use a nickname of the pet or incorporate numbers in place of letters, such as using “F1d0” instead of “Fido.”
6. Using the same username and password across many accounts.
While having different passwords and usernames across your various accounts is a pain, it is also more secure. Your username can also be as simple as FirstName001 for one account and LastName002 for another. It’s important that you don’t repeat the information; if one account is compromised it is easy for hackers to gain access to all of the others that feature the same information.
7. Trusting an email address because it looks right.
Recently we have been seeing a few phishing emails that look as though they come from iTunes or Amazon. While they have almost entirely gotten the correct format and design, there are a few things they haven’t been able to fake (yet).
The first is that they don’t include your billing or mailing address; sometimes they don’t even include your name. They may have your full name and email address, yet your billing address is nowhere to be seen.
The second is that while their email may appear as though it is from, for example, email@example.com, when you click to view who it is really from you get a long jumbled email address with a mix of letters and numbers. In the example below you will note the email is not from firstname.lastname@example.org, and there is no name provided and no billing address. All point to a phishing scam.
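The second check can be done mechanically on a message's From header. This Python sketch is an added example, not part of the original article; the function name `check_from_header`, the sample headers in the test data and the length and digit thresholds are assumptions chosen for illustration.

```python
import re
from email.utils import parseaddr

# Finds an email address written inside the display name and captures its domain.
ADDRESS_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def check_from_header(from_header: str) -> list[str]:
    """Compare what a From header displays with the address that really sent it."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["no parsable sender address"]
    local_part, _, domain = address.rpartition("@")
    domain = domain.lower()
    findings = []

    # The display name shows an address, but the mail comes from another domain.
    # Domains are compared exactly, so a legitimate subdomain is also reported.
    shown = ADDRESS_RE.search(display_name)
    if shown and shown.group(1).lower() != domain:
        findings.append(
            f"display name shows {shown.group(0)} but real sender is {address}"
        )

    # "Long jumbled" local part: lengthy with a heavy share of digits.
    # Both thresholds are assumptions chosen for this example.
    digits = sum(c.isdigit() for c in local_part)
    if len(local_part) >= 12 and digits / len(local_part) >= 0.3:
        findings.append("sender address is a long mix of letters and numbers")
    return findings
```

Mail clients often show only the display name, so running the raw header through a check like this surfaces the mismatch without having to click through to the sender details.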
8. Not changing passwords when an employee or volunteer leaves.
While this may mess up your scheduled ‘change password’ calendar, it’s important that if an employee or volunteer leaves, even if it was amicable, you change all of the passwords they had access to.
It is also important to note that not everyone in your organization needs to have “administrator” access to the backend. It’s worth spending a few minutes to work through the authorized users and determine what level of permissions they need.
9. Not having backups of your system and files.
Your website houses photos, events, contacts, and information about you and your company. But if the worst happens and it’s hacked or disabled, are you prepared to start from scratch? With a little preventive planning and monthly backups, even if the worst happens you won’t have to start at the beginning again. Sure, you may lose some information, but you’ll still have the majority.
10. Not using websites that are https.
If you’re anything like us, you often switch between Chrome, Firefox, and IE. Sometimes the URL is saved and easily comes up; other times you have to type it out fully. You may think you’re on the right site when you make your purchase, but if you haven’t double checked you may be on a fake site. Always double check that it says https: before the URL.
As all websites are being encouraged to switch over to an SSL site (“https” vs. “http”) for both security concerns and better search engine rankings, some of the browsers are doing their part to help inform users of the status of sites they visit. For example, the Google Chrome browser has been rolling out extra warnings for those sites that do not have an SSL certificate. Sites that have https will display a lock icon with “Secure” written in green next to it.
This post was originally published: September 25, 2017.