10 online security blunders to avoid

Article updated for relevance and accuracy.

Keep yourself digitally secure with these 10 actionable tips.

There are few worse faux pas than having your online identity stolen. According to the Javelin Strategy & Research study cited on Comparitech, in 2017 over 16.7 million Americans had their identity stolen, up from 15.4 million in 2016. It is estimated that nearly half of Americans have their computer compromised or are completely hacked every year. You’ve probably received the “Emergency; I’m in a foreign country and have been robbed!” emails that pop up in your inbox, or maybe you’ve been a victim of ransomware such as WannaCry.

Today, more than ever, it’s important to be aware of your online security and take steps to protect yourself.

1. Overconfidence in your system

Macs are marketed as virus-proof, and PCs come with anti-virus software pre-installed and enabled. Yet that doesn’t make your system invincible; in fact, it can lead to a false sense of security. Built-in protection helps, but it won’t protect you from everything. It is important to practice common sense when opening emails, attachments, and downloaded apps, as well as being vigilant about which links you click and which websites you visit when browsing the web.

2. Having out of date software and apps

Apple is notorious for sending you reminders if you don’t update its software, and it has good reason to. Out-of-date software and apps are more vulnerable to attacks than those that are up to date. While there is the occasional instance that breaks this rule, manufacturers generally release updates to protect you against vulnerabilities that they discover.

Is your anti-virus software out of date? That, just like other software and apps, should be updated regularly as well. If your anti-virus company offers auto-updates and automatic scans of your system, enabling them is one less thing for you to think about.

This also applies to your organization’s website, CMS, themes, and plugins. Whether you’re using WordPress, Joomla, Drupal or another CMS, make sure that the different components of your website are regularly updated as new versions become available.

3. Change all of your passwords on a regular basis, and frequently.

Yes, it’s a pain. And then you have to remember what the dickens you made the new password. But the good news is you don’t have to do them all at the same time.

If it’s easier to have a reminder on your calendar and spread the changes out, do it. Social media accounts could be one month, and email accounts and your website the month after. The longer and more random the password, the harder it is for a hacker to gain access. Yet don’t cut corners by “changing” your password every 6 months simply by adding a few numbers to the end. This won’t help your security and may, in fact, hurt it.

If you deal in a lot of sensitive information, whether data, financial or research, it may be well worth your while to adopt two-factor authentication wherever possible. Two-factor authentication requires a separate additional action that must be taken beyond simply providing a username and password, and this makes it significantly more difficult for any unwanted intruders to access your accounts.

🌶Hot tip:

If you have problems remembering your password or have trouble coming up with new passwords that are secure, there are many companies that offer products to help you securely check and store your password. Check to make sure they themselves haven’t had security breaches though.

Our project manager swears by Codebook for all her devices and is able to sync her content so it’s always up-to-date no matter where she looks.

4. Using a common password.

Five of the most common passwords in 2020, according to NordPass, were:

  • 123456
  • 123456789
  • picture1
  • password
  • 12345678

Are they easy to remember? Yes.

Are they easy to guess? Yes!

It is actually alarming how these types of simple or consecutively configured passwords continue to be the most used passwords year after year. The best types of passwords have a combination of upper and lower case letters, numbers and special characters, such as an exclamation point (!) or percentage sign (%). If you are not going to use a password generator, remember to avoid certain common (and lazy) practices such as only having the first character be the lone uppercase letter in your password or only using a numeral or special character at the tail end of your password.

🌶Hot tip:

While using a password that is 6 to 8 characters long might be the standard minimum, the longer you can make the password, the more secure you’ll be. Security experts now recommend at least 12-16 characters. Instead of trying to construct them from scratch, consider using a password generator.

Some CMSs, including WordPress, even come with a built-in password generator which you can use when registering new users for your website.
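As an added example (not code from the original post), the checks below turn the password advice in sections 3 and 4 into a small Python function: it rejects the five common passwords listed above, enforces the 12-character minimum and mixed character classes, and flags the two “lazy” patterns the post calls out (a lone leading capital, and digits or symbols stacked only at the end). The generator is a stand-in for the kind of tool the post recommends, not any particular product.

```python
import re
import secrets
import string

# The five common 2020 passwords quoted in the post; a real check would use a much larger list.
COMMON_PASSWORDS = {"123456", "123456789", "picture1", "password", "12345678"}
SPECIALS = "!%$#@&*?"


def password_problems(pw: str) -> list:
    """Return the reasons a password falls short of the post's advice (empty list = passes)."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    # Lazy pattern 1: the first character is the only uppercase letter.
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        problems.append("only the first character is uppercase")
    # Lazy pattern 2: letters first, then every digit/symbol pushed to the tail end.
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z]+", pw):
        problems.append("digits/special characters only at the end")
    return problems


def generate_password(length: int = 16) -> str:
    """Assumed helper: draw random characters until the result passes password_problems()."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("password", "Sunflower2020!", "Tr0ub4dor&3xW!pQ", generate_password()):
        print(f"{sample!r}: {password_problems(sample) or 'OK'}")
```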

5. If you’re using cloud services, make sure they are secure too

Is your iCloud password one of the above mentioned most common passwords, or something similar that can be quickly guessed?

Is the answer to your security question something that can easily be gathered from public information on your social media accounts?

While it might be convenient to have your security question be “favorite pet” and the answer “Buddy,” it’s more secure if you use a nickname of the pet or incorporate numbers in place of letters, such as using “F1d0” instead of “Fido.”

6. Using the same username and password across many accounts.

While having different passwords and usernames across your various accounts is a pain, it is also more secure. Your username can be as simple as FirstName001 for one account and LastName002 for another.

It’s important that you don’t repeat the information; if one account is compromised it is easy for hackers to gain access to all of the others that feature the same information.

7. Trusting an email address, or SMS because it looks right.

Recently we have been seeing a few phishing emails and even texts that look as though they come from iTunes or Amazon. While they have almost entirely copied the correct format and design, there are a few things they haven’t been able to fake (yet).

The first is that they don’t include your billing or mailing address; sometimes they don’t even include your name. They may have your full name and email address, yet your billing address is nowhere to be seen.

The second is that while the email may appear to be from, for example, support@apple.com, when you click to view who it is really from you get a long jumbled address made up of a mix of letters and numbers. In the example below you will note the email is not from support@apple.com, no name is provided, and there is no billing address. All point to a phishing scam.
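As an added example (not from the original post), this Python snippet applies the two tells above to a message: it compares the domain the From display name claims with the domain the address actually carries, flags a long letters-and-numbers sender, and checks whether your name and a street address appear in the body. The two sample messages, the sender domain bulk-sender.example and the name “Jane Doe” are constructed for the demo; the address heuristic is deliberately simple.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first mimics the iTunes lookalike the post
# describes; the second is a receipt that is actually personalized.
PHISH = '''From: "support@apple.com" <k3j9f2a8x1zq7@bulk-sender.example>
Subject: Your iTunes receipt

Dear Customer, your iTunes receipt is attached. Click here to review the charge.'''

LEGIT = '''From: Example Store <billing@example.com>
Subject: Your receipt

Dear Jane Doe, your order shipped to 12 Oak St. The receipt is below.'''

DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)
ADDRESS_RE = re.compile(r"\d+ [A-Za-z ]+ (St|Ave|Rd|Blvd)\b")  # crude US-style street address


def sender_mismatch(from_header: str) -> dict:
    """Compare the domain the display name claims with the domain the real address carries."""
    display, addr = parseaddr(from_header)
    local, _, actual_domain = addr.rpartition("@")
    claimed = DOMAIN_RE.search(display)
    claimed_domain = claimed.group(0).lower() if claimed else ""
    return {
        "display": display,
        "address": addr,
        "mismatch": bool(claimed_domain) and claimed_domain != actual_domain.lower(),
        # Heuristic: a long run of letters and digits is the "jumbled" sender the post describes.
        "jumbled_local": bool(re.fullmatch(r"[a-z0-9]{12,}", local.lower())) and any(c.isdigit() for c in local),
    }


def phishing_signals(raw_message: str, my_name: str) -> list:
    """Return the red flags from the post that apply to one message (empty list = none found)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    signals = []
    info = sender_mismatch(msg.get("From", ""))
    if info["mismatch"]:
        signals.append(f"display name says {info['display']} but real address is {info['address']}")
    if info["jumbled_local"]:
        signals.append("sender address is a jumble of letters and numbers")
    if my_name.lower() not in body.lower():
        signals.append("your name does not appear in the message")
    if not ADDRESS_RE.search(body):
        signals.append("no billing or mailing address in the message")
    return signals
```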

8. Not changing passwords when an employee or volunteer leaves.

While this may mess up your scheduled ‘change password’ calendar, it’s important that if an employee or volunteer leaves, even if it was amicable, you change all of the passwords they had access to.

It is also important to note that not everyone in your organization needs “administrator” access to the backend. It’s worth spending a few minutes to work through the authorized users and determine what level of permissions each of them actually needs.

9. Not having backups of your system and files.

Your website houses photos, events, contacts, and information about you and your company. But if the worst happens and it’s hacked or disabled, are you prepared to start from scratch?

With a little preventive planning and monthly backups, even if the worst happens you won’t have to start from the beginning again. Sure, you may lose some information, but you’ll still have the majority.

AmDee offers monthly backup and priority service if anything does go wrong through our Maintenance Subscription options.

10. Not using websites that are https.

If you’re anything like us you often switch between Chrome, Firefox, and IE. Sometimes the URL is saved and easily comes up, other times you have to type it fully out.

You may type it out and think you’re on the right site to make a purchase or enter your email for a resource, but you may be on a spoof site if there’s no “https:”.

🌶Hot Tip:

Google search results are penalizing sites by pushing them further down the rankings if they don’t have https.

If your website doesn’t display https, that means you don’t have an SSL certificate. While it is fairly easy and not too expensive to purchase an SSL certificate, if you have questions feel free to reach out to us.

This post was originally published: September 25, 2017.

Jeff C.

Jeff Creamer is a DC-based WordPress website administrator, tutor and consultant. He has been helping small businesses and nonprofits launch and manage their WordPress sites since 2013.

Kristy Bauman
