National Computer Security Day (November 30th) raises awareness of the importance of cyber security and the fundamental need for everyone who uses and owns a computer to know computer security basics.
The day was created in 1988, after the first significant cyber attack on the internet’s predecessor, ARPANET. The first internet worm spread to roughly 6,000 computers (out of only 60,000 connected to ARPANET at the time!). It caused large portions of the network to become disconnected to prevent the worm’s spread. Although the worm exploited vulnerabilities in systems that aren’t seen on the internet today, the accounts it attacked and the methods it used are still used by modern-day hackers: it looked for accounts with obvious passwords, such as those found in a short dictionary list or those that used the account name as the password.
The internet of today is almost unrecognisable from its 1988 predecessor. Now, every device we own is connected, and almost every service you could ever need can be accessed online. Having a public-facing space on the internet is necessary for businesses now, and getting your brand out there is as easy as creating a social media page.
However, our ever-increasing reliance on the internet is matched with an ever-increasing risk. The few businesses on the early internet generally only had one or two devices to protect, which starkly contrasts with the massive task organisations today face. Today, an office network is expected to have an internet-connected device for every employee, running a website and holding almost all business-related data on a computer or the cloud. Many businesses today cannot run without a connection to the internet, and an attack on a critical online service can significantly disrupt your operations.
The large number of organisation devices and services which require protection can quickly become overwhelming – it was almost easier when only a device or two were connected!
The Basics of Computer Security
If you’re unsure where to start when protecting your devices and data, the best way to begin is to map out what you have. Listing all your devices, software, and where data is stored will help you understand what you need to protect first. Don’t forget third-party services too; from your email provider to social media accounts, any third party that stores or processes your data should be included in your list.
Now that you have a good idea of what devices and software you use, identify which ones are most important to you or your organisation. Think about what would happen if a specific piece of software became unusable, or if you were suddenly unable to access data held on a particular device – how would that affect your organisation’s ability to operate as usual? Additionally, think about the data and services the users on your network have access to and what would happen if one of those accounts got hacked. Would an attacker be able to access sensitive data if they successfully compromised an account? Knowing which software, devices, and data are most important to your organisation means you can get to work protecting them!
Some Simple Computer Security Practices
Some simple practices within cyber security can help protect any device or software. Following these on every online service you use can quickly improve your organisation’s security:
- Create a unique and strong password for every account, regardless of the account’s importance. Creating a strong password is as easy as choosing three random words, a practice recommended by the National Cyber Security Centre.
- Refrain from reusing passwords across multiple online accounts, especially business accounts. Doing so can risk multiple accounts being compromised if one account has its credentials leaked. Although creating a new password for every account can be hard, a password manager can help you track all your accounts’ credentials safely.
- Turn on two-factor authentication (2FA) for any account that allows it. 2FA is available on most websites, including social media and online shopping sites. Typically, 2FA can be enabled by going to your account settings and then to the security section. If you’re unsure how to enable 2FA for an account, try Googling the website’s name and searching “enable two-factor authentication”.
- Regularly update your devices and software. When a new update is released, the provider will generally release a list of bugs that the update fixes or patches. Hackers take advantage of this and will target internet-facing services that still need to be updated to the latest version. The easiest way to ensure all your devices and software stay up to date is to set them to update automatically. If you cannot do this, ensure you stay updated with the manufacturers of the software or device so that you know when a new critical update is released.
- Back up important data, ideally using the 3-2-1 rule – have three copies on two devices and keep one offsite. Ensure that your backups cannot easily be written to if malware, such as ransomware, were to infect your network. Additionally, keeping a backup completely offline will help you recover data when you cannot access the online backups.
- Keep antivirus and firewalls protecting all your organisation’s devices. Importantly, regular users should not be able to dismiss notifications or warnings from your antivirus or firewall and should be barred from accessing the site or downloading the file the software is warning against.
These steps can quickly take your online world from unsecured to protected, and most only require a look through an account’s settings or a change to how you create passwords.
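As an added illustration (not part of the original article), the sketch below generates a three-random-words password and flags the two weaknesses the 1988 worm relied on: a password taken from the account name or from a short dictionary list. The word list, the dictionary, the 12-character minimum and the function names are all assumptions made for this example.

```python
import secrets

# Constructed sample word list; a real generator needs a pool of thousands
# of words so that three random picks are hard to guess.
SAMPLE_WORDS = ["coffee", "train", "fish", "window", "purple", "ladder",
                "garden", "pencil", "rocket", "bottle", "candle", "tiger"]

# Constructed stand-in for a "short dictionary list" of obvious passwords.
OBVIOUS = {"password", "letmein", "qwerty", "123456", "welcome", "admin"}

MIN_LENGTH = 12  # assumed policy value, not taken from the article


def three_random_words(words=SAMPLE_WORDS, sep="-"):
    """Join three distinct words chosen with a CSPRNG (secrets, not random)."""
    pool = list(words)
    chosen = []
    for _ in range(3):
        # pop() removes the word so the same one cannot be picked twice
        chosen.append(pool.pop(secrets.randbelow(len(pool))))
    return sep.join(chosen)


def weak_password_reasons(username, password, dictionary=OBVIOUS):
    """Return why a password is easy to guess; an empty list means no finding."""
    reasons = []
    user = username.lower()
    pw = password.lower()
    # Treat "alice1" or "password!" like the bare word: trailing digits and
    # "!" add very little against a guessing attack.
    stripped = pw.rstrip("0123456789!")
    if user and (pw == user or stripped == user):
        reasons.append("derived from account name")
    if pw in dictionary or stripped in dictionary:
        reasons.append("in dictionary list")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    return reasons
```

Running `weak_password_reasons` over the accounts in your asset list is a quick way to find the ones that need a new password first.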
Safely Navigating the Online World
While the internet is a great asset to society, it also comes with problems that previously could never have existed. The internet in 1988 did not have phishing attacks, scammers, or malware to anywhere near the extent the internet does today. Because of this, knowing the risks and how to protect yourself against these threats is more important than ever.
Phishing Attacks
Phishing attacks are the first step in most attacks against businesses today and are one of the most prolific forms of attack on the internet. Of the organisations that have identified a breach or attack, 83% were from a phishing attack, according to the UK Government’s 2022 Cyber Security Breaches Survey.
Knowing how to spot a phishing attack is one of the best human-level defences you can have. Many phishing attacks come via email, but you may also see them in direct messaging platforms like text or social media.
The following techniques are typically used in phishing attacks:
- The message sender has an unusual and odd email domain, name, or phone number. Domains used for phishing attacks get taken down regularly, and hackers must quickly cycle through email addresses and phone numbers to get their messages sent out to enough people. With email, this often looks like a misspelling of the company name or individual they are trying to impersonate.
- There are grammatical and spelling errors in the message. You may notice random capital letters, exclamation marks, and spelling mistakes.
- The message encourages you to click on a link or open an attachment. The message may push you to open a PDF, Word, or Excel document. Even if it looks innocent, documents included in phishing attacks often have hidden malware which executes once the recipient opens the document.
- The topic appears urgent or too good to be true. Phishing attacks use urgency in hopes you’ll miss the other obvious signs that the message is fraudulent. This can include mentioning that your account has been closed, your parcel cannot be delivered, or it may involve using a trending news topic to catch your attention.
Phishing attacks may also be specifically targeted at you or your business. These attacks, known as spear phishing attacks, can be harder to spot and are designed to look like genuine business correspondence. They may ask you to fill out a form or approve a financial transaction but will typically have many of the same features as a phishing attack, such as a suspicious or misspelt email name.
Staying safe online also includes keeping your identity safe from cybercriminals and identity thieves. As social media use has skyrocketed in recent years, many threat actors have begun to take advantage of the trust users give their online information. Many phishing attack campaigns have been created because of this, alongside scams that impersonate popular influencers or brands.
Keeping your identity safe online can be done quickly by following some of these steps:
Review Your Privacy Settings
Consider if your social media accounts should be set to private or public – while posting on social media is fun, remember that public accounts on most sites can be seen by everyone, from your friends to your future employers and even malicious users. Take time to consider whether you are happy for your content to be in the public view – if not, consider setting your profile to private or creating a new account just for your family and friends to follow.
Most major social media sites allow for accounts to be set to private, and the following links explain how to change the privacy settings for each website:
Think Before You Post
Everyone can see public accounts, and search engines make finding information about someone incredibly easy. Cybercriminals take advantage of this and can easily target someone sharing their day-to-day life online.
Before you post, think about what information you are sharing and if you want the whole world to know it. For example, posting a photo of your kids before their first day at school is a great way to share the moment with family and friends, but consider that the photo may include your house name or number, the logo and the name of the school your kids go to, and what the front of your home looks like – information that you probably wouldn’t want an online stranger knowing! Posts like these are best shared on private accounts or through direct messages.
Watch Out for Social Media Scams
The rise in social media use has been matched by a rise in social media scams. Cybercriminals take advantage of the trust users place in other users online and have created scams that fit in perfectly with the posting culture of the site they are using.
Some things to keep in mind while online:
- Know who you’re talking to. Scammers use direct messaging as a way to build trust with victims. If someone you don’t know or don’t often talk to online is asking you to click on a link, send money, or buy something, think twice before responding to them. If it is someone you know, consider if they usually send messages this way. If unsure, message the person on another platform to check that it is them.
- Consider if a post is too good to be true. Is someone offering a job that can earn you thousands in just a few months? Or is a post advertising merchandise, technology, or concert tickets for a price cheaper than anywhere else? Before you buy, think about whether the advertised price is realistic. Unfortunately, low prices usually mean the advertisement is a scam.
- Watch out for bot accounts. Most social media platforms make it easy for someone to set up accounts run by bots. These accounts can reply to posts, follow other users, send direct messages, and make posts of their own to look realistic. Often, these bots are designed to attract users to a scam, such as a new cryptocurrency or a company that can get you rich quickly. Some of the most noticeable red flags of a bot account are in its activity – they often don’t have many followers yet follow many accounts. They may reply to many posts with a common phrase or set of words, and those replies will be the same as or similar to the message you received.
If you are concerned that an account is posting links to scams, the easiest way to help prevent anyone else from becoming a victim is to report the profile or content and then block it. If you suspect an account belonging to a friend or family member has been hacked, message them privately on another website or by text to tell them so.