July 1, 2014 By Derek Brink 5 min read

As consumers, most of us enjoy the innumerable benefits of the Internet — but we also need to pay more attention to protecting ourselves from its many threats. Below are three security best practices that every consumer should be aware of.

According to Cisco’s Virtual Networking Index “Global IP Traffic Forecast, 2013-2018,” by 2018 more than half of the world’s population — globally, nearly four billion users — are projected to be on the Internet, along with a total of some 21 billion devices and connections.

Talk about “the Internet of Everything!” That’s a lot of opportunity for criminals to exploit. From a consumer perspective, the vulnerabilities that cyber criminals are most likely to target for exploit are:

  • Your software (e.g., your operating system, your software applications, etc.)
  • Your digital identities (e.g., your passwords)
  • Your trusting, curious human nature (e.g., your email inbox, your Web-browsing habits, etc.)

If you’re not concerned about the likelihood of such attacks, you should be. IBM X-Force documented 8,330 public disclosures of new security vulnerabilities in 2013 — that’s pretty close to one for every hour of every day, seven days a week, 365 days a year.

If you are concerned about online attacks, there are basic security best practices you can employ to protect yourself:

1. Keep Your Software Up-to-Date

Software has vulnerabilities, and attackers find, target and exploit these vulnerabilities on a daily basis, which is why you need to be diligent about applying the patches and updates that your software providers issue. Most of these updates can be applied automatically, but you should schedule a regular time to review your software “portfolio” and manually apply any patches or updates that, for whatever reason, can’t be automated. Be aware that attackers may try to fool you into installing malware by making you think it’s an update, so be sure to apply only trusted patches that you have accessed directly from the software provider’s website.

2. Be Smart About Your Passwords

How many times have consumers been advised to change their password as a result of some security breach in the first half of 2014? For example, the Heartbleed bug affected dozens of popular consumer sites, including Facebook, Instagram, Pinterest and Twitter, and consumers were advised to change their passwords. A server breach at eBay compromised the passwords and personal information of 145 million subscribers who were advised to change their passwords. Hackers compromised servers at Domino’s Pizza in France and Belgium, exposing the passwords and personal information (as well as pizza topping preferences) of some 650,000 consumers — who were advised to change their passwords.

These examples alone should make it clear why using the same password at multiple sites — unfortunately, a common practice — is not a good idea. When one site is compromised, attackers will often try to use the same credentials to access other sites (we saw this recently in the breach of Club Nintendo). Yes, it’s a pain, but we really should use a unique password for every site.

We obviously need to choose passwords that we can remember, but using just numbers, or words that can be found in the dictionary, is not a good idea. From time to time, large-scale password breaches (such as the one at Yahoo!) provide some fascinating insight into the bad password choices that we make. The top 10 passwords in the Yahoo! breach were: 123456, password, welcome, ninja, abc123, 123456789, 12345678, sunshine, princess, and qwerty. The top 10 base words (the words we start from when we try to make our passwords a bit more tricky) were: password, welcome, qwerty, monkey, jesus, love, money, freedom, ninja and writer.

Perhaps the most important password to keep strong, unique and well-protected is the one for your email account. Why? Because it’s common today for sites to provide consumers with the convenience of self-service password resets based on knowing the answers to security questions such as “what was your first school?” or “what is your mother’s maiden name?” These really aren’t that secure — how hard would it be for anyone to use the power of the Internet to find this information? The point is that these password resets usually require you to respond to an email message sent to your email account of record, so anyone with access to that essentially has access to most of your other online accounts as well.

So yes, it’s a pain, but we need to make sure that our passwords are unique and complex: at least eight characters, including letters, numbers and symbols. Many consumers are turning to password managers to help themselves out with this important but tedious chore.
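The guidance above (at least eight characters with letters, numbers and symbols, nothing from a breached top-10 list, and no dictionary word merely dressed up with digits and symbols) written as the kind of check a site could run when a consumer picks a password. This is an added example, not code from the post: the word lists are the ones quoted above, and the leet-speak substitution table is an assumption about how people typically "make a password trickier".

```python
import re
import string

# Constructed from the Yahoo! breach statistics quoted in the post: the ten
# most common passwords and the ten most common base words.
TOP_PASSWORDS = {"123456", "password", "welcome", "ninja", "abc123",
                 "123456789", "12345678", "sunshine", "princess", "qwerty"}
BASE_WORDS = {"password", "welcome", "qwerty", "monkey", "jesus", "love",
              "money", "freedom", "ninja", "writer"}

# Assumed substitutions people use to make a base word "a bit more tricky".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def base_word(password: str) -> str:
    """Recover the word a password was probably built from: drop the digits
    and symbols tacked on at either end, undo leet-speak, lower-case it."""
    core = password.strip(string.digits + string.punctuation)
    return core.translate(LEET).lower()


def check_password(password: str) -> list[str]:
    """Return the reasons a password falls short of the post's guidance.
    An empty list means it passes every check."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    if password.lower() in TOP_PASSWORDS:
        problems.append("appears in the breached top-10 list")
    elif base_word(password) in BASE_WORDS:
        # Complexity alone is not enough: "P@ssw0rd1!" has letters, digits
        # and symbols but is still just "password" in disguise.
        problems.append(f"built on the common base word '{base_word(password)}'")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd1!", "Welcome2014!", "Xk9#vLp2qR!m"]:
        print(candidate, "->", check_password(candidate) or "OK")
```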

3. Be Aware — Even Suspicious — of Email Attachments and Web Links

Attackers take full advantage of our human nature and engineer their attacks to prey on curiosity, greed, lust, humor and any number of other human characteristics that would get us to open that email attachment, click that link or visit that infected website. The popularity of tiny URLs makes it even easier for attackers to disguise malicious links, and attackers are even known to leverage search engine optimization (SEO) techniques to drive unsuspecting consumers to websites that have been infected with malicious code.

Some of the most basic things you can do to protect yourself include manually typing in the Web address for your bank, for example, as opposed to clicking on the link that purports to take you to your banking website. Most of us have developed a “street sense” about what to buy and whom to trust when we’re visiting a carnival, a street fair or a bazaar; we just need to develop the same street sense when it comes to emails, websites and the bizarre realm of the Internet. Trust your instincts: If it looks or sounds suspicious, it probably is.

That last point is important. Attackers are even using more advanced techniques referred to as “vishing” (a combination of “voice” and “phishing”), which incorporate fake phone numbers into their ecosystem for getting consumers to voluntarily give up private information. For example, you might receive an email requesting that you call a toll-free number, or you might receive a phone call requesting that you call a toll-free number or visit a website, but those numbers and websites were also set up by the attackers. Remember, you can always take a different path to be sure, such as visiting the sites or calling the support numbers that you know to be legitimate.
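The two warning signs this section describes, a link whose visible text purports to lead to your bank while its actual destination is elsewhere, and a tiny URL whose real destination cannot be seen at all, as a check a mail client or gateway could run over an HTML message. This is an added example, not code from the post: the shortener list and the two-label site_name() heuristic are assumptions, and the sample message is constructed using reserved example/test domain names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Well-known public URL shorteners (example list, not exhaustive); a shortened
# link gives the reader no way to see where it really goes.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
# Something in the visible link text that looks like a web address.
DOMAIN_IN_TEXT = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")

def site_name(host: str) -> str:
    """Crude 'site' of a host: its last two labels (mybank.example for
    login.mybank.example). Production code would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    # Collects [href, visible text] pairs for every <a> in the message body.
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
            self.links.append(self._open)
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def suspicious_links(html: str) -> list[tuple[str, str]]:
    """Return (href, reason) for links that hide or misrepresent their destination."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if site_name(host) in SHORTENERS:
            findings.append((href, "shortened URL hides the real destination"))
            continue
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and site_name(shown.group()) != site_name(host):
            findings.append((href, f"text names {shown.group()} but link goes to {host}"))
    return findings

# Constructed sample message; every domain is a reserved example/test name.
SAMPLE_EMAIL = """<p>Please <a href="https://login.mybank.example/">log in to www.mybank.example</a>.</p>
<p>Or use <a href="http://secure-mybank.example-login.test/">www.mybank.example</a>.</p>
<p>Read the notice at <a href="https://bit.ly/xyz">bit.ly/xyz</a>.</p>
<p><a href="https://www.mybank.example/help">Click here</a> for help.</p>"""
```

The first link passes because login.mybank.example and www.mybank.example belong to the same site, and the last passes because "Click here" names no site at all; only the look-alike domain and the shortener are reported.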

Will these three security best practices keep you perfectly safe and secure?

No; being perfectly safe and secure is not possible unless you don’t go online at all. But they’ll go a long way.

When you think about it, these three recommendations are analogous to the things we already know to do with respect to our automobiles: We keep them maintained and up-to-date; we lock our cars and keep the keys safe in our pockets; we try to avoid distractions and pay attention to the task of driving.

Which brings us back to the beginning. As consumers, we enjoy the innumerable benefits of the Internet, but we also need to pay more attention to protecting ourselves from its many threats. As they say, the price of freedom is eternal vigilance.
