July 1, 2014 By Derek Brink 5 min read

As consumers, most of us enjoy the innumerable benefits of the Internet — but we also need to pay more attention to protecting ourselves from its many threats. Below are three security best practices that every consumer should be aware of.

According to Cisco’s Virtual Networking Index “Global IP Traffic Forecast, 2013-2018,” by 2018 more than half of the world’s population — globally, nearly four billion users — are projected to be on the Internet, along with a total of some 21 billion devices and connections.

Talk about “the Internet of Everything!” That’s a lot of opportunity for criminals to exploit. From a consumer perspective, the vulnerabilities that cyber criminals are most likely to target for exploitation are:

  • Your software (e.g., your operating system, your software applications, etc.)
  • Your digital identities (e.g., your passwords)
  • Your trusting, curious human nature (e.g., your email inbox, your Web-browsing habits, etc.)

If you’re not concerned about the likelihood of such attacks, you should be. IBM X-Force documented 8,330 public disclosures of new security vulnerabilities in 2013 — that’s pretty close to one for every hour of every day, seven days a week, 365 days a year.

If you are concerned about online attacks, there are basic security best practices you can employ to protect yourself:

1. Keep Your Software Up-to-Date

Software has vulnerabilities, and attackers find, target and exploit these vulnerabilities on a daily basis, which is why you need to be diligent about applying the patches and updates that your software providers issue. Most of these updates can be applied automatically, but you should schedule a regular time to review your software “portfolio” and manually apply any patches or updates that, for whatever reason, can’t be automated. Be aware that attackers may try to fool you into installing malware by making you think it’s an update, so be sure to apply only trusted patches that you have accessed directly from the software provider’s website.

2. Be Smart About Your Passwords

How many times have consumers been advised to change their password as a result of some security breach in the first half of 2014? For example, the Heartbleed bug affected dozens of popular consumer sites, including Facebook, Instagram, Pinterest and Twitter, and consumers were advised to change their passwords. A server breach at eBay compromised the passwords and personal information of 145 million subscribers who were advised to change their passwords. Hackers compromised servers at Domino’s Pizza in France and Belgium, exposing the passwords and personal information (as well as pizza topping preferences) of some 650,000 consumers — who were advised to change their passwords.

These examples alone should make it clear why using the same password at multiple sites — unfortunately, a common practice — is not a good idea. When one site is compromised, attackers will often try to use the same credentials to access other sites (we saw this recently in the breach of Club Nintendo). Yes, it’s a pain, but we really should use a unique password for every site.

We obviously need to choose passwords that we can remember, but using just numbers or words that can be found in the dictionary is not a good idea. From time to time, large-scale password breaches (such as the one at Yahoo!) provide some fascinating insight into the bad password choices that we make. The top 10 passwords in the Yahoo! breach were: 123456, password, welcome, ninja, abc123, 123456789, 12345678, sunshine, princess, and qwerty. The top 10 base words, when we try to make our passwords a bit more tricky: password, welcome, qwerty, monkey, jesus, love, money, freedom, ninja and writer.

Perhaps the most important password to keep strong, unique and well-protected is the one for your email account. Why? Because it’s common today for sites to provide consumers with the convenience of self-service password resets based on knowing the answers to security questions such as “what was your first school?” or “what is your mother’s maiden name?” These really aren’t that secure — how hard would it be for anyone to use the power of the Internet to find this information? The point is that these password resets usually require you to respond to an email message sent to your email account of record, so anyone with access to that essentially has access to most of your other online accounts as well.

So yes, it’s a pain, but we need to make sure that our passwords are unique and complex: at least eight characters, including letters, numbers and symbols. Many consumers are turning to password managers to help themselves out with this important but tedious chore.
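The two password rules above (unique per site; at least eight characters with letters, numbers and symbols, and not built on a common word) can be checked mechanically. The following is an added example, not code from the article or from IBM: it blocklists the exact top-10 passwords and base words the article quotes from the Yahoo! breach, undoes the usual “tricky” substitutions (0 for o, @ for a, and so on) before looking for a base word, and flags any password that a constructed password-manager export reuses across sites. The blocklists, the substitution table and the sample vault are constructed for the example.

```python
import re

# Lists quoted in the article from the Yahoo! breach (constructed here as sets).
TOP_PASSWORDS = {"123456", "password", "welcome", "ninja", "abc123", "123456789",
                 "12345678", "sunshine", "princess", "qwerty"}
COMMON_BASE_WORDS = {"password", "welcome", "qwerty", "monkey", "jesus", "love",
                     "money", "freedom", "ninja", "writer"}

# Substitutions people use to make a base word look "tricky" (constructed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lowercase, undo leet substitutions and drop non-letters to recover the base word."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password, blocklist=TOP_PASSWORDS, base_words=COMMON_BASE_WORDS):
    """Return the list of problems with a password under the article's rules; empty means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    if password.lower() in blocklist:
        problems.append("in the breach top-10 list")
    base = normalize(password)
    for word in sorted(base_words):
        if word in base:
            problems.append(f"built on the common base word '{word}'")
            break
    return problems


def find_reused(vault):
    """Given {site: password} (e.g. a password-manager export), return
    {password: [sites]} for every password used at more than one site."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd1!", "correct-Horse7battery!"):
        print(candidate, "->", check_password(candidate) or "OK")
    # Constructed vault: the shop and forum share a password.
    sample_vault = {"shop": "Tr0ub4dor&3", "forum": "Tr0ub4dor&3", "mail": "9v!Lq#pR2zWe"}
    print(find_reused(sample_vault))
```

`P@ssw0rd1!` satisfies the length and character-class rules yet is still rejected, because after normalization it is just “password” with decoration; that is the article’s point that a dictionary word made “a bit more tricky” is not a strong password. A real deployment would swap the ten-entry sets for a full breached-password list.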

3. Be Aware — Even Suspicious — of Email Attachments and Web Links

Attackers take full advantage of our human nature and engineer their attacks to prey on curiosity, greed, lust, humor and any other number of human characteristics that would get us to open that email attachment, click that link or visit that infected website. The popularity of tiny URLs makes it even easier for attackers to disguise malicious links, and attackers are even known to leverage search engine optimization (SEO) techniques to drive unsuspecting consumers to websites that have been infected with malicious code.

Some of the most basic things you can do to protect yourself include manually typing in the Web address for your bank, for example, as opposed to clicking on the link that purports to take you to your banking website. Most of us have developed a “street sense” about what to buy and whom to trust when we’re visiting a carnival, a street fair or a bazaar; we just need to develop the same street sense when it comes to emails, websites and the bizarre realm of the Internet. Trust your instincts: If it looks or sounds suspicious, it probably is.
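The advice to type your bank’s address yourself rather than click a link comes down to one question: does the link actually go where it claims? The following added example (not code from the article or from IBM) inspects a link the way a cautious reader would, without visiting it: it flags URL shorteners that hide the destination, link text that shows one domain while the href goes to another, a lookalike host such as `examplebank.com.attacker.example`, and the userinfo trick (`https://examplebank.com@...`). The shortener list and the bank and attacker domain names are constructed for the example, and the registrable-domain helper is a deliberate simplification (it assumes the last two labels are the owner’s domain, which a real checker would replace with a public-suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed, incomplete list of link-shortener hosts; a real checker would use a maintained list.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

# Matches a domain name that appears in the visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def registrable_domain(host):
    """Crude owner-domain extraction: the last two labels (assumption: enough for these examples)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(href, display_text, expected_domain):
    """Return reasons to distrust a link that claims to lead to expected_domain; empty means no red flags."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        reasons.append(f"scheme is '{parsed.scheme}', not https")
    if host in SHORTENERS:
        reasons.append(f"'{host}' is a URL shortener; the real destination is hidden")
    elif registrable_domain(host) != expected_domain.lower():
        reasons.append(f"link goes to '{host}', not to {expected_domain}")
    # Anything before '@' in the authority is userinfo; browsers ignore it, people do not.
    if "@" in parsed.netloc:
        reasons.append("URL contains userinfo before '@', which disguises the real host")
    # Visible text that names a domain different from the real one is the classic disguise.
    shown = HOST_IN_TEXT.search(display_text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"text shows '{shown.group(1)}' but the link goes to '{host}'")
    return reasons


if __name__ == "__main__":
    # Constructed links as they might appear in an email.
    samples = [
        ("https://www.examplebank.com/login", "www.examplebank.com", "examplebank.com"),
        ("http://examplebank.com.attacker.example/login", "www.examplebank.com/login", "examplebank.com"),
        ("https://bit.ly/abc123", "Reset your password", "examplebank.com"),
        ("https://examplebank.com@attacker.example/", "examplebank.com", "examplebank.com"),
    ]
    for href, text, expected in samples:
        print(href, "->", inspect_link(href, text, expected) or "no red flags")
```

Only the first sample comes back clean; the other three each trip at least one check, which is the same judgement the article asks you to make by eye before clicking. Note that the shortener check cannot say the destination is bad, only that it is unknowable without visiting it, which is exactly why the article recommends typing the address yourself.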

That last point is important. Attackers are even using more advanced techniques referred to as “vishing” (a combination of “voice” and “phishing”), which incorporate fake phone numbers as part of their ecosystem for getting consumers to voluntarily give up private information. For example, you might receive an email requesting that you call a toll-free number, or you might receive a phone call requesting that you call a toll-free number or visit a website, but these numbers and websites are also set up by the attackers. Remember, you can always take a different path to be sure, such as visiting the sites or calling the support numbers that you know to be legitimate.

Will these three security best practices keep you perfectly safe and secure?

No; being perfectly safe and secure is not possible unless you don’t go online at all. But they’ll go a long way.

When you think about it, these three recommendations are analogous to the things we already know to do with respect to our automobiles: We keep them maintained and up-to-date; we lock our cars and keep the keys safe in our pockets; we try to avoid distractions and pay attention to the task of driving.

Which brings us back to the beginning. As consumers, we enjoy the innumerable benefits of the Internet, but we also need to pay more attention to protecting ourselves from its many threats. As they say, the price of freedom is eternal vigilance.
