John Harrison ACSI, CISI Fintech Forum Committee member and head of information and cyber security at Charles Stanley, outlines some important security measures we can all adopt to help prevent and prepare for cyber attacks
Preventing a cyber attack
Credit score checking
Create an account with a free credit score service and check it regularly, as an unexpected change might indicate a criminal is trying to steal your identity. Pay particular attention to credit application searches; if you see a search that you don’t recognise, this could be because someone has applied for credit in your name. If this happens, contact your bank and Action Fraud.
Email and cloud
An email account is an attractive target. Hacking it allows criminals to reset other online account passwords, impersonate you, amend emails, activate auto-forwarding (so they receive a copy of emails you send or receive), and phish your contacts. Your cloud service accounts, e.g. Office365, are a close second. Use ‘Two Factor Authentication’ for your email accounts and cloud services. Change each account password to something unique, long (>15 characters), and strong (three random words with some numbers and symbols). Never reuse an email or cloud password; criminals have tools that automatically try one compromised password with other popular online accounts.
Insecure email and secure portals
Adopt a zero-trust mindset with emails, messages and calls until you know they're genuine
The global internet is a public network. Standard email sent across the internet is insecure: it can be read or intercepted. Email accounts belonging to individuals are increasingly being hacked. Some websites offer a ‘secure portal’ that provides a safer messaging service than email. With a secure portal the message content stays inside the provider's network: it is not sent across the public internet, meaning the risk of a message being intercepted or tampered with is greatly reduced.
Preparing for a cyber attack
Backup
Always have at least two copies of your data. Upload it to a cloud storage account and/or copy it to another hard drive that you keep nearby (so you can update it easily). If possible, keep a second copy away from your home so it won’t be affected by things like fire, flood or theft.
Consider putting a call recording app on your mobile phone. If a criminal calls you, you will have a recording of the call. This might be useful for Action Fraud (0300 123 2040) or the police.
Clone your hard drive
Cloning takes an exact copy of your computer’s hard drive and puts it on another disk drive. This means that if you have a problem with your computer, like a ransomware attack, you can swap the ruined hard drive for the cloned hard drive. Refresh the cloned drive each time you add or remove programs or update your operating system; otherwise keep it disconnected from your computer and somewhere safe.
Separate your electronic content from your internet-connected computer
Separate your electronic content (photos, video, spreadsheets, documents, purchased software) from your internet-connected computer by moving it to a separate, external hard drive. Then keep this hard drive disconnected (known as ‘air gapped’) from the computer when using the internet. If the computer is attacked by malicious software (‘malware’) or a cyber criminal, only the computer will be affected; the digital content will be safe on the separate hard drive. It is important to also back up your data (see ‘Backup’) and create a copy of your computer’s hard drive (see ‘Clone’).
Passwords
Starting with your email account, make the password long (over 15 characters) and strong (containing numbers, letters and symbols). You can try using three random words that you can remember easily but mean nothing to anyone else. Then replace some of the letters with numbers and symbols.
Only use this password for your email account. Then go through your other important online accounts, those that can complete transactions or hold useful information about you, and do the same for their passwords; crucially, never use a password (or a variation of it) for more than one online account.
A password manager stores all your online passwords in a secure vault that is protected by a single master password (this must be long, strong and not used for any other accounts). This means every website account you have can have a unique password. Password managers can also automatically sign you in when you visit a website, and can check the passwords in your vault and tell you which ones need improvement.
Push payment fraud
This is when a cyber criminal tricks you into sending a payment to their bank account. Try to use a secure payment service like PayPal, or pay by credit card, instead of sending a bank transfer. If you have no other option, always independently verify the bank account details first: never rely on bank account details in an email. You can also keep the balance of the bank account that you use for internet banking at a convenient minimum. That way, if a cyber criminal does transfer money out of it, the amount taken will be much smaller.
Software updates
Keep all your software updated, not just your operating system, e.g. Windows. If you are running Windows 7 or older, upgrade it now, as any new security holes are no longer being fixed by Microsoft and cyber criminals can exploit them.
Two Factor Authentication (2FA)
2FA uses two pieces of information to prove (authenticate) your identity. Your password, ‘something you know’, is the first factor. The second factor will typically be ‘something you have’, like your mobile phone. After entering your username and password, a code is required before the account can be accessed. This might be sent as a text message or generated within an app on your mobile phone. 2FA greatly reduces the likelihood of your account being hacked. An unexpected 2FA code also indicates that a cyber criminal has your password, so you can immediately change it. 2FA is free and straightforward. Activate it for important accounts, starting with email and any cloud services.
People trust unexpected emails, text messages and phone calls until their suspicions are aroused. Protect yourself by instead adopting a zero-trust mindset, in which emails, text messages and phone calls are not believed until proven genuine. If you receive an email, text or phone call that is a) unexpected and b) asking you to do anything at all, even if it’s from someone you trust, like a tradesperson or a friend, pause and consider the possibility that it might be a cyber criminal. Independently verify the sender by, for example, contacting them using details obtained from a search engine or official website.