6 Simple Ways to Lower Your Internet Risk
A few weeks back, this March, the Internet turned 100000 [efn_note]100000 in binary equals 32, for those who don’t want to count zeros.[/efn_note]. At least what we generally call the Internet, i.e. the World Wide Web, which was proposed in 1989 by Tim Berners-Lee at CERN as a radical new way of linking and sharing information.
The Web changed our life in lots of ways. For example, it’s currently hard to imagine how the still ongoing pandemic with its lockdowns and other restrictions would have turned out without the option for many to work, shop and even meet online via the Web. But the Web also opened the door for whole new groups of risk.
Mark already highlighted some aspects inherent in the social media layer of the Internet. But cyberrisk – the term we coined for the risks of being connected – goes much deeper, and it affects all of us, with very few exceptions for truly off-the-grid people.
On the surface, cyberrisk issues seem to mainly affect large companies, as highlighted by major data leaks that were reported in the recent past and that hit millions of users. But while it is true that large hacks make better news (and probably generate more fame for the hacker), smaller organizations where data are less well protected, or private citizens, have the same or even higher cyberrisk.[efn_note]The fact that cyberrisk seems to be larger for larger companies is a form of cognitive bias called “availability bias”. It is similar to the perception that flying is more dangerous than driving, even though it is much safer – a plane crash is highly publicized and more people die at once.[/efn_note]
I just had a quick look at a study I wrote about this a while back, where we surveyed organizations on their cyberrisk preparedness, with some concerning results. Around half of the organizations surveyed had been affected by a cyber incident, most of which had caused real financial damage, but only 42% did regular risk assessments, and a measly 14% had an institutionalized risk management program for cyber. Those numbers were hardly higher for those organizations that had actually had a breach. And these are large organizations (with more than US$ 50m revenue) we are talking about. Even though the data are a few years old now, I don’t expect the situation to have progressed all that much.
While actual black hat hacks are great for movies, they are just the tip of the iceberg in terms of cyber-incidents. I haven’t found exact numbers (especially since the dark figure is high) but my guess is that the vast majority of damage caused is less due to a technological break-in and more to modern forms of social engineering. Probably most well known is the advance-fee or 419 scam, which most people will know by the name of “Nigerian prince scam”.[efn_note]The scam neither originated in Nigeria nor are the majority of scammers located there, but the name still stuck.[/efn_note] In this con, people will receive an email with a promise of large sums of money from dubious sources, but to get the transfer started the victim will need to advance a modest amount of money to pay for bribes, fees or whatever. Surprisingly, this works often enough to be a worthwhile endeavor for would-be scammers; I guess there is still a sucker born every minute.[efn_note]As an exercise in reversing gullibility, “419 baiting”, i.e. scamming the scammers, has become something of an Internet sport, with whole websites devoted to it.[/efn_note]
Other, more sophisticated scams prey on users’ lack of tech savvy. For example, when opening an innocuous-seeming website, the user gets a popup warning of a computer virus infection with the advice to call a “tech support hotline”. The user is then coaxed into giving the “tech specialist” remote access to their computer to “fix” the issue – bingo!
Whatever the scamming or hacking method, all exploit the connected user’s lack of protection, attention or knowledge, i.e. the lack of cyberrisk awareness. That is surprising, because a few fairly simple principles can keep the vast majority of people reasonably “cyber-safe”:
1. Whether computer, tablet or smartphone, never click on any unsolicited link, even when it looks like it’s coming from a reputable source such as your bank or PayPal. Some phishing emails can look quite real, but your bank would never ask you to click on a link they send you and enter your ID/password there.
2. The same goes for unsolicited calls. Offers that sound too good to be true ARE too good to be true 99.99% of the time.
3. Maintain reasonable password security. That means not having the same password for everything on the Internet, having passwords that are hard to guess (the more random the better) and ideally changing them regularly. Considering the number of websites where we tend to have accounts nowadays, that sounds like a bit of a chore, but password safes like KeyPass (which I personally have been using for years) make the task relatively straightforward.[efn_note]For me, the passwords I can choose on my own are always random-looking combinations of numbers and upper-/lower-case letters. They aren’t random, though – I have an algorithm that allows me to create an (almost) unique high-strength password for each site while still being able to remember, or rather derive, all of them. I still need KeyPass for the accounts that don’t allow my own password.[/efn_note]
4. Don’t do anything sensitive on public networks, whether on a computer in an Internet cafe or via the public Wi-Fi at Starbucks. At a conference a few years back I heard a really interesting talk by Tony Sales, “Britain’s greatest fraudster”, who laid out how easy it is for intruders to listen in to your device on these open channels.
5. On social networks, don’t share information that you don’t want a criminal to have about you. Example: posting your address with an additional “by the way, I am going on vacation tomorrow”. A few years ago people could be excused for believing their data was secure on social networks, but that time is long past. In my personal netiquette I go a lot further: never post anything you wouldn’t want the recruiter at your next job interview to know about you.[efn_note]Stuff you put up on the Internet almost never disappears.[/efn_note]
6. Invest some time and/or money in checking out anti-virus software, again for all devices, and then install and maintain it – and of course have it run regularly.
None of these measures on their own will reduce cyberrisk to zero – a truly determined attacker will always find a way to get at your data – but in combination it makes you be more of a hassle as a target than most fraudsters are willing to shoulder. Worked for me so far, and I have been online since 1994...[efn_note]Remember those old modems with the screechy noise?