Top 5: Essential Cybersecurity

These are the simplest and most effective security practices I recommend for individuals looking to bolster their personal cybersecurity and minimize the likelihood or impact of a cyber attack against them.

1. Use a Password Manager

Real Life Example:

Someone I knew was phished - they had their credentials stolen for a company user account. This happens a lot more than you think, especially to workers in non-tech industries.

Username: john doe

Password: goldfish99

This is bad enough - a threat actor has access to your company account!

But worse is that this leaked credential could be reused for many other accounts, including their social media, dating apps, email… obviously the impact of just this one leaked credential is much more catastrophic.

This individual had a very bad (yet common) habit of Password Reuse. This allowed for a Password Reuse attack to be successfully performed against many sensitive accounts - leading to their ex receiving Instagram messages 😱

Trying to remember all of your account credentials inevitably leads to PASSWORD REUSE

So how do we eliminate Password Reuse? Through using a Password Manager.

Instead of having to remember every single username + password for all your accounts, you now only need to remember a strong master password to access the password manager, which can securely store and retrieve all of these login details for you. Neat.

This not only makes it easy to defeat Password Reuse Attacks since you don’t need to repeat the same password for the sake of memory - it also allows for the use of much stronger passwords as well.

PREVIOUS PASSWORD: GOLDFish99

NEW PASSWORD: *uscvlp3x#qve%1pr@$u

Having more secure passwords makes other attacks, where attackers try to guess or “crack” your password, infeasible.

See how hard this password would be to guess? Our password manager made it for us

No need to remember all those passwords - just remember your Password Manager credentials

Rewind: How would it have ended differently?

If this person, John Doe, had migrated their account credentials to a Password Manager and then regenerated secure passwords for all of their accounts, even if the attacker phished their company user account - they would try to use the stolen password for John’s social media, dating apps, bank account… to no avail. It wasn’t reused across multiple accounts, so the attack ends there. They may try to guess further passwords, but the passwords are very strong due to their length and complexity, so that’s not gonna happen. The damage is contained to just this company account.

Not ideal, but WAY LESS catastrophic. No embarrassing messages to your ex 😉

I personally find NordPass a very intuitive Password Manager to use and relatively cheap. There are also plenty of free options to look into.

This is your first priority - migrate all your passwords to a Password Manager and regenerate secure passwords (at least for sensitive/important accounts).

2. Enforce 2FA

Real Life Example:

Remember John Doe? They got their company account password stolen. With use of a Password Manager, the attacker can’t access any other accounts than this company account. Which is an improvement on before.
But even better would be to secure sensitive accounts, like this company account, so that a password alone isn’t enough to gain access.

A password is known as a factor of authentication - basically a method for proving you are who you say you are. It is something you know. If the attacker knows it, they can pretend to be you.

Single Factor of Authentication (Password)

We need a second, completely different method for proving you are actually you - what about something that you have? It would be extremely hard for an attacker to learn my password and then ALSO steal something I have.

This would be known as a second factor of authentication (2FA) - most commonly done by proving you have physical access to a device that belongs to you:

  • Smartphone

  • Tablet

There are many time-based code generating applications, which generate short codes that change every 30-60 seconds. The device we own and have access to has an application installed which synchronises this code with the account we are securing. This code simply proves we own and can access a device that the attacker can’t.

For example, we set up 2FA for our company email account by installing an authenticator app that generates these short-lived codes, synchronize it with our company email account, and now a correct code from our smartphone or tablet is required after giving the correct password. Two factors of authentication!

Second Factor of Authentication (Time-based Code on Smartphone) now needed
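How the code on the phone and the check on the account’s server stay in sync, as an added Python example that is not from this post: both sides hold the same shared secret (the string behind the enrolment QR code; the one below is constructed) and derive the current code from it plus the time, per RFC 4226/6238.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret. In practice this is the base32 string behind the
# QR code shown when you enrol an account in the authenticator app; it is the
# one thing shared between the app on your phone and the account's server.
SHARED_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second windows
    since the Unix epoch, so the code rolls over every 30 seconds."""
    return hotp(base64.b32decode(secret_b32.upper()), at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int,
                step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """Server-side check performed after the password was correct: accept the
    code for the current window and `drift` windows either side (phone clocks
    skew), comparing in constant time. Without the secret, an attacker who
    phished the password cannot compute any of these values."""
    if len(submitted) != digits:
        return False
    for window in range(-drift, drift + 1):
        expected = totp(secret_b32, at + window * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SHARED_SECRET_B32, now)
    print("phone shows:", code, "- valid for", 30 - now % 30, "more seconds")
    print("server accepts it now:", verify_totp(SHARED_SECRET_B32, code, now))
    print("same code 2 minutes later:", verify_totp(SHARED_SECRET_B32, code, now + 120))
```

The constructed secret is the RFC 6238 reference secret, so the codes it produces can be checked against the published test vectors.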

Note: Some accounts won’t be able to enforce 2FA. But usually sensitive accounts like email, bank, social media… all have this capability.

Any reputable authenticator app will work. I recommend installing it on your smartphone as this is usually on us. Google Authenticator, Microsoft Authenticator and Okta are all good options. Google search how to set up 2FA for your email, banking, social media… they will guide you through the exact process.

Rewind: How would it have ended differently?

The attacker is still able to steal John’s company account password. Damn.
But when they try to log in to John’s company account, they are prompted for an Authenticator Code. This wasn’t part of the plan - they don’t have access to John’s smartphone. They don’t know who John is or where John lives. The password alone is useless to the attacker 😎

3. Assess domain legitimacy

Real Life Example:

How did John’s password even get stolen in the first place?

Well, he thought he was signing into the JohnDoeCompany company portal, but it wasn’t the real website. It was made by an attacker to steal whatever login information he entered.

This is not the real company website!

Obviously this is a silly example, with the domain

attackerowneddomain[.]com

being the domain chosen by the attacker to host this website.
Think of the domain as the part of the URL that represents a single website.

http[://]attackerowneddomain[.]com/signin

It is the part of the URL after http:// or https:// and before the next / to its right. We must pay special attention to the domain of the URL when evaluating whether it is legitimate or malicious.

First, does the domain have any spelling errors or weird grammar?

LEGIT: johndoecompany[.]com

EVIL: johnnnnndoeecompany[.]com


Second, does the domain match the actual domain of the website? Run a Google search and see if the domain that returns is the same.

Third, navigate to VirusTotal and paste the domain there. If marked as malicious, the domain is likely not the real one or is untrustworthy.

VirusTotal marks this domain as malicious (this is a made up example)
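The first two checks, carried out in code as an added Python example that is not from this post: pull the domain out of a URL exactly as described above (the text after http:// or https:// and before the next /, accepting the defanged http[://]x[.]com notation used here) and compare it with the domain you expect. The expected domain and the sample URLs are constructed from the post’s examples.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# The real portal domain John expects to be logging into (constructed).
EXPECTED_DOMAIN = "johndoecompany.com"


def extract_domain(url: str) -> str:
    """Return the domain of a URL: the text after http:// or https:// and
    before the next '/'. Accepts the defanged http[://]x[.]com notation.
    Any user@ prefix and :port are NOT part of the domain."""
    url = url.strip().replace("[://]", "://").replace("[.]", ".")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    return parts.hostname.rstrip(".")  # hostname is already lowercased


def classify(url: str, expected: str = EXPECTED_DOMAIN) -> str:
    """'expected'  : exactly the real domain or a subdomain of it
       'lookalike' : the real domain buried in, or misspelled as, the host
       'unrelated' : some other domain entirely (still not to be trusted)"""
    host = extract_domain(url)
    if host == expected or host.endswith("." + expected):
        return "expected"
    # johndoecompany.com.attackerowneddomain.com: real name inside the host
    if expected in host:
        return "lookalike"
    # johndoecompannnnny.com: only a few characters away from the real domain
    similarity = SequenceMatcher(None, expected, host).ratio()
    return "lookalike" if similarity >= 0.8 else "unrelated"


if __name__ == "__main__":
    for sample in (
        "https://portal.johndoecompany.com/signin",
        "http[://]johndoecompannnnny[.]com/signin",
        "http[://]attackerowneddomain[.]com/signin",
        # the real name before an '@' is a username, not the domain
        "http://johndoecompany.com@attackerowneddomain.com/signin",
    ):
        print(f"{classify(sample):10} {sample}")
```

Only “expected” should ever receive a password; “lookalike” and “unrelated” are both reasons to close the page, and “lookalike” is the spelling-mistake case from the first check above.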

Rewind: How would it have ended differently?

The attacker set up a fake login page at http[://]johndoecompannnnny[.]com/signin to try to steal John’s company password.
When John is sent a link to this website, he looks carefully and notices it looks a bit suspicious: it has weird spelling mistakes, doesn’t match the website returned by a Google search and is flagged as malicious by VirusTotal. He chooses to exit the webpage without entering any details. The attacker doesn’t steal John’s password 😊

4. Device Locking

Real Life Example:

John is eating overpriced avo toast at a café while doing some life admin on his laptop. He gets up to grab some napkins, leaving his laptop open and unlocked.
Someone passes by and notices he is logged into his work email account. They send a profane email to the HR team and run away giggling.

One of the biggest cybersecurity risks individuals face is a threat actor accessing their physical devices while they are still unlocked. They may already be logged into sensitive applications like email, banking and social media, and much damage can be done. It is simple but vital that we maintain good habits and controls to ensure our devices are locked when unattended.

First, make sure that all personal or company devices are locked using a secure, memorable password or a secure biometric gesture (like fingerprint scan).

Second, set a Lockout setting within the device, so that after a short duration of inactivity, like 1-2 minutes, the device will lock and require authentication to access again.

Third, always lock devices when leaving them unattended. Ideally, take your device with you. But if you can’t, lock it manually before getting up and leaving. Keyboard shortcuts can be used on computers, whereas hardware buttons are usually used on smartphones and tablets.

Rewind: How would it have ended differently?

Before John gets up to grab napkins, he types a keyboard shortcut to lock his laptop.
The mischievous stranger sees the lock screen shown on the laptop and passes by without accessing the laptop 🔒

5. Keep Devices Up-To-Date

Real Life Example:

John constantly forgets to update his laptop to the latest Operating System. It is years behind where it should be and lacks the latest bug and security updates pushed by vendors.
A hacker tries to exploit vulnerabilities found on John’s dated laptop and is able to control the laptop remotely. They steal John’s photos and documents, and publish them online without John’s permission or knowledge.

As new vulnerabilities (weaknesses) are found in devices, the manufacturers of those devices or Operating Systems push out timely updates to fix them. This prevents the vulnerability from being exploited for malicious purposes by a hacker.

We should strive to keep our devices up-to-date with these updates, by enabling automatic updates within device settings. This greatly reduces the number of known vulnerabilities a hacker can use to try to compromise your device.

Setting my MacBook Pro to enable automatic updates

Rewind: How would it have ended differently?

John’s devices, including his laptop, automatically update because he ensured the settings enforced this.
When a hacker tries to find common, known vulnerabilities in John’s laptop, they find no success with their usual easy ways in. Too much effort, and they move on to a new victim 👏

Thoughts?

While these are my personal top 5 recommendations for bolstering personal cybersecurity, I would love to hear if you agree or believe there are some other controls or habits that may be more important.
