5 Ways to Protect Yourself From a Cyberattack
The world is reeling from news of Russia’s attack on Ukraine and its effect on the people of Ukraine and the world beyond its borders. The situation is evolving rapidly[1], but just before the invasion, I got a call from NBC Bay Area business and tech reporter, Scott Budman, for his report on what a Russian attack on Ukraine might mean for us in terms of cybersecurity. His reporting centered on advice for Bay Area locals about what they need to be thinking about in terms of cyberattacks, considering Russia’s use of cyberweapons in Ukraine and beyond. Highlights of our chat made the evening news.
Since the airing of the NBC News piece, people have reached out from near and far to ask me what else they should be doing to protect themselves from cyberattacks. My response? Same thing I said in the extended interview.
I’ve spent more than half of my career studying, tracking, and thwarting cyberattacks against individuals and large corporations alike. How do I take complex attacks — like those that take advantage of kernel-level exploits to turn your smartphone into an unparalleled surveillance device — and distill them into something that anyone can understand? In a nutshell, it’s this…
Cybersecurity can seem hard and complex. It is. Nation-state attackers, device compromise, zero-day exploits? These can be challenging concepts to get one’s head around. Your IT service providers, banks, government agencies, and employers spend millions on cyber-defense in the form of threat intelligence, advanced threat detection, offensive security, and incident response.
But as a consumer, there are actually many simple things you can do to protect yourself. It is not effortless, but it doesn’t require an individual to spend millions of dollars (or a degree in cybersecurity!) to protect yourself and your family from many forms of cyberattack.
Tips for protecting yourself against a cyberattack:
- #1: Routinely install updates on all of your devices. This should include your browsers and your laptop/desktop operating systems (i.e., Windows, MacOS). Check your phone and tablet for updates. On your TV: go to settings and choose “automatically install updates.” Login to your router and apply the latest updates. (If you don’t know how, Google your router name and find instructions from the manufacturer.) Same for your IoT devices. This is, in my opinion, the single most important step for you to take. Why? Because attackers (including highly sophisticated ones) routinely exploit recently-patched vulnerabilities as one of their tactics for gaining residence on your device.
- #2: Don’t click on links in email, text messages or even privacy-minded encrypted messengers, unless you know and trust the sender and you are sure that you’re navigating to a legitimate site. You can no longer find lots of typos or poorly-written English as clues — these days, sophisticated attackers create phishing messages that are very hard to distinguish from real ones. If you’re unsure, call the person and ask if they sent you something, or just ignore it. Some of the most sophisticated cyberattacks I’ve seen in my career cannot deploy if the end-user does not click on a link. The seemingly-legitimate-but-slightly-off link is the attack vector, the front door, for cyberattack.
- #3: Backup your devices. This is one of your best defenses against ransomware — especially if you backup your computer to a device that you keep at home.
- #4: Use a multi-factor authentication app where you can. Use a password manager. If all else fails, use long, complex passwords that you can remember. Do not use the same password for more than one website or service.
- #5: Be vigilant on social media. Limit your use if you can, but if you go there, be extra vigilant. Check the authenticity of your sources. Misinformation thrives on social media, and for decades, Russian adversaries have used misinformation strategically and skillfully[2]. Rely on trusted, mainstream media outlets.
- Bonus Tip #6: Don’t take a picture of a random QR code if you don’t know (in advance) where it’s taking you to — whether it bounces around on your TV or anywhere else unexpected. It is usually ok to access a menu at a restaurant via QR code, but not a random one you may come across unexpectedly. See Tip 2 — if you don’t know where the link, QR code, or bit.ly link will take you, you could be visiting a malicious (or compromised) website. That site might be serving up malware or be part of the threat actor’s next stage of a cyberattack. You may not know if malicious code is being installed on your laptop, tablet, or phone upon visiting the webpage.
There are more precautions to take, including using a Virtual Private Network (VPN), using anti-virus and endpoint security software, special considerations on mobile devices, logging, deletion of data, and so much more.
As a consumer, you can start now with these six actions. That’s because most of the attack vectors that sophisticated nation-state actors use for breaking into our systems require the end-user to make a mistake in one of these six areas. Yes, sophisticated cyber-defenses, IT resources, and industry-specific knowledge are required for governments and organizations to fight well-funded adversaries. But as an individual, these precautions can protect you, your family, and your data without extensive knowledge or a large budget.
[1] The situation is evolving rapidly, and the cyber risk is likely to change as a result. Continue to watch your trusted technical and media sources for up-to-the-minute stories on changing cyber threats and risks relevant to the invasion.
[2] A good read on this topic is Thomas Rid’s Active Measures: The Secret History of Disinformation and Political Warfare.
Kristy Edwards is the president of PrivacyCode Inc, a privacy engineering platform that translates complex privacy policies into consumable tasks for developers. She is a globally renowned expert in cybersecurity, product development, and entrepreneurship with more than 20 years of experience. A lifelong learner, she is also pursuing a Master of Information and Cybersecurity at the UC Berkeley School of Information.
