Your Cybersecurity Starter Pack

Basic security best practices to share with your non-technical friend.

Victoria Drake
Oct 18, 2020 · 6 min read

Readers of my blog typically know more about technology and cybersecurity than most people. This article is for most people. If someone you know could benefit from a simple and straightforward cybersecurity starter pack, please share this article with them — it benefits everyone!

My articles are evergreen, but this note is not. If you’re reading this, it means you can still get 3 extra months free with ExpressVPN for Black Friday.

If you’ve ever said to yourself:

“There’s no one targeting lil ol’ me.”

“I have nothing to hide, anyway.”

“I’m too busy to learn all this stuff. Why can’t someone just give me a simple summary of best practices that I can skim in approximately seven minutes?”

First of all, you might want to stop talking to yourself in public. Secondly, here is a simple summary of best practices that you can skim in approximately seven minutes.

Introducing your three-step starter pack

  1. Use a VPN
  2. Use multifactor authentication
  3. Develop a healthy sense of skepticism

I’ll discuss each of these and help you get started with your security upgrade. But first…

Why is cybersecurity important?

Cybersecurity isn’t about finding some magic spell that completely secures your online activities — that would be nice, but it’s unrealistic. Good security practices are about employing some thoughtful habits that make your online activities more secure than the next guy, in much the same way as you learned to lock your front door.

Security breaches and incidents happen every day. Most of them occur because an automated scanner cast a wide net and found a person or company with lax security that a hacker could then exploit. Don’t be that guy.

1. Use a VPN

When you use a Virtual Private Network, or VPN, especially if you often connect to public WiFi, it’s like putting your letters into cryptographically-sealed envelopes and sending them via a special invisible courier service. No one but the intended recipient can read your letters, and no one but you and the courier know to whom the letters are sent.

Encrypted mail still won’t stop you from the accidental reply all, unfortunately.

VPNs prevent others from reading your communications. This may include opportunistic attackers who scan open WiFi, and even your own Internet Service Provider (ISP) who may sell your usage data for advertising dollars.

Choosing a VPN

  1. Is it free? VPNs cost money to operate; if one is offered for free, consider what they might be doing in order to cover their costs. Generally, I recommend avoiding free VPN apps and services; they’ll typically cost you much more than you’ll know. Expect to pay between $5-$10 USD monthly for the service.
  2. Where is it based? Understand where your VPN provider is based, and what that country’s laws allow them to do with your data.
  3. Do they keep logs? Part of the philosophy of using a VPN is that no one has any business getting into your business when it comes to online activities. When a VPN provider keeps logs of your usage, that defeats the purpose. Instead of your ISP knowing just what you’re up to online, that knowledge is simply transferred to the logging VPN. Look for VPN providers with a strict no-logging policy.

I use ExpressVPN. I go into greater detail about choosing a VPN in this post.

2. Use multifactor authentication

Unfortunately, many people still make an attacker's job easier by reusing the same compromised passwords across multiple accounts, putting themselves at further risk.

The answer, at least for now, is multifactor authentication (MFA). MFA is made up of three kinds of authentication factors:

  1. Something you know, like a pass phrase;
  2. Something you have, like a chip pin card or phone; and
  3. Something that you are, like your face or fingerprint.
Also the name of my next beatboxing team.

Two or more of these factors are infinitely better than a password alone, especially if your password is on this list.

Multiple authentication factors are now widely supported by account providers and social media sites. If you have the choice, avoid using text messages, or SMS, as a way of receiving authentication codes. SMS authentication leaves you vulnerable to the SIM swap attack — please direct further questions to Jack Dorsey.

Instead, use a One Time Password (OTP) app such as Authy to generate codes on your device. This ensures that you alone, using that particular device, will have the correct authentication code.

You can also use hardware authentication keys such as the YubiKey, but these aren’t yet as widely supported as OTP apps.

3. Develop a healthy sense of skepticism

While some attacks are easier to spot, others use cognitive biases very effectively and are difficult even for security professionals to avoid. No human is immune.

Ultimately, the weakest link in your cybersecurity defense is you. All the VPNs and MFA on the Internet won’t protect you if a scam can trick you into opening the front gates. Always look a Trojan gift horse in the mouth.


Yes, I know it’s a very nice looking wooden horse. Also free. Did you order it? No? Then it can stay outside.

Develop the habit of second-guessing things delivered to your virtual doorstep. Email, phone, and messaging scams range in sophistication. Even security professionals can fall for a good scam.

One way to protect yourself is to practice a healthy sense of skepticism. Question communications that ask you to click on links or visit a website, even if they come from someone you know or a company you use.

If you’re not certain that your bank or mother sent this email, pick up the phone and call them. Even if you think you are certain, pick up the phone and double check. You don’t call your mother enough, anyway.

Oh, and if the person on the phone is from your local tax office or the IRS or the CRA and they’re about to freeze your accounts because a case of mistaken identity has resulted in you being criminally charged for not repaying a loan on a 600-foot yacht in Malibu, just hang up. You know better than that. Tax agencies don’t have phones.

A safer Internet

If this article piqued your interest, you can go further and outsource your security with a password manager and temporary virtual credit cards.

Cheat sheets and other resources

  • The Electronic Frontier Foundation website Surveillance Self Defense offers many great guides and how-to’s, such as setting up the encrypted messaging app Signal on your mobile device, and protecting yourself on social media.
  • The Cybersecurity and Infrastructure Security Agency (CISA) offers many shareable starter resources.
  • Working from home? The National Security Agency Central Security Service has Telework and Mobile Security Guides that discuss best practices for an unprecedented era of remote work.

For more about privacy, cybersecurity, and reliable cartoon dad jokes, go to victoria.dev or subscribe via RSS.

The Startup

Medium's largest active publication, followed by +756K people. Follow to join our community.

Victoria Drake

Written by

Director of Engineering. Core maintainer, OWASP Web Security Testing Guide. Only a slice of my posts are here. Get the full pie 👉 https://victoria.dev
