Our devices. Whether it's a phone, laptop, or tablet; chances are it contains (or at least has access to) some pretty sensitive information. Think about it. How do you access your bank? Where are your family photos? Your personal messages? What about your work? If your device gets hacked, that information could be destroyed, stolen, or published for the whole world to see. I'm going to give you some tips to help prevent that happening.
We've already covered your online accounts, and now we're going to talk about your devices. I'm going to start by making sure we have the basics covered, and then we'll move on to a few tips that may be less obvious.
1. Always use protection
Yeah, you heard me... but I'm talking about anti-virus. Anti-malware might be more accurate, but most people don't care about the distinction, so I'm going to stick with the "V" word for this article. Sounds obvious, right? Well, sometimes it can be the case that the more you know, the lazier you get. Some tech-savvy people will disable their antivirus, thinking it slows down their computer; but hey, it doesn't matter because the best antivirus is common sense... That's actually true, to a point. Educating yourself will cut down your chances of encountering malware more than any antivirus will. The problem is it doesn't reduce your chances to zero, and once you encounter one you're now wide open. Even if you only visit trustworthy websites, you can't guarantee that one of those good websites won't get breached themselves and have malware embedded on their site without their knowledge. If it's using a zero-day exploit, there's basically nothing you can do. What if you use your laptop on public wi-fi in a coffee shop? Do you trust everyone else's device in that coffee shop? You might think you know better, but do you think all of the other customers know better too? Because if one of them is infected, that malware is going to try and exploit its way onto your computer.
I was once sent to help an organisation that was struggling to contain a malware outbreak. They knew how it started: someone brought an infected laptop back from a foreign trip and plugged it into the network. They knew how it spread: it was exploiting an unpatched vulnerability in a Windows service. They'd patched the vulnerability, disabled the service, and run removal tools on every device on the network; but it just kept reappearing within minutes. Do you want to know why? Two of the senior IT guys had disabled their antivirus, because "they knew better". Well, guess what? Their computers got infected, they didn't realise, and because they were also logged on using admin accounts their computers were sat there installing malware on every device in the network, no exploit required. This was a network with thousands of users. Don't be those guys.
You don't need to spend money on this if it's for personal use. A lot of computers come with some nagware trial rubbish installed that harasses you for payment, but it's just not necessary. There's nothing wrong with a paid product, but there are plenty of free options, and Windows comes with Defender built right in. It's not about having the best or most expensive product. Just use something.
If you're running a business, though, you probably do want to get your wallet out for centralised management and reporting. Free is all well and good until you've got a growing collection of devices that you need to check are up to date and healthy every single day. That's going to become a waste of time pretty quickly, so you'll want to pay for the automation. And before you say "buy a Mac", know that Mac malware is currently growing at a faster rate than Windows malware. Admittedly it's also usually less dangerous, but it's still a good idea to protect yourself. Macs aren't magically immune. The simple fact is that the more popular a platform becomes, the more it's going to get targeted. As Macs grow in popularity this is going to become more of an issue.
2. Use a firewall
I'm talking about the host-based firewall on your device, not your network firewall or the one built into your router. Firewalls get misrepresented a lot on TV, but a basic firewall is not that complicated. Its job is to block network connections to your device, unless you've chosen to allow them. As an example: if you want to stream video from your laptop to your TV, your firewall needs to allow the TV to connect to the media on your laptop. If you go to a coffee shop the firewall shouldn't allow other customers to connect to your photos or your documents as well. Almost any modern device will come with a firewall enabled by default. The problem with firewalls is much the same as the problem with antivirus: a lot of people turn them off! Sometimes people do this at home to try and work around an issue with a game, but this is actually a much bigger problem in the corporate world than it is for home users; and it's all down to laziness.
Here's a typical scenario: an IT admin is rolling out a new application, and for some reason it isn't working. As a troubleshooting step they disable the firewall on their test computer, and suddenly it works. Right. So now they know the firewall is blocking the application, but firewalls are a network thing and they're an apps person, and they need to get this application rolled out today. They could figure out what configuration is necessary to make the firewall play nice, but that would take too long, so instead they roll out the application anyway and disable everyone's firewall. This is a temporary measure, of course. They'll go back and fix it later... Yeah, right! Any IT pro will tell you that there's no such thing as a temporary fix. Once something's working, focus shifts to the next urgent problem, and the temporary fix becomes... kind of permanent.
This is how most disabled firewalls I come across get that way. The problem is that when someone does get around to doing something about it, that could be six months or a year later. But what about all the apps that have been deployed since? Did any of them have a problem with the firewall? The issue now is: nobody knows, because the firewalls were disabled and those apps were never tested with the firewall turned on. This is the situation a lot of IT pros find themselves in. If they enable the firewalls now, they have no idea what might break.
The way to avoid this is obvious. Don't take shortcuts. Do it properly the first time. Chances are though that this wasn't your fault. Maybe you just inherited it. If you are in that situation then the best time to tackle it is now. The problem isn't going to go away. The longer you leave it, the worse it gets, and the more risk you expose your business to.
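One way to tackle an inherited "firewalls are all off" estate on Windows, as an added example that is not part of the original article: find out what is listening before you switch the firewall back on, replace the blanket disable with a scoped allow rule, and log what gets dropped. The application name, path and port are hypothetical placeholders.

```powershell
# Added example: run in an elevated PowerShell session on Windows.

# 1. Which firewall profiles are currently switched off?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, LogBlocked

# 2. What is listening for inbound connections, and which program owns it?
#    These are the apps that may need an allow rule once the firewall is back on.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            Process   = $proc.ProcessName
            Path      = $proc.Path   # empty for system-owned listeners
        }
    } |
    Sort-Object LocalPort -Unique

# 3. The shortcut from the scenario above, shown for contrast and left commented out:
# Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# 4. The scoped alternative: allow one program, on one port, on the trusted
#    profile only. Name, path and port below are placeholders.
$appPath = 'C:\Program Files\ExampleApp\exampleapp.exe'   # hypothetical
New-NetFirewallRule -DisplayName 'ExampleApp inbound (TCP 8443)' `
    -Direction Inbound -Action Allow `
    -Program $appPath -Protocol TCP -LocalPort 8443 `
    -Profile Domain

# 5. Turn the firewall back on and log dropped connections, so anything that
#    breaks shows up in the firewall log instead of as a mystery.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -LogBlocked True
```

Run steps 1 and 2 on a representative machine for each role first; the listener inventory tells you which rules to write before step 5 goes anywhere near production.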
I've heard some IT pros say that it doesn't matter if firewalls are disabled, as long as the device has antivirus installed. This is nonsense. If your firewall is disabled, malware doesn't need to infect your device - it can just grab the data over the network. In fact, there's a good chance it can connect to your device over the network and tell it to switch off its antivirus before it tries to infect it. Guys: remote management is a thing, and the bad guys can use it too.
Let's look at WannaCry as an example: it caused carnage in 2017. Most of the affected machines had antivirus installed. Despite what was widely reported, its spread had very little to do with Windows XP. In fact, the initial version of the WannaCry malware wasn't even compatible with Windows XP! The initial spread happened largely because firewalls had been switched off or misconfigured, allowing the malware to exploit a flaw in a file sharing service that should never have been exposed to the internet in the first place.
Make sure your firewall is enabled. Again, you don't need to buy anything - the one built into your device is sufficient.
3. Keep your software up to date
You don't necessarily need to be on the latest version of everything, but you do need to be on a version that is receiving security updates; and you need to install them. This means your operating system, as well as all of your applications. Some of these will prompt you when updates are available, as long as you've got the option enabled. Others require a little more manual effort.
Every security update has a purpose - a flaw that it fixes. As soon as it gets released, the bad guys are going to analyse the update and try and figure out what flaw it fixed. Then they're going to try and exploit that flaw on any computers that haven't been updated. It's basically an arms race, and you don't want to be the loser. The good news for home users is that it's pretty easy to keep your computer up-to-date, and I'm going to share something that will help with that. For businesses... well trying to keep hundreds or thousands of computers up to date is a whole different challenge; but you need to, because if you look at the high profile hacks that hit the news, they quite often start with out-of-date software. Keeping track of all the updates on your computer can be a major pain, but you can use a tool to help you.
For businesses, there are a lot of options out there and I don't have time to cover them all. You will want to look at a business-focused solution though to give you centralised monitoring and management. For home users, make sure you've got your built-in automatic updates enabled (for most of you that will be Windows Update), and there's a handy little tool called Patch My PC. It'll scan your computer and tell you what needs to be updated. There are more comprehensive solutions, but this one's easy to use; and it's free. It covers the most common software, which is what malware authors are going to be targeting.
4. Use authentication
Those tips will help prevent your device getting hacked over a network; but what if somebody gets physical access to it? The most obvious case being if it was stolen, but also maybe if you sell it on when you're done with it. The first thing you need to make sure you're doing is using a login. Whether that be a PIN, password, or fingerprint; make sure that somebody can't simply pick up your device and access your data. Maybe don't use one of those pattern unlock things where you swipe over the dots... They're not great. Try it yourself - unlock with a pattern swipe, then switch off the screen and hold your phone up to a window. Chances are you can still see the swipe marks left on the screen. Oops!
5. Use encryption
This might stop a casual thief, but there's a saying in cybersecurity that if a hacker can get physical access to your computer, it's no longer your computer. All the firewalls and passwords in the world mean nothing if I can yank out your hard drive and read it in a different computer; or plug in a USB drive and overwrite your password. There are a few things you can do about this, but the most important one is encryption. If you encrypt your drive, then it is highly unlikely anyone will be able to simply yank it and read your data. There are ways of breaching certain types of encryption, and if you're working on something top secret you would need to be aware of that, but your average thief or even your average IT professional is not going to have the specialist skills or equipment to do that.
A lot of consumer devices these days come with support for encryption baked in. If yours has it, turn it on. If your computer doesn't have an option for encryption out of the box then it's still possible to use free tools to encrypt your drives. Just be aware that the user experience may not be as great. If you're a business, then it's honestly not even a question worth discussing. If you have data floating around on unencrypted devices you may as well just publish that data on the internet yourself. Encrypt it!
6. Wipe your device before you sell it
When you come to sell or dispose of your device, make sure that the data on it has been destroyed. If you're a business with a lot of devices to deal with, then there are companies who will do this for you and certify the destruction. If you're a home user, it's probably going to be up to you. There are so many devices out there that I don't have time to properly cover the options. If it's a phone, you're usually looking for a factory reset option. If it's a computer then you either want a secure wipe program, or you can physically destroy the drive itself. The correct way to do each of these is going to depend on what kind of drive you have, and whether you want the device to be usable when you're finished. Not all software is appropriate for all types of drive.
I've got enough to cover this article already, so what I'll do is I'll create a follow-up review showing you how to figure out what type of drive you have, and how you can wipe it securely. For now, just be aware that simply deleting the files doesn't actually destroy them; and the data can be easily recovered using readily available tools.
7. Always have a backup
You can take all the precautions you want. Something can still go wrong; but even if it doesn't, you should have a backup anyway in case your device breaks or gets stolen. A lot of malware these days is what you'd call "ransomware". It encrypts your data, then demands money to get it back. Obviously, you'd prefer not to do that. It costs money. If you do pay, there's no guarantee you'll actually get your data back. Even if you're doing well enough that the money isn't an issue, and they do give you all your files back as promised, you've still funded criminals. I'm not here to judge for that. I know it's a difficult situation if it's the only way to get your precious memories back, or save your business; but we can all agree that you'd rather not be in that position in the first place. If you have a backup then you can simply give them the middle finger, and restore your own files; but it needs to be a proper backup. A lot of computers get sold to consumers with an included backup program; and a lot of these are a complete sham, because they back up your laptop... to your laptop. What's the point of that? If your laptop gets trashed, your backup is trashed too. Your backup needs to go to a physically separate device to be worth anything. That could be a USB drive or cloud storage, or for a business it could be an encrypted backup tape that gets collected and stored off-site. The important thing is that it needs to be offline from the computer or network you're backing up. If you can get to the backup from your computer, then the bad guys can destroy the backup from your computer. For a USB drive, this means you unplug it after each backup is complete. For network storage... well you probably need an extra offline tier as well, or at least some way to make it immutable even to an administrator.
Of course the most secure device in the world is worth nothing if your account itself has been compromised.