There are many sources out there on staying safe online, best practices and so on, but they mostly only tell you how to do this in your personal setting. So, I have put together a few of my own thoughts on the ones that I feel are most important and impactful, and that apply to both business and personal life. I want to address these online best practices from a security standpoint, covering personal and professional tips, as we are now at a stage where we all have computer devices of some sort in our lives. It goes without saying how important it is to protect yourself in both environments; the consequences could be heavy and damaging, especially financially.
If you work in a SOC or Information Security role, I feel that you should be sending out these kinds of updates to your employees, and to your clients if that applies. You should be the ones raising awareness. I feel that doing this is a given in the role, but it is also a way to promote your sector of the business and get people talking about it, because this is where the future is.
As mentioned, I am going to discuss a few of the ideas I have had around what you can do to stay safe online, how you can do it, and my own best practices for staying safe online, both personal and professional.
First and foremost, I think what you can do to spread the message is quite simple. Use common communication methods such as:
– Security bulletins and/or advisory notices
– Company social media (Yammer, for example)
– Campaigns
– Training courses / videos
– Weekly / monthly updates
– Carefully choosing the timing of your posts and tailoring them to upcoming events, both calendar and political.
A security bulletin is a good method and could be done via an email to all staff, or even pushed out to clients if that is your goal. Keep it to the point: what it is, what it looks like, and what to do. For example, a phishing campaign around Black Friday deals. Your bulletin would address what the campaign is, how it operates and what it looks like, and what you should do (typically, report it).
Company social media is becoming a trend now, whereby business updates are posted to a page and users can interact with them. This is the perfect space to get your message out and let users get involved, like they would with their own social media. Keep it to what they know rather than confusing things.
You could run campaigns to raise awareness around Cyber Security attacks and log all the results. The most common is a phishing campaign where only a select few users are notified in advance. You can then collate the results to see who clicked the link(s), who reported it, and so on. These results are invaluable to the organisation, as you can identify the weak links and provide support as and where required. Furthermore, it also lets you test how your teams respond and react! But, linking back to this post, you will understand why I say to be proactive and preventative.
This then leads us on to training. User awareness training is essential for covering the basics of common Cyber Security attacks and how people will try to take advantage for their own benefit or gain. This training is transferable and will stick with the user both professionally and personally. I’ve told people about things I’ve seen, and they have then noticed anomalies themselves, and the message has continued to travel. It’s almost like a game of Chinese whispers! The most common target in a Cyber Attack is the end user, so address it straight away by delivering awareness training to your organisation!
Weekly and/or monthly updates can also be linked to the final point around the timing of your posts. You may wish to do a periodic update around Cyber and what is common and being seen out in the wild, and you could tie in calendar events, such as sending a notice out in February around Valentine’s scams, December for Christmas scams, and so on.
I think if you are going to do this you should also aim to gather further information that complements your work and gives back to your organisation. From the statistics you gather, start to piece together how many users reported a security incident (breach, phishing, lost/stolen equipment etc.) and do a trend analysis to find out how successful your work was, as well as promoting and celebrating the end users’ skills. Looking at the results could prompt the security team to become more prominent in raising awareness, or to tweak the information/training if the results were poor; or it could be the opposite, in that the users have paid attention and are contributing to the greater good and to a secure working environment.
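The phishing campaign and trend analysis described above need the results collating before anything can be learned from them. This is an added example, not code from the original post; the campaign log format and every user, department and timestamp in it are constructed for illustration.

```python
"""Collate the results of an internal phishing simulation: who clicked, who
reported, and how each department fared, so the security team can see where
support is needed. Added example, not from the original post; the campaign
log format and every user in it are constructed for illustration."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed event log: one row per user action during the simulated campaign.
CAMPAIGN_LOG = """\
timestamp,user,department,event
2023-11-24T09:01:00,alice,finance,delivered
2023-11-24T09:02:10,alice,finance,reported
2023-11-24T09:01:00,bob,finance,delivered
2023-11-24T09:05:43,bob,finance,clicked
2023-11-24T09:01:00,carol,sales,delivered
2023-11-24T09:07:12,carol,sales,clicked
2023-11-24T09:09:00,carol,sales,reported
2023-11-24T09:01:00,dave,sales,delivered
2023-11-24T09:01:00,erin,it,delivered
2023-11-24T09:03:30,erin,it,reported
"""


def summarise(log_text):
    """Return ({department: {"delivered", "clicked", "reported"}}, follow_up).

    follow_up lists users who clicked the link and never reported the message,
    the weak links the post says to support first. A user who clicked but then
    reported still counts as a click, since a credential may already be gone.
    """
    events_of = defaultdict(set)  # user -> set of event names seen
    dept_of = {}
    for row in csv.DictReader(StringIO(log_text)):
        events_of[row["user"]].add(row["event"])
        dept_of[row["user"]] = row["department"]

    stats = defaultdict(lambda: {"delivered": 0, "clicked": 0, "reported": 0})
    follow_up = []
    for user, events in events_of.items():
        dept = stats[dept_of[user]]
        dept["delivered"] += 1
        dept["clicked"] += int("clicked" in events)
        dept["reported"] += int("reported" in events)
        if "clicked" in events and "reported" not in events:
            follow_up.append(user)
    return dict(stats), sorted(follow_up)


def rate(stats, dept, key):
    """Percentage of a department's recipients who performed `key`."""
    counts = stats[dept]
    return round(100.0 * counts[key] / counts["delivered"], 1) if counts["delivered"] else 0.0


if __name__ == "__main__":
    stats, follow_up = summarise(CAMPAIGN_LOG)
    for dept in sorted(stats):
        print(f"{dept:8} clicked {rate(stats, dept, 'clicked'):5.1f}%  "
              f"reported {rate(stats, dept, 'reported'):5.1f}%")
    print("needs follow-up:", ", ".join(follow_up))
```

Running the same summary over each campaign and keeping the per-department rates gives the trend the post asks for, and the follow-up list is who to offer support to first.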
Level 1: Your own checks
| Measure | Description | Personal | Professional |
| --- | --- | --- | --- |
| Check breach sites | Good practice is to check websites such as haveibeenpwned and Firefox Monitor to see if your email has been found in any breaches. If so, you should consider changing your password, as the provider was most likely hacked and personal data leaked to the public. With emails out in the wild, this can lead to phishing/targeted campaigns. | Check your personal email and family members’ emails to see if they appear. Common leaks are emails and sometimes passwords, addresses etc. that you have entered on a website. | Check your work email and service account emails to see if they appear. |
| Hover over URLs | Sometimes a link can hide the actual website to which it links. If you hover over a link without clicking it, you’ll see the full URL of the link’s destination. | Before clicking any links within an email/attachment/message etc., either hover over it to find the URL, or right-click the link and copy the URL. Paste this into a notepad and see if it differs from where it should go. If you are unsure, don’t proceed. | Before clicking any links within an email/attachment/message etc., hover over it to find the URL. If the URL is different or masked, report it to your security team instantly, as it could be a Security Incident and you are the first to spot it! Help them to help you. |
| Check for secure WiFi / websites | WiFi should always be secured and websites should always show a lock. This indicates that encryption is applied. | Do not connect to any open public WiFi hotspots. These can be rogue: a hacker may have set up their own in a public place to get people to connect and enter details, and once connected your other activity could be logged. Never connect to HTTP sites, only HTTPS. | Similar to personal, but be more careful when travelling for work or using work equipment, as you could be exposing it to a hacker without knowing. It is critical to have a VPN installed and in use and, where possible, tether off your phone as a better measure. |
| Check spelling and grammar | Bad spelling or grammar is a huge red flag for a scam, as is urgency. | For any email you receive to your personal account, or messages on social media etc., always check the spelling and grammar, even if you know the person, but more so if the person is unknown! You can report these messages in your client, so take advantage of that as it could help others! | For anything suspicious, you should always report it. Bad spelling and grammar is a key indicator of spam. Never reply until it has been checked over by your security team. Replying can also validate your email address/domain to a hacker, and they can then set up further reconnaissance. |
| Watch what you post / say online | Think about what you post and say on any platform, because once it is there it has been seen and is very hard to remove from the Internet. | In a personal setting, be extra wary of social media. Think about what you post, who will see it and who can see it. Tailor your privacy settings to friends only as opposed to public. Don’t get involved in share campaigns, as these can be filtered for in a search and you can become a target. | Remain professional. Don’t post social things in work settings unless advised or applicable. These things can be used against you both in and out of work. Definitely don’t share work information outside of work either, as this could be picked up by an unauthorised user. |
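The "hover over URLs" check in the table above is done by eye; the same comparison of the link text a reader sees against the href it actually goes to can be run over an email body. This is an added example, not code from the original post; the sample message, the example-bank.test and mail.example.test domains and the 198.51.100.7 address are all constructed placeholders.

```python
"""Flag e-mail links whose visible text points somewhere other than the real
destination, which is what hovering over a URL reveals by hand. Added example,
not from the original post; the message and domains below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: one honest link, one whose text shows the bank's
# domain but whose href goes to a bare IP, and one plain-HTTP link.
SAMPLE_EMAIL = """
<p>Statement ready: <a href="https://www.example-bank.test/login">
https://www.example-bank.test/login</a></p>
<p>Verify now: <a href="http://198.51.100.7/verify">www.example-bank.test/secure</a></p>
<p>Unsubscribe: <a href="http://mail.example.test/u?id=1">click here</a></p>
"""

# A domain the reader would see in the link text, e.g. "www.x.test/y" -> "x.test".
_SHOWN_DOMAIN = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, lower-cased, with any leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_links(html):
    """Return (href, reason) findings for links a reader should not trust."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = _host(href)
        if urlparse(href).scheme != "https":
            findings.append((href, "destination is not HTTPS"))
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", real):
            findings.append((href, "destination is a bare IP address"))
        shown = _SHOWN_DOMAIN.match(text)
        if shown and shown.group(1).lower() != real:
            findings.append((href, f"text shows {shown.group(1)} but goes to {real}"))
    return findings
```

Calling `check_links(SAMPLE_EMAIL)` leaves the honest HTTPS link alone and reports the other two, including the one whose text shows the bank's domain but whose destination is a bare IP address.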
Level 2: Extra measures
| Measure | Description | Personal | Professional |
| --- | --- | --- | --- |
| Password manager tool | Gone are the days of struggling to come up with clever, cryptic passwords that you have a hard time remembering. A password manager allows you to manage your login credentials across all your devices, keeping your passwords secure, automatically filling in forms, and syncing your data across macOS, Windows, Android phones, iPads, iPhones and more. | Personal options include the built-in iOS Keychain, free downloads of KeePass / LastPass, or Android’s Keystore. | Professional or work options should be KeePass or LastPass. It is essential to use one of these so that you are not reusing personal passwords but instead using ones the tool’s algorithm generates for you. These are typically more secure. You can still create your own, just remember to save the database file! |
| Webcam cover | An extra measure to stay safe and private. If an undetected RAT / malware got onto your computer, it could have access to your webcam. Keep it covered or disconnected and only unveil it when required. | Cover any personal devices that have a camera. Laptops, tablets and portable webcams are the most common. | Mainly laptops / portable cameras. Operate a zero-trust thought process. |
| Password complexity | Password complexity is where you choose a complex password that is hard to guess. A password should be made hard to guess, and it is recommended to start with a phrase and then include numbers, upper and lowercase letters, and symbols/special characters. For example, “to be or not to be, that is the question” could become “2b3Orn0t2beth$t1$th3qu35tion”. Try https://howsecureismypassword.net/ to see how strong your password is! | Choose one that you can remember but is hard to guess. Do not write these down anywhere besides a password management tool, because then you only need to remember the password to that vault (make this secure too). | The use of password manager tools is also essential, but ensuring your passwords meet the domain policy requirements is equally important. You may be denied a new password if it does not meet the complexity requirements. Default requirements are usually a minimum of 8 characters, 1 special character, 1 number, 1 lowercase and 1 uppercase letter. |
| Avoiding pop-ups & adverts | These things are bloody annoying to say the least! But try not to be tempted to click on them, as you could be redirected somewhere that infects your machine with malware. | You could use a different browser, such as Brave, that blocks pop-ups and scripts. Be careful which sites you visit and ensure they are HTTPS as a minimum. | Ensure the business uses web filters to block sites based on reputation and classification. This will help to tackle the adverts and pop-ups. If you want to fully lock down the estate, operate a system whereby you have a base image and applications can only be installed through an application library of approved applications. From this, have managed patching / updates that keep systems and applications up to date; WSUS and SCCM are good options. |
| Anti-Virus and firewall use | Anti-Virus software is used to detect, prevent and remove malware from a system that has become infected. Firewalls are used to control incoming and outgoing network traffic based on rules. | Do not download FREE Anti-Virus tools. These are most likely riddled with malware and are “too good to be true”. Do your research or ask that techy person which Anti-Virus software to use on your personal devices. Secure as much as you can, including mobiles / tablets / desktops / laptops etc. Ensure your Windows / Mac firewall is turned on; this will help protect you from malicious actors and intent. | Ensure that your company has an organisation-wide Anti-Virus tool that can manage all endpoints as well as enforce containment where required. This should be monitored to cover false positives (in-house scripts, for example) and managed to keep devices updated. Company firewalls should be active and managed to keep users safe online and stop unauthorised access where required. These can also be used for blocking access. |
| Leaving your desk / computer | Leaving your desk every so often is fine, and recommended, however be careful! | If you’re on your own, you are more than likely OK leaving your desk/equipment unattended and unlocked. If you’re heading out, definitely lock it and secure it! Best practice is to always lock your computer/workstation when it is not in use, to stop any unauthorised access. Think of the worst-case scenario when leaving. | Most companies will have auditors and policies in place, and one of the requirements is that you lock/secure your workstation when it is unoccupied. Not doing so can result in pranks or even exfiltration, depending on how nice the other person is! Don’t be a victim of this. Tip: CTRL + ALT + ARROW button to flip the screen 😉 |
| User training | Training your users on how to be safe when online or on a computer. This is essential to ensure your first line of defence is clued up on common risks and attacks. | Training could come from your relative, friend, teacher, colleague etc., but having that extra bit of knowledge around Cyber attacks and risks will do you a whole world of good! | Your company should require you to undertake awareness training as well as sign the policy to state you have completed it. This will cover their back but also make you liable if you fail to comply, so don’t take it lightly, as the damaging effects could be worse than you’d imagine! |
Level 3: Final thoughts and Recommendations
| Measure | Description | Personal | Professional |
| --- | --- | --- | --- |
| Disable IMAP / POP | IMAP/POP are legacy protocols that are enabled by default on O365 and on-premise Exchange. The issue with IMAP/POP is that you cannot enforce MFA on them and, more importantly, they do not log authentication attempts and can be brute-forced. | These protocols may be used with old email providers such as Yahoo, BT Internet, Hotmail etc., but not limited to these, and on clients such as Outlook. Ideally, avoid them and use a secure client that can enforce 2-Factor Authentication. | This is a key requirement within an organisation to help stop breaches occurring! Essentially, unless you have some really old systems accessing and sending emails, you should notice absolutely no change but will vastly improve your security posture. |
| Produce awareness training | As stated by the NCSC, “Users have a critical role to play in their organisation’s security and so it’s important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure.” | This can be achieved via online videos, self-study, hearsay, friends, family, colleagues, online articles, news etc. | This should be mandatory in an organisation, but going that extra step to educate is very welcome. Companies do training and compliance such as health and safety, so why overlook Cyber? Both are equally important in their respective fields. |
| Enforce policies | Policies are there for a reason. It is important to note they can come in different forms and may not directly involve you, but will impact you in some way. | These could be indirect, such as social media rules, age ratings on material, unauthorised access to areas (such as using a VPN to reach US Netflix from the UK), copyright and more. | Policies within an organisation could be health and safety, equal opportunities, acceptable use policy, codes of conduct and so on. Increasingly apparent is user awareness including Cyber risks and attacks, but this should be the norm! |
| Force MFA / 2FA | Multi-factor authentication (MFA / 2FA) is an authentication method in which a user is granted access only when two or more pieces of evidence are provided to an authentication mechanism. These are usually something you have (token), something you know (password) and something you are (biometrics). | Apply MFA to as many things as you can to ensure there is an extra layer of security around your account/access. This could be as simple as a biometric login to a device, a BitLocker key to unlock your computer, a password and then an authentication code for a gaming account, and so on. | MFA should be rolled out to all users accessing a system. This ensures extra credibility in authentication and also combats many breaches. |
| Schedule and/or perform backups | Scheduling and performing backups is extremely good practice, and in most cases mandatory for compliance. A backup is the last line of defence against data loss and provides a way of restoring data should anything happen. | Backups can be done in the form of online storage (Google Drive, Dropbox etc.), USB sticks, external hard drives, CDs etc. I would highly advise you to choose a storage destination away from your local computer to ensure it is a separate copy. | Utilise a company file server and personal storage (such as OneDrive), ensure scheduled backups are present and active, use online storage where approved, and utilise USB drives and external hard drives providing they are kept secure; locked in a drawer, for example. Company file servers are typically well managed and secure, and sometimes outsourced to add that extra housekeeping, plus they have big storage capacity, so it could come in handy! |
| Limit and secure IoT devices | IoT (Internet of Things) devices are becoming more prominent in everyday use. They are devices that have a connection to the Internet. The most common ones you may know are the Amazon Alexa device or Google Home. These are devices connected to the Internet and fall under the IoT umbrella. | If you have any personal devices that are connected to the Internet, make sure they are secured from the outset. The last thing you want is someone else controlling them! Just because a device has the capability doesn’t always mean it has to be connected, so bear that in mind. | Companies are starting to employ these types of devices for music purposes, and they are very useful and handy, but they need to be locked down as much as possible. As mentioned before, just because it has the capability doesn’t mean it should be used! Operate a least-privilege approach, but apply it to what the device requires rather than what it has. |
| Clear communication channels | Communication is key. Simple as that. Having clear communication channels is essential to running smoothly and being operationally successful. | Speak with people about problems, even if it is something you deem to be “stupid”. These kinds of things can actually be useful to someone. See something, say something. | Should you receive anything suspicious, report it. If you see something that isn’t right, report it. This is a given, but many times it is overlooked. I am a firm believer that you should have an open-door approach, especially to security, and it should be a talking topic. The more awareness and promotion around the subject the better. I always have an open door because I would rather someone ask than not. |
The above tables are by no means in order of priority, because they all carry their own weighting.
Here are a last five that I feel are equally important, but more of an advisory.
1. Do not share passwords or accounts.
2. Create individual accounts and apply relevant permissions. Give only what is required.
3. Have a break-glass account that can be used in emergencies only. This typically has the highest permissions, so the account should be locked down.
4. Use browser plugins that will check URLs for you.
5. Use a VPN when out of the office or home, especially on public WiFi.
I hope this provided some insight into the importance of staying safe online, as well as some context and value for both personal and professional environments.
All feedback is welcome and I hope to hear from you. If you have any questions or concerns, please do reach out to me.
Dan