Personal cybersecurity has become more important than ever. Yet, for many ordinary people, the concept of cybersecurity can be overwhelming. To make this crucial topic more approachable, I often recommend three essential rules for personal cybersecurity. They are simple, understandable, and most importantly, a great start in offering a level of protection against most untargeted cyberattacks.
The Mum and Dad Test: The Power of Simplicity
The beauty of these three rules lies in their simplicity. They pass the ‘Mum and Dad Test’. If your parent or your grandparent asks about these rules, you can explain them very quickly, and they understand. This is crucial because cybersecurity, when presented as a complex topic, overwhelms most people. They hear an array of confusing and contradictory advice, which is often well-meaning but ill-founded.
The Three Rules explained
Rule 1: Protect your most important accounts
The first rule is to safeguard your most important accounts. This includes your email account (which could reset all of your other accounts), banking or financial accounts, online storage accounts, and password safe accounts. Protecting these accounts involves using complex passwords, and enabling two-factor authentication (preferably something that includes a biometric like Face ID or a fingerprint). By securing these accounts, you significantly reduce your chances of falling victim to a cyberattack.
On the other hand, also think about how your loved ones could access these accounts (if they needed to) if something happened to you.
Example: In a case we examined, a personal account was breached. It did not have two-factor authentication. Many personal documents were stolen by criminals. The criminals learned that the person was undergoing a divorce, and that the parties had agreed on an amount to settle the relationship. They then used that information to trick the victim into transferring over $70K to criminal elements.
The lesson: Protect your email account because people can impersonate you, reset passwords, or see a lot of sensitive activities.
Rule 2: Use only trusted devices
The second rule is to use only trusted devices. A trusted device is one whose history you know, and which has only software you trust running on it. Being selective about the software you install, particularly browser extensions or software of dubious origin, can go a long way towards protecting you from malware. That also means keeping software up to date, and replacing devices that no longer receive security updates.
Now, sometimes, we want to relax the rules about the trust of a device a bit. For example, if there are budding tech enthusiasts in your household who wish to experiment, it’s advisable to separate the machines used for this purpose from those used for sensitive tasks (like email, banking, and your password safe). Not everyone is fortunate enough to have spare machines for this, so you could also research virtualisation as a way to allow safe experimentation.
Special Note: In my experience, virus scanners are helpful, but they don’t detect everything. It is much easier and safer to stop bad software from getting onto your device in the first place.
Example: A CEO had a personal machine which was not managed by the company’s IT security policy. He purchased a Mac because he heard they didn’t get viruses. He was wrong. He had installed untrusted extensions into his web browser, which stole his credentials to his (two-factor protected) work email account. Criminals used this information for corporate espionage purposes, which was ultimately very damaging.
The lesson: Use only a trusted machine for your work, because criminals can monetise your business’s information.
Rule 3: Maintain the trustworthiness of your devices
The final rule is to do everything possible to maintain the trustworthiness of your devices. This means being vigilant about what you install and visit online. It also involves regularly checking your device settings to review what permissions have been granted to different apps.
For example, when I run a class for cybersecurity professionals, many of them find it eye-opening to see which apps have been allowed access to the camera or location on their phones. As an exercise, I often ask my workshop participants to check their phone’s settings to see which apps have which permissions. Why not try it yourself now? Here is a link for Apple’s procedure. For Android devices, Google does not maintain a standard procedure as of June 2023, so you may need to explore your device’s settings to find the controls for location, microphone and contacts sharing (among others).
Setting a baseline for personal cybersecurity
The above-mentioned three rules may not provide a foolproof safeguard against every conceivable cyberthreat. However, they lay the groundwork for personal cybersecurity, catering especially to individuals who aren’t under direct or specific threat. These rules establish a minimum cybersecurity standard that, regrettably, many still fail to meet.
It’s worth noting that these rules aren’t derived from scientific studies. Rather, they are the product of our observational insights and practical experience, gathered from our work in cyber breach investigations. They represent the principles that seem to get the most ‘bang for buck’.
Note for special risk people
Does your business need cyber defence? You need more than these three rules
These rules, though, are primarily intended for individual users who don’t have ‘special risks’. For businesses and corporations, a more tailored approach to cybersecurity is needed. At Notion, we specialise in assisting companies to define and implement a cyber defence strategy that is appropriately scaled to their specific needs. If you wish to benefit from Notion’s extensive experience in investigating cyber breaches, feel free to get in touch with us.
At Notion Digital Forensics, we proudly offer an expansive library of over 60 hours of curated content tailored specifically for business and government leaders. Our bespoke learning resources can be flexibly adapted to your conference, company training, or university requirements, ranging from compact 1-hour sessions to comprehensive 32-hour courses.
Over the years, we have received numerous positive testimonials and our interactive sessions consistently receive high ratings. We would be delighted to discuss how our offerings could enhance your event or training agenda. Please don’t hesitate to reach out to explore this opportunity further.
Important note on case studies
The cases mentioned earlier are based on real investigations we’ve conducted, with some details altered or obscured to protect the identity of clients and to maintain their confidentiality.