Whilst the Internet is an invaluable source of information and has become indispensable for communicating in our social and work lives, it harbours a large number of threats and pitfalls for the unwary. These threats are only increasing in number with the proliferation of online services, social media and other internet-based communications and productivity tools.
This article will address specific issues and explain how you can practice safe data habits and minimise the risks, to you or your firm, from malicious agents and outright attacks.
Information Sharing
Share as little information as you can. If an organisation’s server is compromised, all the information you have given it is exposed. Although GDPR addresses the unnecessary collection of personal data, that does not necessarily mean firms will limit the collection of corporate data.
The news is full of stories of leaks and hacks from reputable websites, so you cannot assume that just because a site is genuine, the information you supply to it is always going to be safe.
As a rule of thumb, enter the bare minimum of information required to achieve your task. The less information you provide, the less at risk you are.
Advertisements
The web is largely funded by advertising. However, pop-ups, banners and other adverts that appear on almost every website are controlled, not by the site itself, but by third-party advertising networks.
As with any online business, some advertising networks are corrupt or have become corrupted and can direct you to websites loaded with malware. For this reason, if in doubt, adverts are better left unclicked.
Secure Websites
Web standards these days hold that any site that handles your private information should use Secure Sockets Layer (SSL) encryption, and you should expect that to be the case. SSL encryption sends your data through a secure “tunnel” to the recipient website, which ensures hackers cannot get at it during transfer.
It is important that you do not submit any personal or financial information to any site that does not have an SSL certificate. The question that arises is how you can be certain that SSL is being used by a website. Examine the web address, or URL: if it begins with https, the connection is encrypted using SSL. If it reads http, it is not encrypted, and your data is at risk during transfer.
For more information on a site’s SSL encryption, look for a padlock or similar graphic in your browser to the left of the web address, which can be clicked for certificate details. The certificate shows you who owns the site and you can be confident your data is going to the right place safely. Certificates are very difficult to forge, but your browser will alert you if the certificate does not check out fully.
However, as with all things, SSL is not a cast-iron guarantee; if anything on the site looks suspicious, then no personal data or sensitive information should be shared.
Additionally, it is good to be aware that SSL has recently been renamed Transport Layer Security (TLS). The new name is not yet widely used outside IT contexts, but you may see it in reference to encrypted email services.
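The two checks described above (is the address https, and does the padlock's certificate name the right owner and host) can be scripted. The following is an added example written for this article, not code from the original, using only the Python standard library. SAMPLE_CERT is a constructed dictionary in the shape that ssl.getpeercert() returns, not a real certificate; fetch_certificate() is included for readers who want to run the same summary against a live site, and it relies on the system trust store to reject certificates that do not check out.

```python
import socket
import ssl
import time
from urllib.parse import urlparse


def transport_is_encrypted(url):
    """True only when the URL scheme is https, i.e. the request travels over TLS/SSL."""
    return urlparse(url).scheme.lower() == "https"


def hostname_matches(cert, hostname):
    """Does the certificate name the host? Checks subjectAltName DNS entries, one wildcard label allowed."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        # "*.example.com" matches exactly one extra label, e.g. mail.example.com but not example.com
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def summarise_certificate(cert, hostname, now_epoch=None):
    """The fields the padlock dialog shows, plus the checks a browser makes before trusting the site."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses the "Dec 31 23:59:59 2030 GMT" format
    return {
        "owner": subject.get("commonName"),
        "organisation": subject.get("organizationName"),
        "issued_by": issuer.get("organizationName"),
        "expires": cert["notAfter"],
        "expired": now_epoch > not_after,
        "name_matches": hostname_matches(cert, hostname),
    }


def fetch_certificate(hostname, port=443, timeout=5):
    """Fetch a live certificate; create_default_context() verifies the chain against the system trust store."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),), (("organizationName", "Example Firm Ltd"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    for url in ("https://www.example.com/login", "http://www.example.com/login"):
        print(url, "encrypted" if transport_is_encrypted(url) else "NOT encrypted")
    print(summarise_certificate(SAMPLE_CERT, "www.example.com"))
```

Note that a browser does more than this script: it also verifies the issuer's signature chain and revocation status, which is why fetch_certificate() leaves chain verification to ssl.create_default_context() rather than re-implementing it.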
Emails: Be suspicious of unexpected emails
Phishing emails are currently one of the most prevalent risks to the average user. The goal of a phishing email is to gain information about you, steal money from you, or install malware on your device. What are common indicators of phishing attempts?
- Suspicious sender’s address: The sender’s address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.
- Generic greetings and signature: Both a generic greeting—such as “Dear Valued Customer” or “Sir/Ma’am”—and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.
- Spoofed hyperlinks and websites: If you hover your cursor over any links in the body of the email, and the links do not match the text that appears when hovering over them, the link may be spoofed. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.
- Spelling and layout: Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel that produce, verify, and proofread customer correspondence.
- Suspicious attachments: An unsolicited email requesting a user to download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to help persuade a user to download or open an attachment without examining it first.
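The indicators listed above can be checked mechanically, which is how mail gateways flag suspect messages before a user sees them. The following is an added example written for this article, not code from the original: it parses a raw email with Python's standard library and reports a lookalike sender domain, a generic greeting, links whose visible text does not match their real destination, links that go through a URL shortener, lookalike link domains, and risky attachment types. TRUSTED_DOMAINS, SHORTENERS, RISKY_EXTENSIONS and SAMPLE_EMAIL are all constructed for the example; the "examplebank" names are not real organisations, and the registrable-domain helper is a deliberate simplification.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists for the example; a real deployment would use the organisation's own.
TRUSTED_DOMAINS = {"examplebank.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".lnk")
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "sir/ma'am")
URL_LIKE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and the full visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels only; a production tool would consult the public suffix list instead."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike(host, trusted):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    host = host.lower()
    if host in trusted or registrable_domain(host) in trusted:
        return None
    for t in trusted:
        # brand name embedded in another domain, or a one/two character edit of the real one
        if t.split(".")[0] in host or SequenceMatcher(None, host, t).ratio() >= 0.85:
            return t
    return None


def phishing_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """Return the indicators from the list above that are present in the raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if sender_domain and lookalike(sender_domain, trusted):
        findings.append(f"sender domain {sender_domain} resembles {lookalike(sender_domain, trusted)}")
    html_body = ""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
        elif part.get_content_type() == "text/html":
            html_body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    page = LinkCollector()
    page.feed(html_body)
    if any(g in "".join(page.text).lower() for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    for href, shown in page.links:
        href_host = (urlparse(href).hostname or "").lower()
        if href_host in SHORTENERS:
            findings.append(f"shortened link {href}")
        if URL_LIKE.fullmatch(shown.lower()):  # visible text looks like an address: compare it to the real one
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append(f"link text {shown} points to {href_host}")
        if lookalike(href_host, trusted):
            findings.append(f"link domain {href_host} resembles {lookalike(href_host, trusted)}")
    return findings


# Constructed sample message exhibiting several indicators at once; no real addresses or sites.
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examplebank-secure.com>
To: user@example.org
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Valued Customer,</p>
<p>Please <a href="http://bit.ly/3abc">log in</a> or go to
<a href="http://examplebank.com.login-check.net/">https://www.examplebank.com/login</a>
within 24 hours.</p></body></html>
--XYZ
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Run against SAMPLE_EMAIL the script reports six findings. The spelling-and-layout indicator is left out on purpose: it needs a language model or dictionary rather than a few lines of parsing, and a message that passes every automated check can still be a phish, which is why the list above ends with a human judgement.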
Software Updates
Software is regularly updated by suppliers to remove known or newly discovered security flaws, add features and improve the user experience. Be suspicious of any outside communication that urges you to update your software; phishing scams distribute malware this way. Any software update that raises any sort of suspicion must be confirmed with the IT Department before it is installed.
Plug-ins and Extensions
As websites become more sophisticated in the content they can deliver, so browsers may need extra functionality to display this content. This extra functionality can be provided by Extensions or Plug-ins. Extensions add direct functionality to browsers, like a search engine toolbar. Plug-ins enable your browser to display more sophisticated content such as JavaScript or media players.
Browser plug-ins and extensions are useful, but they can also make you vulnerable. Many of these add-ons go for long periods between security updates, leaving security holes that attackers can exploit. Others sneakily install unwanted “bloatware” that can slow down your PC, alter its settings or install malware that does damage.
Reporting anything suspicious
If you have suspicions about any of the items described in this section, you should report them to your IT department or service provider immediately. Reporting any threat to your organisation allows the appropriate people to investigate and take action before any damage is done. By reporting online threats, you help take them off the web and keep the internet a safer place.
Lastly, a list of very simple rules of thumb that can be employed to avoid real harm is offered below:
- Avoid peer-to-peer file-sharing sites and sites hosting illegal or adult content. These sites are often infected, either deliberately or accidentally, with malicious code.
- Do not try to visit unknown web addresses or redirects from unknown sources. This is especially true of links from amusing or suspicious emails.
- Avoid use of social media at work; especially avoid games, quizzes and other tests offered to you through social media and email links.
- Never visit a suspicious website or webpage. Think before you click.
Over the past few years, ransomware has become one of the fastest growing cyber threats, with 151.9 million ransomware attacks in the first three quarters of 2019. According to one specialist security firm, 90% of financial institutions reported being targeted by a ransomware attack during the past year.
Following the above advice will, undoubtedly, allow you to use the internet without becoming exposed to cyber threats that can cause damage to both individuals and companies.