Personal Cybersecurity Involves More than Passwords

October 2021

laptop trying to update on screen

Image: Getty Images

I just learned the hard way that personal cybersecurity involves more than password management. Here’s my story in the hope you learn a lesson more easily.

This weekend I went online to check on my favorite websites. Only I couldn’t get access to many of them—including the one for Twirling Tiger Media. No matter which browser I used, I kept getting told the sites were insecure. I contacted our web developer, and our SSL certification was active. When a website lets that critical component of web dev lapse, you’ll get an ominous window alerting you it’s unsafe to go further.

That’s important, especially if you are calling up such a site from an email or post or text message. This is among the most common and successful ways to extract sensitive data from a user, and to do so voluntarily. It’s called phishing, and we’ve detailed how it reeled in one freelancer.

Phishing beget ransomware

Phishing continues to evolve, now with a preference for spears rather than wide nets to lure victims. We’ve made it easy to receive targeted malicious messaging that appears to be from people or organizations we know because we’ve placed so much of ourselves on social media. It takes very little effort to discover where someone works, lives and plays thanks to social networks, online public records and data from thousands of breaches flowing through the dark web.

(If you live in California, as I do, the CCPA provides some recourse to limit involuntary public exposure and data sharing. And if you market to Californians, here’s a guide to make sure your practices remain lawful.)

People sometimes wonder why a cybercriminal would want more than stolen credit card data and care about your email address or throwaway login credentials for a book review site. It’s to impersonate you or figure out how to get you to click on a suspicious link. Plus, we tend to reuse passwords.

Increasingly, those malicious links aren’t just recording your keystrokes; they are locking down your machines until you pay for the key. We hear about the ransomware that disrupts our supply chain or manages to bring down hospitals, schools and other enterprises. But individuals are struck by ransomware just as often. They must decide whether to pay or toss the laptop or phone or tablet (because it’s difficult to get around those locks unless someone is a pro at this). And if they do pay, they often deal directly with the data kidnappers, who work like organized crime families and offer customer service to show you how to obtain and send cryptocurrencies.

Password management boosters

Password management got a boost when we all were sent home to work last year. Most password-protected sites and apps now require what’s called multi-factor authentication (MFA) before you gain access. This is a pain for those who don’t like to wait for anything, even for a few seconds.

But MFA is one of the few ways companies can help you stay secure. So don’t turn it off if that becomes an option. And don’t use the same password to access everything—even though it’s tempting because who can remember everything, even when written down? There are password managers like LastPass that take on the complexity, but they too have unintended consequences. If we don’t routinely enter passwords manually on sites most used, we forget them. Especially when they are now required to be at least eight characters and include both numbers and symbols to stymy automated password crackers.

Don’t ignore those software updates

I suffered none of these issues over the weekend. My problem ended up being a failure to keep my operating system—and all the apps associated with it—updated regularly. I could ignore the notifications because I turned notifications off (like those productivity experts recommend). And I stopped having updates automatically done after one for a minor program caused major problems for other software used daily.

As a result of failing to regularly update my desktop, I accrued major technical debt. Whenever you receive an update alert on your phone, tablet, laptop or desktop, install it. In addition to tweaking bugs in the software, those updates also close security holes cybercriminals can exploit. This is especially true for many of us who use iPhones or MacBooks since Apple remains reticent to publicly acknowledge flaws in iOS but will apply a fix once it is discovered.

In my case, our website blocked me because it knew my browser was vulnerable. It forced me to do what I needed to, so I spent part of my weekend upgrading my operating system and installing a slew of updates. That it did so on the first day of October, which is also Cybersecurity Awareness Month, was a bonus.

This is the time to evaluate your own personal web usage, not just the amount of screen time but the chance of being infected with malicious code from faulty passwords or failing to regularly patch vulnerabilities. If you find other legitimate sites suddenly blocked, it may be time to pay closer attention to your own cyber hygiene, so you don’t spend the better half of a beautiful-weather weekend saying, “This stinks.”

Thank you for reading this,

Anne