Blog

The Cybercentry Blog covers information security, data protection and cyber security articles and news.

It is updated regularly with casually written content, which can be utilised and shared as a Cyber Security Campaign. Browse through our multiple archives or search by category to find the topic of your choice. 

by Leigh Cronian 01 Apr, 2024
Who are you? Passwords – the key to your identity.

Passwords are commonly used to prove your identity to your computer and to a host of other applications. That means that getting them right – both memorable and secure – is important. This is the fourth in the Year of Cyber articles to help you use cyberspace safely at work and at home.

Simple points to remember:

1. Use strong passwords (using three random words).
2. Protect passwords – never share them or leave them where they can be found.
3. Frequently changed passwords often lead to weaker, reused passwords, compromising security.

What is a password?

Okay – I know you already know the answer: passwords are those strings of letters and numbers that we must use to log on to our computers, and on to a host of other applications at work, and to banking and social media at home. But what are passwords? Passwords are the most usual way to prove your identity on a computer system – the technical term is authentication. As humans, we recognise our friends – seeing their face or hearing their voice is often enough for us to know who someone is. But if you don’t know who someone is, you might ask for proof – possibly their passport or their security pass, depending on the circumstances. Basically, your username is your means of saying “it’s me” to the computer, and the password is your proof that “this really is me” (like your passport). If you think about a password this way you can see why they are important, even though they might sometimes seem a nuisance.

Why so many passwords?

Think for a moment about your house, your car or bicycle, the locker you use at the gym, possibly even a desk or cupboard at work. They all have keys – different keys. Some, like your house, have complex locks and keys that are hard to break; others don’t – it depends on the impact of someone else getting the key. Passwords are the same – some need to be secure, others less so. It depends on what the password is protecting and the impact of someone “breaking in”. You wouldn’t have the same key for your house, car and desk, as anyone who got one of your keys could then open all of them. It’s the same with having different passwords for different applications. That said, it is frustrating to have to log on separately to different services at work and at home, so a single sign-on solution to support Identity and Access Management (IdAM) should be used.

What is the risk?

If you use weak passwords, or the same password for different applications, it makes it easy for people to impersonate you. Depending on the system and application, they might be able to access sensitive information (emails or staff reports, perhaps), send emails in your name or access your bank account. Good passwords, that you keep secure, can help to protect you against fraud and identity theft.

Passwords also need to be something that can’t be easily guessed. So, anything about you, as well as ordinary dictionary words, is out, unless you can combine them in more secure ways. Criminals can easily run searches of dictionary words, and of common phrases (including celebrity names, films and TV programmes) and even foreign words. Anything that might be easily known about you (including from your social media profiles) is also easy for them to find. So, you might love your dog, or be a committed football fan, but “Rover”, “GoldenLabrador” and “ManchesterUtd” would not be very good passwords. But there’s a balance – good passwords don’t have to be impossible to remember.

Misuse really does happen. In one example, an employee received a warning after leaving their user login and password details in an unlocked desk while they went away; the login had then been used by another person to access inappropriate websites. Only evidence that the employee had not been in the country at the time of the breach prevented further action being taken against them.

So, what can I do?

System Administrators enforce good passwords by offering consonant-vowel-consonant triplets with numbers. If you need to write them down in full then remember that they must be marked at the highest classification level allowed on the relevant system and kept in an appropriate secure cupboard. A better idea, if you need a written record, is to write them in a private ‘code’ others would be unable to guess, and protect this suitably. Alternatively, think of ways to remember them by making the triplets into words to tell a story – e.g. “yog” could suggest yoghurt, or a youthful old granny! (This is the same story-making technique used by those performing memory feats.)

Make them hard to guess.

New guidance from the National Cyber Security Centre (NCSC) is to use three random words, although you can use numbers and special characters if you wish. Avoid words or anything that might be associated with you. So, a proud dog owner might want to consider something more complex, perhaps an image of Rover chasing a ginger cat down Oxford Street, and take the first three letters of “chasing”, “ginger” and “oxford” to give “chaginoxf”.

Never share passwords – if someone has a legitimate reason to do something, they should have an account set up to allow them to do it. Giving them your password is like giving them the keys to your house when you aren’t there. If you need to give a colleague access to an email account, then do it through proper mailbox delegation. Also, helpdesk staff never need access to your password, so be very suspicious of anyone who requests it.

Take care that you are not being watched as you type your password in – the normal rules about avoiding being overlooked apply.

Frequent forced password changes should be reconsidered, as they may lead to weaker security practices. Emphasis is now on strong, unique passwords and multifactor authentication (MFA) to counteract sophisticated cyber security threats, moving away from routine password resets unless a compromise is detected.

And don’t leave them where they can be found – so not on sticky notes under the keyboard, or in your notebook. Get Safe Online has good advice on protecting your passwords at home – including making sure you don’t use administrator accounts on your home PC for routine access, which will help to protect you from the effects of malicious software.

Sanctions

We are all responsible for maintaining the security of our working environment, including an organisation’s networks and systems. Action is taken against people who put this at risk, including through password misuse.

Reporting

The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.
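As an added example (not from the article, and not Cybercentry's code), the Python below shows the two sides of the advice above: generating a passphrase in the three-random-words style from a cryptographically secure random source, and screening a candidate password for the weaknesses the article lists (too short, a common or single dictionary word, something easily associated with you, or reused for another application). The wordlist, the common-password list and the 12-character minimum are all constructed assumptions for the demonstration; a real deployment would draw on a wordlist of thousands of entries and a full breached-password list.

```python
import re
import secrets

# Constructed sample wordlist. Three picks from a list this small are easy to enumerate;
# it is here only to show the method, not to be used as-is.
WORDLIST = [
    "anchor", "basket", "candle", "dragon", "engine", "falcon", "garden", "harbour",
    "island", "jigsaw", "kettle", "lantern", "meadow", "needle", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
]

# Constructed stand-in for a list of passwords seen in breaches.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "manchesterutd", "liverpool",
}

MIN_LENGTH = 12  # assumption: three random words of four or more letters comfortably exceed this


def three_random_words(wordlist=WORDLIST, separator="-"):
    """Build a passphrase in the three-random-words style using secrets (a CSPRNG), not random()."""
    return separator.join(secrets.choice(wordlist) for _ in range(3))


def check_password(password, personal_terms=(), previously_used=()):
    """Return the reasons a candidate password is weak; an empty list means no problem was found."""
    problems = []
    lowered = password.casefold()
    letters_only = re.sub(r"[^a-z]", "", lowered)

    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} characters; aim for at least {MIN_LENGTH})")
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("appears on a common-password list")
    # A dictionary word with at most two digits or symbols bolted on is still a dictionary word.
    if letters_only in WORDLIST and len(letters_only) >= len(lowered) - 2:
        problems.append("is a single dictionary word, possibly with a couple of digits or symbols added")
    for term in personal_terms:
        if len(term) >= 3 and term.casefold() in lowered:
            problems.append(f"contains something easily associated with you: {term!r}")
    if lowered in {p.casefold() for p in previously_used}:
        problems.append("reuses a password already used for another application")
    return problems


if __name__ == "__main__":
    # Constructed personal terms such as a dog's name or a football team.
    me = ["Rover", "Labrador", "Manchester"]
    for candidate in ("GoldenLabrador", "ManchesterUtd", "Walnut99", three_random_words()):
        verdict = check_password(candidate, personal_terms=me) or ["no problems found"]
        print(f"{candidate!r}: " + "; ".join(verdict))
```

The generator uses `secrets.choice` rather than `random.choice` because the point of three random words is that the words really are unpredictable; a seeded pseudo-random generator would undermine that. The screening function reports every problem it finds rather than stopping at the first, so a user can fix all of them in one go.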
by Leigh Cronian 01 Mar, 2024
Location Services – what are you telling them?

Mobile devices and social media are great for finding restaurants and other facilities near you, and there are apps which help record your fitness activities, as well as the value of sharing photos with family and friends online. But are you sharing more than you intend to? This is the third in the Year of Cyber articles to help you use cyberspace safely at work and at home.

Simple points to remember:

1. Think about what you are posting online and review your privacy and security settings regularly.
2. Follow the rules for wherever you are – such as rules about not using mobile devices in certain locations.
3. We are all responsible for protecting all work and home assets, including information. Report any concerns about information you find online immediately.

What are location services?

In short, anything with location data attached to it – so obviously apps which show directions from where you are, but also digital photographs, fitness and online dating apps, some aspects of social media and even mobile games. And the list goes on…

Mobile devices “know” where they are by using the Global Positioning System (GPS) – that’s great for apps which help you find your way around, but there can be a downside if you don’t think about what you are posting and where you are checking in.

Photographs from mobile devices like smartphones, for example, include metadata which describes where and when a photograph was taken and even what device it was taken with. It’s the digital equivalent of the captions we used to put in photograph albums or write on the back of the print (e.g. “London Bridge, 17 August 2023”) – except that it’s automatic, so you don’t need to do anything, and more precise, so it records exactly where you were when you took the picture.

Fitness apps like Strava and MapMyRun will track your progress in training, identifying where and when you have cycled or run, and how you have performed against previous rides or runs – and how you have performed against others. And of course, there is the option of “checking in” at wherever you are to help your friends know where to find you. All these are examples of what is called “geotagging” – attaching location data to what you are doing.

What is the risk?

Publicly announcing where you are presents obvious risks to personal security. While you may be happy for your friends to know, unless your social media profiles are protected then anyone can see it, and you could be cyberstalked. And when you check in to that restaurant in Leeds or post the photos you took on the beach in Blackpool earlier today (and the metadata will give the date), then you might be unintentionally telling a thief that you aren’t at home (and are unlikely to be tonight).

Pattern of life information can also be gleaned from checking in and fitness apps if you visit the same bar every Thursday evening or run the same route every Tuesday lunchtime – and if your run starts and ends at a work location then anyone (including those with ill intent) would probably be right in guessing you have a connection with the company. There have been recent occasions when information on Strava.com not only showed routes starting and ending at companies, but also linked to personnel profiles and even to a running club which listed its members (with photographs). This presents a clear risk to personal security.

So, what can I do?

Think about what you are posting, including what you might be giving away inadvertently. Review your privacy and security settings for all sites and online apps and don’t link everything back to a single social media profile (e.g. your Facebook page). Don’t assume that others want their details made public – this might be colleagues, club members or even family – and don’t check them in or post their details without permission. Turn off the GPS facility on your device when you don’t need it. Consider where you might be giving away pattern of life information that could put you or your colleagues at risk. Keep to any rules about not using mobile devices or cameras at specific locations – the rules are there for a reason.

Remember that you are personally responsible for securely handling any assets, including information, entrusted to you. So, think about the potential impact of information about work and home assets, including images and location data. Get Safe Online has good advice to help you protect yourself against cyberstalking and an informative blog about keeping safe on social networking and with location services.

Reporting

The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.
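The article says a photograph's metadata records where it was taken. As an added example (not part of the article and not Cybercentry's code), the Python below builds a minimal JPEG containing a constructed Exif GPS block, reads the latitude and longitude back out of it using only the standard library, and then strips the Exif segment so the picture could be shared without its location. The image bytes and the coordinates (53°48'N, 1°33'W) are constructed for the demonstration; the parser follows only the GPSInfo path of the Exif/TIFF layout and ignores every other tag.

```python
import struct

# Everything here is constructed: the "photograph" is a JPEG skeleton (SOI + one Exif
# APP1 segment + EOI) with no picture data, and the coordinates are made up.


def _rational(num, den):
    return struct.pack("<II", num, den)


def build_sample_jpeg():
    """Assemble a minimal JPEG whose Exif block carries a GPS IFD with a latitude and longitude."""
    # TIFF header is 8 bytes; IFD0 follows at offset 8.
    # IFD0 = count(2) + one entry(12) + next-IFD pointer(4) = 18 bytes, so the GPS IFD starts at 26.
    gps_ifd_offset = 26
    ifd0 = struct.pack("<H", 1)
    ifd0 += struct.pack("<HHII", 0x8825, 4, 1, gps_ifd_offset)  # GPSInfo tag, type LONG
    ifd0 += struct.pack("<I", 0)
    # GPS IFD = count(2) + four entries(48) + next pointer(4) = 54 bytes, so its data area starts at 80.
    data_offset = 80
    lat = _rational(53, 1) + _rational(48, 1) + _rational(0, 1)  # degrees, minutes, seconds
    lon = _rational(1, 1) + _rational(33, 1) + _rational(0, 1)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", 1, 2, 2) + b"N\x00\x00\x00"   # GPSLatitudeRef, ASCII stored inline
    gps += struct.pack("<HHII", 2, 5, 3, data_offset)       # GPSLatitude, three RATIONALs
    gps += struct.pack("<HHI", 3, 2, 2) + b"W\x00\x00\x00"   # GPSLongitudeRef
    gps += struct.pack("<HHII", 4, 5, 3, data_offset + 24)  # GPSLongitude
    gps += struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + lat + lon
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _iter_segments(data):
    """Yield (marker, start, end) for each length-prefixed JPEG segment before SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: picture data follows, so stop walking headers
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + seg_len
        pos += 2 + seg_len


def _is_exif(data, start):
    return data[start + 1] == 0xE1 and data[start + 4:start + 10] == b"Exif\x00\x00"


def _read_ifd(tiff, endian, offset):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at the given offset."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, endian, value_field, n):
    off = struct.unpack(endian + "I", value_field)[0]
    out = []
    for i in range(n):
        num, den = struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8])
        out.append(num / den)
    return out


def _to_degrees(dms, ref):
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in (b"S", b"W") else value


def extract_gps(data):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS position is embedded."""
    for _marker, start, end in _iter_segments(data):
        if not _is_exif(data, start):
            continue
        tiff = data[start + 10:end]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, endian, struct.unpack(endian + "I", tiff[4:8])[0])
        if 0x8825 not in ifd0:
            return None
        gps = _read_ifd(tiff, endian, struct.unpack(endian + "I", ifd0[0x8825][2])[0])
        if not all(tag in gps for tag in (1, 2, 3, 4)):
            return None
        lat = _to_degrees(_rationals(tiff, endian, gps[2][2], 3), gps[1][2][:1])
        lon = _to_degrees(_rationals(tiff, endian, gps[4][2], 3), gps[3][2][:1])
        return lat, lon
    return None


def strip_exif(data):
    """Copy the JPEG without its Exif APP1 segment(s); everything else is left byte-for-byte."""
    out = bytearray(data[:2])
    tail = 2
    for _marker, start, end in _iter_segments(data):
        if not _is_exif(data, start):
            out += data[start:end]
        tail = end
    out += data[tail:]
    return bytes(out)
```

Run on a real photograph, `extract_gps` tells you what you would be publishing, and `strip_exif` gives you a copy to share. Many social networks already drop Exif on upload, but messaging apps and direct file transfers often do not, so stripping it yourself is the only way to be sure.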
by Leigh Cronian 01 Feb, 2024
WiFi – who are you connecting with?

This is the second in the Year of Cyber articles to help you use cyberspace safely at work and at home. This month we look at WiFi – wireless networks that let you stay connected wherever you are.

A few simple points to remember:

1. Take care when using WiFi hotspots. Make sure that you are connecting to the hotspot you expect.
2. Avoid entering sensitive information on public WiFi, and only do so if you’re on a secure website.
3. Make sure that your personal WiFi network has password protection enabled.

What is WiFi?

WiFi (also spelt Wi-Fi or Wifi) allows computers, smartphones and other devices to connect to the Internet or communicate with one another wirelessly. It is increasingly common in homes and public places (wireless hotspots). All of this is good to help you stay connected, and to be free to keep in touch, access services or work in different locations – this will become increasingly important as we embrace new ways of working. But WiFi does have some specific risks you should be aware of.

What is the risk?

The biggest issue with WiFi is confidentiality – if the WiFi network isn’t encrypted then others using the network can see whatever you are doing online – this includes the capture and copying of your passwords and sensitive information. Public WiFi hotspots are often not encrypted, and it is not always easy to tell who they belong to. Hacking into them can be child’s play, as recently demonstrated by a 7-year-old.

In public places WiFi hotspots can be spoofed, so that you may inadvertently connect to a bogus network (an “evil twin”) which masquerades as a legitimate one. Such networks are used to capture your data or direct you to fraudulent websites, and may have a very slight difference in name to the access point you are expecting. If you suspect you may have connected to a spoof network, you should remove it from your saved networks to reduce the chance of connecting to it again.

Remember, it is good practice to avoid entering personal or other sensitive information into websites unless they are secure (the address shows “https:” rather than “http:”). Always be careful that you are not overlooked.

Organisational information should not be accessed or processed in a public place using a WiFi hotspot. However, you can work on information in your home or hotel room. Any breach of confidentiality could provide adversaries with enough information to launch an attack on organisational networks. In a worst case this could have serious consequences resulting in loss of capability.

At home, it’s also important to keep your WiFi connection secure, to prevent unauthorised access to your network. If you don’t, unauthorised users may be able to access your information, take up your bandwidth and download allowance, or use your system to hide criminal activities. So, make sure you enable password protection and, if possible, change the password. Get Safe Online and the Information Commissioner’s Office (ICO) have more in-depth information.

Check that your smartphone or tablet isn’t set to connect automatically to available open WiFi networks – this will help prevent you connecting to unsafe networks, and you’ll save battery life as well!

Sanctions

Appropriate action is taken on any security breaches, and we are all responsible for maintaining the security of our working environment, including an organisation’s networks and systems. But there may also be serious consequences for you if you don’t secure your home WiFi. There have been instances of paedophiles using neighbours’ unsecured WiFi to cover their tracks – which have resulted in innocent people being investigated by the police.

Reporting

The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.
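One way to act on the evil-twin advice above, as an added example that is not from the article or Cybercentry: compare the networks visible in a scan against the ones you have deliberately saved, and flag anything that uses a saved name from an unknown access point, has dropped the encryption the saved network uses, or carries a name within a couple of edits of a saved one. The saved networks, their BSSIDs (access-point hardware addresses) and the scan results are all constructed, and the two-edit threshold for "a very slight difference in name" is an assumption.

```python
import re

# Constructed data: networks the user has joined on purpose before, keyed by SSID.
# A real client would read this from its saved-network store; the BSSIDs are invented.
TRUSTED_NETWORKS = {
    "HomeNet": {"bssids": {"aa:bb:cc:dd:ee:01"}, "security": "WPA2"},
    "CafeCentral": {"bssids": {"aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"}, "security": "WPA2"},
}

# Constructed scan results, as a device might see them in a public place.
SCAN_RESULTS = [
    {"ssid": "HomeNet", "bssid": "aa:bb:cc:dd:ee:01", "security": "WPA2"},
    {"ssid": "HomeNet", "bssid": "de:ad:be:ef:00:01", "security": "OPEN"},
    {"ssid": "Cafe Central", "bssid": "de:ad:be:ef:00:02", "security": "OPEN"},
    {"ssid": "CafeCentra1", "bssid": "de:ad:be:ef:00:03", "security": "WPA2"},
    {"ssid": "SomeOtherNetwork", "bssid": "de:ad:be:ef:00:04", "security": "OPEN"},
]

LOOKALIKE_DISTANCE = 2  # assumption: up to two character edits counts as a lookalike name


def edit_distance(a, b):
    """Levenshtein distance: the number of insertions, deletions or substitutions between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(ssid):
    """Collapse case, spaces and punctuation so 'Cafe Central' and 'CafeCentral' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())


def assess_scan(scan, trusted=TRUSTED_NETWORKS):
    """Return one finding per visible network that resembles a saved one without matching it exactly."""
    findings = []
    for net in scan:
        reasons = []
        if net["ssid"] in trusted:
            known = trusted[net["ssid"]]
            if net["bssid"] not in known["bssids"]:
                reasons.append("same name as a saved network but from an unknown access point")
            if net["security"] == "OPEN" and known["security"] != "OPEN":
                reasons.append("saved network uses encryption but this one is open")
        else:
            for name in trusted:
                if edit_distance(normalise(net["ssid"]), normalise(name)) <= LOOKALIKE_DISTANCE:
                    reasons.append(f"name closely resembles saved network {name!r}")
                    break
        if reasons:
            findings.append({"ssid": net["ssid"], "bssid": net["bssid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess_scan(SCAN_RESULTS):
        print(f"{finding['ssid']!r} ({finding['bssid']}): " + "; ".join(finding["reasons"]))
```

A legitimate venue with several access points will show more than one BSSID for the same SSID, so the unknown-access-point finding is a prompt to check with the venue rather than proof of spoofing; the dropped-encryption and lookalike-name findings are the stronger signals. Networks with no resemblance to anything saved are deliberately left alone: the check has nothing to say about them beyond the article's general advice on public hotspots.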
by Leigh Cronian 01 Jan, 2024
Anti-virus – how well are you protected?

This is the first of our articles to help you use cyberspace safely at work and at home. This month’s theme is Anti-Virus, but it includes other tools that can help you at home, like firewalls, and advice for smartphone and tablet users.

Simple points to remember:

1. Make sure you have anti-virus software and a personal firewall to protect all your personal devices (including tablets and smartphones) – and that they are always enabled.
2. Keep your anti-virus software, operating system and other key software (e.g. word processing) up to date.
3. Remember that however well protected you are, nothing can guard against every threat – so be vigilant.

What tools can I use to protect me online?

We are used to protecting ourselves, our loved ones and our property – vaccinating our children, fitting good locks to doors and windows (and using them), and watching out for suspicious activity. Tools like anti-virus software and firewalls are similar – they work to stop viruses and other cyber threats by strengthening our defences (like a vaccination or a lock) or by looking out for suspicious activity – a bit like a Neighbourhood Watch for your computer system!

Anti-virus software looks for viruses and other malware by scanning incoming emails, monitoring files you open or download and websites you visit to ensure there is no embedded malware, and scanning your device periodically for malware or spyware (spyware, as the name suggests, snoops on us to steal our online secrets like passwords or credit card details). There are several anti-virus packages, some free, some paid for, but they will all require regular updates to make sure they recognise the latest malware – usually this happens automatically. But anti-virus software can’t protect you against spam or any criminal or hacking activity not connected with a known virus, and it can only defend against what it knows about – so anything new or different may not be identified.

A firewall acts as a barrier between your computer and the Internet, only letting connections in or out of your computer if they seem legitimate – like a good lock on the front door that stops a thief breaking into your house, or from removing your property through the front door if they managed to get in through a window. A firewall is intended to be the first line of defence, but it won’t guard against viruses or spam, and it won’t protect you if it has been turned off or the settings are wrong. For home users, a personal (or software) firewall is usually adequate, such as the Windows Firewall included with Windows operating systems, or one included with some anti-virus packages.

You should have a firewall and anti-virus on every device that connects to the Internet. That includes smartphones and tablets, as well as computers and laptops, irrespective of their operating systems. Get Safe Online has good advice on choosing and using anti-virus software and firewalls.

But they won’t protect me against everything?

Nothing can. Just as a determined thief will always find a way, and a new strain of flu may not be prevented by a flu vaccination, nothing can ever be guaranteed to keep you safe. So, you still need to be vigilant for suspicious activity – as we’ve covered throughout the year in these articles.

What about my smartphone and tablet?

Smartphones and tablets are increasingly being targeted by malware – criminals go where they get the most return for their efforts, so as the number of people using these devices has increased, so the malware threat has increased. As well as getting malware from websites (especially from links sent in text messages) and email, they also come with infected apps – especially those not coming from the official app stores. As well as the usual malware threats, smartphones can be targeted to force premium-rate calls and texts to be made without your knowledge.

Although infected apps have on occasion got on to official app stores, be careful only to purchase and download apps from recognised sources. Take particular care if you find a free or cheap version of an app you would normally have to pay for – it is probably not legitimate and may come with additional malware “features” that you really don’t want. And check what access the app is asking for on your device – apps can ask for access to contact lists and call lists, as well as the camera, microphone, location information, photos and even permission to send texts and make calls. Get Safe Online especially warns users of Android or Windows devices to install a reputable anti-virus and anti-spyware app.

Is there anything else I can do?

Generally, keep your operating system and software up to date. That means downloading updates from the suppliers – usually this can be done automatically as updates become available – and not running old versions of software after support has been withdrawn. Malware writers know that not everyone will update their software, so they will still have success with malware targeting older operating systems, browsers and other software. Don’t be one of their successes.

In particular, keep your browser software up to date – install the latest version of your browser from the supplier’s site to protect yourself and to enjoy the new features that help with speed and compatibility. But, as with all updates, ensure you are downloading from the official sites. Also make sure the settings are appropriate – you can get help on this from your browser’s help files and from sites such as Get Safe Online.

Back up your important data regularly to an external hard drive or to the Cloud. That way you won’t lose all your important documents and photographs if your device fails, is damaged or is stolen. And finally, when disposing of your device, make sure you do so safely and securely so that your data cannot be accessed by others. Get Safe Online has good advice on these points and on other ways to protect yourself online.

Reporting

The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.
by Leigh Cronian 01 Jan, 2024
1. We are all personally responsible for protecting our work and home assets, and information is one of our key assets. Report any concerns immediately.
2. If you think an email is suspicious, at work forward it as an attachment to your IT Department or at home forward it to report@phishing.gov.uk and delete it from your Inbox using Shift-Del (so it won’t be in your Deleted Items). If you think you have opened something by mistake, then report it at once. Never reply to spam email.
3. If unsure, don’t click on any links or open attachments. Use Favourites for websites you visit often.
4. Be alert to potential targeting by social engineers and report any concerns immediately.
5. Think before you share online – including posting on social media sites – are you giving away information which could impact on work or personal security, or could be used by a social engineer?
6. Never give sensitive information unless you are sure the recipient is who they say they are and has a valid need to know.
7. Protect passwords – never share them or leave them where they can be found. Don’t make them easily guessable or use the same password for different applications.
8. Don’t plug anything into the USB ports of work IT systems, not even to charge them, except for officially procured USB devices. If you find any unaccounted-for USB devices in your workplace you should hand them to your Information Security Officer.
9. Keep your anti-virus up to date at home so that it can help reduce the risk of downloading malware. Remember that however well protected you are, nothing can guard against every threat – so be vigilant.

Articles

January: Anti-Virus
February: WiFi
March: Location Services
April: Passwords
May: Malicious Websites
June: Social Media
July: Phishing
August: Social Engineering
September: Remote and Home Working
October: USB Use
November: Online Fraud
December: The Uncomfortable Truth

Reporting

The advice in this article underscores the necessity of consulting cyber security experts, such as Cybercentry, for addressing any cyber security incidents in both personal and professional contexts. Reporting concerns promptly to the relevant authorities is crucial for a swift response and safeguarding against potential threats.