Cybersecurity 101: The top 3 1/2 things you must do for personal cybersecurity

I recently gave a presentation to some Henssler Financial clients on the three (and a half) simple things that everyone should do to protect themselves online.

The following is a synopsis of these items. You can also download a handout from that presentation here, which contains all of the salient points.

#1: Use a password manager

Each and every website for which you have an account must have a unique and 'real' password. A 'real' password isn't one that the average human can easily remember. Since the password manager is going to create, save and automatically fill in your username and password for all of your sites, you might as well use the longest and most complex password they will support. Every site is different - all limit the number of total characters and some only allow alpha-numeric. Regardless, by simply having long, randomly generated and unique passwords for each and every site - you have just greatly increased your online security.

User ID: Ideally, it is NOT your email address or any part of your name. If the website gives you the option to use something other than your email address - do!

One of the main reasons to have unique passwords (and if possible user IDs) for each site is because the most common way accounts are compromised is when a website you use is hacked and their user data is stolen. The thieves use software to plow through this list, going to thousands of banking and ecommerce sites trying the information they stole, knowing that a significant number of people use the same user ID and password at multiple sites.

There are several password managers on the market that do a good job. If you are already using one, good for you - continue to do so. If not, I recommend LastPass. I've used it for years and you can use the basic version for FREE on one device (PC, mobile).  They also have several great tutorials to get you started as well as an enterprise version for businesses of all sizes.

ProTip:
Enable multi-factor authentication on your password manager.

#2 Protect your email account

Your single most valuable online account? Your EMAIL. Why - because it is the golden ticket, the keys to your kingdom.
Many websites still do two very insecure things:

1. They require you to use your email as the username for your account
2. They send password resets to that email address without any form of authentication

So, if a criminal has access to your email they will go through all of your saved and deleted emails, see what sites you use, then go to those sites and click on the ubiquitous 'Lost Password' link, which sends a password reset to...you guessed it, your email account that they now own. They can then change your contact info, shipping address - etc and if you have a credit card saved with that site, they may just make a few orders as well.

You should only use an email provider that supports multi-factor authentication (MFA) (see the handout for details on what this is).  If your provider does not support MFA, change providers. Gmail is my recommended provider.

ProTip
Create multiple email accounts:
I have one main/primary account that I use for personal correspondence, another I use for sites on which I do not buy stuff, one for my sensitive sites (banking etc) and one for spam (the one I give when you go to a site to get some info etc). Email addresses are FREE and Google makes managing these simple. You can forward all of the email from your 'other' accounts to your main and then have a rule that moves those emails into their own folder (or into your inbox if you prefer).

I appreciate this may be a bit more hassle than many want to endure - just something to consider in the future.

#3 Monitor Your Accounts

This means all of your financial accounts (bank, credit card, 401k, broker, whatever) as well as your credit. With the recent Equifax debacle, monitoring your credit reports is something all of us should do on a regular basis. The easiest way is to create a FREE Credit Karma account which will give you access to your Equifax and TransUnion information. Unfortunately, Experian (the 3rd of the big 3 credit reporting agencies) is not available through Credit Karma, but you can also create a free account on the Experian site and monitor it separately. I log onto these sites at least once a month to check my information (and credit score) - unless I get an email notification of a hard inquiry.

What you want to look / watch for is 'hard' credit inquiries. This is what is generated if you apply for credit. You can set up an email alert with both Credit Karma and Experian to notify you anytime a 'hard' inquiry is generated and if you have not recently applied for credit with the vendor making the inquiry, contact that vendor and the credit agency immediately. You will want to file a 'fraud alert' with that agency and they are required to notify the other two.

All credit card vendors and most financial services now offer some form of notification service (email and text) when certain events occur (deposits, withdrawals, charges over a certain limit, etc). I suggest you enable all of these at first and give them a try - you can change them later if they are too annoying. With American Express, anytime I use that card I get an immediate notification on my phone. It's a great way to keep up in real time what is happening with your account.

#3.5 Auto-update your devices (computers, tablets, phones etc)

Microsoft, Apple, Google - all tech vendors are constantly patching for security problems. There is no way any average person can keep up with it all. The simplest thing is to turn on auto-update and forget it. Yes, some hard core techies will claim that sometimes a patch may break something, but it is rare and the risk/reward is in favor of auto-updates.

Unfortunately, the vast majority of the Internet of Things (IoT) devices as well as your router, probably don't have an auto-update feature (for a number of reasons). While this normally would not be a huge deal, there have been some recent exploits discovered and many of these devices could be at risk. Some of these (older) devices may not even have an update capability or the process requires a degree from MIT. In these cases, you can either start with a Google search 'How do I update my Linksys [model #] router', or ask a geek you trust to stop by for a cup of coffee!

CES 2018 had some new product announcements that address this issue, see this article for details.

So, there you have it - all but the last one are relatively easy and straight forward and by doing all of three of them, you will have greatly increased you security awareness and DECREASED the likelihood of falling prey to the online predators. Should someone find a chink in your armor, your diligence in monitoring your accounts should tip you off shortly after it occurs and allow you to minimize any potential problems.