As our reliance on technology increases, cybersecurity is a concern that affects every individual and is all of our responsibility and not exclusively those in the IT field.  As a comparison, think about being a driver on the public transportation network.  Just as locking your car doors does not prevent its theft, no one technology can protect you from cybercrime. Fundamentally, we are each responsible for the proper, safe, and legal use of our vehicles (both work and personal) to prevent incidents.  If everybody obeyed the rules, the transportation and computer networks would both be safer for all.  However, both networks have users who are careless in the operation and maintenance of their equipment causing potential issues for the rest of us.  Consequently, we have to deal with aggressive and selfish drivers on the roadways and hackers on the computers.  Whether we want to or not, we must therefore always be alert and take precautions when we are driving as well as when using technology.  This is the only way to prevent the bad actors from causing an incident.  For if we don’t, their actions will at least make us late – whether it be to our destination on the road or City services because we have no access to our computer systems and data (it takes at least 1 day to restore a single server and we have dozens of servers).  As a worst case, it could lead to a fatality in life, privacy, data, or your job.

 As cyber threats continue to evolve, it's vital for everyone to take proactive steps in safeguarding their personal information and digital assets.  To assist you in staying secure online, we have compiled a list of cybersecurity tips covering various best practices.

Shared Responsibility

First and foremost, it's crucial to recognize that cybersecurity is a shared responsibility; it's not solely the domain of IT professionals.   Each of us plays a role in being the last line of defense against cyberattacks.

Unique Passphrases

One of the foundational steps is to use unique passphrases for each online account, ensuring they contain at least four words and 15 characters. Including numbers, symbols, and capital letters can further enhance complexity and thwart password-guessing attempts.  A passphrase and a password serve the same purpose in providing access to digital accounts or devices, but they differ in complexity and composition. Passwords are typically shorter, often include a mix of letters, numbers, and symbols, and can be challenging to remember. In contrast, passphrases are longer and composed of multiple words, making them more user-friendly and easier to recall. Passphrases are often considered more secure due to their length, even without the need for complex character combinations, while passwords may require additional complexity criteria to achieve a similar level of security.

Use a password manager

To manage these unique passphrases effectively, consider using a trustworthy password manager.  These tools help you securely store and manage your passwords, sparing you the burden of memorization.  There are both free and paid password manager solutions.  Most paid subscriptions offer a family plan that can allow up to a number of users (usually up to 5 accounts) under the same subscription to save money.  While the City of Haines City cannot endorse one product over the other, we do recommend doing your research to find the most cost-effective option for you and your family. 

Enable MFA (Multi-Factor Authentication)

MFA adds an extra layer of security by requiring both something you know (like a passphrase) and something you have (such as a code sent to your mobile phone or your fingerprint). You may have seen MFA used in financial institutions, such as banking websites, or other information-critical sites, such as retirement management or health insurance websites.  The most popular option is to receive a text message on your cellphone.  Other options include a grid card (numbered rows and columns with paired letters/numbers at each intersection), USB token (a device you plug into your computer), or an authentication app (an app that uses a secure algorithm to generate a 6-8 digit code to use when prompted).

Changing default credentials

Changing default login credentials is another critical step in fortifying your online security.  Most network devices (wireless modems, routers, home security cameras/system, etc.) are installed with a default administrative username and password (such as admin as the username and admin as the password).  Default usernames and passwords are readily available on the internet, making it easy for cybercriminals to gain unauthorized access. It is imperative when setting up these devices, that you change the default password. Please refer to the device's documentation on how to change the default password.

Regularly backup data

Regularly backing up your data to an external source is a best practice that ensures your information is safe in the event of malware infections, device loss, theft, or hardware failures.  Most operating systems, today, include options for backing up your computer.  You can backup your data to external devices such as USB hard drives or optical media (such as CD-R or DVD-R) discs.  Keep in mind that certain backup mediums have limited write capacity (solid-state drives are known for this) or mechanical limitations (spinning hard drives; anything mechanical will eventually fail), so checking your backup media should be done semi-regularly as well.

Keeping your operating system and software updated

To stay ahead of cyber threats, it's essential to keep your operating system and software up to date.  Manufacturers continually release updates and patches to fix security vulnerabilities.  Check your computer's operating system update settings to make sure you are automatically downloading the latest updates for the operating system.  These settings can sometimes download the latest drivers for your hardware, as well. 

Microsoft's Windows operating system releases updates on a schedule. Monthly security update releases are sent out on the second Tuesday of each month, typically around 10 a.m. Pacific Standard Time (PST/PDT). Optional nonsecurity preview releases are dispatched on the fourth Tuesday of each month around the same timeframe as security updates.

Apple releases updates and security patches for macOS periodically. The release schedule is not publicly disclosed, and Apple does not discuss or confirm security issues until an investigation has occurred and patches or releases are generally available.

Enable device firewalls

Remember to enable the firewall on your computer and router as a first line of defense against cyberattacks.  Firewalls can be configured to block internet traffic coming to your computer or across your network.  Some antivirus software includes a built-in firewall.  Enabling both OS, software, and device firewall can add extra layers of security, but may cause unwanted traffic to be blocked.  Please refer to the device or operating system's documentation on how to correctly enable and configure the firewall for your network.

Install reputable antivirus and anti-malware software

All computing devices (including phones) should have anti-malware software installed as the second layer of defense.  These applications can alert you if suspicious code is found on your storage device and block it from running.  

When it comes to device security, free is not always best.  Paying for reputable antivirus and anti-malware software ensures your computer receives the latest definitions of what virus or malware threats have been identified.  If the antivirus or antimalware vendor offers monthly, or annual, billing options, use a credit card for secure transactions.

Avoid downloading attachments or clicking on suspicious links

Cybersecurity extends beyond your devices.  Exercise caution when downloading attachments or clicking on suspicious links in emails.  Cybercriminals often use these tactics to deliver malware or ransomware.  Before clicking a link in an email, hover the mouse over the link.  A text tool pop-up should display the actual URL of the link.  If the pop-up text does not match what is blue underlined, it's probably a malicious link.  

When using a search engine, such as Google or Bing, more reputable links will be at the top of the result list.  This doesn't mean all top results are clean, but the majority of the top links have been scanned by Search Engine Optimization (SEO) tools.  Many antivirus/antimalware software have browser extensions that can scan URLs and let you know whether they are malicious.  The Microsoft Edge browser also has this feature built-in.  Microsoft maintains a list of bad-actor URLs and will not let you click on them, or navigate you to a red warning page stating the problem with the link.

Keep personal information private on social media

Maintain privacy on social media platforms, as criminals can exploit personal information for social engineering attacks.  One tactic that criminals can use is to read GPS location data from photos.  

By default, most smartphones enable location settings in their camera apps.  This adds EXIF metadata to the picture.  When you upload these photos with EXIF data, anyone can see where and when the photo was taken.  If you take a picture of your kid in a schoolyard (not necessarily showing the school building) now criminals know where your child attends school and can attempt to check them out under false pretenses from other data gathered from your social media sites.

Also, posting pictures of family vacations, while away from your home gives criminals an easy target for breaking and entering your home and stealing your valuables.  Make a habit of posting your vacation pictures after returning home.

Use online resources to protect yourself

Utilize trusted online resources like Shields Up (https://www.cisa.gov/shields-up) for cybersecurity best practices.  There are many trusted resources on the internet that provide up-to-date information on the latest cybersecurity incidents, known virus and malware files, and other security leaks.  These usually come from Government sources or reputable cybersecurity organizations, such as NIST (National Institute of Standards and Technology).

There will be more online resource links at the bottom of this page that contain more useful tips, discussion topics, and more cybersecurity information.

Do not scan random QR Codes

QR codes are becoming a popular option for directing people to their websites or organizations.  They appear as a group of black squares in a grid with three or four large black squares in the corner of the grid.  Many of these grids are printed on business cards and are used for legitimate purposes.  QR codes, like email links, can be deceptive.   It is possible to direct the QR code to a URL that will automatically download a file to your computer or smart device.  Some QR codes can contain instructions for the smartphone to perform an unwanted action, such as connecting to a fake hotspot.  Always verify the URL's legitimacy before scanning random QR codes.  If you are unsure of where the QR code is leading you, do not scan it.

Don't use public Wi-Fi for sensitive transactions

Speaking of fake hotspots, it is very easy nowadays to fake a Wi-Fi network name.  Bad actors create real looking Wi-Fi names, such as 'Free Coffeeshop WiFi' that might be near popular coffee places. Once connected to these false networks, cybercriminals can begin stealing your sensitive information.  

This is why you should never do your online banking, or other sensitive internet work on public Wi-Fi networks.  Even reputable businesses that offer legitimate free Wi-Fi could have digital 'prowlers' scanning all Wi-Fi packets on the network for the reason of stealing important data.  These networks lack proper security measures, making your data vulnerable to interception.  

If you absolutely have no other options and need to use public Wi-Fi to do sensitive online work, use a reputable VPN software that masks your traffic making it infinitely more difficult for criminals to steal your data.

Avoid using unknown USB drives on your computer

Plugging a USB device into your computer can automatically run software (including malware) located on the USB device. Therefore, you should never plug a USB device received from an untrusted source into your computer.  If you find a random USB drive on the floor at an office building, turn it in to your IT department. If one is found out in the public, throw it in the trash.

Regularly review and adjust privacy settings on online accounts

Cloud systems can add, delete, and change security features at any time.  It is best practice to review your security settings on all social media and other online accounts.

Keep a clean desk

Do not keep papers with private or sensitive information (including sticky notes with passwords) on your desk that anyone walking by can see or easily access.  This method of stealing passwords and usernames is called "shoulder surfing".  Some criminals use their 'photographic memory' to memorize user credentials as they walk through office buildings or other locations that have people working within their view.

Lock your phone and computer when not in use

You should always configure your devices to automatically lock after a certain timeframe to prevent unauthorized people from walking by and using your device under your credentials and thus accessing all your data.

You can also get into the habit of manually locking your computer when leaving an area.  If you use a Microsoft Windows computer, the keyboard shortcut is Windows key+L. On an Apple macOS computer, the keyboard shortcut is Command+Control+Q.

Both iOS and Android smartphones have built-in security features allowing you to set a lock code (iOS/Android) or a lock pattern (Android) when your phone is locked (Unlock patterns have been known to be "cracked" just by looking at the device and seeing finger drag marks).  Make the code or pattern difficult enough to not be guessed, but simple enough that you will remember it.  For lock codes (or PINs), use more than 4 digits and not something that can be identified to you, such as your birthday.  Use, for example, a couple of digits of different addresses you may know or a couple of memorable dates, or years, that are significant to you.  Avoid using unlock patterns at all.

Don't share passwords or sensitive information via email or text

E-mail and text messages are not encrypted by default and thus are not good ways to send passwords.  If a password must be provided to someone, it is best to do it verbally over the phone after validating the requestor’s identity.

Use a brick and avoid plugging directly into unknown USB ports

Plugging a device into a USB port is like plugging it into a computer.  Airports, coffee shops, hotels, and some fast-food chains have installed public-use USB charge ports.  You don't know if these ports only provide power, or connect to a computer behind the paneling. Therefore, you should never charge a device by plugging it directly into an unknown USB port.  Instead, use a brick to charge your device from an electrical outlet.

Even when using a charge brick on a device, be sure it is one that you bring from home.  There are some malicious power bricks that have built-in wifi that can transmit data from the charger to a remote location.

Secure physical access to your devices and data

Preventing physical access to your devices and data is a key component of cybersecurity.  Keeping your devices safe in the real world is just as important as protecting them online. This means locking them up, not leaving them lying around, and making sure no one can tamper with them. It's like locking your front door to keep your home safe from intruders – in the digital world, we need to do the same with our devices and information.

Create a separate, limited-privilege user account on your computer

You should never use an account with administrative access for normal use.  Instead, create a second account for everyday use and reserve the administrator account for those rare times you need to make changes to the device.  Be sure the administrative account is configured with a stronger-than-normal password as this account has full permission on your computer to make any changes.

Implement security measures for smart devices at home

Home automation and smart home devices (i.e. Alexa, Roomba) have small computers running software and are thus targets for cyber attacks.  You must ensure these devices are protected like all other computing devices with non-default, unique passphrases and enable all security settings.  If your Wi-Fi router supports it, create a "guest" network where your smart devices live.  This creates a separation, so the smart devices do not touch your network that may contain private information (such as a home PC or laptop).  Also, use the device's secure companion app. Each manufacturer of the smart device (Amazon Alex, Google Nest, etc.) has a genuine app that is used with their hardware. Never allow a third-party app to read or control your smart home device.

Don’t throw away documents with sensitive data on them

Consider using a cross-cut shredder or burning documents that are no longer needed (check with your local fire department for burn permits).  Typical document shredders only shred paper in vertical strips.  Criminals going "dumpster diving" can tape these vertical strips back together with ease to read the information on them. Cross-cut shredders destroy the document by cutting the paper two or more times by creating tiny particles of paper making it next to impossible to reconstruct.  

If you do not have access to a cross-cut shredder, redact (using a permanent marker to shade over text) the document on both sides of the paper so it cannot be read.

Monitor your credit report

Regularly check your credit report for any unauthorized or suspicious activity that could indicate identity theft.  All consumers are entitled to at least 1 free credit report every year from each of the 3 big credit bureaus: Equifax, Experian, and TransUnion. See the links at the bottom of the page for the credit agencies.

Practice safe online shopping

Shop from reputable websites with secure payment options and look for HTTPS and a padlock symbol in the browser's address bar when making online purchases.  Avoid clicking on suspicious links or sharing sensitive information over unsecured networks. Additionally, regularly monitor your credit card statements for any unauthorized charges, and consider using a credit card with fraud protection for online purchases.

Use secure messaging apps for sensitive communication

When sending sensitive information or discussing confidential matters, use end to end encrypted messaging apps that offer end-to-end encryption (E2EE).  Look for E2EE apps that do not store messages on a cloud server.  This is another possible point of failure in securing the information you are sending across the app.

Be cautious about security while sending text messages via a secure E2EE platform as it does not guarantee absolute privacy. Even when you communicate through an encrypted app, there's the possibility that the recipient may capture a screenshot, forward the message to others, or share it with someone nearby. The human factor inherent in communication can introduce vulnerabilities to privacy.

Be cautious with social media quizzes and surveys

Avoid participating in social media quizzes or surveys that request personal information or seemingly harmless details, as they may be used for social engineering attacks.  For example, these quizzes can trick you into divulging answers to security questions, such as "What is the name of your favorite book".  This question is a common question when setting up security questions for websites.  Security questions allow you to authenticate your account when you need to reset a password.  Bad actors with the answers to your security questions can now reset and gain access to your various online accounts.

Another infamous trick used on social media is ads that you authorize to read all important details of your account.  For example, have you scrolled through social media and seen a post that reads: "What famous celebrity is your twin?" These seemingly harmless 'quizzes' usually ask you to allow the app to read profile information (such as photos, political stances, names, etc.) that "may" match you with a celebrity.  The problem is that you have 'allowed-all' on your personal data.  Most people do not read the fine print on what details they are giving away.  Stay away from these types of ads and quizzes that ask you to allow permission.

Secure NFC-enabled credit cards or wireless devices in a secure wallet

There are wallets and purses with built-in protection against wireless attacks. The lining of these specially designed purses and wallets creates a miniature Faraday cage that blocks wireless signals from entering or leaving the apparel.  Hackers and criminals can use long-range wireless scanners to read NFC (near-field communication) chips from cards and cell phones.  They can sit in food courts and gather all kinds of useful data which they steal and then use to do their own shopping using your money or credit.

Read the license agreement and privacy policy carefully

You should carefully read all cookie agreements, license agreements, and privacy policies before installing or accessing software or websites.  These agreements specify what you can legally do with the software and what the company will do with your data, including selling it to third parties or using it for sending you marketing material.

Safeguard your Wi-Fi network

Protect your Wi-Fi network with a passphrase and change it periodically.  You should also enable WPA2 encryption to protect your data.  If supported by your wireless router, use a separate SSID (wireless network name) for guests to access the Internet without having access to your personal devices.  Network names should also not identify you by name or surname.  Also, some older WiFi routers came configured with SSIDs that were also the password to the network.  This is another good reason to change the network password.