What would you lose if hackers got access to your mobile phone, email or online shopping details?
We store an enormous amount of data with online services, and even just one breach can lead to further compromises, maybe even giving an attacker remote access to your computer or smartphone.
As cloud storage and online accounts become more vital to our day-to-day lives, it’s important that we all take some precautions to secure our services and devices, and prepare for the worst in case our information is ever exposed.
Practice basic computer security
Malware does more than damage files: it can log keystrokes, harvest saved credentials and send them back to the attacker.
Antivirus (AV) software helps block such attacks, and you don’t need to pay for it. Several free AV packages give adequate baseline protection for most home users, including Avast!, Windows Defender (built into Windows at no cost), Avira and AVG. For everyday use the free tools hold up well against paid packages such as Norton and McAfee; if you do want to pay, upgrade one of the free tools or try the excellent ESET NOD32.
Don’t open file attachments just because they arrived by email, even when they appear to come from someone you trust: a sender address is trivial to forge, and mail from a contact whose account has been compromised really does come from them. Scan every downloaded file before opening it, otherwise you could end up with a trojan. If you want to go further, Sandboxie isolates a program from the rest of the system, so you can open a suspect file and see what it does without it touching your real files or settings.
Alongside AV it is also worth running an anti-malware tool. Every virus is technically malware, but the two product categories differ: anti-malware tools target threats such as spyware, adware and potentially unwanted programs that AV engines often miss, and they are good at cleaning up an infection that is already present. Run the two together by all means, but never two AV packages with real-time scanning at once, as they fight over the same files and slow the machine to a crawl. Our top choice is the excellent Malwarebytes Anti-Malware, though most AV suites now include some anti-malware capability too.
Use strong, secure passwords
If your password is too simple, or can be guessed from information someone could easily find out about you (pets, football teams, birthdays and so on), you’re doing the attacker’s job for them.
A mix of letters, numbers and symbols is better but, as this StackExchange post explains and XKCD famously illustrated, a short password is still not safe. Once a site’s password database leaks, an attacker can test billions of guesses per second offline, and eight or nine characters of mixed case and symbols fall in a matter of days against a fast hash such as MD5 or unsalted SHA-1.
Length matters more than anything else. String several randomly chosen words into a nonsense phrase and it becomes effectively impossible to guess or brute-force, provided the words really are chosen at random rather than taken from a quotation or song lyric. Diceware does exactly that: you roll five dice per word and look the result up in a list of 7776 (6^5) words, so each word adds about 12.9 bits of entropy and six words give you roughly 77 bits.
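The following is an added example (not code from the original article or from the Diceware project) that implements the Diceware selection step described above and compares the resulting entropy with that of a conventional short password. The word list is a constructed placeholder keyed exactly like the real one ("11111" to "66666"); load the genuine list file for real use. The 1e10 guesses-per-second cracking rate is an assumed figure for a GPU rig against a fast unsalted hash.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # a standard Diceware list has 7776 entries


def key_to_index(key: str) -> int:
    """Map a five-dice key such as '11111' or '66666' to a list index 0..7775.

    The key is a base-6 number whose digits run 1..6 instead of 0..5.
    """
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError("key must be exactly five digits in the range 1-6")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def index_to_key(index: int) -> str:
    """Inverse of key_to_index: 0 -> '11111', 7775 -> '66666'."""
    digits = []
    for _ in range(DICE_PER_WORD):
        digits.append(str(index % 6 + 1))
        index //= 6
    return "".join(reversed(digits))


# Constructed stand-in for the real list: the genuine file maps each key to a
# short English word. Load that file instead of this placeholder for real use.
WORDLIST = {index_to_key(i): f"word{i:04d}" for i in range(LIST_SIZE)}


def roll_key(roll=lambda: secrets.randbelow(6) + 1) -> str:
    """Roll five dice and return the key.

    The default 'die' is the OS CSPRNG (never random.random, which is not
    suitable for secrets); pass a function that reads physical dice instead
    if you prefer the original method.
    """
    return "".join(str(roll()) for _ in range(DICE_PER_WORD))


def generate_passphrase(n_words: int, wordlist=WORDLIST, roll=None) -> str:
    """Pick n_words words independently; with 6 words that is ~77.5 bits."""
    keys = [roll_key() if roll is None else roll_key(roll) for _ in range(n_words)]
    return " ".join(wordlist[k] for k in keys)


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a secret built from `symbols` independent uniform choices."""
    return symbols * math.log2(choices_per_symbol)


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected offline cracking time: half the keyspace at the given guess rate.

    1e10 guesses/s is an assumed figure for a GPU rig against a fast unsalted
    hash; against a slow hash like bcrypt or scrypt it would be far lower.
    """
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(6))
    for label, bits in (("8 chars from 95 printable ASCII", entropy_bits(95, 8)),
                        ("6 Diceware words", entropy_bits(LIST_SIZE, 6))):
        years = expected_crack_seconds(bits) / (365.25 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, ~{years:,.0f} years at 1e10 guesses/s")
```

The entropy figures only hold if every word is chosen uniformly and independently; picking "memorable" words yourself, or dropping a word you dislike and re-rolling, reduces the keyspace in ways the arithmetic above cannot see.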
It’s also incredibly important that you don’t use the same password across every site, because then a single hack or security leak could open up all your accounts.
To save having to remember a unique password for every site, use LastPass or another password manager. It stores all your logins in an encrypted vault and fills in login forms for you, so the individual passwords can be long, random and unmemorable; the only thing you have to remember is the master password that unlocks the vault. Make that one a strong passphrase, because everything else depends on it.
For more help with creating strong passwords read our in-depth password security feature.
Backup, backup, backup
Having an up to date copy of your most vital data is an essential safeguard against disaster.
At the very least keep copies of vital files in one other location, preferably several. The 3-2-1 rule is a good target: three copies of the data, on two different kinds of media, with one copy kept off-site.
Be cautious with cloud storage such as Dropbox or iCloud. Sync is not a backup: if an attacker wipes your files, or ransomware encrypts them, the change syncs to the cloud copy too, and because the data can be reached from anywhere with the right credentials you might not realise you’ve been compromised until it’s too late. Nor should you treat the provider as fully trusted for sensitive data. Anything stored in plaintext can be read by the provider’s staff, by anyone who compromises your account or the provider, and, as Edward Snowden’s NSA leaks showed, by governments with the legal or technical means to get at it. If you do use cloud storage, encrypt sensitive data locally before uploading it, so the copy in the cloud is useless without your key.
Multi factor authentication
Anti-virus, decent passwords and backups are the basics, things we should all be doing anyway. On their own they won’t stop a skilled or lucky attacker, though; for that we need to look at additional security features.
Normally you log in to email or another service with just a username and password. MFA adds a second check that must be passed before you’re let in, usually something you have (a phone, a hardware token or a card reader) rather than something you know, so an attacker who has your password also needs your device. Not all second factors are equal: codes sent by SMS can be captured by SIM-swapping or number-porting attacks, so prefer an authenticator app or a hardware key where a service offers one.
Online banking has used this for years: you slot your debit or credit card into a reader, which generates a one-time code that you enter alongside your online banking password.
Google also offers MFA, and at its simplest all you need is a phone that can receive texts.
Go to the Security section of your Google Account and follow the instructions to enable 2-Step Verification. It won’t take long, and afterwards anyone logging in needs both your password and your phone. Better still, install the Google Authenticator app (Android or iOS): it generates time-based one-time codes on the phone itself, with no SMS involved, and the same app works with any service that supports the standard TOTP scheme.
Multifactor is showing up on a lot more services, so if it’s available, use it. LastPass supports it (and you absolutely should enable it there, if nowhere else), and the digital download service Steam has Steam Guard, which requires verification whenever you log in from a new computer.
Be vigilant for data leaks
Having personal information leaked in a hack is a fairly common occurrence. Sometimes these leaks are just lists of email addresses but they can also contain passwords, addresses and other more personal information.
Spammers use these leaks to find new email addresses for their junk emails, and hackers will use email and password combos to try and access other accounts (which is why you should never use a password more than once).
Get into the habit of checking for data leaks, and change the password for any affected service as quickly as possible (and anywhere else you reused it). Have I Been Pwned? is a free online service that lets you check an email address against known breaches, and it can notify you when a new breach containing your address turns up. Its Pwned Passwords feature also lets you check whether a password itself has appeared in a breach without sending the password to the site: it is hashed with SHA-1 locally and only the first five characters of the hash are sent, so the service never learns which password you asked about.
Leaks can take time to become public, so watch for signs that your data has been exposed: password-reset emails you didn’t request, login alerts from unfamiliar locations or devices, or failed login attempts, especially across several services in a short period. Any of these may indicate that your information has fallen into the wrong hands.
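The Pwned Passwords lookup described above uses a k-anonymity range query: the client hashes the password, sends only the five-character hash prefix to the API and compares the returned suffixes locally. The following added example (not code from Have I Been Pwned or from the original article) implements that client logic. The API response embedded in it is constructed so the example runs offline; the suffix for "password" is the real remainder of its SHA-1 hash, but the counts and the other entries are made up. The live fetch function is included for completeness but is not exercised.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Pwned Passwords indexes by upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(digest_hex: str):
    """k-anonymity split: only the 5-char prefix ever leaves the machine."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(text: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def fetch_range_http(prefix: str) -> str:
    """Live lookup (not exercised in the offline demo). Add-Padding asks the
    API to pad the response so its size does not reveal which prefix was sent."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_http) -> int:
    """How many times the password appeared in breaches (0 = not seen)."""
    prefix, suffix = split_for_range_query(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for the API. The middle suffix is the genuine
# remainder of SHA-1("password"); the counts and the other suffixes are made up.
CONSTRUCTED_RESPONSES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AAEF8FFB6A2B0A7E31A6D6B6F1:0",  # padding entries carry a count of 0
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    return CONSTRUCTED_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_fetch_range)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in the sample data'}")
```

A non-zero count means the password is in attackers’ wordlists and should be replaced everywhere it is used; a zero count is not a guarantee of strength, only that it has not turned up in the breaches the service has indexed.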
How can I report a data protection breach?
If you're concerned that personal data has been mishandled you should report it to the Information Commissioner's Office (ICO) by phone or using the online advice service.
You have the right to find out what information the government or an organisation holds about you. Requests should be sent in writing. If the organisation does not have a dedicated contact for data protection requests, address your query to the company secretary. Remember that organisations may levy a "reasonable" charge for the cost of retrieving this information, and some do not have to divulge
If the data they hold is incorrect you can request it be changed. And if you do not believe they have a valid reason to have the data, you may request it is deleted. They are not obligated to comply but must at least respond and tell you why.
Pack a digital emergency recovery kit
If the worst happens you want to be like the Scouts and always be prepared, so put together a digital disaster kit.
Recovery disk/flash drive
It hasn’t been updated in a while, but the Ultimate Boot CD is a free download offering a large collection of tools for recovering a PC that won’t boot, including data recovery, secure file deletion and anti-virus scanners.
It is also worth keeping Ubuntu (a free Linux distribution) on a bootable USB stick. Provided your PC is set up to boot from USB, it gives you a fully functional modern operating system in minutes, with no installation required, from which you can copy files off a damaged Windows installation.
Your antivirus tool should also be able to create a rescue disc. Boot from it to scan and clean an infection from outside the compromised operating system, where running malware can’t hide from or interfere with the scanner.
Secondary email address
A forgotten password is usually recovered via a reset link emailed to a secondary address, which makes that address a prime target: an attacker who breaks into it can reset the passwords of every account linked to it.
For this reason, create and maintain an email address that is entirely separate from your other accounts and used only for password recovery. Give it a long, unique password and multifactor authentication, and choose a username and address that don’t resemble any of your other email addresses or nicknames, so it can’t be guessed from them.
One last thing: a free account may be closed if it isn’t used regularly, so log in occasionally and check it still works. This matters because some providers let a deleted or expired address be registered by someone else, who would then receive your password-reset emails.
Portable app toolkit
USB sticks are endlessly useful. Besides storing files and booting operating systems, you can load them with portable apps that let you carry on working on any computer.
Head over to portableapps.com to download portable editions of a huge number of common tools such as Firefox and Dropbox. Grab whatever you need, load it on a USB stick and you can run the software without installation.
That gives you quick access to familiar applications on other people’s systems and avoids downtime if your own PC is broken. For extra security, pick up a biometric USB stick with a fingerprint scanner, but check that it actually encrypts the contents rather than merely hiding them behind the sensor; otherwise whoever finds the stick may be able to read the flash chip directly.