Top 10 tips to stay cyber safe
Cyber criminals are increasingly targeting people rather than hardware, software or system vulnerabilities. Follow these simple tips to protect yourself online.
1. Use strong, unique passphrases and store them in a password manager
A passphrase is a combination of two or more words – the more the better. Ensure the phrase is a minimum of 10 characters. You can use capital letters, numbers, and special characters or symbols as needed to increase the complexity of your passphrase.
With so many unique passwords/passphrases to remember, you may choose to use a password manager. This is an encrypted digital vault, protected by a single master password/passphrase, that can be used to secure credentials, identity, and sensitive data.
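The passphrase rules above (two or more words, at least 10 characters, extra character types as needed) can be turned into an automated check. The following is an added example, not code from the original page or from UQ: it applies those two policy values, screens against a small constructed stand-in for a breached-password list, and adds two strength estimates that the tip does not spell out, so you can see why more words matter more than more symbols. The word list size of 7776 is an assumption (the Diceware convention), and the common-password set is constructed for illustration.

```python
import math
import re

# Policy values from the tip above: two or more words, at least 10 characters.
MIN_WORDS = 2
MIN_LENGTH = 10

# Constructed stand-in for a breached-password list (illustrative only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Assumed size of a word list used to build passphrases (the Diceware convention of 6^5 words).
WORDLIST_SIZE = 7776


def split_words(passphrase: str) -> list[str]:
    """Split on whitespace and common separators (hyphen, underscore, full stop)."""
    return [w for w in re.split(r"[\s\-_.]+", passphrase.strip()) if w]


def check_passphrase(passphrase: str) -> list[str]:
    """Return the policy problems found; an empty list means the passphrase passes."""
    problems = []
    words = split_words(passphrase)
    if len(words) < MIN_WORDS:
        problems.append(f"needs at least {MIN_WORDS} words, found {len(words)}")
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"needs at least {MIN_LENGTH} characters, found {len(passphrase)}")
    if passphrase.lower() in COMMON_PASSWORDS:
        problems.append("appears in a list of commonly breached passwords")
    return problems


def estimate_charset_bits(passphrase: str) -> float:
    """Brute-force estimate assuming the attacker guesses every character independently
    and knows which character classes were used: length * log2(alphabet size)."""
    alphabet = 0
    if re.search(r"[a-z]", passphrase):
        alphabet += 26
    if re.search(r"[A-Z]", passphrase):
        alphabet += 26
    if re.search(r"[0-9]", passphrase):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", passphrase):
        alphabet += 33  # printable ASCII punctuation and space
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def estimate_wordlist_bits(passphrase: str, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Estimate when the attacker knows the passphrase is whole words from a known list:
    words * log2(list size). This is the honest figure for a dictionary-word passphrase."""
    return len(split_words(passphrase)) * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate!r}: problems={check_passphrase(candidate)} "
              f"charset_bits={estimate_charset_bits(candidate):.0f} "
              f"wordlist_bits={estimate_wordlist_bits(candidate):.0f}")
```

The two estimates tell the story behind "the more the better": an eight-letter lowercase password is worth about 38 bits against a brute-force guesser, while four random words from a 7776-word list are worth about 52 bits even when the attacker knows exactly which list was used, and every additional word adds roughly 13 more.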
2. Use multi-factor authentication (MFA)
Multi-factor authentication (MFA), also known as two-factor authentication (2FA), provides an extra layer of protection by requiring you to verify your identity with at least two of the following before you gain access to accounts, applications, etc.:
- something you know (e.g. password, PIN, secret question)
- something you have (e.g. phone, token)
- something you are (e.g. fingerprint or other biometric).
Enable MFA on your personal accounts where it is supported. Did you know you can add third-party services to your Duo MFA app?
3. Secure devices and keep software up-to-date
Always secure your device with a password, biometric feature (e.g. fingerprint or face recognition) or a PIN/passcode (not your date of birth or bank PINs). Ensure you lock your device when you are not using it or set it to automatically lock after a period of inactivity.
Only install software from trusted sources. Allow automatic updates on your devices and systems – often software updates are released to fix bugs and address security issues. Ensure you install them as soon as you are notified and remember to reboot your device as needed to ensure the update is applied.
4. Connect securely
To ensure your personal information remains safe, use secure wifi when accessing the internet.
Avoid using public or untrusted wifi networks, especially when accessing or providing sensitive information, such as bank accounts, online shopping, etc. If you have one, use a VPN service to protect against potential eavesdropping.
5. Ensure your valuable data is stored in an appropriate location and backed up regularly
Sometimes hackers may encrypt your data so they can extort money from you (known as ransomware). If you do become a victim of this, it is often impossible to decrypt the data, so you will have to rely on backups.
Ensure valuable data is stored on approved secure storage services (not shared widely and encrypted) and backed up in the event of loss or damage.
6. Use antivirus software
Antivirus software helps protect your devices from malicious software that could steal or encrypt your data, or be used to access your passwords or credit card details. Use antivirus software from a reputable vendor and ensure it is kept up-to-date.
All UQ computers have antivirus software installed.
7. Use secure websites
Ensure any websites you provide sensitive information to (e.g. banking, personal information) are secure:
- Make sure the domain name is correct – phishers often create fake websites with a URL similar to that of the legitimate site they are imitating.
- Check the URL starts with HTTPS – the ‘s’ stands for secure and indicates that it is an encrypted channel.
- Look for the lock icon – you can click on this icon to obtain further information about the security of the website, such as the security certificate.
- Don’t click through warning messages – pay attention to certificate warnings issued by your web browser and only proceed carefully if you understand the risks.
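The first two checks in the list above (right domain, HTTPS) are mechanical enough to automate, which is useful when you want to screen links in bulk rather than inspect them by hand. The following is an added example, not code from the original page or from UQ. It takes the domain you expected to visit, accepts that host or any subdomain of it, and flags the rest; it goes beyond the list by also flagging two common disguises: a host that merely contains the expected domain, a host within two typing errors of it, a `user@host` address whose visible prefix is not the real site, and internationalised (`xn--`) labels. The expected domain `bank.example` and all sample URLs are constructed for illustration. Nothing here replaces checking the certificate behind the lock icon, which this code does not do.

```python
from urllib.parse import urlsplit

# Largest edit distance at which a host is treated as a lookalike of the expected one.
LOOKALIKE_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_url(url: str, expected_host: str) -> set[str]:
    """Return a set of warning codes; an empty set means the URL passes every check."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_host.lower()
    findings = set()

    if parts.scheme != "https":
        findings.add("not_https")
    if "@" in parts.netloc:
        # user@host form: the text before '@' is a username, not the site you reach
        findings.add("userinfo")
    if any(label.startswith("xn--") for label in host.split(".")):
        # internationalised label; may render as characters that mimic Latin letters
        findings.add("punycode")

    if host == expected or host.endswith("." + expected):
        return findings  # exact host or a genuine subdomain of it
    findings.add("wrong_domain")
    if expected in host:
        findings.add("embedded_domain")  # e.g. bank.example.evil-host.test
    elif levenshtein(host, expected) <= LOOKALIKE_DISTANCE:
        findings.add("lookalike")        # e.g. bnak.example
    return findings


def looks_legitimate(url: str, expected_host: str) -> bool:
    """True only when no check fired."""
    return not check_url(url, expected_host)


if __name__ == "__main__":
    EXPECTED = "bank.example"  # constructed example domain
    for sample in ["https://login.bank.example/", "http://bank.example/login",
                   "https://bnak.example/login", "https://bank.example.evil-host.test/",
                   "https://bank.example@evil-host.test/"]:
        print(sample, sorted(check_url(sample, EXPECTED)))
```

The subdomain test uses `host.endswith("." + expected)` rather than a plain substring test on purpose: `login.bank.example` is under `bank.example`, but `bank.example.evil-host.test` is not, even though the expected name appears inside it.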
8. Avoid using untrusted or unknown portable storage devices, such as USBs
Portable storage devices, such as USBs, can easily be misplaced and they can be used to transfer malware on to your device and into UQ systems. Trusted portable storage devices should be password protected to prevent the loss of any valuable data.
9. Be alert to scams such as social engineering and phishing
Social engineering is when scammers pretend to be from a legitimate business and try to manipulate you into giving them confidential information, such as passwords, bank information, etc.
Phishing is a form of social engineering, which is typically via email and often conveys a sense of urgency.
Spear phishing is a more dangerous form of phishing where the email message is customised according to information the criminal has already obtained about you to make it more credible.
Some warning signs to help identify an email scam:
- Email is unexpected or not personalised.
- Conveys a sense of urgency.
- Poor spelling and grammar.
- Unusual URLs when you hover over them.
- Unusual address or ‘Reply-To’ address.
- You’re asked to enter personal information, open an attachment, click on a link, or download a file.
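Several of the warning signs above can be checked by a program before a person ever reads the message: a mismatched ‘Reply-To’ address, urgency language, a link whose visible text points somewhere other than its real destination, and an attachment. The following is an added example, not code from the original page or from UQ, and it is a heuristic, not a spam filter. It parses a raw email with Python's standard `email` module and returns a list of reasons for suspicion. Both sample messages, the domains `uni.example` and `mail-reset.example`, and the urgency word list are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative urgency phrases; a real deployment would tune this list.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "account will be suspended", "verify now")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr) -> str:
    """Domain part of an address header such as 'Name <user@example.com>'."""
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def scam_indicators(raw: str) -> list[str]:
    """Return human-readable reasons the message looks like a scam (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    lowered = (str(msg["Subject"] or "") + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))

    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, visible in collector.links:
            # Visible text that looks like a URL but leads to a different host
            if visible.startswith("http") and _host(visible) != _host(href):
                reasons.append(f"link text {visible} points to {href}")

    if any(part.get_content_disposition() == "attachment" for part in msg.walk()):
        reasons.append("unexpected attachment")
    return reasons


# Constructed sample: exhibits all four indicators.
SAMPLE_EMAIL = """\
From: "Payroll Team" <payroll@uni.example>
Reply-To: payroll-verify@mail-reset.example
To: staff@uni.example
Subject: URGENT: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended unless you verify now.</p>
<p><a href="https://login.mail-reset.example/x">https://my.uni.example/login</a></p></body></html>
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"

JVBERi0xLjQK
--b1--
"""

# Constructed sample: an ordinary notice with none of the indicators.
BENIGN_EMAIL = """\
From: "Library" <library@uni.example>
To: staff@uni.example
Subject: Your borrowed items are due next week
Content-Type: text/plain; charset="utf-8"

Hello, a friendly reminder that two items are due on Friday. Renew online at any time.
"""

if __name__ == "__main__":
    for name, raw in [("suspicious", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)]:
        print(name, scam_indicators(raw))
```

The link check is the one most worth understanding: the text you see in a message (`https://my.uni.example/login`) is just a label, and the real destination is the `href` behind it, which is why the tip says to hover over links before clicking.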
10. Don't overshare on social media
Scammers often use social media to gather information about people, such as:
- names of family members, friends, pets
- dates of birth
- habits, likes and dislikes, and other details you share.
They may use this information to guess your passwords, use it in a social engineering scam, or impersonate you to apply for credit cards or bank loans, or even to commit crimes.
If you would not share the information with strangers in real life, do not share it on social media. Also regularly review your social media access settings to understand who can see information you share and ensure it is restricted appropriately.
What to do if your device/account is compromised
Work devices/accounts
- Visit the Cyber Security webpage and click on ‘Report a cyber concern’. Complete the short form; it is sent directly to the UQ Cyber Security Operations Centre (CSOC). Do not worry if your concern turns out to be false; CSOC would prefer hundreds of false concerns to missing a real attack.
- To report a suspicious email from your work account, use the Phish Alert Button in Outlook. If you use another email client, follow the instructions on how to report a suspicious email.
Personal devices/accounts
- Report the incident with the Australian Cyber Security Centre.
- Run a scan using your antivirus software and follow any instructions if issues are detected.
- For financial accounts, contact your financial institution immediately and follow their advice.
- Change your passwords. If you have used the same password across multiple accounts, ensure you change your password for each account - once scammers obtain one of your passwords, they may use it to try and gain access to your other accounts.
- Notify your networks on social media to be wary of any messages from you with strange links and/or attachments.
And remember to spread the word – inform family and friends about good cyber security practices!