We all live online now, and what happens on the internet has very real consequences in the real world. Just as we've had to learn how to stay safe in the outside world, we all have a responsibility to understand how we keep ourselves and others safe online.
There's now more online threats than you can shake a stick at, ranging from viruses to phishing to identity theft to ransomware, and more often than not, criminals are increasingly turning to the internet to try and make a quick buck. As such, it's important to know just what's possible and how to put some distance between yourself and the hackers.
This guide isn't the be all and end all, but we've tried to cover the essentials of online security. It's predominantly focused on Windows PCs, but a lot of it can apply to Mac too.
Why should I care?
In most cases, the goal of cyber-crime is to make money. In some cases, this is as simple as getting access to your credit card number or bank account, but there's plenty of more opportunities to be aware of.
Here a few common types of online criminal activity:
Identity Theft: If a hacker can find out enough about you, they can sign up for a credit card in your name. This can saddle you with debt you never racked up.
Selling logins: If a hacker is able to get their hands on the username / password combo you use to secure your Netflix account, Steam account, or even World of Warcraft account, they'll try and sell these passwords to someone else. In the worst case scenario, this could lead you to becoming locked out of your game library (in the case of Steam), potentially losing hundreds of dollars of purchases.
Ransomware: Ransomware locks you out of your computer, with hackers typically asking for payment to restore access to your files. Of course, paying the ransom doesn't guarantee the hacker will actually decrypt your machine.
Blackmail: If a hacker is able to find files or snap incriminating photos using your webcam, they may try and blackmail you, with the threat of making that information public.
Don't install files or open attachments from strangers
This is the golden rule. If you get a suspicious sounding email from someone you don't know, don't open it. And definitely don’t open any attachments that came with it. Even if it seems safe, things aren't always what they seem; Word documents can house malicious macros, for example.
Certain viruses can also hijack other people's email accounts, so if you get a weird sounding message from a friend with an unexpected attachment, there's a good chance it's not from them.
Use a strong password
Hackers can crack passwords using software that can create millions of password combinations in short periods of time. You might think that your favorite sports team is obscure enough to make a good password, but hacking software can make short work of this.
A strong password should be at least twelve characters in length; feature uppercase letters, lowercase letters, numbers and symbols; and avoid the use of common words.
A good approach is finding the acronym for a long phrase that can be easily remembered.
For example, if the phrase was your favourite Snoop Dogg lyric - "rolling down the street, smoking endo, sipping on gin and juice" - "rdtssesogaj" would be a good basis for a password.
You could then swap the "a" for a "4", add a few capital letters, and a symbol or two to the end. In this case, "RdtsSeSog4j^*" would be your final password.
Try and have unique passwords for each website too. This can be as simple as taking your regular password and throwing on a differentiator at the end. For example, "RdtsSeSog4j^*Goog" could be used for your Gmail, "RdtsSeSog4j^*Fb" for your Facebook, and "RdtsSeSog4j^*iOS" for your Apple ID. Pick a suffix that you can remember, but don't just use "Facebook" or "Gmail".
Don't tell anyone your password
Don't give out your password. Just don't. If anyone emails you asking you for your password, don't give it to them. Even if they say they're from Microsoft or the tax office. Major companies, banks, and government departments will never ask for personal details over email, so if someone is asking for these, it's almost certainly a scam.
On a related note, if you do get an email from "Apple" or "Netflix" asking you to login to address errors with your account, make sure the email is actually from Apple or Netflix.
These kind of scam emails often use email addresses that look similar enough to the company they're pretending to be, for example, @appple.com as opposed to @apple.com.
Keep your software updated
Installing software updates in a timely manner is one of the most effective ways to ensure your digital security is up to snuff. You might not want the new features in the latest version of iTunes, but many software updates also contain security-related fixes.
As a rule of thumb, it's important to update most applications on your computer, especially if they interact with the internet in any way. Update your operating system, update your web browser, update iTunes, update it all.
If you've got a device that's not a Mac or a Microsoft Surface, your device manufacturer will also likely issue their updates through their own updater software. Be sure to install these too.
Don't pirate software
This isn't just some sort of preachy moral stance, pirated software (and websites that distribute it) are often hotbeds for viruses and malware. Sure free is good, but it's not worth the risk.
What you should install
You need antivirus on your computer, but you don't need to pay for it. On Windows 8, Windows 8.1, and Windows 10, Windows Defender is installed out of the box. It works well. On Windows 7, you'll want to install Microsoft Security Essentials. It's available as a free download directly from Microsoft.
Make sure you turn on cloud-based protection. You should find this option under the Settings menu.
Please note that you'll only want to have one antivirus tool running on your computer at a time. If you're having trouble removing uninstalling a previous antivirus product, you can download ESET's AV Remover tool.
While Microsoft's antivirus is more than adequate, paid solutions can offer some benefits. According to AV Test, an independent tester of antivirus software, Microsoft only had 89.9% protection against newly discovered viruses for the month of October. F-Secure Safe, Kaspersky, and Trend Micro all had 100% for the same month.
Windows Defender's score did however rise to 99.6% when it came to the detection of malware discovered in the last four-weeks.
Paid antivirus and internet security solutions do however often include additional features such as parental controls.
While antivirus is an important part of security, it isn't the be all and end all. Antivirus will protect you from "known" attacks, but it won't help against social engineering or phishing, for example. A notification that says your computer is "protected" isn't an excuse to be complacent online, and we'll go into more detail about best practices for online security below.
If you're not already using it, you should swap to Google Chrome. Specifically, the 64-bit version. Chrome uses sandbox technology to help protect the rest of your computer against malware, and Google is pretty prompt when it comes to releasing software and security updates. Chrome's 64-bit version is more resilient to attack and interference from other programs on your machine.
For the most secure Chrome experience, you should download the "Chrome MSI 64-bit" from Google's "browser for businesses" page. This installs Chrome for all users on your machine, rather than in your individual profile. As such, Chrome can't be modified by a malicious program without you providing additional permissions.
Most online advertising is harmless, but as of late, cyber-criminals are co-opting ads and using them to display malicious content. Some "malvertising" can require a user to actually click on a link or install a program, but more sophisticated attackers can create malicious ads that trigger automatically.
Ad-blocking extensions for your browser mitigate much of this risk. We recommend uBlock Origin.
For an extra bit of privacy and security online, you can install an extension called HTTPS Everywhere. The extension can force many websites that don't support HTTPS to use HTTPS - a protocol for secure communications over a network. HTTPS Everywhere will encrypt your connections to many major websites, which in turn prevents others from intercepting communications between your computer and a website.
Malware scanners are a good way to complement antivirus, and can remove junkware and adware that virus scanners don’t always target, such unwanted toolbars and applications that spawn pop-ups.
The free version of MalwareBytes Anti-Malware is a simple way to make sure your computer doesn't have malware installed. The free version doesn't feature active protection (as in, it's not constantly monitoring for new malware), and instead relies on you to manually run scans from time to time. The Premium version adds active real-time protection for those who constantly seem to get infected.
If you're tech savvy, MalwareBytes also has a lightweight Junkware Removal Tool that can be run without installation. This doesn't have a graphical interface, and instead runs itself in a command line prompt.
It's also worth running Google's Chrome Cleanup Tool. This is designed to scan and remove software that can cause problems with Chrome, inject ads into webpages, or alter browser settings.
Lastly, Should I Remove It is a simple tool that dispenses advice on whether you should remove any of the programs you've got installed on your Windows PC. In addition to pointing out potentially annoying toolbars or applications, Should I Remove It can also help deal with preinstalled bloatware PC manufacturers tend to bundle with new machines.
Use a VPN when accessing sensitive material on public networks
A virtual private networks, or VPNs for short, are typically associated with hiding your online activity or accessing geo-blocked content, but they're also an invaluable tool that provides an extra layer of security when you're using an unsecured or public Wi-Fi.
A VPN allows you to access the internet through another computer's connection. Without a VPN, you're probably reading WhistleOut from the US. With a VPN, your connection to the website could be coming via the Netherlands, but relayed back to your computer locally.
By using a VPN when on a public Wi-Fi, your traffic is encrypted, which makes it incredibly difficult for anyone else to intercept. This is especially useful if you need to do online shopping or online banking while on the go or overseas.
F-Secure's Freedome is a solid option. A year-long subscription will set you back USD$50, it's simple to use, built by a reputable manufacturer, and server speeds are more than reasonable.
Max out User Account Control
User Account Control is that annoying prompt Windows displays whenever you try to install software. It might be frustrating, but User Account Control is actually an invaluable tool that can help keep malware at bay.
At its most stringent, User Account Control will alert you whenever an application tries to install software or make changes to your computer. By maxing out User Account Control, you'll get the prompt a little more often than normal, but you'll know everything that's going on with your computer.
On Windows 10, you can find User Account Control settings by opening Settings, and searching for "UAC". Click on "change user account control settings" and set it to "always notify".
The Java runtime and Java browser plugin are two pieces of software that let you run applications written in Java.
The good news is, there's no reason for most of us to be running Java anymore. Outside of specialist applications, almost nothing requires either the Java runtime environment or the Java browser plugin these days. As such, your best bet is removing it.
You can check to see if your Windows computer is still running Java by opening Control Panel, selecting "programs", then "uninstall a program". On older versions of Windows, you may need to select "programs" then "programs and features".
Check this list for Java (potentially displayed as Java 7 or Java 8). Older versions of Java might be listed as J2SE, Java 2, Java SE or Java Runtime Environment. If you see Java, select Uninstall to start removing it.
In Chrome, you check for the Java browser plugin by typing chrome://plugins into the address bar. If you see Java, press disable.
When possible, pay with a third party payment solution like PayPal. When you pay through PayPal, it means you're not sharing your credit card number with whoever you're buying from.
This is especially important in the age of database hacks. While you might trust who you're buying from, you don't know what their security practices are like or how they're storing your credit card details. In recent years, we've seen companies as large as Sony and Adobe hacked, which have resulted in large numbers of credit cards being made public.
There are other online payment solutions that act as an intermediary between the merchant and you, including Apple Pay, Android Pay, and MasterPass. PayPal is however accepted in more places - including some real world stores.
Make Flash click-to-play
Adobe's Flash Player is a vulnerability ridden piece of rubbish. Even Adobe is encouraging developers to stop building with it. Google is planning to start blocking Flash content from playing in Chrome, but in the meantime, it's worth setting it to clock-to-play, or ideally, uninstalling it entirely.
In Chrome, you can do this by opening the Settings menu, selecting "Show Advance Settings", clicking on "Content Settings", then scrolling down to "Plugins". Select "Let me choose when to run plugin content", and make sure there's nothing set up under "manage exceptions".
If you want to uninstall Flash entirely, you can get Adobe's Windows Flash uninstaller here.
Close all browsers and programs before running it.
Take regular backups
If you're regularly backing up your computer - at least important or irreplaceable files - you'll always have a recent version of your information on hand. While this is obviously useful from a security perspective, it's always useful in the case of hardware failure; having an up-to-date backup can save you thousands in data recovery costs.
If possible, the best approach to backups is to have two external drives for the sake of redundancy. While this might sound like overkill, it also means you can keep one offsite (like at your office, for example).
If your internet is fast enough, you can also look into online backup services like Backblaze.
Tape your webcam, disable your microphone
Most laptops and some all-in-one desktop PCs now feature built-in webcams and microphones. While these are pretty useful when you want to video chat on Skype, they also represent another possible attack opportunity for hackers.
You don't actually need to tape over your webcam and microphone, but it's worth being aware of the potential privacy risks they pose. If a malicious actor manages to hack your webcam or microphone, they can potentially see and hear whatever you're doing. Getting changed in the same room as your laptop? Someone could be recording that. Talking business plans? Someone could be listening.
Hackers would typically gain this kind of access by seeding out a virus or malware that infects the software that controls your webcam. In most cases, antivirus software should be able to detect these kind of viruses. Once again, the golden rule can be applied here: don't install files when you don't know the source, and don't open attachments from strangers.
It's worth noting that isn't the kind of attack this is easily automated, and in some cases, your camera's light is hard to disable. If your laptop's camera's light is on for no discernible reason (for example, you're not running a video call on Skype), you should be concerned.