Paul Ducklin of Sophos on easy ways to protect yourself from cybercrime

6 Oct 2017

Paul Ducklin, senior security adviser at Sophos. Image: Sophos

Cybercrime is on the increase, so what are some fuss-free steps you can take to protect your information?

October is European Cybersecurity month, and this year’s campaign focuses on cybersecurity in the workplace, governance, cybersecurity at home and the development of cybersecurity skills.

In an increasingly digital world, taking responsibility for our own safety and privacy online has never been more important.

Paul Ducklin – a cybersecurity proselytiser

Siliconrepublic.com asked Paul Ducklin, senior security adviser at leading cybersecurity outfit Sophos, about simple steps individuals can take to ensure their devices are secure in an era when cybercrime is becoming more sophisticated by the day.

Cyber-criminals don’t discriminate when it comes to potential targets, as Ducklin explained: “It doesn’t matter how young you are, how unimportant you think you are, how much money you have, what sort of company you work for, whether it’s an internet company or a little three-man band that just goes around doing repairs – cyber-crooks are very interested in you.”

Ducklin is passionate about making cybersecurity accessible to everyone and, for him, it all comes down to forming good habits.

Set up two-factor authentication

Two-factor authentication (or 2FA) is, according to Ducklin, “a fantastic starting point” for securing online accounts such as Facebook, Twitter and webmail services. Relying on a single password or PIN leaves your devices and accounts exposed: once that one secret leaks, your personal data can be accessed by criminals working alone or in large groups, scattered all over the world.

2FA itself isn’t a new concept, but it is a relatively recent arrival in mainstream consumer services: Google only announced 2FA in 2011, with Microsoft and others following suit soon after. Adding a step in which you receive a one-time code or token by text message, email or another channel creates an additional layer of security for your sensitive information, because a stolen password on its own is no longer enough to log in.

Physical tokens can also be used as the second factor; many banks, for example, issue card readers that must be used to authorise large online transactions, on top of a password or PIN.

Ducklin said 2FA gives users an idea of the effort involved in securing their information: “It gives you an idea of how much work is involved – it’s not free. You do have to change your practices a little bit but there’s not a lot of effort”.

It’s by no means the ideal solution as “the crooks could still get the token, the token could still get breached”, but it’s one of the best safeguards out there at present. “It’s a good idea of what a big reward you can get for a small step,” Ducklin explained.

Think about it this way: if attackers obtain your Facebook password, that password stays valid, and they can keep using it without your knowledge, until you change it, probably months down the line. A one-time code, by contrast, expires with its time window (typically 30 seconds for codes generated by an authenticator app). As Ducklin put it, “if they steal today’s code, it’s not valid tomorrow”. It’s simple risk reduction.

When you’re not using an app, log out

This is another one of those habits that will feel irritating and time-consuming at first, but Ducklin explains there’s no point in having security steps like 2FA enabled if you’re not periodically signing out of apps like Twitter, Facebook and Gmail.

Ducklin said that people are often reluctant to do this in case they miss out, particularly with social media apps: “Most people don’t do this because it’s a pain to do and every app is different. When you’re not using apps like Facebook – particularly when you’re on your mobile phone – actually log out.

“You’ll have to put in your password and it will be a little bit annoying and occasionally you’ll miss out but it might cost you 30 seconds.”

It seems like a bit of an ordeal, as many of the apps we so often reach for have the log-out feature buried within the interface (or, as Ducklin put it, “about a million layers down”). Consider, though, that 2FA is essentially useless if your phone is lost or stolen while you are still logged in to Facebook or Twitter: whoever holds the phone also holds an already-authenticated session and is never asked for a second factor, and if that same phone receives your text-message codes, they hold the second factor too.

Remember: “if in doubt, log out”.

Those four-digit PIN codes? Longer is better

First of all, if your devices don’t have a PIN or password on the lock screen, set this up immediately.

Ducklin is also a big proponent of PINs that are 10 digits long. The arithmetic is simple: a four-digit PIN has only 10,000 possible values, while a ten-digit one has 10 billion, which is the difference between a code that can be guessed and one that cannot.

Again, this boils down to taking the time to value your own personal data. He compares it to getting in the car and putting on your seatbelt, or wearing a bike helmet.

Sometimes an added security step takes a little extra time to implement, but it is ultimately worth it when something goes awry.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com