Here are some simple, practical tips from CERT NZ to help keep your personal information safe and secure online. There’s a visual version available to download in PDF format at the bottom of the page.
1. Back up your data
Backing up the data on your devices — by copying it to another, separate location — is one of the most important things you can do. If you’re targeted by a cyber attack you may not be able to access or use your computer, phone, or any of your other devices. But, if you’ve backed your data up you won’t lose any of it, regardless of what ends up happening to your device.
What to do
- You can either:
  - get an external hard drive and do an 'offline' or 'cold' backup, or
  - sign up to a cloud-based service like Dropbox and do a cloud backup.
- Back up your data regularly — for example, every week.
2. Keep your devices and your apps up-to-date
When you’re alerted to an update for your device or one of your apps, don’t ignore it — install it as soon as possible. Updates aren’t just about adding new features. They’re also about fixing vulnerabilities in a device or an app that attackers could find and use to gain access to your system. If your device can’t receive updates anymore, we recommend planning to upgrade to a newer model.
What to do
- Keep the software for your devices and apps up-to-date.
- Better still, set your system preferences to update them automatically — then you don’t have to think about it.
- Remove any apps you don’t use anymore from your devices.
3. Choose unique passwords
We all have so many online accounts now that it’s become hard to keep track of all of the passwords we need for them. To combat this, many of us use the same password for all of our accounts or stick to two or three different ones that we use over and over. The problem with this is that if an attacker gets access to one of your account passwords, it often gives them access to many of your other accounts as well.
What to do
- Use a different password for every online account you create.
- Try using a password manager, which will store and manage your passwords for you. The password manager will be the only account you need to remember login details for.
- Think about using a short phrase or add a few random words together to create a passphrase, rather than a password. Passphrases are usually stronger and easier to remember than passwords.
- You can add a mix of letters, numbers and symbols to make your passphrase more complex, for example, 'Wint3r here 1s warmer than Summ3r'.
- Review the passwords for some of the accounts you’ve had for a while; they probably have weaker or reused passwords.
4. Turn on two-factor authentication
Two-factor authentication (2FA) is another way that you can help to protect your online accounts from being hacked. You can choose to have a code sent or generated on your device, like your phone, that you can use to authenticate who you are every time you log in. That way, even if someone gets access to the account password, if they don’t have your phone to receive the code they can’t get into your accounts.
What to do
- Turn on two-factor authentication for your important accounts, such as your email and social media accounts.
- If several types are available, choose the option that isn’t SMS, as SMS is less secure. Using SMS as your second factor is still much safer than not using 2FA.
5. Be creative with the answers to your account recovery questions
When you set up a new account online, you’re often asked to set an answer to an ‘account recovery question’. These are generally used as a way to identify you if you forget your password and need a prompt. They’re often based on easy-to-remember things about you — like your mother’s maiden name, the name of your first pet or where you went to school. Unfortunately, these are also easy things for an attacker to find out and could be used to gain access to your accounts without your knowledge.
What to do
- Consider being a bit creative when you’re asked to set the answer to an account recovery question. Instead of being honest about what school you went to, for example, you could say 'Hogwarts' instead. As long as it’s something that you can remember, you can set any answer you like.
6. Avoid sensitive transactions on free wifi
It’s good to be careful about what you do online when you’re using a hotspot or free wifi — if you’re logging on at a cafe, for example — as these networks are often unsecured. When a network’s unsecured, anyone can access it and get hold of your data. You’re also at risk of people ‘shoulder surfing’ — looking over your shoulder to try to see the login details for your online accounts. So while it’s ok to check the news or the weather, try to keep more sensitive transactions to a minimum.
What to do
- Avoid doing online shopping or internet banking on free wifi or an unsecured network.
- If you need to check your email, make sure you have two-factor authentication set up first.
- Use your own device where possible, not someone else’s.
7. Install an antivirus and scan for viruses regularly
Antivirus software can help you detect and remove malware — viruses — from your computer system. If you don’t have an antivirus installed already, consider investing in it. If you’re using Microsoft Windows 7 or newer, it comes with a free antivirus called Windows Defender. Otherwise, get a legitimate antivirus from a well-known, trusted company — your local computer services company can give you advice on what would work best for you. Don’t just download any free antivirus software online, as many of the ones you see advertised for free are fake. They could download malware or adware onto your computer instead of helping you detect and remove it.
What to do
- Install an antivirus program on your computer. If you’re not confident doing this yourself, a computer services company can do it for you.
- Run it regularly, for example, every week, and clean up any viruses it identifies.
- Tell your IT person about any viruses you’ve found the next time you see them.
8. Be smart about social media
Did you know that the information you post to your Facebook profile, your Twitter feed or your Instagram account could be used to steal your identity or hack into your online accounts? We’re so used to sharing things online that we don’t really think about it anymore. Everyone knows your pet's name, where you went to school, where you work, and even when you’re away on holiday.
Unfortunately, this window into your life not only lets your friends and family know what you’re up to but also gives cybercriminals information that they can use to access your data or steal your identity.
What to do
- Check the privacy controls on your social media accounts. Set them so only your friends and family can see your full details.
- Don’t put too much personal information on your social media accounts.
- Remember our tip about passwords. If you share pictures of your dog on Facebook, make sure you’re not also using your dog’s name as your password.
9. Limit the personal information you give out online
Scams, fraud and phishing emails all attempt to trick you into giving away your personal information or your financial details — often by pretending to be a legitimate business, like a bank. It’s good to be aware of this so you can work out what’s a genuine request and what isn’t. Don’t give out personal information online unless you know who’s asking for it and why.
What to do
- Stop and check before you give out any personal information. Make sure you know how the companies you deal with will contact you, and know what kind of information they’ll ask you for. For example, a bank will never email you with links to online banking and ask you to log in.
- If you’re not sure why you’re being asked for information, call the company directly to check what they want it for. Businesses are legally obliged to only ask for the information they need.
- If you get any online requests for personal or financial details that you're unsure about, do some checks before giving your information away. For example, if your insurance company asks you for information online, phone them or, if you can, visit your local branch to query their request first.
10. Check your bank statements
Keep an eye on your bank statements for suspicious activity, such as purchases or transfers between accounts that you aren’t expecting. If you see any unusual activity, contact your bank immediately. Seeing someone else transferring funds in your bank account or making unexpected charges to your credit card could be the first tip-off you get that someone has access to your accounts or credit card information.
What to do
- Keep an eye on your bank accounts and credit cards — always check your statements.
- Ring the bank and query any suspicious payments or withdrawals as soon as you see them.
11. Get a credit check
Keeping an eye on your bank accounts will let you see if anyone else gets access to them. Getting a credit check done will let you see if anyone’s using your personal details to get loans or credit for big purchases, like a car. Often, the first you’ll hear of this kind of activity is when you’re refused credit for something or when a debt collector turns up at your door. Keeping tabs on your credit record could alert you to unauthorised activity sooner.
What to do
- Get a credit check done annually.
- If you see anything suspicious, follow it up straight away. Ring the bank or the finance company to let them know what’s going on and ask what they can do to help. You can also ask the credit report company to suppress your credit information while you get it sorted out.