When setting up passwords to protect digital records, which option is an action you should take?

Today we use internet-connected devices in all aspects of our lives. We go online to search for information, shop, bank, do homework, play games, and stay in touch with family and friends through social networking. As a result, our devices contain a wealth of personal information about us. This may include banking and other financial records, and medical information—information that we want to protect. If your devices are not protected, identity thieves and other fraudsters may be able to get access and steal your personal information. Spammers could use your computer as a "zombie drone" to send spam that looks like it came from you. Malicious viruses or spyware could be deposited on your computer, slowing it down or destroying files.

By using safety measures and good practices to protect your devices, you can protect your privacy and your family. The following tips are offered to help you lower your risk while you're online.

Keep your device secure

Make sure to download recommended updates from your device's manufacturer or operating system provider, especially for important software such as your internet browser. Antivirus software, antispyware software, and firewalls are also important tools to thwart attacks on your device.

Keep up-to-date

Update your system, browser, and important apps regularly, taking advantage of automatic updating when it's available. These updates can eliminate software flaws that allow hackers to view your activity or steal information. Windows Update is a service offered by Microsoft. It downloads and installs software updates for the Microsoft Windows Operating System, Internet Explorer, and Outlook Express, and also delivers security updates to you. Patching can also be run automatically for other systems, such as the Macintosh Operating System. For mobile devices, be sure to install Android or iPhone updates that are distributed automatically.

Antivirus software

Antivirus software protects your device from viruses that can destroy your data, slow down or crash your device, or allow spammers to send email through your account. Antivirus protection scans your files and your incoming email for viruses, and then deletes anything malicious. You must keep your antivirus software updated to cope with the latest "bugs" circulating the internet. Most antivirus software includes a feature to download updates automatically when you are online. In addition, make sure that the software is continually running and checking your system for viruses, especially if you are downloading files from the web or checking your email. Set your antivirus software to check for viruses every day. You should also give your system a thorough scan at least twice a month.

Antispyware software

Spyware is software installed without your knowledge or consent that can monitor your online activities and collect personal information while you're online. Some kinds of spyware, called keyloggers, record everything you key in—including your passwords and financial information. Signs that your device may be infected with spyware include a sudden flurry of ads, being taken to websites you don't want to go to, and generally slowed performance.

Spyware protection is included in some antivirus software programs. Check your antivirus software documentation for instructions on how to activate the spyware protection features. You can buy separate antispyware software programs. Keep your antispyware software updated and run it regularly.

To avoid spyware in the first place, download software only from sites you know and trust. Make sure apps you install on a mobile device come from the Apple App Store for iPhones or Google Play for Android devices.

Firewalls

A firewall is a software program or piece of hardware that blocks hackers from entering and using your computer. Hackers search the internet the way some telemarketers automatically dial random phone numbers. They send out pings (calls) to thousands of computers and wait for responses. Firewalls prevent your computer from responding to these random calls. A firewall blocks communications to and from sources you don't permit. This is especially important if you have a high-speed internet connection, like DSL or cable.

Some operating systems have built-in firewalls that may be shipped in the "off" mode. Be sure to turn your firewall on. To be effective, your firewall must be set up properly and updated regularly. Check your online "Help" feature for specific instructions.

Use strong protection

Making use of complex passwords and strong methods of authentication can help keep your personal information secure.

Choose strong passwords

Protect your devices and accounts from intruders by choosing passwords that are hard to guess. Use strong passwords with at least eight characters, a combination of letters, numbers and special characters. Don't use a word that can easily be found in a dictionary or any reference to personal information, such as a birthday. Some hackers use programs that can try every word in the dictionary, and can easily find personal information such as dates of birth. Try using a phrase to help you remember your password, using the first letter of each word in the phrase. For example, HmWc@w2—How much wood could a woodchuck chuck.

Choose unique passwords for each online account you use: financial institution, social media, or email. If you have too many passwords to remember, consider using password manager software, which can help you create strong individual passwords and keep them secure.

Use stronger authentication

Many social media, email, and financial accounts allow the use of stronger authentication methods. These methods can include using a fingerprint, one-time codes sent to a mobile device, or other features that ensure a user is supposed to have access to the account. For more information on strong authentication methods, visit the Lock Down Your Login Campaign.

Protect your private information

While checking email, visiting websites, posting to social media, or shopping, pay attention to where you click and who you give your information to. Unscrupulous websites or data thieves can attempt to trick you into giving them your personal data.

Be careful what you click

Phishing attacks—where hackers send seemingly genuine messages to trick you into handing over personal information—are becoming more sophisticated. For instance, you may receive an urgent message stating that your bank account has been locked and requiring you to enter your password and Social Security number to unlock it. Think twice before clicking on links in messages such as this. Most genuine messages from financial institutions will not ask for personal information directly, but will instead instruct you to call or visit a website directly. You can also verify the email address that sent the message to ensure it came from the expected sender.

Shop safely

When shopping online, check out the website before entering your credit card number or other personal information. Read the privacy policy and look for opportunities to opt out of information sharing. (If there is no privacy policy posted, beware! Shop elsewhere.) Learn how to tell when a website is secure. Look for "https" in the address bar or an unbroken padlock icon at the bottom of the browser window. These are signs that your information will be encrypted or scrambled, protecting it from hackers as it moves across the internet.

Be careful what you share

Social media allows sharing of all aspects of life, but it's important to control who has access to the information you share. Information thieves can use social media postings to gather information and then use the information to hack into other accounts or for identity theft. To protect yourself, make use of privacy settings to limit the visibility of personal posts to your personal networks, and restrict the amount of information you share with the general public.

Responding to data breaches

Even if you make all the right moves, your data may be stolen from a company you trusted to keep it safe. If you find that your personal information has been accessed without your authorization, take steps to protect yourself. Place a fraud alert on your credit file. Review your annual credit reports. And if you suspect your information has been breached, put a freeze on your credit file to prevent fraudsters from opening new accounts in your name. For more information, see the Attorney General's information sheets on identity theft.

Parents, take control

Don't let your children risk your family's privacy. Make sure they know how to use the internet safely. For younger children, install parental control software on devices that limits the websites kids can visit. To protect your children's future credit, consider setting up a credit freeze for your child. But remember: no software can substitute for parental supervision.

Additional Information

Consumer information from the California Department of Justice, available at www.oag.ca.gov/privacy.

OnGuard Online

Practical tips from the federal government and the technology industry to help you be on guard against internet fraud, secure your computer, and protect your personal information.

Online Guide to Practical Privacy Tools

Computer security resources from the non-profit Electronic Privacy Information Center.

Introduction

What is personal cyber security?

In an increasingly tech-driven world we use devices and accounts every day that are vulnerable to cyber threats.

  • Your devices may include computers, mobile phones, tablets and other internet connected devices.
  • You also may use online accounts for email, banking, shopping, social media, gaming and more.

Personal cyber security is the continuing steps you can take to protect your accounts and devices from cyber threats.

What are cyber threats?

The main cyber threats affecting everyday Australians are scams and malware.

  • Malware is a blanket term used to describe malicious software designed to cause harm, including viruses, worms, spyware, trojans and ransomware. Cybercriminals use malware to steal your information and money, and control your devices and accounts.
  • Scams are messages sent by cybercriminals designed to manipulate you into giving up sensitive information or to activate malware on your device.

These attacks can have significant personal and financial impact on victims and are growing in sophistication and frequency.

Read more about the different types of threats affecting Australians.

How can this guide help protect me from cyber threats?

The Personal Cyber Security: First Steps guide is the first in a series of three guides designed to help everyday Australians understand the basics of cyber security and how you can take action to protect yourself from common cyber threats.

If you are learning about cyber security for the first time, or are keeping yourself up to date, this guide is an excellent place to start.

Turn On Automatic Updates

What are updates?

An update is an improved version of software (programs, apps and operating systems) you have installed on your computer and mobile devices.

  • Software updates help protect your devices by fixing software ‘bugs’ (coding errors or vulnerabilities) that cybercriminals and malware can use to access your device and steal your personal data, accounts, financial information and identity.
  • New software ‘bugs’ are constantly being found and exploited by cybercriminals, so updating the software on your devices helps protect you from cyber-attacks.

How do I set up automatic updates?

Automatic updates are a default or ‘set and forget’ setting that installs new updates as soon as they are available.

  • Turn on and confirm automatic updates on all software and devices.
  • How you turn on automatic updates can differ depending on the software and the device.
  • Set a convenient time for automatic updates if possible, such as when you’re asleep or not typically using your device.

Your device must be powered on, plugged into power and have unused storage space.

Tip: If you receive a prompt to update your device’s software you should do so as soon as possible.

More detailed information on how to turn on automatic updates can be found in our step-by-step guides.

What if the automatic update setting is unavailable?

If the automatic update setting is unavailable, you should regularly check for and install new updates through your software or device's settings menu. 

What if my older device and software do not receive any updates?

If your device, operating system or software is too old, it may no longer be supported by the manufacturer or developer.

When products reach this ‘end of support’ stage they will no longer receive updates, leaving you vulnerable to cyber-attacks due to known software ‘bugs’. Examples of products that are end of support include Windows 7 operating system and the iPhone 6.

If your device, operating system or software has reached end of support, we recommend upgrading as soon as possible to stay secure.

For more information you can read our Quick Wins for End of Support guide.

Activate Multi-Factor Authentication (MFA)

What is MFA?

You can use multi-factor authentication (MFA) to improve the security of your most important accounts. MFA requires you to produce a combination of two or more of the following authentication types before granting access to an account.

  • Something you know (e.g. a PIN, password or passphrase)
  • Something you have (e.g. a smartcard, physical token, authenticator app, SMS or email)
  • Something you are (e.g. a fingerprint, facial recognition or iris scan)

MFA makes it harder for cybercriminals to gain initial access to your account by adding more authentication layers, requiring extra time, effort and resources to break.

Two-factor authentication (2FA) is the most common type of MFA, requiring two different authentication types.

How can I activate 2FA to protect my most important accounts?

You should activate 2FA now, starting with your important accounts:

  • All online banking and financial accounts (e.g. your bank, PayPal)
  • All email accounts (e.g. Gmail, Outlook, Hotmail, Yahoo!)

If you have a lot of email accounts, prioritise those that are linked to your online banking or other important services.

The steps for activating 2FA are different depending on the account, device or software application.

For more information on how to turn on 2FA read our step-by-step guides.

Regularly Back Up Your Devices

What is a backup?

A backup is a digital copy of your most important information (e.g. photos, financial information or records) that you have saved to an external storage device or to the cloud.

Backing up is a precautionary measure so that your information can be recovered in case it is ever lost, stolen or damaged. 

How do I back up my devices and files?

You should regularly back up your files and devices. What that looks like, whether it is daily, weekly or monthly, is ultimately up to you. Backup frequency could depend on the number of:

  • New files you load onto your device
  • Changes you make to files

Tip: Check your backups regularly so that you are familiar with the recovery process, and ensure your backups are working properly.

For more detailed information on backing up to both external storage devices and the cloud you can read our step-by-step guides. These cover back-up guides for PC, Mac and iOS.

Use Passphrases To Secure Your Important Accounts

Multi-factor authentication (MFA) is one of the most effective ways to protect your accounts from cybercriminals. If MFA is not available, a unique strong passphrase can better protect your account compared to a simple password.

What is a passphrase?

A passphrase uses four or more random words as your password. For example: ‘crystal onion clay pretzel’.

  • Passphrases are more secure than simple passwords
  • Passphrases are hard for cybercriminals to crack, but easy for you to remember

How can I create a passphrase?

Create passphrases that are:

  • Long: at least 14 characters long, using four or more random words. The longer your passphrase the more secure it is.
  • Unpredictable: use a random mix of four or more unrelated words. No famous phrases, quotes or lyrics.
  • Unique: not re-used across multiple accounts.

If a website or service requires a complex password including symbols, capital letters, or numbers, you can include these in your passphrase. Your passphrase should still be long, unpredictable and unique for the best security.
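An added example (not part of the original guide): a Python sketch that generates a passphrase with a cryptographically secure random source and checks a candidate against the three criteria above (long, unpredictable, unique). The word list, the list of famous phrases and the function names are constructed for illustration; a real word list should hold several thousand words.

```python
import math
import secrets

# Constructed 32-word sample list, for illustration only. It gives just
# 5 bits per word; use a list of several thousand words in practice.
SAMPLE_WORDS = (
    "crystal onion clay pretzel harbor velvet tunnel maple "
    "rocket pillow cactus lantern orbit walnut saddle meadow "
    "anchor biscuit copper dragon ember falcon glacier hammer "
    "igloo jungle kettle lemon magnet nickel oyster puzzle"
).split()

# Constructed stand-in for a deny-list of famous phrases, quotes and lyrics.
FAMOUS_PHRASES = {
    "how much wood could a woodchuck chuck",
    "to be or not to be that is the question",
}


def check_passphrase(phrase, already_used=(), famous=FAMOUS_PHRASES):
    """Return the guide's criteria that `phrase` fails (empty list = passes).

    already_used: passphrases the user has on other accounts, for example
    the entries of their own password manager (assumption of this example).
    """
    words = [w.lower() for w in phrase.split()]
    failed = []
    # Long: at least 14 characters, using four or more words.
    if len(phrase) < 14 or len(words) < 4:
        failed.append("long")
    # Unpredictable: no famous phrase and no repeated word. Randomness
    # itself cannot be verified after the fact, only obvious failures.
    if " ".join(words) in famous or len(set(words)) < len(words):
        failed.append("unpredictable")
    # Unique: not re-used across multiple accounts.
    if phrase in already_used:
        failed.append("unique")
    return failed


def generate_passphrase(n_words=4, words=SAMPLE_WORDS, already_used=()):
    """Pick words with the OS CSPRNG until all three criteria hold."""
    if n_words < 4:
        raise ValueError("the guide asks for four or more random words")
    while True:
        # secrets.choice draws from the operating system's secure random
        # source; the `random` module is not suitable for this purpose.
        phrase = " ".join(secrets.choice(words) for _ in range(n_words))
        if not check_passphrase(phrase, already_used):
            return phrase


def entropy_bits(n_words, list_size):
    """Upper bound on guessing entropy for n words drawn from the list."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"{entropy_bits(4, len(SAMPLE_WORDS)):.1f} bits with the sample list")
    print(f"{entropy_bits(4, 7776):.1f} bits with a 7776-word list")
```
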

Which accounts should I secure with a passphrase?

If your most important accounts are not protected with MFA, change your passwords to unique strong passphrases, starting with your:

  • Online banking and financial accounts
  • Email accounts

If you have a lot of email accounts, prioritise those that are linked to your online banking or other important services. You can typically change your password to a unique strong passphrase through your account settings menu.

Tip: Always remember to never reuse a passphrase across multiple accounts.

For more advice on how to build strong passphrases you can read the Creating Strong Passphrases guidance on the website.

Secure Your Mobile Device

Today smartphones and tablets are used to connect, shop, work, bank, research, track our fitness and complete hundreds of other tasks at any time and from any location.

What can happen if my mobile device is compromised, lost or stolen?

  • It may be used by cybercriminals to steal your money or identity, using information stored on your device including social media and email accounts.
  • You may lose irreplaceable data like photos, notes or messages (if it is not backed up).
  • A cybercriminal may use your phone number to scam other people.

How do I secure my mobile device?  

Device Security

  • Lock your device with a passphrase, password, PIN or passcode. Make it difficult to guess – your date of birth and pattern locks are easy for cybercriminals to deduce. Use a passphrase for optimal security. You might also consider using facial recognition or a fingerprint to unlock your device.
  • Ensure your device is set to automatically lock after a short time of inactivity.
  • Don’t charge your device at a public charging station and avoid chargers from third parties.

Treat your phone like your wallet. Keep it safe and with you at all times.

Software and App Security

  • Use your device’s automatic update feature to install new application and operating system updates as soon as they are available.
  • Set the device to require a passphrase/password before applications are installed. Parental controls can also be used for this purpose.
  • Check the privacy permissions carefully when installing new apps on your device, particularly for free apps. Only install apps from reputable vendors.

Data Security

  • Enable the remote locking and wiping functions, if your device supports them.
  • Ensure you thoroughly remove personal data from your device before selling or disposing of it.

Connectivity Security

  • Turn off Bluetooth and Wi-Fi when you are not using them.
  • Ensure your device does not automatically connect to new Wi-Fi networks.

Read more on how to protect your devices.

Develop Your Cyber Secure Thinking

Personal cyber security is not just about changing settings, it’s also about changing your thinking and behaviours.

Watch Out For Cyber Scams

Cybercriminals are known to use email, messages, social media or phone calls to try and scam Australians. They might pretend to be an individual or organisation you think you know, or think you should trust.

Their messages and calls attempt to trick you into performing specific actions, such as:

  • Revealing bank account details, passwords, and credit card numbers
  • Giving remote access to your computer
  • Opening an attachment, which may contain malware
  • Sending money or gift cards

Scam messages can be sent to thousands of people, or target one specific person.

How do I recognise scam messages?

It can be difficult to recognise scam messages. Cybercriminals often use certain techniques to trick you. Their messages might include:

  • Authority: is the message claiming to be from someone official, such as your bank?
  • Urgency: are you told there is a problem, or that you have a limited time to respond or pay?
  • Emotion: does the message make you panicked, hopeful or curious?
  • Scarcity: is the message offering something in short supply, or promising a good deal?
  • Current events: is the message about a current news story or big event?

To learn more about how to spot phishing or scam messages you can take our quiz.

What should I do if I get a scam message?

If you receive a scam message or phone call, you should ignore, delete or report it to ACCC’s Scamwatch.

You can also contact the ACSC’s Cyber Security Hotline on 1300 CYBER1 (1300 292 371) if you are concerned about your cyber security.

If you’ve engaged with a scam and think your bank accounts, credit or debit cards may be at risk, contact your financial institution immediately. They may be able to close your account or stop a transaction.

What if I’m unsure if a message is a scam?

If you think a message or call might truly be from an organisation you trust (such as your bank) find a contact method you can trust. Search for the official website, phone their advertised phone number, or visit a physical store or branch.

Do not use the links or contact details in the message you have been sent or given over the phone as these could be fraudulent.

Tip: Think Before You Click

  • Think before you click on links on emails, websites and SMS.
  • Always be sceptical of attachments you receive.
  • If your browser tells you a website is unsafe, close it immediately.

Remember: No IT person, government department or business will contact you and ask for your login details.

If you think you’re a victim of cybercrime you can report it through ReportCyber or call our Cyber Security Hotline on 1300 CYBER1 (1300 292 371).

You can also keep up to date on the latest threats by signing up to ACSC’s free alert service. We will send you an alert when we identify a new cyber threat.

Stop And Think Before You Share On Social Media

Cybercriminals can use information you have publicly posted on your social media account/s in their scams and cyber-attacks.

Remember the internet is permanent and you can never fully remove what has been posted.

How can I stop and think before posting?

  • Think: How could a cybercriminal use this information to target me or my accounts?
  • Think: Would I be comfortable showing this information or image to a complete stranger offline?

What information should I avoid sharing?

Avoid sharing information (including photos) online that cybercriminals can use to identify you, manipulate you through a scam or deduce your account recovery questions. This may include your:

  • Birthplace and date of birth
  • Address and phone number
  • Employer and work history
  • Where you went to school
  • Any other personal information that can be used to target you

If you would like to understand some of the terms used within this personal security guide better you can view our glossary on the website.

Next guide in the Personal Cyber Security Series

Now that you have completed the ACSC’s Personal Cyber Security: First Steps guide you should begin the Personal Cyber Security: Next Steps guide.

The Personal Cyber Security: Next Steps guide outlines the actions you can take now to further increase your cyber security.