October is National CyberSecurity Awareness Month. In honor of that, we are issuing 30 tips in 30 days to help our customers and friends stay safer and more secure online and protect their information. These are daily reminders and actionable tips you can put to use right away. We’ll cover the most practical and important things you can do to minimize your exposure. Share them with family and friends and let’s all stay safe out there!

The Internet is a wonderful place for kids to learn, play, and discover, but it can also be a dangerous place if not used properly and under supervision. As parents, we must teach our kids how to safely use the Internet and how to be good online citizens.

What can you do?

  • Talk to your child about the potential dangers online.

  • Spend time online together to teach your kids appropriate online behavior. Pay attention to the sites they use, and show interest in their online communities and friends.

  • Explain the implications of their online choices. Information that is shared, including pictures, emails, and videos, can easily be distributed to others and remain permanently online. Things that could damage their reputation, friendships, or future opportunities should not be shared online.

  • Protect your children from cyberbullying by limiting where and what they can post about themselves and family. Teach them how to respond if they witness or are a victim of cyberbullying. Visit for more information.

  • Keep the computer in a common area, not in individual bedrooms, where you can watch and monitor use. This isn’t about trust; it is about protection and open communication.

  • Be aware of all the ways kids connect to the Internet. Phones, tablets, gaming systems, and even TVs have become connected; teach your kids how to use each of these devices safely.

  • Set up a separate account on your computer for your children to use that does not have administrator control if possible. This will prevent software programs, including malicious software/malware, from being downloaded without the administrator password. Do not share this password with your kids.

  • Utilize parental controls on all Internet-enabled devices to filter, monitor, and block inappropriate activity. gives an overview of the different types of parental controls. Most Internet service providers (ISPs) have tools to help you manage your children’s online experience, including blocking inappropriate websites and providing enhanced security features (e.g., pop-up blockers). There is also third-party software available that will allow you to more closely monitor and control children’s online activity and notify you when a violation occurs.

  • Review the privacy settings on social networks, cell phones, and other social tools your children use and decide together on which settings provide the appropriate amount of protection.

  • Stay current with the technology your children use. The online world is constantly changing. It is important to understand the technology your children are using and the potential dangers that may be introduced. Be involved!

  • Know who to contact in an emergency.

  • If you know of a child in immediate risk or danger, call law enforcement immediately. Report instances of online child exploitation to the National Center for Missing & Exploited Children’s cyber tip line. Reports may be made 24 hours a day, 7 days a week at or by calling 1.800.843.5678.

To avoid being a target of opportunity for identity thieves, intrusive nation states, or prying economic competitors, follow some basic rules of thumb to protect yourself while abroad.1

What can you do?

Whether it’s for ease of travel, keeping your travel on schedule, or keeping sensitive data out of a government or your competition’s hands, the best thing you can do is to limit sensitive corporate information, unpublished research, patient health data, and personally identifiable data on your devices:

  • Do not travel with any data that cannot be recovered, such as your lifetime research endeavors, if your computer is lost or stolen.

  • Install full-disk encryption on laptops and mobile devices.

  • If traveling for business or a conference, travel with only the materials needed for a presentation in an encrypted device; otherwise, use your company’s/university’s remote online storage to retrieve the materials via a VPN once you arrive at your destination. For ease and security, consider keeping your data only on a company/university server and accessing it only through a secure connection.

  • If traveling for business or a conference, consider a company/university-owned “loaner” cell phone, laptop, and/or tablet to limit the loss of both corporate and personal data if the device is lost, stolen, or confiscated by officials or thieves.

  • If traveling for business or a conference, search for or contact your company’s/university’s travel liaison for travel guidelines and tips.

  • Perform a full device backup and secure it with a strong password. Store it in a secure location while you are away.

  • Inform banks and credit card companies of travel plans, including dates, locations, and any special instructions. Without advance travel notice, international transactions are typically flagged as fraud, purchases may be delayed, or your card may be cancelled.

  • Consider using virtual credit card numbers that offer one-time use and are disposable yet will display on your credit card bill.

  • Pack only essential ID, credit, and debit cards. Leave the others in a secure location.

  • Update your operating system, anti-malware and antivirus software, security patches, and other protective software prior to departure.

  • Use the U.S. State Department website to prepare for your trip and familiarize yourself with the country you are travelling to.2

  • Configure automatic wipe settings for passcode entry failures, and use at least an eight-digit, unique, non-dictionary word, complex password (longer if supported).3

  • NEVER let your devices leave your side. This includes NEVER leaving your devices in your hotel room.

  • You have no reasonable expectation of privacy in some countries. Phone calls, electronic communications, and even hotel rooms may be monitored as a standard practice. Sensitive or confidential conversations, transactions, or data transfers should be kept to a minimum until you return home.4

  • Be cautious of unsolicited requests and questions about your business, research, personal life, or other sensitive information. It is advisable to not speak about or comment on the status of research and development being conducted by others at the institution. Defer questions to those individuals directly.

  • Avoid political conversations or offering political opinions while in foreign countries, whether in person, on the phone, or online.

  • Turn off geo-tagging in your camera app and on Facebook, Twitter, and any other social media and public Internet-related sites.

  • Use safe ATMs in public areas during daylight. Cover PIN entry and cash output as much as possible. Even then, check for anything on the ATM that looks obviously out of place or fake; skimmers and readers are easily installed, even in public places.

  • Use trusted VPN connections as much as possible. If you don’t have a VPN available, use HTTPS connections as much as possible. Use Private Internet Access VPN for personal use on PCs, iOS, Android, and Kindle. Use your company’s/university’s VPN for business.

  • Prepaid local phones limit costs by not working after exceeding a maximum number of minutes. They are cheaper for local calls and have better connectivity. Buying local SIMs, especially PAYG, adds a level of anonymity, which may be good for privacy/security.

  • Public kiosk computers should be avoided for anything that can be personally identifiable or otherwise sensitive or private, like logins, date of birth, credit card, social security number, electronic communication, etc.

  • Do not loan your device to anyone or attach unknown devices such as thumb drives. Thumb drives are notorious for computer infections.

  • Report lost or stolen devices as soon as possible to whomever it concerns. This might include your company, mobile provider, hotel, airline, insurance company, and/or local authorities. Local authorities have a better chance of finding stolen property if it is reported stolen as soon as you know it is missing.5

When your journey is done…

  • Update device passwords.

  • Have all devices, media, and thumb drives reviewed for malware, unauthorized access, or other corruption. Do not connect them to a trusted network until you have tested them for malware. If a device is found to be compromised, reformat it and rebuild it from trusted sources/media, then restore data from backups performed before the trip.

  • Inform your bank or credit card companies of your return, and review your transactions.

1At all national borders, including the U.S. border for U.S. citizens, your rights (including Fourth Amendment protections) are reduced: “reasonable” searches are permitted, including at international airports. Border agents can take your devices, clone them, and take steps to compel you to provide system passwords and encryption passwords. Identity theft is often a crime of opportunity. Don’t be a vacationer who presents a thief with that opportunity. Your personal information, credit and debit cards, driver’s license, passport, and other personal documents are the criminal’s target.

2Export control laws (such as the Wassenaar Arrangement) restrict sensitive equipment, software, and technology, including encryption; security testing/hacker tools are also forbidden and illegal in some countries. The Electronic Frontier Foundation published an article on the topic titled “Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices.”

3Using numbers, symbols, and a mix of upper- and lowercase letters in your password makes it harder for someone to guess your password. For example, an eight-character password with numbers, symbols, and mixed-case letters is harder to guess because it has 30,000 times as many possible combinations as an eight-character password with only lowercase letters.
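The footnote’s “30,000 times” figure comes from comparing the size of the two search spaces. The following is an added example, not part of the original article, that works the arithmetic through and extends it to the password lengths recommended elsewhere in these tips (eight characters for devices, 16 for Wi-Fi, 20 for the 7-Zip container). The symbol-class size of 33 and the guess rate of ten billion per second are assumptions chosen for illustration; the footnote itself does not state them.

```python
import math

# Character-class sizes for printable ASCII (assumption: the footnote does not
# say which symbol set it counts; 33 covers ASCII punctuation plus the space).
LOWERCASE = 26
UPPERCASE = 26
DIGITS = 10
SYMBOLS = 33
FULL_PRINTABLE = LOWERCASE + UPPERCASE + DIGITS + SYMBOLS  # 95


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` drawn from `alphabet_size` characters."""
    return alphabet_size ** length


def mixed_vs_lowercase_ratio(length):
    """How many times larger the full printable-ASCII keyspace is than the lowercase-only one."""
    return keyspace(length, FULL_PRINTABLE) / keyspace(length, LOWERCASE)


def bits_of_entropy(length, alphabet_size):
    """Equivalent key length in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time for an attacker making `guesses_per_second` to try every password."""
    seconds = keyspace(length, alphabet_size) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Assumed offline guess rate for illustration only.
    RATE = 1e10
    print(f"8-char mixed vs lowercase: {mixed_vs_lowercase_ratio(8):,.0f}x larger keyspace")
    cases = [
        (8, LOWERCASE, "8 lowercase"),
        (8, FULL_PRINTABLE, "8 mixed (device tip)"),
        (16, FULL_PRINTABLE, "16 mixed (Wi-Fi tip)"),
        (20, FULL_PRINTABLE, "20 mixed (7-Zip tip)"),
    ]
    for length, size, label in cases:
        print(f"{label:22s} {bits_of_entropy(length, size):5.1f} bits, "
              f"{years_to_exhaust(length, size, RATE):.3g} years at {RATE:.0e} guesses/s")
```

The table the script prints makes the practical point behind the footnote: mixing character classes multiplies the keyspace by a constant factor, but every extra character multiplies it again, so the length recommendations in these tips matter more than any single symbol.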

4Be prepared to turn on and off devices, and present all removable media for customs officials. You may be asked to decrypt data for inspection at international borders. In some countries, withholding your password is a criminal offense.

5The primary purpose of reporting, though, is for local crime statistics to drive increased policing in the area, making it a safer place for you and anyone visiting in the future.

Wi-Fi and Bluetooth wireless technologies are very useful, and they are often set up to connect seamlessly to other devices or networks with no input from the user. As you move from home to Starbucks, your network connection just works; or from a headset to your car, Bluetooth keeps your phone calls connected. What you may not realize is that these radio protocols are constantly announcing your presence, and they are capturing information about the other wireless networks and devices around you. These protocols work by looking for “beacons” that match your saved connection profiles. All of this activity is happening constantly and is visible and trackable by anyone who is interested.

What can you do?

Turn off your Wi-Fi and Bluetooth if you aren’t actually using them. Disable “automatic” connections to your wireless profiles, and save only wireless profiles that you actually need to save. When you have Wi-Fi profiles saved on your device, your Wi-Fi radio is sending out requests for those profiles and essentially advertising what coffee you prefer, the hotels you’ve stayed at, where you work, airports you’ve visited, and the name of your network at home.

If your mobile device or computer is set for “automatic” connections, anyone interested could say, “I’m that network,” and connect to your device, then wait for your network requests to pass through their hands. And for various smartphone applications, the combination of GPS, Bluetooth, and Wi-Fi offers great data sets for companies like Apple and Google to map out where you have been and what is around you.

So turn off the radios you aren’t actively using to ensure you are connecting to the network or device that you expect to. Doing so will decrease risk, increase privacy, and as an added bonus, improve battery life too.

Just like individuals, organizations are creating a strong presence online. Whether it is Facebook, Amazon, eBay, or other online service, businesses are leveraging a lot of the same services that individuals use. If you’re like most people, you probably tie your accounts to your email for notifications, management, and the like. When your company is in need of one of those online services, it’s all too easy to leverage your personal account for business purposes.

Privacy and risk are two very important issues that arise when personal and business accounts are connected. For privacy, the demarcation between your individual privacy and company rights is blurred when accounts are commingled. From a risk standpoint, the amount of useful information to leverage for a targeted attack (against you or the company) can increase dramatically. The fallout from such an attack against a personal account tied to one at the office can have serious ramifications for your organization.

A third issue tied to the first two is connecting with coworkers socially. Doing so creates added context about you for attackers, and it also gives your colleagues and your company an invited look into your personal online life.

What can you do?

The answer to this problem is simple, but implementation is more difficult. You need to clearly identify those sites, services, and applications that are for personal use versus business use. Where the services cross over, establish two separate accounts (e.g., create a second Facebook account for business purposes). This is an absolute must if you are managing or contributing to any online service on behalf of your organization. Also, think about what would happen if you left your organization or changed positions/duties within it. How would you hand off the account to your successor?

When it comes to socially engaging online with coworkers, think carefully before you invite all of your coworkers to be your friends online. Consider exactly what information you want to share with them versus what you want to keep private.

In the end, when faced with the temptation to combine personal and business accounts for social, managerial, or any other reasons, draw a clear line and keep them separate.

Thousands of applications are downloaded each day for entertainment or to make our lives easier, but along with the fun and convenience offered by mobile devices comes increased risk for malware. Money isn’t just made from popular apps like Angry Birds. It is also lucrative to create malware disguised as legitimate applications to mislead users into allowing additional permissions that give access to accounts, storage, contacts, network communication, system tools, and settings. Some malicious applications are known to mimic banks, deceiving users into entering their financial information.

Looking ahead, it’s only going to get worse as mobile devices become more affordable. Security software companies have already rolled out malware detection applications because of the amount of malicious software already discovered.

What can you do?

  • Download applications from trusted sources such as Google Play Store for Android, Apple’s App Store for iOS, and Amazon App Store for Kindle.

  • For Android users, leave “Allow installation of apps from unknown sources” unchecked in the security settings.

  • Read the ratings and reviews. People love voicing their opinions and frustrations, especially when money is involved.

  • Refrain from “rooting” or “jailbreaking” your mobile device, which grants administrative access and allows the installation of anything.


Reality check: Your mobile device, in most cases, is just like your computer. You can access all the same information, store critical data, and conduct a significant portion of your business from it. Just like your computer, your mobile device can be exposed to vulnerabilities in poorly written software and holes in the operating system your device runs on. The same care and consideration that is used to safely run a computer should be used on mobile devices to keep them secure.

What can you do?

Keeping your software up to date on your phone or tablet is pretty straightforward. Your operating system and application providers are constantly identifying enhancements and fixes in their software and publishing updates. Applying these updates in a timely fashion removes the identified vulnerabilities and reduces the risk of someone, or something, taking over your device or accessing information that is private or confidential.

It’s also important to know that a vulnerability in an application can expose your whole device, not just the data stored in that application. Look for updates wherever you purchase apps on your devices. Most smartphones and tablets have an automatic update feature for apps. Make sure it’s turned on. If you are doing a major update to your operating system, it’s a good idea to do a backup first.

Of course, if your employer manages your mobile device, you will have to consult with them on their policy for updating your device’s OS and applications.

Criminals and hackers are always looking to exploit holes within software to gain access to your computing devices. One method they use is to look for vulnerabilities within software code to target their attacks. Once these vulnerabilities are discovered, software providers rewrite or update their software code to “patch” the holes so they cannot be exploited. In fact, in 2015 Microsoft released 135 security bulletins patching vulnerabilities discovered in its software. So far in 2016, Microsoft has already published 103 security bulletins.

Microsoft isn’t alone in the battle of finding and patching these holes. All software providers are in this cat-and-mouse game of staying ahead of the criminals. That is why it is important to update your operating system and installed software regularly.

What can you do?

  • Know what software you have installed. Take care to keep your Web browsers up to date. These days, many auto-update. Make sure Java is set to automatically update as well, and follow through with update notifications from it (since it usually requires user interaction to update).

  • Check to see that you have the latest version; software and operating systems are dropped from support, so be sure you use a version that is being actively supported.

  • Check for new security patches and updates on a regular basis; the more frequent, the better.

Whenever possible, use automatic update features, and make sure you turn them on!

All of the information we send and receive across the Internet is valuable. This is true for any website you use, not just those connected to financial services, and it’s especially true if the site requires authentication. Even the data on your computer, tablet, or smartphone is valuable, and you should take steps to protect it.

Cloud storage services like Dropbox™, Box, and OneDrive® are holding your files for you, but they do sometimes leak out. Consider what would happen if everyone in the world had access to your cloud storage folder. Would they be able to get into your bank account? Would they know when your house is empty? Encrypting this information before storing it in the cloud will help protect it in the event of a breach.

What can you do?

Any time a site offers HTTPS for connections, use it. Whether it is Google Search, Gmail, Facebook, Twitter, or eBay, opt for and set your bookmarks to the HTTPS version of the site. This will ensure that not only your password but your entire interaction with the site is encrypted.

For your computer, tablet, and smartphone, it is important to enable encryption on your storage. Below we mention one option for encrypting your computer hard drive and creating encrypted containers. For your tablet and smartphone, enable encryption on the device. For iOS, using a password on your device enables encryption by default. Android is a little more complicated but well worth the effort.

Don’t underestimate the loss if your tablet, phone, or computer is stolen. It’s easy to believe that it will never happen to you or think there is nothing that important on it, until you stop and really consider all the details of your life that are on the device. So take care to encrypt your data in transit and at rest; opt for it every time. Services such as BitLocker (which comes with some versions of Microsoft Windows 7, 8, 8.1, and 10) can encrypt the entire contents of your hard drive. Check with your support provider to see if this is available for your laptop. Some antivirus companies also provide additional programs that encrypt your drive.

If you need to use a cloud storage service, create a secure container within your cloud storage that only you can access. Wipfli recommends 7-Zip. It’s a free, open-source file archiver with built-in AES-256 encryption.

Follow these steps to create a secure container inside your cloud storage that only you will have access to.

  1. Download, install, and launch 7-Zip.

  2. On your computer, create a folder that you would like to store encrypted files in.

  3. Right-click this folder and select 7-Zip, then Add to archive.

  4. This will bring up a new window. Make the following changes in this window:

    1. Change Archive format: to “zip”

    2. Enter a password.
      Please note: This password is critical to securing your data and should be at least 20 characters long, with letters, numbers, and symbols.

    3. Under Encryption method, choose “AES-256”

  5. Click “OK” once you are satisfied with your password.

Once you have created this encrypted container, you can add files to it by dragging them onto the archive and dropping them in. If you are using a service like Dropbox™ or OneDrive®, the changes will be copied to your cloud backup.

Your Wi-Fi password is broadcast over the air every time you turn on your computer. Hackers can trick your computer into resending the password any time it’s connected, and they can do it from across the street. When they see the password has been sent, they can go home and let their computer break it. The time it takes to crack your password could be five minutes or five months, depending on its complexity. When they come back, will the same password still work? Once on your network, they’ll be able to watch everything you do online.

What can you do?

Review your router’s manual for information on connecting to the router’s management interface. While on wireless, you usually just need to type into your Web browser. Navigate to the wireless or wireless security screen and update the password, making sure it is at least 16 characters long, with letters, numbers, and symbols. While there, make sure you’re using a version of the WPA2 wireless security protocol. It should be a radio button on the same interface. When you’re done, you will need to update the password on all of the devices that connect to your home network. You should repeat this process at least four times a year.

It’s easy to lie about who you are on online social networks. Whether it’s a small omission on a profile or something more nefarious, there is no question that people are generally free to create whatever identity they want online. That freedom occasionally leads to extreme cases of complete identity manipulation.

There are many serial predators online with fake identities waiting to victimize you. It’s up to you to do the digging to know who is on the other end of the screen. Are they the real thing or something else? How can you trust that they are who they say they are? Do you take the same precautions on the Web that you tell your children to take?

Protecting your personal information also extends to requesting information using email and social media as tools to gain trust. Requests for information, no matter the source, should be scrutinized. Several scams over the past couple of years have come from someone compromising an email account or spoofing information in order to gain trust. While digital communication provides convenience, it does not prove to be more reliable than its predecessor. Like messages that were intercepted by opposing forces during wartime, messages can be intercepted or faked in digital communications.

What can you do?

  • Always think twice!

  • Remember that online friends are not the same as real-life friends.

  • Never agree to meet someone by yourself if you do not know them.

  • Do not give your personal information online. Keep your last name, address, and phone number private.

  • Profiles can be fake; don’t trust simply what is posted online.

  • Understand the potentially dangerous situations that could occur online and in real life, and be certain not to expose yourself to them.

Contact through email and social media gains trust because it appears to be coming from a source you know. The most important way to prevent scams of this type is to adopt a habit of “trust but verify” with requests. This could be as simple as “out of band” communication. Out of band means contacting the person directly using contact information you already have rather than what is provided in the message. This will allow you to determine whether the request is legitimate. If this is a person who frequently communicates with you, developing a method of authentication, such as a call or a code word sent through a separate communication method, will allow for more secure communication.

Technology advances have allowed mobile devices to work wonders in the palm of your hand. Mobile devices such as smartphones have made it easier to surf the Internet, check emails, VPN into work, and even shop online from almost anywhere. When you add all the stored data on a mobile device with all of its features and abilities, you get an incredibly valuable piece of technology, which is why so many people say they cannot live without them.

Many people wouldn’t trust their best friend, let alone a stranger, to use their smartphone. This is why mobile device manufacturers have implemented security controls such as passwords and timeouts. When a smartphone is stolen or left behind—which is becoming more and more common—the odds of getting it back are pretty slim. That, combined with the access capabilities and data stored on the device, explains why most companies consider a stolen or misplaced mobile device a security breach and implement controls and policies to remotely wipe the device of the wealth of sensitive information it contains.

What can you do?

There are five things you should do to secure your mobile device:

  1. Use strong passphrases. Refrain from using pattern passwords because they are easy to guess. Most mobile device screens contain skin oils, making the password pattern visible.

  2. Set a timeout of no longer than five minutes, requiring a password to unlock the device. This keeps your device safe from not only thieves, but also nosy friends and family members.

  3. Encrypt the SD card. This keeps your data safe even when your device is lost or stolen.

  4. Run backups. How many phone numbers can you actually memorize if you needed to re-create your contact list? Backups are especially important in the event your device is ever lost, stolen, or wiped.

  5. Install anti-malware software to protect your mobile device from viruses, key loggers, phishing websites, and other malicious activity. Many anti-malware applications also give you the ability to track your device through GPS and, if necessary, wipe the device remotely. Most anti-malware software vendors include many other features as well. Check out to compare offerings from various vendors to find what works best for you.

Social media sites are a great way to interact with other users over the Internet. Unfortunately, a large number of social media users don’t understand the importance of limiting what’s posted on these sites. Attackers regularly use social media sites as reconnaissance tools. It’s no longer surprising to hear about people falling victim to identity theft or networks being infiltrated because of information gathered from social media sites.

Many social media sites allow users to create profiles that can include name, DOB, companies worked for, duration of employment, duties performed, experience, schools attended, and much more. Sites such as LinkedIn allow users to create connections with coworkers, but this also makes it simple to determine a company’s organizational chart in a matter of minutes. All that readily available information means that it wouldn’t be hard to impersonate someone online. It is similar information that makes guessing someone’s security questions easier too. The more information obtained, the easier it is to craft credible attacks, whether it’s gaining access to a system or influencing the target to take a certain action.

What can you do?

  • Assume that anything you post online is public and permanent.

  • Don’t post information that may damage your or your company’s reputation.

  • Be cautious about what you post because any information can be used to carry out additional attacks.

  • Go through all your privacy settings and restrict who is able to view your profiles.

  • Connect only with people you actually know.

Like diamonds, your actions online are forever. The idea that you can completely “delete” or “remove” something is a fallacy. When you post, update, or engage online, there are numerous ways that your content gets backed up, repeated, linked, indexed, and otherwise spread across the Internet.

Today’s speed of information sharing means that other users can rebroadcast your statements to any number of profiles and services within seconds, effectively creating thousands and thousands of copies.

Beyond rebroadcasting, search engines actively gather content across the Internet and store it on their databases, even storing the pages themselves. Organizations like and the Library of Congress make it their mission to preserve the Internet by copying billions of pages. So one way or another, whatever you post, comment, tweet, or share is immediately captured by something you don’t control—and can’t delete!

Apply what you have learned about communication: the sender is responsible for the message, and the receiver brings his or her own perspective to it. Quick phrases without context, mixed with emotion, and combined with a lack of nonverbal cues are easily misread. Always think about how you want to be viewed, and don’t believe that it doesn’t reflect on you away from the keyboard. If it’s posted online, it does!

Online gaffes are played out online all the time, whether by a politician or a celebrity or even among your friends. Odds are you know someone whose relationship has been affected by something said online. So always take a moment before pressing “enter” and exercise a strict rule about how and when you will engage online. Remember this is ink for the entire world to see, not only immediately, but likely until the end of time.


Phishing is one of the most commonly used attacks against users. By way of email, those with malicious intent will contact unsuspecting persons, asking them to click a link or download a file. Generally, the end goal is to infect the user’s computer with malware or get them to submit important personal information.

What can you do?

First, understand that “spam” and “junk” filters do not catch all malicious email. Second, know what signs to look for in a phishing email. The vast majority of phishing attempts are fairly easy to recognize and avoid. Here are a few aspects of phishing emails that can help you recognize their true nature:

  • Look at the “from” address. Be sure you recognize it. Then take a second look at the domain name (that’s the name after the “@” symbol). Make sure it’s spelled correctly. At the office, an internal email from your coworker would display only his or her name. If it also shows the full email address, it came from the outside.

  • Look for a “reply” address that matches the “from” address.

  • Check that the message is well composed with the grammar and spelling you would expect from the sender, whether it’s your boss, your brother, or your bank.

  • If there is a link in the email, does it match the destination? By hovering your mouse over the link (without clicking on it), your email application will show its actual destination. Again, take a second look at the domain. Be sure it is a domain you would expect. Misspelling a domain is a very common tactic ( vs. At a glance, they look the same, but one will take you to Microsoft, and the other will take you somewhere you don’t want to go.

  • Does the email ask you for personal information? Most organizations would never ask for personal information in an email or ask you to “reconfirm” your password and account information.

  • Trust your gut! If something doesn’t seem right, it probably isn’t. If you are not sure and are worried there is something urgent that needs your attention, then contact that company/organization as you normally would. Never use the email links or any information from a suspected phishing email (including the phone number!).

Understand that email phishing works on unsuspecting people every day. Even emails that seem farfetched (“Send me $100,000 so I can give you my inheritance”) work all the time, but those aren’t the only emails that get sent. There are often crafty and well-constructed emails that require a close look to notice they are malicious. So take that second look and check before you click, download, or enter your information.
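The checks in the list above (a “reply” address that does not match the “from” address, a link whose visible text names one domain while its destination is another, a misspelled look-alike domain, and a request to “reconfirm” account details) can be written down as simple rules and run over a message. The script below is an added example, not code from the original post: the two sample emails are constructed for the demo under the reserved `.test` TLD, and `KNOWN_DOMAINS` is an assumed list of the organizations the recipient actually deals with.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this recipient actually does business with (an assumption for the demo).
KNOWN_DOMAINS = {"example-bank.test"}
# Digits commonly swapped for look-alike letters; folding them lets "examp1e" match "example".
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample messages (not real mail) showing the signs listed above.
SUSPICIOUS_EMAIL = """\
From: "Accounts Team" <alerts@examp1e-bank.test>
Reply-To: collections@mail-drop.test
To: you@home.test
Subject: Action required: reconfirm your account
Content-Type: text/html; charset="utf-8"

<html><body><p>We noticed unusual sign-in activity. Please visit
<a href="http://examp1e-bank.test/login">https://example-bank.test/login</a>
and reconfirm your password and account number within 24 hours.</p></body></html>
"""
CLEAN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.test>
To: you@home.test
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available when you next sign in at
<a href="https://example-bank.test/statements">the usual place</a>.</p></body></html>
"""

def domain_of(header_value) -> str:
    """Lower-cased domain of an address header such as '"Name" <user@host>'."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def host_of(url_or_text: str) -> str:
    """Hostname of a URL; ordinary link text that is not a URL yields ''."""
    return (urlparse(url_or_text.strip()).hostname or "").lower()

def looks_like_known(domain: str) -> bool:
    """True for a domain that is not known but folds onto a known one (e.g. examp1e-bank.test)."""
    folded = domain.translate(_CONFUSABLES)
    return domain not in KNOWN_DOMAINS and any(
        folded == known.translate(_CONFUSABLES) for known in KNOWN_DOMAINS)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so shown and actual destinations can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw: str) -> list:
    """Return human-readable findings; an empty list means none of the signs fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"]) if msg["Reply-To"] else sender
    if reply_to != sender:                       # "reply" address should match "from"
        findings.append(f"reply-to domain {reply_to!r} differs from sender domain {sender!r}")
    if looks_like_known(sender):                 # misspelled / digit-swapped sender domain
        findings.append(f"sender domain {sender!r} imitates a known domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:          # link text vs. real destination
        target, displayed = host_of(href), host_of(shown)
        if displayed and displayed != target:
            findings.append(f"link shows {displayed!r} but points to {target!r}")
        elif looks_like_known(target):
            findings.append(f"link target {target!r} imitates a known domain")
    lowered = html.lower()                       # requests for credentials / account data
    if any(k in lowered for k in ("reconfirm", "password", "account number")):
        findings.append("message asks for personal or account information")
    return findings

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, check_message(sample) or ["no findings"])
```

Run against the constructed messages, the suspicious one produces four findings and the clean one none. The rules are deliberately coarse: they catch the signs a person is told to look for, and a message that passes them still deserves the “trust your gut” step above.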


At the office, you are probably familiar with the notion of a firewall. At home, your router likely provides firewall protection, acting as the “security guard,” allowing only the good in and out. If you’re like many people, though, you don’t access just your home and work networks. Laptops enable us to use networks at coffee shops, airports, libraries, hotels, and other places where you don’t know what protections are being used, who is on those networks, or what they can see and access on your laptop.

What can you do?

You don’t need to lug around a special device. Instead you can use what is known as a “personal firewall.” Often this functionality is included with your antivirus software or your operating system. Make sure it is on and active!

There are clear advantages to using a firewall that is bundled with your antivirus software. When the two work together, they can detect more behaviors and better know what to block and what to trust. Personal firewalls should be installed on personal computers at home.

What about your Internet of Things?

While a personal firewall on your computer is excellent at protecting the computer it is installed on, it doesn’t offer protection for all other devices on your network. If you have Wi-Fi on your home network, your router likely has a firewall built in, which gives your other “smart” or otherwise network-enabled devices at least one layer of protection from the Internet. This hardware firewall acts as a physical barrier that shields your home network from unwanted and possibly malicious traffic.

What can you do?

Make sure your router at home has a firewall built into it. Most do, but if your router was provided by your ISP, ultimate control of your home network still rests with them. A router can be purchased at most retail stores for under $50, and it will allow you to take ownership of your security.

It’s never been easier to shop, apply for loans, transfer money, or set doctor appointments. We transmit all sorts of financial and personal information across the Internet, and it all needs to be protected (encrypted) as it zigzags across cyberspace.

What can you do?

Check your browser for a “padlock” icon and the protocol “https” preceding the URL. Most modern browsers provide a “green” indicator when there is a valid certificate and an encrypted protocol is being used. Before you enter personal information, even a password when logging in, look for the confirmation that encryption is in use.

You can take some additional steps if you are less familiar with a site or have never used a site before. You can click on the “padlock” icon and view information about the certificate. It will tell you what third party was used to issue the certificate and validate the website’s ownership and existence. Sometimes you will even see the organization name as a “green bar” instead of just a padlock. This indicates that the organization asked a third party to do “extended validation” whereby the certificate issuer validated the existence and address of the actual organization in addition to the website.

By default, the most popular browsers trust certain third parties (certificate authorities, or CAs) to issue certificates. If a certificate is not issued by one of the trusted CAs, the browser will warn you, prior to connecting to the site, that the issuer of the certificate is not trusted. For that matter, any time there is a problem with the certificate, or even the absence of a certificate, your browser will show a warning. If you navigate to a site where the browser has warned you, NEVER enter personal information or passwords; the site cannot be trusted.

In addition to the actions above, you may want to take steps to ensure your security while browsing the Web. The Electronic Frontier Foundation has released a couple of great add-ons for popular Web browsers. HTTPS-Everywhere is an extension that will encrypt your communication with most websites by forcing your browser to automatically use HTTPS when navigating to sites. Another tool, Privacy Badger, blocks the trackers that follow your browser across sites by means of cookies. Advertisers will no longer see what content you are browsing and will be unable to target you with ads. With Privacy Badger, however, you may need to disable it on some websites that require you to log in.

Your password is the “key” to your account, your information, and your digital life. In the wrong hands, these “keys” can cause heartache and headache, and they might even cost you money.

What can you do?

NEVER write down your password, and NEVER store it in your browser. If you have many usernames and passwords (as we all do), it’s impossible to remember them all. Some form of storage is needed. Utilize a password manager application. A password manager automates the random generation of all passwords for each of your accounts, allowing you to remember only one strong passphrase. Password managers have strong encryption and can pseudo-randomly generate strong passwords for each unique account you log into.

Here is a non-exhaustive list of password managers, as of August 26, 2016, from Wikipedia:

Software downloads are a great way to disguise malware. Numerous sites serve as repositories for independent developers and/or open-source software, which makes validating the source of the software and the download difficult. Without knowing where the software or the download originated, you could expose yourself to some very harmful software.

What can you do?

Major software vendors that we are all familiar with (e.g., Microsoft, Apple, Google) operate their own websites to distribute or sell their software. Use the vendor’s own site to download its software.

How can I safely get software from open-source or independent developers?

Even open-source projects typically have their own websites where you can safely download the software. First, search for favorable references to the project or developers from sources like industry news and review sites or software publishers you’ve worked with in the past. There are trustworthy software repository sites for lots of independent developers and open-source software. Even with trusted repository sites, it’s important that you still consider the publisher of the application.
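Beyond checking who the publisher is, one concrete way to validate a download itself is to compare its SHA-256 fingerprint with the value the project publishes on its own site, which catches a file that was swapped or corrupted on a mirror or repository. The routine below is an added example, not code from the original post or from any particular project; the “installer” is a constructed stand-in (the bytes `hello\n`, whose well-known SHA-256 is the value in `PUBLISHED_SHA256`), and `verify_download` is a hypothetical helper name.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed stand-in for a publisher's posted checksum: the SHA-256 of the bytes b"hello\n"
# (the value `echo hello | sha256sum` prints). A real one comes from the project's own site.
PUBLISHED_SHA256 = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, published_sha256: str) -> bool:
    """True only if the file's SHA-256 equals the published value (compared in constant time)."""
    expected = published_sha256.strip().lower()
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo() -> dict:
    """Write an intact and a tampered copy of the constructed 'installer' and verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        intact = Path(tmp) / "installer.bin"
        intact.write_bytes(b"hello\n")
        tampered = Path(tmp) / "installer-tampered.bin"
        tampered.write_bytes(b"hello!\n")          # one extra byte is enough to fail the check
        return {
            "intact": verify_download(intact, PUBLISHED_SHA256),
            "tampered": verify_download(tampered, PUBLISHED_SHA256),
        }


if __name__ == "__main__":
    print(demo())
```

The checksum is only as trustworthy as where you read it: take it from the publisher’s own HTTPS page, not from the same mirror that served the file. Where a project signs its releases, checking that signature is the stronger test, since a checksum only proves the file is the one the publisher meant to ship, not that the publisher is who you think.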

One of the top methods of computer attacks comes from malicious software (malware), to the extent that there are tens of millions of new pieces of malware each year. Malware can be transmitted to a computer from file downloads, email attachments, USB thumb drives, and other removable media. To make matters worse, malware is often disguised as something safe or even helpful like antivirus software.

What can you do?

Install antivirus software. Use a product that is going to address all types of malware. A lack of anti-malware software leaves the system vulnerable to a very common and prevalent attack vector. Attackers often use malware to gain access to a system, capture keystrokes, or use the system as part of a botnet. Choose a reputable antivirus manufacturer (e.g., McAfee, Kaspersky, Sophos, Symantec). With this product, you get what you pay for. With each year’s new batch of malware, you need a team of dedicated professionals to keep the software effective. A paid subscription is well worth it.

Next, use that subscription and keep the software and the virus definitions/signatures up to date. Use the auto-update options within the software to check at least daily for updates to both. Some days, vendors release thousands of new definitions/signatures throughout a given day. Timing is everything if a new piece of malware is on the rampage!

Any time you use USB thumb drives (or other removable media), run a full scan on them. Often you will have such an option if you right-click on the drive letter in your explorer window. Be sure this is the first thing you do after connecting the drive to your system. Keep in mind that portable media like USB devices can carry all sorts of malware, so make sure, even before plugging it in, that you know where it came from.

This also holds true for email. All email attachments should be scanned before they are opened. Even though antivirus software may filter your email before it gets delivered to you, take the extra step to scan again. You may have this option by right-clicking on the attachment, or some antivirus programs will scan as soon as you attempt to open them. Know how your version works. Either way, give it another scan.

“Which antivirus software should I use?” Want to know who the best is? Visit or They run many different types of tests against various AV vendors’ software and on different types of platforms. Check it out and see what could work for you!

Passwords are naturally subject to many different attacks. Shared password conventions can increase the likelihood of passwords being guessed. Short passwords made of dictionary words with few or predictable numbers (e.g., the year) and that don’t mix character types are easily cracked with freely available tools and inexpensive graphics cards.

What can you do?

Avoid your username, the same password with just a different digit, seasons, and other easily guessable aspects to your password. Instead, use a passphrase. A passphrase is a sentence that you can easily remember. The longer your passphrase, the stronger it is.

A strong passphrase limits how well either a person or a computer can guess it. Using only simple sentences is becoming less effective with the decreasing cost of consumer graphics cards, which allow approximately 10 trillion NTLMv2 password hashes (the form in which domain users’ passwords are stored in Active Directory) to be attempted each second.

How to make a strong passphrase
Start with a normal phrase that means something to only you so you can remember it. Do not use common quotes from books or other cultural artifacts. Write it down, including spaces.

Super best phrase of pass that only I can remember

Add capitalization in odd places.

SupEr best pHrase of paSs that Only I caN remember

Add numbers.

SupEr7best90 pH32rase of paSs th00at Only I c4aN rem9ember

Add special characters ( !#$)(*&%<>?":{}|][,./;'@ ).

SupE$r7best90 pH32&rase" of paSs: th00at O,nly I c4aN re;m9ember

That looks too hard for me to remember, so I’ll simplify.

SupE$r best90 paSs:

I’ll type it into a window that will not save my work but will allow me to read what I have typed a few times to engage muscle memory.

SupE$r best90 paSs:
SupE$r best90 paSs:
SupE$r best90 paSs:
SupE$r best90 paSs:
SupE$r best90 paSs:
SupE$r best90 paSs:
SupE$r best90 paSs:

Now that I’ve typed it a few times, I have an idea of how I usually mess up typing the passphrase, which I use as part of my memory of how to type out the passphrase. Destroy the written copy of this password-generation process that we started with. Now you have a strong passphrase that you can remember.
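Two claims in this section can be checked with a few lines of arithmetic: that a password manager should draw its passwords from a proper random source (the password-manager tip above), and that a longer passphrase gives an attacker more to search than a short one, using the figure of roughly 10 trillion guesses per second quoted above. The script below is an added example, not code from the original post: `generate_password` uses Python’s `secrets` module (the operating system’s cryptographic random generator) the way a password manager would, and `brute_force_bits` scores the sample phrases from the walk-through above under a plain brute-force model. That model is an upper bound: it treats every character as independent, whereas real cracking tools try whole dictionary words and common sentences first, which is exactly why the walk-through mangles the phrase instead of using the plain sentence.

```python
import math
import secrets
import string

# Guess rate quoted above for NTLM-family hashes on consumer graphics cards (assumed constant).
GUESSES_PER_SECOND = 10e12
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# (characters in the class, size of the class) for the brute-force alphabet estimate.
_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
    (" ", 1),
)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password from the OS cryptographic RNG, as a password manager does.
    The `random` module must not be used for this; its output is predictable."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def charset_size(secret: str) -> int:
    """Alphabet a brute-force attacker must cover: the sum of every character class present."""
    return sum(size for chars, size in _CLASSES if any(c in chars for c in secret))


def brute_force_bits(secret: str) -> float:
    """log2 of the number of strings with the same length over the same alphabet."""
    return len(secret) * math.log2(charset_size(secret))


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate of `bits` bits at `rate` guesses per second."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)


def compare(*candidates: str) -> dict:
    """Score several secrets; values are (bits, years to exhaust) under the brute-force model."""
    return {c: (round(brute_force_bits(c), 1), years_to_exhaust(brute_force_bits(c)))
            for c in candidates}


if __name__ == "__main__":
    # The phrases from the walk-through above, plus a manager-generated 20-character password.
    for secret, (bits, years) in compare(
        "Super best phrase of pass that only I can remember",
        "SupE$r best90 paSs:",
        generate_password(20),
    ).items():
        print(f"{secret!r}: {bits} bits, about {years:.3g} years to exhaust")
```

The short mangled phrase `SupE$r best90 paSs:` scores about 125 bits (19 characters over a 95-symbol alphabet), while the original long sentence scores far higher because of its length alone, which is the “longer is stronger” point above. The caveat matters: the sentence’s real strength against a wordlist attack is much lower than its brute-force score, so length and unpredictability both count, and a manager-generated random password is the only one of the three whose brute-force score is also its real strength.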