Table of Contents Introduction Activate Multi-Factor Authentication (MFA) to protect your accounts Use passphrases to secure your accounts Use a password manager to remember your passphrases Improve your Wi-Fi security habits Securely dispose of your devices Protect yourself against malware Turn on ransomware protection Reduce your digital footprint Extend your cyber secure thinking Introduction Before you begin: it is assumed that you have read and completed all steps in the Personal Cyber Security: First Steps guide before starting this guide. If you haven’t yet, we recommend you read that document first. How can this guide help protect me from cyber threats? This guide builds upon the steps you’ve taken and the cyber secure thinking you learned in the First Steps guide, and provides the next level of actionable steps and thinking to increase your cyber security to help protect you from cyber threats. Activate Multi-Factor Authentication (MFA) to protect your accounts Before you begin: you should read the Personal Cyber Security: First Steps guide and activate multi-factor authentication (MFA) on your most important accounts (online banking and email). Why should I activate MFA on all of my accounts? Using MFA on your accounts makes them much harder for cybercriminals to access. Cybercriminals might manage to steal one authentication type (such as your password), but they still need to obtain and use the other MFA method/s to successfully access your account, requiring extra time, effort and resources. How can I activate MFA on all of my accounts? Tip: If you have a lot of accounts to secure, prioritise the following: Accounts that save or use your payment details (e.g. eBay, Amazon, PayPal) All social media accounts (e.g. Facebook, Twitter, WhatsApp) Any other accounts that hold personal information (e.g. myGov, Apple ID, iCloud, Uber) The steps for activating two-factor authentication (2FA), the most common form of MFA, are different depending on the account. For more information on how to turn on 2FA you can read our step-by-step guides. Use passphrases to secure your accounts Before you begin: you should activate MFA on all of your accounts that support it. Why should I secure my accounts with unique and strong passphrases? A passphrase is a more secure form of password. Passphrases use four or more random words as your password, and are most effective when they are long, unpredictable and unique. If your account does not support MFA, use a unique strong passphrase as your password to protect your account. How can I protect my accounts with unique and strong passphrases? Tip: If you have a lot of accounts to secure, prioritise the following: Accounts that save or use your payment details User accounts on your personal devices Social media accounts Any other accounts that hold personal information Accounts who have had their details leaked online (see the following steps) Remember to never reuse a passphrase or password across multiple accounts. How can I check if my account details have been leaked online? To check if any of your account usernames and passwords have been leaked online by cybercriminals, take the following steps: Visit the Have I Been Pwned website to see if account details tied to your email address/es have been leaked online in a data breach for anyone to see. If this search returns any results, immediately change your password or passphrase for those accounts and enable MFA if possible. Make sure you haven’t used the breached password or passphrase on any other accounts, if you have, change these too and enable MFA if possible. Ensuring your accounts have unique passphrases is vital, as reusing a passphrase allows cybercriminals to easily take control of all of your accounts that use the same passphrase if it is leaked online. For more advice on how to build strong passphrases you can read the Creating Strong Passphrases guidance on the website, or read the Personal Cyber Security: First Steps guide. Use a password manager to remember your passphrases How can I remember the unique passphrases I’ve set for my accounts? Having trouble remembering each unique passphrase you use to secure your accounts? Many people use a password manager which can securely store your passphrases. You may choose to keep track of your passphrases in a notebook rather than a password manager. No matter how you keep track of your passphrases, ensure you have a secure storage method. How can I use a password manager to store my passphrases? Ensure that any password manager you use comes from a trusted and reputable source. Activate MFA on your password manager to best protect your stored passphrases. If MFA is not available, ensure that your password manager’s ‘master password’ is your strongest password. Consider using a unique strong passphrase. Keep your ‘master password’ well-protected, and don’t re-use it on any other account. Tip: Every time you login to an account, add your login details (username and passphrase) to your password manager and, if needed, change any old insecure passwords into unique strong passphrases. For more advice on how to build strong passphrases you can read the Creating Strong Passphrases guidance, or read our Personal Cyber Security: First Steps guide. Improve your Wi-Fi security habits How can I improve my Wi-Fi security on mobile devices? Your internet connection is a way for you to interact with the outside world, but it also provides a channel into your device. If your Wi-Fi connection isn’t secure someone may use it to steal your personal or financial information for malicious purposes. Disable Bluetooth and Wi-Fi when not in use, especially if you’re in a public place Use cellular data when not connected to your secure home network How can I protect myself when using public Wi-Fi? Public Wi-Fi ‘hotspots’ like cafes, airports, hotels and libraries are convenient, but they can be risky. It’s easy for information sent using public Wi-Fi to be intercepted, so you need to be careful about what information you send or receive while connected. When using public Wi-Fi follow these suggestions to stay secure: Avoid sending or receiving sensitive information while connected to public Wi-Fi networks. When online banking or shopping, sending confidential emails, or entering passphrases/passwords or credit card details into websites, switch to your cellular data connection or wait until you’re on a secure home or office connection. Always try to confirm the ‘official’ hotspot name from venue staff and manually connect your device to it. Do not let your device automatically connect to public Wi-Fi networks by disabling this option in your device’s Wi-Fi settings. Remember to disconnect from the Wi-Fi network and clear it from your device after you have finished using it. Securely dispose of your devices Why should I take steps to securely dispose of a device? Disposing of a device (by discarding, recycling, selling or giving it away) without taking steps to remove your data may give other people easy access to your personal information and data. How can I securely dispose of a device? Before disposing of your computer, phone, tablet, games console or any other smart device, you should: Create a backup of your data from the device. Make sure you have made a backup of any important files and have transferred these to another secure device. Perform a factory reset of the device and erase all data and information. A factory reset is designed to erase data kept in local storage and reset usernames, passwords and settings back to default. Erasing your personal information ensures that no-one gains access to it after you have disposed of the device. Check the device’s user manual or the manufacturer’s website for information on how to perform a factory reset. Remove any removable media (e.g. SIM cards, SD cards, USB flash drives) attached to the device. Removable media may contain personal data that is not deleted in a factory reset and should be physically removed, physically destroyed and disposed of separately from the device. Remember that disposing of a device without taking steps to remove your data may give other people easy access to your personal information and data. Protect yourself against malware What is malware? Malware is a blanket term for malicious software designed to cause harm, such as ransomware, viruses, spyware and trojans. Malware can: Steal your bank or credit card numbers Steal your usernames and passwords Take control of or spy on your computer The steps you can take to protect your devices from malware include: Enable automatic updates for your devices. Be vigilant online: be wary of opening links, emails or files from unknown sources. Activate real time protection on your Windows 10 devices. How do I turn on real time protection to stop malware? Real time protection is a security feature that helps stop malware from being installed on your device. This feature is built into Microsoft Defender, a comprehensive antimalware and threat detection program that is part of the Windows 10 security system. Why do I need real time protection? Prevention is better than a cure. Unlike an antimalware scan, which searches for malicious files or programs that are already on your device, real time protection will detect and stop malware before it gets to your device. How do I activate real time protection? Real time protection should automatically turn itself on. However, it can be temporarily switched off, so it is important to check that the feature is up and running and is actively protecting your device. If you are using Windows 10 and are unsure how to enable real time protection, refer to the ACSC’s Step-by-Step Guide: Turn on Real Time Protection in Microsoft Windows 10. If you are using a different anti-malware software, ensure that it is actively protecting you against malware. Turn on ransomware protection What is ransomware? Ransomware is a type of malware that locks down your computer or files until a ransom is paid. It works by locking up or encrypting your files so that you can no longer use or access them. Sometimes it can even stop your devices from working. Ransoms are typically paid using an online digital currency or cryptocurrency such as Bitcoin, which is very difficult to trace. The ACSC recommends you do not pay the ransom as there is no guarantee you will regain access to your information. You may also be targeted by another attack. Ransomware can infect your devices in the same way as other malware, including: Visiting unsafe or suspicious websites Opening links, emails or files from unknown sources Having poor security on your network or devices How can I protect myself from ransomware? Ransomware protection has the ability to prevent many types of ransomware attacks from happening. In the unfortunate event of an attack, ransomware protection can also interrupt the ransomware from encrypting all your data, which minimises the extent of the damage. Backups can also assist in recovering your data as part of the recovery process following a ransomware attack. How can I activate ransomware protection? If you are using Windows 10, you can enable built-in ransomware protection to protect your files. Follow the steps in the ACSC’s Step-by-Step Guide: Turning on Ransomware Protection in Microsoft Windows 10. If you are using another operating system, you may need to source and install ransomware protection for your devices. How can I backup my devices? In addition to installing ransomware protection, you should also back-up your information. You can read more about how to do this in the Personal Cyber Security: First Steps guide. That way, even if an attack is successful, you will at least have your important information accessible elsewhere. For more information on ransomware prevention and recovery, you can read our Ransomware Prevention and Protection and Ransomware Emergency Response guides. Reduce your digital footprint What is my digital footprint? As soon as you go online, you start creating a trail of information about you. This is known as your digital footprint. Cybercriminals can use this information against you, by using it to create convincing scams that specifically target you or someone you know. With a simple Google search, cybercriminals could find your: Identifying information (date of birth, middle or maiden name, birthplace) Workplace Relationships Hobbies and interests Sporting clubs Educational background Answers to account recovery questions Such data could also be used to identify personal details that you have included in your passwords, PINs, or in the answers to your account recovery questions. This information could be used by cybercriminals to access your accounts and devices. How can I reduce my digital footprint? Protecting your identity online can go a long way in reducing the chances of being targeted by cybercriminals. To reduce your digital footprint: Increase your privacy settings on social media sites. Do not post your personal contact details (such as email address and phone number) online. Remove this information if already posted online. Avoid sharing information online that may identify you, or could be answers to your account recovery questions (e.g. your birthplace, or where you went to school). Remove this information if already posted online. Delete or deactivate any online accounts that you no longer use. For more information about how to manage your information online, you can visit the Office of the Australian Information Commissioner website. Extend your cyber secure thinking Secure Your Apps And Browser Extensions When using apps and browser extensions on your devices, use the following cyber secure behaviours and thinking: Turn on automatic app updates, and always update your apps and browser extensions as soon as possible for the latest security protection. Check that your apps and browser extensions are made by reputable publishers and ask for permissions that are appropriate for their intended use. Uninstall apps and browser extensions you don’t need or use anymore. Always download apps and browser extensions from an official store such as Apple’s App Store or Google Play for Android. If you think you’re a victim of cybercrime you can report it through ReportCyber or call our Cyber Security Hotline on 1300 CYBER1 (1300 292 371). You can also keep up to date on the latest threats by signing up to ACSC’s free alert service. We will send you an alert when we identify a new cyber threat. If you would like to understand some of the terms used within this personal security guide better you can view our glossary. Next guide in the Personal Cyber Security Series Now that you have completed the ACSC’s Personal Cyber Security: Next Steps you should begin the Personal Cyber Security: Advanced Steps guide. The Personal Cyber Security: Advanced Steps outlines the actions you can take now to further increase your cyber security.