This publication provides guidance on simple yet effective strategies that individuals can implement to secure the use of their personal devices against common cyber threats.
There are a lot of things to think about when it comes to the use of personal devices (e.g. smartphones, tablets, computers and laptops). For example, compromises of personal devices and the information they store can have significant productivity, financial and emotional impacts.
This document has been written to provide security tips to secure personal devices and protect your information.
Use legitimate software and keep it up to date
It is important that personal devices are configured to automatically apply updates as updates for applications and operating systems are regularly released by vendors to resolve security problems. Further, new versions of applications and operating systems regularly include additional security features to make it more difficult for personal devices to be compromised.
When operating systems on personal devices are not supported by vendors you will no longer be able to receive updates, and consideration should be made to change to a device which is currently supported. For example, many Android-based smartphones are not supported and will never receive updates.
When purchasing new personal devices, consideration should be made to select a device that is currently supported by a vendor that has a proven track record of providing timely updates. For example, while all new Apple iPhones will be supported with updates, only premium Android-based smartphones will be supported with updates, albeit to varying degrees depending on the particular vendor.
Finally, you should always use legitimate applications that you have purchased from a physical store, a trusted app store or downloaded from a reputable vendor’s website. If you use pirated applications, or untrusted app stores, personal devices may become compromised or won’t be supported by the vendor with updates. Additionally, care should be taken to avoid applications that ask for excessive or suspicious permissions.
Back up your important files
Save all your important files to a storage device such as a USB stick, memory card, external hard drive or online storage service. Ensure storage devices are not left connected to personal devices after important files have been backed up.
If you have a problem with personal devices and they need to be reset or replaced, you will still have access to your important files if you have completed recent backups. Likewise, if personal devices are compromised by malicious software that prevents you accessing your important files until you pay a ransom, having recent backups can assist you in recovering your files.
Prepare for lost or stolen personal devices
One of the biggest risks to your information is from lost or stolen personal devices. Know where personal devices are at all times, avoid leaving them unattended when away from your home and, if leaving them at home, store them in a secure location. If personal devices support a ‘find my device’ function or the ability to encrypt your device, these measures can provide additional security in the event of it being lost or stolen.
Be suspicious of unsolicited communications
Unsolicited communications in the form of phone calls, SMS, instant messages and emails are often trying to get you to do something that will benefit someone else. It might just be spam trying to get you to buy things or it might be trying to get you to access a file that will compromise your personal device; access your information (such as your online banking details); or to produce revenue for someone else via the use of premium phone numbers, advertisements or app downloads.
Do not follow instructions from someone who rings to tell you your personal device has technical problems. Further, if someone has sent you an SMS, instant message or email that you think is strange (including requests to click on a link, open attachments or to provide a password), delete it.
Use antivirus software
Use antivirus software from a reputable vendor for personal devices and keep it up-to-date. Some operating systems even come with free antivirus software built-in.
Antivirus vendors ensure their software helps prevent personal devices from being compromised. If you have a current and up-to-date version, you can be assured that the software is looking out for problems and stopping them where possible.
Use a screen lock
A screen lock with a strong password that contains a combination of uppercase letters, lowercase letters, numbers and symbols (where possible) should be used for personal devices. Swipe or gesture-based passwords can be easy to guess and should not be used.
If personal devices support biometric identification (such as a fingerprint scan) this can provide a convenient way to unlock a device after a password has initially been used to unlock the device.
Use different passwords for websites and apps
Use different passwords for websites and apps, especially for those that store your credit card details or any personal information. If you use the same username (such as an email address) and password for a number of websites and apps, and one website or app is compromised, someone accessing that information is more likely to be able to access other websites and apps which you commonly use.
Some websites and apps offer the ability to use multiple steps to logon, such as a number sent via SMS to your mobile phone in addition to you using your username and password. The use of such mechanisms, even though they may be slightly inconvenient to use, offer far greater security and protection for your information.
It is also important that the email address you use for websites and apps has a unique password that has not been used elsewhere before. Someone that knows, or can easily guess, the password for your email address could use the ‘password reset’ functionality on websites and apps your email address is associated with to gain unauthorised access.
Finally, don’t use ‘remember my password’ functionality within your web browser. This can place your passwords at an unnecessary risk of being compromised. If you struggle to remember passwords, consider using a trusted password manager application or writing them down and storing them securely and separately to your personal devices.
Avoid free wireless networks
While the use of free wireless access may be alluring, their use with personal devices can often put your information at risk. Free wireless by its very nature is insecure; this can expose your web browsing sessions to someone looking to monitor your activities. Where possible use internet access from your telecommunications provider, or if the use of free wireless is unavoidable, avoid undertaking any sensitive activities.
Monitor your online presence
Check your privacy settings on social media platforms to make sure you know who can see your information. Privacy settings sometimes change after functionality is added to social media platforms so it is important to check them regularly.
It is best not to put personal details online. Also, consider checking the information that others put online about you. While some information might not seem important, many pieces of information can be put together to form a picture about you. Never assume that anything you do or post online will remain secret.
Many high profile websites have been compromised resulting in the release of highly sensitive information about their users. If your personal information is accessible online it can be used against you. This could range from something as simple as sending you spam emails to something as serious as accessing your accounts and stealing or deleting all your information, or even identity theft.
For more information on the secure use of social media, see Security Tips for Social Media.
For more information on detecting socially-engineered messages sent via social media, see Detecting Socially-Engineered Messages.
For information on common types of scams, and reporting if you have seen or are a victim of a scam, see scamwatch.gov.au.
For information on types of cybercrime, and reporting if you are a victim of cybercrime, see acorn.gov.au (Australian Cybercrime Online Reporting Network).
Organisations or individuals with questions regarding this advice can contact the ACSC by emailing email@example.com or calling 1300 CYBER1 (1300 292 371).