ShiftState Security

WORKING FROM HOME SECURELY: TIPS FROM AN FBI CYBER PREPPER

Now more than ever, the ability to work from home securely is essential. Check out these top tips from an FBI Cyber prepper on how to take control of your phone, your most private data, and most importantly, your personal security.
I’m not here to tell you what you already know, like don’t click on suspicious links or attachments in emails from people you don’t know, and don’t send money to someone on the phone saying they are the IRS or Social Security office. (But just to reiterate...don’t do any of those.)

I’m here to provide cyber tips on how to take control of your phone, your most private data, and most importantly, your personal security. These are best practices that should be taken by everyone, whether CEOs and customer service reps, teachers and students, or grandparents and grandchildren.

Many years as an FBI agent have confirmed for me that cyber crime does not discriminate, nor is it victimless. Getting hacked hurts, and picking up the pieces can be an impossible task—especially if it is one you have not prepared for.


1. Turn on two-factor authentication for every account, site, or application that allows it.
If there is one single action that can be taken to stop hackers in their tracks—before they take control of your bank accounts, social media profiles, and smart home devices—it is two-factor authentication. 

Two-factor authentication is best recognized as the extra code you get in your email or as a text message to confirm your identity when logging into an account. It’s that second layer of authentication, after you’ve entered your password, to prove you are the proper owner of the account being accessed. All major services—banking, social media, even Amazon—offer two-factor authentication, but most often it is not on by default and has to be turned on manually. This action alone will increase your security profile by ten-fold.


2. Use a Password Manager.
If your current password is shorter than 13 characters, it is considered weak and hackable, and it has probably already been exposed in a previous data breach. The human brain can really only handle 7 random characters at a time; therefore, the average human-derived password contains only words we can remember, and when forced to add complexity, it is predictable that the first character is upper case, the second-to-last character is a number, and the last character is a symbol (with a 40% chance of that symbol being an exclamation point). If the good guys know how to crack your password, the bad guys do too.

A password manager automatically creates a unique complex password for each and every website that you log into. It will remember all of your passwords, so you don’t have to. Of course you may be wondering, what happens if someone hacks my password manager? Well with two-factor authentication turned on, this is significantly harder to do and, on top of that, your password manager should use a long passphrase that you can remember, such as “eating pasta makes me happy” (note: a space is technically a character).

Now, what if you forget your passphrase, you ask? Honestly, write it down. Write it on a sticky note and put it on page 110 of an old novel. Gone are the days when security experts would say you shouldn’t write down your password. We would much rather you have a complex password written down than a weak password cracked by someone in Eastern Europe—also, the likelihood of someone breaking into your house and ransacking your bookshelf is quite low.
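As an added example (not code from the original post), here is a small Python checker that encodes the heuristics above: the 13-character minimum, the upper-case-first / digit-then-symbol-last layout, the exclamation-point habit, and spaces counting as characters in a passphrase. The `generate_password` helper stands in for what a password manager does per site; the sample passwords are constructed, not real credentials.

```python
import secrets
import string

MIN_LENGTH = 13  # the post's rule: shorter than 13 characters is weak
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def follows_predictable_pattern(pw: str) -> bool:
    """The human habit the post describes: when forced to add complexity,
    the first character is upper case, the second-to-last is a digit and
    the last is a symbol (e.g. 'Summer2019!')."""
    if len(pw) < 3:
        return False
    return pw[0].isupper() and pw[-2].isdigit() and not pw[-1].isalnum()


def assess_password(pw: str) -> dict:
    """Apply the post's heuristics to one password. Spaces count as
    characters, so 'eating pasta makes me happy' has length 27."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short ({len(pw)} < {MIN_LENGTH})")
    if follows_predictable_pattern(pw):
        findings.append("predictable Upper-first, digit+symbol-last layout")
        if pw.endswith("!"):
            findings.append("ends with '!', the most common symbol choice")
    # A passphrase in the post's sense: several plain words separated by spaces.
    words = [w for w in pw.split(" ") if w]
    passphrase = len(words) >= 4 and all(w.isalpha() for w in words)
    return {
        "length": len(pw),
        "passphrase": passphrase,
        "findings": findings,
        "weak": bool(findings),
    }


def generate_password(length: int = 20) -> str:
    """What a password manager does for each site: a unique random string
    drawn from the OS CSPRNG, so there is no human-derived pattern to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("Summer2019!", "Correcthorsebattery7!", "eating pasta makes me happy"):
        print(repr(pw), assess_password(pw))
    print("manager-style:", generate_password())
```

Note that a 21-character password that still follows the predictable layout is flagged, while a lower-case five-word passphrase passes on length alone.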


3. Clean up old mobile apps on your phone.
You definitely have apps on your phone that you no longer use. Whether it is an old food app, health app, or the app you downloaded once for mobile check-in two years ago, the average smartphone has between 50 to 100 apps on it, with many having direct access to your photos, location, contacts, and messages. Some of these apps were developed by teams with security in mind, but many times these apps are developed quickly by newly minted app developers with no security skills, and therefore are riddled with vulnerabilities for hackers to use to get your personal information.

Go through your phone and delete any apps you no longer use. If you use a particular app a couple of times a year, delete it now and just reinstall it the next time you need it. For apps that you do decide to keep, update them frequently, as each update is always a bug or vulnerability fix.

4. Use a VPN.
If your computer or phone is connected to your home or work network, you don’t need an encrypted virtual private network (VPN). But if you are traveling on a plane, in a hotel, or using the free coffee shop WiFi, you should have zero trust that your data and online activity are private and protected. You have no idea who is scanning, listening to, and reading your personal information, and trust me, there are people, good guys and bad guys, doing that all the time.

A VPN is an encrypted tunnel that fully encapsulates all of your online and network activity, so anyone scanning, listening to, or trying to read your personal information only gets it as garbled text. Many people make the mistake of installing a VPN on their computer but not also installing a VPN on their personal phone; however, we use our personal phones for everything these days, and they carry and access some of our most precious personal information.

Rule one: if you connect to open WiFi and you don’t know everyone on the network (aka home) or trust everyone on the network (aka work), then you must have your VPN turned on before logging into any accounts or sending any emails.

5. Change your home WiFi name.
At the time it may have made sense to call your home WiFi “McCarthy Home” or “Dodgers,” because it was easy for you and your family and friends to remember. But note that this also makes it just as easy for bad guys to know which house and which network to target. You want to make it as hard as possible for anyone walking by or driving by to match your wireless network with your house.

For your home WiFi name, it’s okay to use a memorable phrase, a random word, or even a funny one-liner joke. Please don’t continue to use the original WiFi name that came with the router when you turned it on, as it is a sure sign to hackers that where the default WiFi name is used, other default settings and passwords are probably in use as well.

Have more time on your hands? Here are five additional cyber prepper tips you can implement:

6. Encrypt your email.
Would it surprise you to know that your email is not encrypted all the time? This is the reason your bank or mortgage company will send you an email asking you to log into their portal to view messages they send, rather than displaying them directly in email. Download and install any of the free consumer-grade email encryption services to your favorite browser or mail client to protect your sensitive communications and private data.

7. Change default passwords on your home devices.
If you have smart home devices—cameras, thermostats, locks—remember to change the manufacturer default login credentials. Because these devices are produced en masse, they all come with the same default administrator passwords. It only takes a simple Google search to find the company’s online manual or FAQ page to obtain the default administrator credentials and log into the device if I am a bad guy sitting on your home network. 

8. Stop using a single email address for everything.
Ten years ago, having an email address with your full name made communications simple and easy. Today, it has made hacking simple and easy. Knowing or being able to guess the email address attached to the password recovery features for your bank and social media accounts means that bad guys have a good shot at hacking your life if you’re following predictable norms (especially if two-factor authentication is turned off). Consider setting up new “bank only” or “social media only” email addresses, such as RoverComeHome@[email].com or outfielder7034@[email].com, that are not connected to your name in any way and therefore cannot be guessed for password recovery hacks.

9. Increase privacy settings on your phone, social media, and SmartTV.
Wondering how ads manage to know just what you’re looking for or why your apps seem to know more about you than you tell them? It is because your privacy settings are off by default. Yes, there are apps on your phone listening all the time through the microphone, and you can turn them off under Settings > Privacy. Yes, Facebook has mapped out your behavior with labels to target ads and you can see the labels and more under Settings > Security. Yes, your SmartTV is tracking what you watch and you can turn it off under Settings > Data Privacy.

10. Request that your data be deleted from old websites.
We have all stopped using a website or online service at some point, but have you ever asked those sites to delete your old data, transactions, and credit card? With new global data privacy regulations in effect, the consumer has been granted more power over their personal data and the right to be forgotten on the Internet. You don’t want to find out three years from now that a company you stopped using five years ago got hacked and now your data is leaked. Take the time to send in a data deletion request. If you are wondering how to find these old sites, search your email messages for terms like: “welcome”, “new user” or “verify.”