Can you remember a day in recent memory when you didn’t use the internet? Us neither.
We spend so much time online that it’s easy to take a lot of things about it for granted — and one of those things is web security.
In simple terms, web security (also known as internet security) is the process of securing the activities we do and the transactions we make online. It sits under the broader umbrella of cyber security and focuses on protecting data from being stolen or used without permission.
The landscape of web threats has grown significantly in recent years. Modern technologies like smartphones and high-speed mobile networks make it much easier for malware, fraud, and other online threats to travel further and faster than ever before.
Plus, we’re adopting the internet into our daily lives at a pace that often leaves our security awareness skills and knowledge in the dust. It’s enough to make anyone feel a bit overwhelmed, but don’t worry — we’ve got some tips for staying safer online coming right up.
First though, let’s get our heads around what we’re up against.
In the fast-developing digital space, e-commerce sites, cloud-based services, and web applications all come with cyber security risks. When one website is breached, hackers can get access to the data of millions of users, with the potential to use that data for years to come. That's why it’s so important to protect this data from web threats.
What is a web threat?
A web threat is anything that can harm a website or web application, or the people who use it. The threat could be the problematic event itself, like accidentally downloading a file that contains malware, or the person who causes that event, like a scammer sending a phishing email. These threats could allow hackers to take control of systems, access sensitive data, and steal resources.
Attackers take advantage of web threats to access private and personal computers or networks, which then allows them to expose private and sensitive information — like personal information and account credentials — without permission.
Phishing
Sadly not the relaxing type with an “f” and a meditative mindset.
Phishing, in its most common form, refers to scam emails that come from an untrustworthy source but try (often very convincingly) to persuade you they’re from a source you trust. These emails encourage you to take an action, like clicking on a link.
If you do this, the next step will likely involve being asked for some personal or sensitive information. Phishers set out to collect all sorts of sensitive data, including credit card information, internet banking details, personal information, and usernames and passwords to online accounts.
One of the most important things to remember about phishing scams is that anyone can be taken in by them, and there’s no shame in it if it happens to you.
There’s more than one cyber security professional who’s publicly shared a story of clicking on a link in a phishing email. One of our team has even written about her similar experience on this blog. If you think you’ve been phished, the best thing to do is tell the people who can help you resolve the problem.
Many phishing emails are sent to large lists of addresses to increase the chances of reaching people who are likely to click the links. Others are carefully tailored to the person who receives them — for example, by including information about the recipient, like their name. Attackers also use guesswork based on online research, contact details from public sources, and contact lists shared and sold online to build their campaigns.
Another common tactic is making the emails appear to come from banks, social media platforms, government organisations, online games, and online services that process credit card payments. We all rely on services like these, so we’re more likely to take action when it's them doing the asking. Scammers know this and they use it to their advantage.
As you might guess, malware is short for "malicious software", and like the name suggests, it can be very damaging indeed. From locking your files so you can’t access them, to stealing sensitive data, to holding your device hostage, malware can reach its sneaky tentacles far and wide.
Malware is software that's specifically designed to perform malicious actions, like stealing passwords and data, sending spam ads, trying to redirect web users to dangerous or fake websites, or taking actions that can destroy systems.
Because malware affects many organisations around the world, we’re probably more familiar with it than we’d like to be. You may recognise the names of at least a few of the common types of malware, like viruses, trojans, spyware, worms, ransomware, and adware.
Ransomware has been all over the news lately, so let’s dive a bit deeper into this one. It’s a type of malware that locks your files (usually by encrypting them) and only unlocks them if you pay the attacker a fee — which is where the “ransom” in “ransomware” comes in.
Ransomware can get into a device in several ways. One of the more common ways is through phishing emails, where the recipient is tricked into opening an attachment. When the attachment is downloaded and opened, it runs the ransomware, which then takes control of the user's device.
More aggressive forms of ransomware can also spread to other computers on the same network you’re connected to, locking users out of every computer on that network. Yeesh.
The most common type of data breach involves passwords, where an attacker gets a copy of the usernames and passwords used to access an online system. Those lists then circulate among other attackers, who try the same usernames and passwords against other online systems to see where else they work.
If a web user has the same password for multiple accounts (relatively likely, but something you can start fixing today if it’s true for you!), this can quickly take a turn for the worse. Once an attacker has that one password, they’re in a strong position to use it to access a lot of accounts, and a lot of sensitive information.
Hackers also know many passwords are weak and easy to guess, and they have a number of techniques to crack them. They’ve even come up with cracking dictionaries, which collect the most commonly used passwords. It’s pretty good motivation to sort out our password habits, right?
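To make the last two points concrete, here is an added example (not code from the original post) showing two checks a defender can run on password material without ever sending a plaintext password anywhere: a breached-password lookup using the k-anonymity "range" scheme (the client sends only the first five characters of the password's SHA-1 hash and matches the returned suffixes locally, the approach used by Have I Been Pwned's Pwned Passwords service), and a reuse check across accounts. The breach corpus, the account list and the domain names are all constructed for the example.

```python
import hashlib

# Constructed stand-in for a breach corpus: a few entries of the kind that
# fill cracking dictionaries. Real services hold hundreds of millions of
# hashes; this list only exists so the example runs offline.
BREACHED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "P@ssw0rd"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the digest the range scheme uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- "server" side -------------------------------------------------------
def build_range_index(passwords):
    """Index breached hashes by their first five hex characters."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(h[5:])
    return index


def range_lookup(index, prefix: str):
    """Return every hash suffix sharing the 5-character prefix.

    The server never sees the full hash, so it cannot tell which of the
    candidates under that prefix the client actually holds."""
    return index.get(prefix, [])


BREACH_INDEX = build_range_index(BREACHED_PASSWORDS)


# --- "client" side -------------------------------------------------------
def is_breached(password: str, index=BREACH_INDEX) -> bool:
    """True if the password appears in the breach corpus.

    Only the prefix leaves the client; the suffix match happens locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return suffix in range_lookup(index, prefix)


def find_reused_passwords(accounts: dict):
    """Given {account_name: password}, return groups of accounts that share
    a password. Grouping by hash means the plaintexts never need to be
    compared or stored side by side."""
    by_hash = {}
    for account, pw in accounts.items():
        by_hash.setdefault(sha1_hex(pw), []).append(account)
    return [names for names in by_hash.values() if len(names) > 1]


def audit(accounts: dict) -> dict:
    """Summarise both problems for a set of accounts (constructed input)."""
    return {
        "breached": sorted(a for a, pw in accounts.items() if is_breached(pw)),
        "reused": find_reused_passwords(accounts),
    }


if __name__ == "__main__":
    # Constructed account list for demonstration only.
    sample_accounts = {
        "email": "letmein",
        "bank": "letmein",
        "forum": "correct horse battery staple",
    }
    print(audit(sample_accounts))
```

The point of the prefix scheme is that an organisation can screen new passwords against breach data without handing the password (or even its full hash) to a third party; the reuse check is the same idea applied across your own accounts.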
Protecting yourself from online threats
Once we’re familiar with what’s out there, we get to the key question: what can we do about it?
Understand your situation
To be able to protect yourself, you need to understand what specific risks your organisation faces. It’s time for everyone’s favourite task: a risk assessment!
In all seriousness, doing a risk assessment will get you off on the right foot when it comes to protecting your organisation. Here are a couple of prompts to get you started.
The first step is understanding your organisation's environment. For example, if you’re using outdated technology that’s no longer supported by the people who created it, the overall system becomes more vulnerable. This is definitely something you want to be aware of.
The nature of your organisation and how it works may give attackers clues about what types of attacks are likely to be most effective. If an attacker’s main motivation is financial, then a website that collects credit card details so people can make online payments would be a prime target. Take some time to think about how your organisation could be targeted, and then assess how informed and equipped your staff are for dealing with those types of scams and attacks.
For more on doing a cyber security risk assessment, check out this handy guide from our friends at CERT NZ.
Manage your risks
Risk is a part of life, and just like with other risks, it’s not possible to reduce all cyber security risks to zero. Instead, we aim to minimise the risks with the most significant impacts as much as possible. So let's move on to risk management.
This typically includes some practices like:
- Making a leader or manager in the organisation responsible for the risk
- Reducing risks through technical or operational changes
- Avoiding risk altogether.
There’s also another option, which is to accept the risk and keep an eye on it. If you’ve already done everything you can to take the risk down to a comfortable level, this will be where you land.
Managing risk can be tricky, especially when you’re trying to achieve an acceptable level of risk while still working within your organisation's limited time and resources. Some risks will always take priority over others, and going through a process of risk assessment and management will help you identify what’s what.
Protect your devices
The internet is used by people with all levels of technical knowledge, so it tracks that web security should also be easy for people of all ages, stages, and backgrounds to understand.
Building good security habits both on a personal and organisational level is the first step we can all take towards reducing web threats and managing risks.
Here are a few things you can do to protect your devices.
- Keep your operating systems, apps, and software updated to the latest versions. This includes all your devices, like your laptop, desktop, phone, and tablets.
- Keep your anti-malware programmes up to date across all your devices. Modern operating systems have these security programmes baked right in, so all you have to do is turn them on.
- Use long and unique passwords and PINs. Using biometrics (like facial recognition and fingerprint scanning) is okay too, but you often need to have a password or PIN as your backup.
- Set up your devices so they’re protected if you lose them. That may include turning on a setting called hard-drive encryption, which will keep the data on your device safe when it’s turned off. For mobile devices, it's best to use remote location tracking so you can find your device if it goes walkabout. Find out more about this in our team member Rachel’s post on lessons learned in device security.
- If you work remotely, secure your home Wi-Fi network with a strong password and avoid using public and unsecured networks (ones that don’t need a password) as much as possible. They might seem convenient, but they can be bad news, especially if you’re handling sensitive information or using your credit card information online.
- Protect your computers from viruses by setting up a firewall. This helps block external access to your network systems and is well worth having in place. Head over to CERT NZ for more about this as well as other good pointers on securing your network.
- Pay attention to any firewall or security pop-up messages and take some time to understand what you’re agreeing to.
- If you’re selling or giving away your device, make sure to reset it to factory default settings first.
- Back up your data, including your website and your devices. This can take a bit of setting up, but it’s worth the peace of mind of knowing you’ll always be able to get your important files back.
Improve your web security with these small steps
If you know your online security could do with some work, why not start chipping away at it bit by bit? You might not get it all done at once, but at least you’ll be a bit safer than you were yesterday.
Here are some simple steps you can take.
- Set up two-factor authentication on your accounts, especially the really important ones like online banking and email. This means a password alone isn’t enough to log in; you also need something else you have, usually another of your devices — for example, by entering a code into your laptop that gets sent by text to your phone. Sure, it might take a bit longer to log in, but it's worth it.
- Build your daily practice of paying closer attention to emails with attached files and links. Hover over links and sender addresses to see more detail, and avoid clicking on links or opening files from unknown senders both via email and social media.
- Avoid responding to unsolicited emails, texts, or phone messages directing you to a website or asking for confidential information like login or bank account details. Instead, contact your bank, social media site, or organisation using contact details you know are credible (for example, the details listed on their website) and check whether they really asked for it.
- Only download software and media files from reliable and official sources. Online content may contain malware, which you definitely don't want on your machine.
- Avoid sharing identifying details like your full name, passport details, address, and financial information with strangers online.
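The "hover over links and sender addresses" habit above can be automated. The following added example (not code from the original post) runs three of those checks over a constructed email message using only Python's standard library: whether the sender's domain is one the organisation actually uses, whether the Reply-To address points somewhere other than the sender, and whether a link's visible text shows a different website from the one its href really opens. The message contents, the domains and the trusted-domain list are all made up for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the domain the organisation genuinely sends from.
TRUSTED_DOMAINS = {"examplebank.test"}

# Constructed phishing-style message (not a real email): the display name
# claims to be a bank, but the address, Reply-To and link target all point
# elsewhere, and the link text shows a different site from its href.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-login.test>
Reply-To: support@mail-recovery.test
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please sign in at <a href="http://account-verify.test/login">https://www.examplebank.test/login</a>
to keep your account active.</p>
</body></html>
"""

# Constructed legitimate message for comparison.
LEGIT_EMAIL = """\
From: "Example Bank" <alerts@examplebank.test>
To: customer@example.org
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready at <a href="https://examplebank.test/statements">https://examplebank.test/statements</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_message(raw: str, trusted_domains=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable findings; an empty list means no
    check fired. Uses the modern email policy so headers are parsed into
    Address objects with display_name and domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    if sender_domain not in trusted_domains:
        findings.append(
            f'sender "{sender.display_name}" uses untrusted domain {sender_domain}')

    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        reply_domain = reply_to.addresses[0].domain.lower()
        if reply_domain != sender_domain:
            findings.append(
                f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = (urlparse(href).hostname or "").lower()
            # Only compare when the visible text itself looks like a URL.
            shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if shown and shown.lower() != target:
                findings.append(f"link text shows {shown} but points to {target}")
            if target and target not in trusted_domains:
                findings.append(f"link target {target} is not a trusted domain")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(name, analyse_message(raw) or ["no findings"])
```

None of these checks proves a message is malicious on its own (newsletters routinely use tracking domains, for example), which is why the output is a list of findings to weigh rather than a verdict; the same reasoning applies when you do the check by eye.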
Ultimately, the main objective of web security is to keep your online identity and private information safe.
Creating security awareness and supportive security culture within organisations is the first important step to making sure you and your organisation are safe online. With that in mind, we've created our online Security Awareness programme to help your team build and grow their cyber security superpowers with our short, engaging, and action-oriented courses.
Grab a free trial for 14 days and see for yourself what makes our training different.