Once upon a time — say, seven or eight years ago— setting up your home computer with antivirus software, and then maybe adding a firewall, was all you would need to do to protect yourself from malware and hackers. Or at least, that was the perception.
Back then, the biggest threat to the personal computer was someone clicking on a link embedded in a phishing email and getting his or her PC infected by a virus. But that's what the antivirus software was for, right?
Times have changed, and cybersecurity threats are a lot more sophisticated than they used to be. Cybercriminals use techniques pioneered by government intelligence agencies. Malicious websites infect anyone who lands on them. Smartphones broadcast your sensitive personal information over public airwaves.
The cybersecurity landscape has changed dramatically in recent years, but many people's thinking about security is stuck in 2007. If you're one of those people, it's time to revamp your security practices to better meet the current threats.
MORE: Best Antivirus Software
At the annual World Economic Forum in Davos, Switzerland, this past January, Eugene Kaspersky, CEO of the Russian computer-security company Kaspersky Lab, likened the evolution of cyberattacks to rapid changes in transportation.
"Twenty-five years ago, they were just simple bicycles," Kaspersky told a reporter. "Ten to fifteen years ago, they were cars. Now, they are space shuttles."
Yet the average computer user hasn't jumped aboard the space shuttle. Instead, he or she still thinks like a bicycle owner and uses the equivalent of a $5 chain to protect a $1,000 machine — not to mention something as precious as his or her identity.
Protecting more than just the PC
Not only are antivirus products and firewalls still the primary — and sometimes the only — security tools that many people deploy, but too many users neglect essential security practices that don't directly involve their desktop or laptop computers.
"The explosion in mobile-device use and mobile networking has exponentially increased the number of security threats [that] individuals face on a daily basis," said Joe Ferrara, president and CEO of Wombat Security Technologies, a security-training firm based in Pittsburgh.
"It can be very difficult for people to understand the immense risks associated with their mobile devices, because they've developed a false sense of comfort and security," he added.
Smartphones are full-fledged computers with an even larger "attack surface" — ways for a bad guy to get in — than regular PCs. Smartphones are always on, almost always connected to the Internet and can "talk" to other devices via cellular data, Wi-Fj, Bluetooth or NFC. Yet most people think of their smartphones as simply cellphones with Instagram.
The overall attack surface is getting even larger with the addition of a massive number of networked devices that make up the so-called Internet of Things. We now have to worry that appliances, motor vehicles and other everyday machines can be hacked. We may soon have to think about securing almost anything that can be plugged in or that uses a battery.
Just one link on the exploit chain
The rapid growth of connected devices isn't the only thing that has dramatically changed in cybersecurity. Businesses and governments were once the primary targets of cybercrime, but today, the average user is just as much at risk.
"It's a commonly held misconception that cybercriminals only go after servers and databases containing and processing sensitive data, like credit card transactions and health insurance information," said Jonathan Trull, chief information security officer for Redwood Shores, California-based business security provider Qualys.
"Although these servers and data might be the ultimate goal, the hackers more commonly target and attack the average computer and mobile device user first," he said.
If end-user devices such as your smartphone or PC are compromised, Trull said, attackers can leverage them to collect usernames and passwords and then attack the companies you work for and bank with.
For example, experts think the massive data breach at JPMorgan Chase last summer began with a phishing email sent to a Chase employee's personal laptop. When the employee logged on to the secure corporate network, the malware that hackers had installed on the laptop captured his or her access credentials and used them to enter the network.
"Today's cybercriminals are well organized, utilize established and globally dispersed command-and-control networks, and are persistent in their pursuit," Trull said.
How to up your security game
The first step in protecting yourself from a cybersecurity threat is to change your attitude. Recognize that you can become a target, and be vigilant about securing all your online behavior.
"Everyone needs to configure their operating systems and software to auto-update for security vulnerabilities, and to always surf the Internet and read email with a non-privileged account" that can't install or modify software, Trull said. "These two things will go a long way in preventing today's commonly used attack methodologies."
The second step is to focus on protecting your data. Many security experts advocate this approach in the workplace, but there's no reason it can't be used for personal devices and online accounts.
Two easy ways to protect the data are to set up two-factor authentication (i.e., a strong password and a code sent via text) to access email and social-networking services, and to encrypt sensitive data on phones, tablets and PCs. Don't forget to lock your phone's screen with a passcode.
One stumbling block many users encounter is a lack of understanding of how computer security works. It can be too complicated for the average person to comprehend, said Glenn Thomsen, senior consultant with Toronto-based Circumference Technology Services.
Thomsen said many devices — especially those that are part of the Internet of Things — aren't designed with security in mind. Yet many people would fail to see any problem with a smart thermostat that sends secure Wi-Fi login credentials through insecure networks, or a smart lock that can be opened with a special knock.
In order to keep up with all of the potential cybersecurity threats, users will have to be willing to become better educated about security practices and methods — or be willing to listen to a friend who already is.
"If you are not sure of how to use the security tools available to you, consult with someone who does," Thomsen said.
Make yourself a hard target
One thing that hasn't changed in cybersecurity is that online criminals, like burglars, will always look for the easiest way in. If they find a hole, they will exploit it. If they don't, they may look for another computer or network to attack.
The task of the user is to learn how to close the holes and create barriers around the information you don't want stolen. Make the bad guys move on to the next target.
You still need your AV software and your firewall, but we've come a long way from the days when those were enough. Your devices might be state-of-the-art, but it's time to make sure your security practices also keep up with the times.
- 10 Things You Didn't Know Could Be Hacked
- How Smart Homes Have Dumb Security
- How the Internet of Things Could Kill You