On Monday, President Joe Biden warned Americans about the possibility of “malicious” cyber activity from Russia in response to economic sanctions the United States imposed on Russia over its war against Ukraine.
Biden said in a statement Monday that his administration “can’t defend against this threat alone” and cited recommendations for private businesses and leaders in critical infrastructure to follow.
But individual Americans can also do their part.
“State-sponsored cyberattacks aren’t usually financially motivated; instead, they aim to be more disruptive to institutions,” said Stephanie Carruthers, a white hat hacker who is chief people hacker at IBM’s X-Force Red. “As we see cyber increasingly become a powerful tool used in warfare, consumers can do their part to avoid getting caught in the digital crossfire or becoming an attacker’s entry point into an organization’s network.”
Here are some of the most important recommendations from real-life hackers and other cybersecurity experts:
1. Use multifactor authentication, if you don’t already.
The Biden administration is urging companies to mandate the use of multifactor authentication on their systems, and the U.S. Cybersecurity and Infrastructure Security Agency includes it among their top four recommendations for individuals right now, too.
This can include turning on two-step verification for your Google accounts and Gmail, social media platforms like Facebook, your Social Security account, and banking and credit card websites.
Multifactor authentication “essentially requires a second form of authentication by the consumer to protect their account in the event a password has been compromised,” Carruthers explained.
Kevin Johnson, CEO of the consultancy Secure Ideas and a hacker hired by companies to test their own security vulnerabilities, said using multifactor authentication everywhere you possibly can is one of the easiest and most important things people can do to protect themselves against cyberattacks.
“[Hackers] find the weakest link, and the weakest link are people,” he said, adding, “Any place that you’re not using MFA, if an attackers gains access to your account there, they can leverage that access against you further. If I get access to your email, I have access to everything.”
If MFA isn’t possible, there may be other fallbacks that essentially do the same thing.
“Biometric authentication forms are also a safer backup option: Using a fingerprint or Face ID is tougher for a cybercriminal to get around,” Carruthers said.
2. Get a secure password manager, and don’t assume that simply changing your password means it won’t get exposed.
Passwords are everywhere, and they are the gateway into your bank account, emails, employer or organizational information, and more. Once a cybercriminal figures out one password, it will open the door to others.
“Consumers need to do a better job of updating their passwords regularly, choosing long and unique passwords for each account, and realizing that using their dog’s name and their birth year for a password combination is a poor and risky choice that can easily be guessed,” Carruthers said.
Johnson warned that even when a system’s password complexity requirements seem strong, they are not that strong against hackers. Just because your credit card website requires your password to have a capital letter, lowercase letters, numbers and symbols, for example, doesn’t mean your choice is actually strong or secure.
CISA recommends that you go above simply using a complex password and get a password manager, which can both generate and safely store legitimately complex passwords while you only have to remember one master password.
3. Turn on automatic updates for software.
One of CISA’s top recommendations for individual-level protection against Russian cyberattacks is to update software and apps and turn on automatic updates so they stay current.
“Bad actors will exploit flaws in the system. Update the operating system on your mobile phones, tablets and laptops,” CISA recommends. “And update your applications –– especially the web browsers — on all your devices, too.”
The fact that your laptop or phone is operating just fine on outdated software does not mean it is operating securely. Johnson said when he encounters people who have the mentality of “‘This is how we’ve always done it,’ ... I know that i’m going to have an easy time [hacking them].”
4. Watch out for phishing schemes.
CISA estimates that more than 90% of successful cyberattacks start with a phishing email, in which “a link or webpage looks legitimate, but it’s a trick designed by bad actors to have you reveal your passwords, Social Security number, credit card numbers or other sensitive information.”
Carruthers said one telltale sign of a phishing scam is receiving odd requests from a work colleague or your company’s upper management. “CFOs and HR departments are very often impersonated by cybercriminals to invoke a certain action from an employee,” she said.
The level of urgency or presence of emotional stressors is also a subtle tip-off. “Is the email, text or voicemail you received evoking a sense of urgency, panic or fear?” Carruthers said. That’s a sign.
When in doubt, don’t click, and directly contact the person or organization to find out if the request is legitimate.
5. Be alert to your surroundings, and don’t fall for confidence scams.
Nick Santora, CEO of the security awareness training platform Curricula, said people fall prey to the mentality of thinking cyberattacks won’t happen to them, but phishing scams “happen every day to countless numbers of victims.”
“Anyone can pretend to be someone they’re not on the other end of the phone or other side of the screen,” Santora said. “Confidence is king, and that’s why hackers are successful in this approach targeting the most vulnerable population, such as the elderly.”
Just because someone says they are a trusted individual hired by a legitimate organization doesn’t mean they are.
Johnson shared an example of when he was hired by a bank to test its physical security. Only one employee called him out and asked why he was present at the bank’s data center. Johnson complimented her for catching him and said that he was hired by the company to run a security test. He told her to keep his presence a secret for the sake of the test, and she did so.
“She didn’t ask for any proof, she got my business card.... That’s the only verification she did,” Johnson said. ”All I did was switch the script on her, and she didn’t stop to think about it.”
His example underscores why you should verify before taking someone’s credentials at face value.
“Scam artists and cybercriminals will do their homework. They will study their targets, their social media profiles and do as much open-source reconnaissance to craft a phishing lure that will avoid suspicions,” Carruthers said. “If a consumer has doubt or isn’t sure, if an email, text they’ve received is legitimate, they shouldn’t engage with it.”