Staying safe online this Christmas

December 23, 2021

The Christmas period is almost upon us – one thing is for sure, with the current status of COVID-19 and increasing restrictions, this may well be another Christmas spent at home for many. Now we understand as a Cyber Security company, there isn’t much we can do to change that, however, one thing we can do is help ensure that you keep yourselves safe this holiday period from any nasty, unwanted surprises.


With many organisations opting to allow staff to work remotely, we are also seeing a huge increase in customers doing the same with their Christmas shop. Not only can it be a more convenient process for customers to shop online, but access to an entire galaxy of online shops, services or platforms can be confusing to navigate – not to mention the different types of threat-actors out there waiting for you to make a mistake! To help with the transition, here are some important (but relatively simple) tips to ensure your data remains your own this holiday season..

HTTPS > HTTP

Hypertext transfer protocol secure (HTTPS) is a protocol used to send data between a web browser and a website. Compared to websites that only use HTTP, HTTPS encrypts transmitted data, increasing the security of data transfer while also protecting the users. This is particularly important when sensitive data is often transmitted, such as by logging into a bank account, email service, or entering your card details into an online checkout service.


All websites should be using HTTPS - especially those that require login credentials. Currently, web browsers such as Google Chrome flag websites that aren’t using HTTPS as non-secure and should be avoided.


Achieving HTTPS on a website is not particularly a difficult task, so, if a service provider is not willing to take the necessary steps to implement the protocol, you as a consumer should think twice about trusting them with your personal data

What is encryption?

Encryption is a process where inputted data is scrambled (hidden) so that any unauthorised users (threat-actors) cannot access your data. Readable text is altered into incomprehensible text which can only be unscrambled by authorised users who have access to the necessary key. This way, only trusted sources can access the data required and the confidentiality, integrity and availability of data is ensured.

Use a VPN

Speaking of encryption, VPNs (Virtual private networks) are an online service used for securing and privatising your internet browsing activities by connecting device(s) to an encrypted, private network. When using a VPN, anything performed online will first be sent to the VPNs server, where identifiable details such as your IP address and location will be modified, and your connection will be encrypted. Ultimately, anyone who tries accessing this data will not be able to identify you or any of your personal data.


Typically, VPNs are used by those who want to increase their online privacy by restricting the amount of data that would usually be accessible by your ISPs (Internet Service Provider) and by anyone trying to gain access on public Wi-Fi.


If you would like to know more about VPNs, the different types, and their advantages, then please read our dedicated VPN blog.

Don’t use public Wi-Fi

We’ve all been there, out and about, no access to the internet or poor data connection and an increasing urge to look at our emails, check our bank balance or make an online order. Typically, you’d connect to the publicly available Wi-Fi at your convenience, grab your smartphone/laptop and problem solved, right?


The truth is, anything you do on a public network is, well, public! Public Wi-Fi is described as the virtual playground for hackers as they can easily access your data. if you were to do anything such as logging into online banking or emailing customers with personal details, you can be certain that whoever has access to the network also now knows these details too – it is scary to think that something so simple can create so many vulnerabilities.


If you ever find yourself in a similar situation and must connect to public Wi-Fi, then we recommend:


  • Ensure the public network is from a trusted source – threat actors can and will create real-sounding public networks to entice people into connect to them
  • As mentioned above, only visit websites that are secure – sites with https are using the latest encryption protocols whereas sites using http are not
  • Make sure that your device is using an optimal firewall
  • Do not communicate sensitive data - If you don’t have access to any tools to keep your data safe, it’s best to stick to low-risk websites and avoid performing any sensitive actions until you can ensure you are safe to do so
  • Do not log into online banking – only use websites that are secure low-risk such as listening to music
  • Use a VPN – connect to an encrypted network and disguise your activity

Be careful about the emails/offers you click on

I’m sure you’ve already noticed the increasing number of emails and SMS messages you receive daily regarding special offers and account troubleshooting. Since COVID-19 we have seen a major increase in the amount of Phishing and Smishing campaigns people are experiencing. In situations like this, threat-actors are preying on vulnerable users and taking advantage of anyone who doesn’t realise they aren’t who they say they are. It’s not always easy to recognise phishing messages, particularly if you are a client of the company from which the message has supposedly been sent.

Identifying social engineering attacks:

  • Even though the ‘From:’ field of the message shows the address of the company, it is not difficult for a criminal to alter the source address of the email in any mail client.
  • The email may have the logos and trademarks of the organization, yet these can easily be lifted from the company’s website
  • The link in the email seems to point to the company’s website, though really it takes you to a fake page which will ask you for your username, password, etc
  • Very often these messages contain spelling or grammatical errors that you would not normally expect in official communications from the genuine company


Another thing to be aware of is that although we normally talk about phishing in the context of banks, cyber criminals often use any popular website or platform (eBay, Facebook, PayPal, etc) as bait for stealing personal data.


No company will ever ask you to send them your personal details over email or text. If they do, be very suspicious!

Use Password Management Software

This may seem like a simple tip, but it may be one of the most important ones so far. The frustrating part about the amount of choice you’ll have online this Christmas is the fact that you will have to sign up for each website which requires a password. Yes, it may be convenient to use the same password as it only requires you to remember that one password. However, if one website were to become compromised, then that threat-actor would have the necessary tools to every single account that uses the same password.


We always believe something like this wouldn’t ever happen to us, but the fact is, it so easily can. Even if a threat-actor does not act, they could easily sell it to another person that happily will.


A very simple fix is to obtain a password management software package - password management tools (such as 1Password or LastPass) ensure that users are not storing their passwords on physical devices (can be accessed by other people) or through their memory (will not be a secure password). The passwords for every account you hold can then be managed on the software rather than in your head, on an old spreadsheet or piece of paper. All that is required is you to remember one core master password and the software does the rest.

Password management tools will alert you about repeated passwords while also having tools that can quickly generate and store long, hard to replicate, and secure passwords so you don’t have to constantly create new and secure passwords yourself. These tools are also easily accessible and can be downloaded on devices such as your smartphone if necessary.

Multi Factor Authentication
MFA (Multi-Factor Authentication) is an authorisation method that requires two or more successful prompts to verify a user’s identity. These prompts could be a fingerprint scan, entering a pin, or even accessing another account such as their email to repeat a specifically generated code. After verifying their identity, staff will only then be given access to their account.

Accounts that require identity authentication reduce the risk of a successful brute force password attack. So, if an attacker successfully guesses the correct password, they still cannot access your account.

Follow Us

Be the first to know

You might also like

DAST in DevOps: Why It Matters

October 14, 2024
DevOps is a popular practice, especially among large organizations. However, while it comes with numerous benefits, it presents numerous risks as well. One notable challenge is the increased velocity of deployment, which often complicates how developers implement and ensure application security throughout the development and deployment process. DevOps is a popular practice, especially among large organizations. However, while it comes with numerous benefits, it presents numerous risks as well. One notable challenge is the increased velocity of deployment, which often complicates how developers implement and ensure application security throughout the development and deployment process. According to a recent survey, almost 80% of CIOs expressed concerns about the difficulty of discerning trusted elements from untrusted ones within DevOps environments. In particular, the pressure to deliver services at a faster pace sometimes prompts DevOps teams to take security shortcuts, resulting in potentially costly repercussions. These include data breaches, application downtime, and compliance violations.  So, how can you strike a balance between the demand for agile DevOps practices and the need to maintain robust security measures?

Why DAST Testing is Important

October 4, 2024
Testing applications for security flaws during production is a vital process of the development lifecycle, and this is where Dynamic Application Security Testing (DAST) comes in. DAST is a security testing approach in application security (AppSec), in which testers assess an application in real-time, while it’s actively running. This process can be conducted even without testers knowing the application’s internal interactions or system-level designs. Applications fuel the engine of the world’s economy, but enterprises can encounter substantial hurdles when striving to retain a competitive advantage in a rapidly changing digital landscape. Businesses must continuously pursue inventive solutions, even as they contend with sophisticated adversaries looking to exploit opportunities to disrupt operations, compromise vital information, and inflict harm. According to recent research, approximately 17% of cyberattacks aim to exploit vulnerable web applications. Yet, 98% of web applications are susceptible to attacks that can lead to malware infection or redirect users to malicious websites. All the while, 72% of these vulnerabilities result from coding errors. Testing applications for security flaws during production is a vital process of the development lifecycle, and this is where Dynamic Application Security Testing (DAST) comes in. DAST is a security testing approach in application security (AppSec), in which testers assess an application in real-time, while it’s actively running. This process can be conducted even without testers knowing the application’s internal interactions or system-level designs.  This is because DAST tools operate without access to the application’s source code. Instead, they emulate genuine attacks, akin to those carried out by real hackers, to identify security weaknesses. This “black box” testing method examines the application from an external perspective, scrutinises its runtime behaviour, and observes how it reacts to simulated attacks. These simulations help evaluate whether the application exhibits vulnerabilities and if it is potentially susceptible to malicious attacks.

The Evolution of Hacking

September 25, 2024
In this blog post we look back at the origin of the term “hacking”, as well as how activities that might be described as hacking have existed throughout history, even prior to the advent of computer systems – and what if anything these can teach us today. Hacking is attacking and breaking into computer systems illegally… isn’t it? The meaning of the term “hacking” has in fact changed substantially over time, morphing from describing essentially benign (or at worst mildly disruptive) activities into its modern attribution to largely criminal and illegal activities. What’s more, in its original usage, “hacking” doesn’t necessarily even need to involve computer systems at all.  In this blog post we look back at the origin of the term “hacking”, as well as how activities that might be described as hacking have existed throughout history, even prior to the advent of computer systems – and what if anything these can teach us today.
More Posts
Share by: