Introduction

What is personal cyber security?

In an increasingly tech-driven world we use devices and accounts every day that are vulnerable to cyber threats.

• Your devices may include computers, mobile phones, tablets and other internet connected devices.
• You also may use online accounts for email, banking, shopping, social media, gaming and more.

Personal cyber security is the continuing steps you can take to protect your accounts and devices from cyber threats.

What are cyber threats?

The main cyber threats affecting everyday Zambians are scams and malware.

• Malware is a blanket term used to describe malicious software designed to cause harm, including viruses, worms, spyware, trojans and ransomware. Cybercriminals use malware to steal your information and money, and control your devices and accounts.
• Scams are messages sent by cybercriminals designed to manipulate you into giving up sensitive information or to activate malware on your device.

These attacks can have significant personal and financial impact on victims and are growing in sophistication and frequency.

Read more about the different types of threats affecting Zambians.

How can this guide help protect me from cyber threats?

The Personal Cyber Security: First Steps guide is the first in a series of three guides designed to help everyday Zambians understand the basics of cyber security and how you can take action to protect yourself from common cyber threats.

If you are learning about cyber security for the first time, or are keeping yourself up to date, this guide is an excellent place to start.

Turn On Automatic Updates

What are updates?

An update is an improved version of software (programs, apps and operating systems) you have installed on your computer and mobile devices.

• Software updates help protect your devices by fixing software ‘bugs’ (coding errors or vulnerabilities) that cybercriminals and malware can use to access your device and steal your personal data, accounts, financial information and identity.
• New software ‘bugs’ are constantly being found and exploited by cybercriminals, so updating the software on your devices helps protect you from cyber-attacks.

How do I set up automatic updates?

Automatic updates are a default or ‘set and forget’ setting that installs new updates as soon as they are available.

• Turn on and confirm automatic updates on all software and devices.
• How you turn on automatic updates can differ depending on the software and the device.
• Set a convenient time for automatic updates if possible, such as when you’re asleep or not typically using your device.

Your device must be powered on, plugged into power and have unused storage space.

Tip: If you receive a prompt to update your device’s software you should do so as soon as possible.

More detailed information on how to turn on automatic updates can be found in our step-by-step guides.

What if the automatic update setting is unavailable?

If the automatic update setting is unavailable, you should regularly check for and install new updates through your software or device's settings menu. 

What if my older device and software do not receive any updates?

If your device, operating system or software is too old, it may no longer be supported by the manufacturer or developer.

When products reach this ‘end of support’ stage they will no longer receive updates, leaving you vulnerable to cyber-attacks due to known software ‘bugs’. Examples of products that are end of support include Windows 7 operating system and the iPhone 6.

If your device, operating system or software has reached end of support, we recommend upgrading as soon as possible to stay secure.

For more information you can read our Quick Wins for End of Support guide.

Activate Multi-Factor Authentication (MFA)

What is MFA?

You can use multi-factor authentication (MFA) to improve the security of your most important accounts. MFA requires you to produce a combination of two or more of the following authentication types before granting access to an account.

• Something you know (e.g. a PIN, password or passphrase)
• Something you have (e.g. a smartcard, physical token, authenticator app, SMS or email)
• Something you are (e.g. a fingerprint, facial recognition or iris scan)

MFA makes it harder for cybercriminals to gain initial access to your account by adding more authentication layers, requiring extra time, effort and resources to break.

Two-factor authentication (2FA) is the most common type of MFA, requiring two different authentication types.

How can I activate 2FA to protect my most important accounts?

You should activate 2FA now, starting with your important accounts:

• All online banking and financial accounts (e.g. your bank, PayPal)
• All email accounts (e.g. Gmail, Outlook, Hotmail, Yahoo!)

If you have a lot of email accounts, prioritise those that are linked to your online banking or other important services.

The steps for activating 2FA are different depending on the account, device or software application.

For more information on how to turn on 2FA read our step-by-step guides.

Regularly Backup Your Devices

What is a backup?

A backup is a digital copy of your most important information (e.g. photos, financial information or records) that you have saved to an external storage device or to the cloud.

Backing up is a precautionary measure so that your information can be recovered in case it is ever lost, stolen or damaged. 

How do I backup my devices and files?

You should regularly back up your files and devices. What that looks like, whether it is daily, weekly or monthly, is ultimately up to you. Backup frequency could depend on the number of:

• New files you load onto your device
• Changes you make to files

Tip: Check your backups regularly so that you are familiar with the recovery process, and ensure your backups are working properly.

For more detailed information on backing up to both external storage devices and the cloud you can read our step-by-step guides. These cover back-up guides for PC, Mac and iOS.

Use Passphrases To Secure Your Important Accounts

Multi-factor authentication (MFA) is one of the most effective ways to protect your accounts from cybercriminals. If MFA is not available, a unique strong passphrase can better protect your account compared to a simple password.

What is a passphrase?

A passphrase uses four or more random words as your password. For example: ‘crystal onion clay pretzel’.

• Passphrases are more secure than simple passwords
• Passphrases are hard for cybercriminals to crack, but easy for you to remember

How can I create a passphrase?

Create passphrases that are:

• Long: at least 14 characters long, using four or more random words. The longer your passphrase the more secure it is.
• Unpredictable: use a random mix of four or more unrelated words. No famous phrases, quotes or lyrics.
• Unique: not re-used across multiple accounts.

If a website or service requires a complex password including symbols, capital letters, or numbers, you can include these in your passphrase. Your passphrase should still be long, unpredictable and unique for the best security.

Which accounts should I secure with a passphrase?

If your most important accounts are not protected with MFA, change your passwords to unique strong passphrases, starting with your:

• Online banking and financial accounts
• Email accounts

If you have a lot of email accounts, prioritise those that are linked to your online banking or other important services. You can typically change your password to a unique strong passphrase through your account settings menu.

Tip: Always remember to never reuse a passphrase across multiple accounts.

For more advice on how to build strong passphrases you can read the Creating Strong Passphrases guidance on the website.

Secure Your Mobile Device

Today smartphones and tablets are used to connect, shop, work, bank, research, track our fitness and complete hundreds of other tasks at any time and from any location.

What can happen if my mobile device is compromised, lost or stolen?

• It may be used by cybercriminals to steal your money or identity, using information stored on your device including social media and email accounts.
• You may lose irreplaceable data like photos, notes or messages (if it is not backed up).
• A cybercriminal may use your phone number to scam other people.

How do I secure my mobile device?  

Device Security

• Lock your device with a passphrase, password, PIN or passcode. Make it difficult to guess – your date of birth and pattern locks are easy for cybercriminals to deduce. Use a passphrase for optimal security. You might also consider using facial recognition or a fingerprint to unlock your device.
• Ensure your device is set to automatically lock after a short time of inactivity.
• Don’t charge your device at a public charging station and avoid chargers from third parties.

Treat your phone like your wallet. Keep it safe and with you at all times.

Software and App Security

• Use your device’s automatic update feature to install new application and operating system updates as soon as they are available.
• Set the device to require a passphrase/ password before applications are installed. Parental controls can also be used for this purpose.
• Check the privacy permissions carefully when installing new apps on your device, particularly for free apps. Only install apps from reputable vendors.

Data Security

• Enable the remote locking and wiping functions, if your device supports them.
• Ensure you thoroughly remove personal data from your device before selling or disposing of it.

Connectivity Security

• Turn off Bluetooth and Wi-Fi when you are not using them.
• Ensure your device does not automatically connect to new Wi-Fi networks.

Develop Your Cyber Secure Thinking

Personal cyber security is not just about changing settings, it’s also about changing your thinking and behaviours.

Watch Out For Cyber Scams

Cybercriminals are known to use email, messages, social media or phone calls to try and scam Zambians. They might pretend to be an individual or organisation you think you know, or think you should trust.

Their messages and calls attempt to trick you into performing specific actions, such as:

• Revealing bank account details, passwords, and credit card numbers
• Giving remote access to your computer
• Opening an attachment, which may contain malware
• Sending money or gift cards

Scam messages can be sent to thousands of people, or target one specific person.

How do I recognise scam messages?

It can be difficult to recognise scam messages. Cybercriminals often use certain techniques to trick you. Their messages might include:

• Authority: is the message claiming to be from someone official, such as your bank?
• Urgency: are you told there is a problem, or that you have a limited time to respond or pay?
• Emotion: does the message make you panic, hopeful or curious?
• Scarcity: is the message offering something in short supply, or promising a good deal?
• Current events: is the message about a current news story or big event?

What should I do if I get a scam message?

If you’ve engaged with a scam and think your bank accounts, credit or debit cards may be at risk, contact your financial institution immediately. They may be able to close your account or stop a transaction.

What if I’m unsure if a message is a scam?

If you think a message or call might truly be from an organisation you trust (such as your bank) find a contact method you can trust. Search for the official website, phone their advertised phone number, or visit a physical store or branch.

Do not use the links or contact details in the message you have been sent or given over the phone as these could be fraudulent.

Tip: Think Before You Click

• Think before you click on links on emails, websites and SMS.
• Always be sceptical of attachments you receive.
• If your browser tells you a website is unsafe, close it immediately.

Remember: No IT person, government department or business will contact you and ask for your login details.

Stop And Think Before You Share On Social Media

Cybercriminals can use information you have publicly posted on your social media account/s in their scams and cyber-attacks.

Remember the internet is permanent and you can never fully remove what has been posted.

How can I stop and think before posting?

• Think: How could a cybercriminal use this information to target me or my accounts?
• Think: Would I be comfortable showing this information or image to a complete stranger offline?

What information should I avoid sharing?

Avoid sharing information (including photos) online that cybercriminals can use to identify you, manipulate you through a scam or deduce your account recovery questions. This may include your:

• Birthplace and date of birth
• Address and phone number
• Employer and work history
• Where you went to school
• Any other personal information that can be used to target you