If you’re like many people, you might sign up for an online account at your gym, download the local movie theater’s app and share a cat video on Twitter all before 9 a.m. — and all without thinking twice. But when navigating the internet, security experts say, a little bit of deliberation often pays off by keeping your data more secure.
“We all have day jobs, but to a hacker, we are their day jobs,” says Adam Levin, former director of the New Jersey Division of Consumer Affairs and founder of CyberScout, which helps individuals and businesses deal with cybersecurity threats. “It’s not a fair fight.”
This National Cybersecurity Awareness Month, here are four routine things to stop doing online — and a few alternatives from cybersecurity experts.
1. Recycling passwords
Study after study shows that a majority of people reuse passwords across sites. This lets a hacker who uncovers your password in a data breach of one site easily use it elsewhere.
But what to do when everyone from your dog groomer to your grocery store wants you to create a login? Doug Jacobson, director of Iowa State University’s Information Assurance Center, recommends separating accounts into security tiers. The most sensitive — such as your financial accounts — should all get a unique, robust password. Slightly less sensitive accounts can share a set of strong passwords, and the least crucial, ones with little or no personal data attached, might share the same password.
To create a solid password, Levin suggests choosing a phrase that would be tough for others to guess and changing key characters: making an “o” a zero or turning a 1 into an exclamation point. You can also use a password manager, such as 1Password or LastPass, to create and store strong passwords that are random character strings.
»MORE: Freeze your credit so accounts can’t be opened in your name
2. Granting all the permissions apps request
Many apps ask for access to certain aspects of your phone’s data when you download them. And while it’s understandable that Google Maps wants to know your location, says Kurt Rohloff, director of the Cybersecurity Research Center at the New Jersey Institute of Technology, other apps have less transparent intentions when collecting your data.
Your data might be used simply for marketing purposes, but unless you’ve done a deep dive into who’s making all your apps, it’s better to be cautious. Apps should have “the bare minimum [information] they need to provide services,” Rohloff says.
If you’ve already given an app too much access, try adjusting its permissions in your phone’s settings, Rohloff says. For directions, click here if you have an Android, and here if you have an iPhone. And if that breaks the app, find an alternative.
3. Oversharing on online account applications
You probably know the pitfalls of posting vacation updates — hello, burglars — or giving your Social Security number just because a form has a blank for it. Any personally identifying information you disclose that falls into the wrong hands can “[give] hackers a pathway into your life,” Levin says.
When creating an online account, Jacobson says, “Give them only the information that has the star by it,” indicating a required field. “You don’t need to fill out your full profile.”
And you need not always be truthful, either. For example, you can supply a fake mother’s maiden name or high school mascot for security questions, Levin says. “No website is going to conduct a national security clearance to see if you are who you say you are,” he adds.
4. Trusting appearances
Scam emails don’t always come complete with typos and graphics from 1997 to tip you off. In fact, Jacobson says, he recently received an email from a hacker masquerading — somewhat convincingly — as his boss, asking for money. These messages can also harvest your account information or install malicious software on your computer.
“Always independently confirm who that company is or who that individual is through another source,” Levin says. That might involve calling the supposed sender to confirm the request. Make sure to use a number you know is safe — for example, one you find on your bank’s own website as opposed to clicking through the email.
And if you’re ever entering payment information, look for the padlock symbol on your browser window. “What the padlock ensures is that the website you typed in is the one you went to … and the communication is encrypted,” Jacobson says.
»MORE: How to protect yourself after a data breach
Being cautious keeps you safe
Pausing to consider your clicks definitely makes the internet less convenient. But when you receive services for free online, Jacobson says, “you typically are paying for them with your information.” That doesn’t mean you have to delete all your accounts, but you should ask yourself if the service you’re receiving is worth the information you’re giving up.
Luckily, for most people, identity theft is a crime of opportunity, Jacobson says. So taking even small steps to safeguard your data can make you a less tempting target.
“Generally, my attitude about this is, something is better than nothing, and small things are better than no things,” Rohloff says.