Reflecting on the risks inherent to an increasingly remote workplace, one of our interns shares their thoughts on digital security after a week on the job.
The practice of digital security – those precautions taken online to mitigate risk – has never been so crucial. The COVID-19 pandemic has prompted a seismic shift in the way the modern workplace operates. Whole companies are restructuring, and adopting remote, decentralised models. Accompanying this change, however, is a growing awareness that the onus for conducting digital security best practice now lies more than ever with the individual.
To the extent that this responsibility has been recognised by most users, attention has often been focused on Virtual Private Networks – or VPNs. Whilst a VPN does provide one of the most simple and effective ways of staying secure online; this doesn’t mitigate all threats and the benefits it does offer should not come at the cost of overlooking other digital security responsibilities. Indeed, it was only when I started interning at Kiris Group that I noticed how much I took the protection provided by my VPN for granted. In this post, I will be sharing my own experiences with you, and presenting a five-point digital security toolkit to help keep your device secure.
Before starting at Kiris Group, I saw myself as quite digitally responsible. Undertaking a graduate course in Intelligence and International Security heightened my awareness of full-spectrum, malicious online threats, as well as deepening my understanding of the need to incorporate digital security best practices into everyday usage of the internet. As such, I used Two Factor Authorisation (2FA) on my mobile device; updated my different passwords regularly; employed antivirus protection, conducting regular computer scans; and, of course, I used a VPN service.
Whilst I had taken steps to improve both my personal habits and my technical capability, there was one key area that I had overlooked – browser extensions. Browser extensions, otherwise known as ‘add-ons’, are small applications that can either modify how you browse the internet or allow to you carry out additional functions. Some, if used appropriately, can improve your digital security. In particular, I will be discussing 2FA and password-managers; anti-virus software; tracker-blockers; fingerprint defenders; and encryption security.
1. 2FA and Password-Managers
2FA, the effect of adding an additional layer of encryption and security to a user platform, is most often associated with accessing mobile devices - via passwords and facial recognition software, for example. However, it is also freely available on most desktop devices and is easily enabled through the settings of most apps. The most important platform for 2FA is usually your email account as it contains a plethora of sensitive data; the simple effect of introducing 2FA is that every time you log in, you will either be sent a code via text message or be sent a code through any number of apps designed for the same purpose. This is also a handy early warning system to be alerted if anyone is attempting to access your account. Using a password-manager can also make a device more secure by ensuring that you only need to keep track of one master password, enabling greater variation in the others. Such protection is crucial, with a recent study indicating that 90% of internet users in the UK are worried about their password security.
2. Antivirus Software
Using antivirus software fundamentally makes a device more secure by providing real-time protection against malware and its subset forms. However, it will not always limit the user’s exposure to infected carriers of such malware - most commonly presented in ‘pop-up’ advertisements and phishing emails - as long as the pop-ups remain interactable. For the risk posed to the user to be best mitigated, it is vital to ensure that any antivirus has inbuilt firewall capability. By preventing carriers and malware from entering the browser through content-filtering – specifically ad-blocking – this can dynamically limit the user’s exposure to risk.
3. Tracker-Blockers
Whilst a VPN can mask a device’s IP address, a user’s location and traffic might still be discernible through other routes. The most common of these comprise analytics and marketing – taken together as tracking – cookies. These cookies (often dropped as text files on specific browsers) track highly personal data about individual users, including their IP addresses and browsing activity, for the purpose of targeted marketing. In so doing, these cookies will ‘track’ those consecutive sites visited by the user, creating a digital paper trail. This aggregated information, moreover, might be shared with third-party vendors, leaving the user open to additional risk. Tracker-blockers, quite simply, is useful in helping to prevent cookies of this nature from tracing and capturing the user’s online activity.
4. Fingerprint Defenders
Tracking cookies are not the only means through which a user’s online activity can be recorded. Another way is browser fingerprinting. When a webpage is accessed, its fingerprinting script will interact with the JavaScript of the accessing device. In turn, it draws text according to established font and size parameters and adds background colours. Once this has been achieved, it will take the hash (essentially a map of the data) and save it, leaving a fingerprint. Depending on the webpage owner’s advertising partnerships, this too could be shared for future user-identification. However, a fingerprint defender can alter the data, ensuring that it is no longer unique, and thus no longer as identifiable.
5. Encryption Security
The last type of extension to consider is communication encryption software. It affects ‘https://…’ – a five-letter abbreviation visible at the start of most web addresses. Standing for ‘Hypertext Transfer Protocol Secure’, HTTPS is a combination of the ‘Hypertext Transfer Protocol’ (HTTP) and the Secure Socket Layer (SSL). Essentially, its acts as an authentication and security protocol that carries out the crucial function of encrypting data transmitted between user and webpage – in both directions. As such, it prevents potentially malicious third parties from observing what data is being exchanged. Because HTTPS is not used on every browser, however, scope for intrusion still exists. By using an add-on that refines web searches to ‘https-only’, potentially malicious sites can be avoided.
From all of this, it should have been made clear that the line for ensuring individual digital security should not be drawn after the installation of your device’s VPN. Even though such measures are undoubtedly effective, they are not sufficient in isolation, indeed as threats perpetually evolve, it is the behaviour and awareness of the user that is every bit as vital as any technical measures.
But, by employing a range of browser add-ons, along with incorporating good personal practice, the safety of a user’s device can be further assured. The key to digital security best practice, then, lies in a combination of responsible behaviour with the right tools. While learning these revelations – just a week in, mind you – has been eye opening, I am definitely looking forward to learning more and more!