Cyber Hygiene


I put this together for a previous employer. It's slightly modified here.

Also, PrivacyGuides.org is a solid website with tips on what tools to use. A little over the top for some users, but a good place to go if you have questions.

Personal Cybersecurity

Password reuse and phishing are the most common ways that accounts are compromised and companies are breached.

Using a password manager to generate unique, strong, random passwords, in combination with multi-factor authentication (MFA), mitigates both risks: a password leaked from one site can't be replayed against another, and a phished password alone is much less useful to an attacker.

Secure both your personal and work accounts with a strong password from a password manager and with multi-factor authentication wherever it is offered.

Passwords

  • Must be long (15+ characters), unique to each account, private, and random (generated by your password manager, not by you)
  • Recommended password managers include 1Password (paid) and Bitwarden (free/paid, open source)
  • Pick a good master password: a passphrase, or better yet, a password generated by the password manager that you then memorize. It's fine to write the master password down and keep it somewhere physically safe until you have memorized it. How to choose a good master password
  • The goal is a unique password for every account, so that a breach at one site doesn't expose the others.
  • Don't store passwords or credentials in documents, spreadsheets or chat, and don't share them over email.
  • "Avoid generating passwords or password recovery passphrases based on information that can be derived from publicly available information or social media. Malicious actors will attempt to perform a password recovery against a target, then attempt to determine the recovery question against the target's social media profiles." (added by a security consultant)
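The "long, random, generated" advice above comes down to entropy. The following is an added example (not code from the original guide or from any password manager) showing how a manager generates a password or passphrase from the OS random source, and how to compute the entropy behind the 15+ character rule. The word list, the 1e10 guesses/second cracking rate, and the function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Symbol set a password manager typically draws from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 32-word list for illustration only; a real passphrase generator
# uses a large published list such as the EFF's 7,776-word diceware list.
WORDS = ("anchor", "basil", "cobalt", "drizzle", "ember", "falcon", "glacier",
         "harbor", "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar",
         "orchid", "pebble", "quartz", "ripple", "saffron", "thistle", "umber",
         "velvet", "willow", "xenon", "yarrow", "zephyr", "acorn", "bramble",
         "cinder", "dune", "fennel", "grove")


def random_password(length=20, alphabet=ALPHABET):
    """Uniformly random password drawn with the OS CSPRNG (secrets), never random.random()."""
    if length < 15:
        raise ValueError("use 15+ characters; shorter passwords fall to offline cracking")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=6, wordlist=WORDS, sep="-"):
    """Diceware-style passphrase: each word is an independent uniform pick from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(symbols, alphabet_size):
    """Entropy of `symbols` independent uniform picks from `alphabet_size` options."""
    return symbols * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to try every possibility at an assumed offline guess rate (hypothetical figure)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare():
    """Why the guide says 15+ random characters, or about six diceware words."""
    cases = {
        "8 random chars": entropy_bits(8, len(ALPHABET)),
        "15 random chars": entropy_bits(15, len(ALPHABET)),
        "20 random chars": entropy_bits(20, len(ALPHABET)),
        "6 words from a 7776-word list": entropy_bits(6, 7776),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits)) for name, bits in cases.items()}


if __name__ == "__main__":
    print("password:  ", random_password())
    print("passphrase:", random_passphrase())
    for name, (bits, years) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

Eight random characters from the 94-symbol set are about 52 bits, which the assumed guess rate exhausts in days; fifteen characters are about 98 bits, which it does not exhaust in the lifetime of the universe. A six-word passphrase from a 7,776-word list sits at about 78 bits, which is why it is the usual recommendation for a master password you must type from memory.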

Password resources

Multi-Factor Authentication (MFA)

Additional methods of authentication provide another layer of protection in case your password is compromised: the attacker then needs something you have as well as something you know.

We will mostly be using cell phone apps as our second method of authentication.

Use MFA for any accounts and logins that support it, but especially your important accounts: your main email (which can reset the password on almost everything else), your bank, and social media.

  • Google Account (Gmail, etc.)
  • Bank
  • Tax software
  • Social media sites
  • Any business resources should have MFA enabled

Some MFA methods are stronger than others. Here's a list in rough order of strength, with the weakness of each:

  1. Hardware keys (FIDO2/WebAuthn security keys): the only option on this list that is phishing resistant, because the key only answers for the site it was registered with, so a look-alike site gets nothing
  2. Authentication app - push notifications: convenient, but attackers abuse them by sending prompt after prompt until a tired user taps approve ("MFA fatigue"); never approve a prompt you did not just trigger, and prefer apps that require number matching
  3. Authentication app - one-time codes (TOTP): not tied to your phone number, but a code can still be typed into a fake login page and relayed to the real site within its validity window
  4. Email: only as strong as the email account itself, which should be protected by one of the options above
  5. SMS/text message: weakest, because the phone number can be hijacked by a SIM swap and messages can be intercepted; still far better than no second factor

Phishing

Phishing is a fake email, text message or call that tries to get you to click a link, download a file, or enter your password into a look-alike login form.

  • Take this phishing quiz: phishingquiz.withgoogle.com
  • A CEO or manager won't ask you by email or text to purchase gift cards or wire money; that request is a scam no matter how real the name looks.
  • Only open attachments if you are expecting them and they are in a format you are comfortable with.
  • Opening documents in Google Docs or Google Drive is safer, since the file is rendered in the browser instead of being opened by an application on your computer.
  • If you are suspicious of an email or a request, confirm with the sender through a different channel (e.g. Slack/Mattermost, Signal/WhatsApp, a phone call to a number you already have), not by replying to the message.
  • If you receive spam text messages, report the message to your carrier and block the unknown sender. What to do about Spam Text Messages
  • "Users should take extra time when they receive an email in which the sender is attempting to induce a sense of urgency, even if the email appears to have come from a coworker. For anything that is urgent, the user should take an extra moment to look for other suspicious indicators. This is a common tactic utilized to get people to skip steps in their process or just click a link or download an attachment without verifying." - security consultant
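The indicators above (a familiar name on an unfamiliar address, replies diverted elsewhere, a link whose visible text disagrees with where it really goes) can be checked mechanically. This is an added example, not code from the original guide or from any mail product: it parses a raw message with the standard library and reports those indicators, including punycode look-alike domains. Both messages are constructed for the example, the trusted-domain set is an assumption, and the checks are deliberately simple (no DNS, SPF or DKIM lookups, which a real mail filter would add).

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phish): display name impersonating the CEO on an
# unrelated domain, a Reply-To that diverts replies, a link whose visible text and
# real destination disagree, and a punycode look-alike domain.
SUSPICIOUS = """\
From: "Jane Doe (CEO)" <jane.doe@example-corp-mail.net>
Reply-To: ceo.desk@mail-relay.example
To: staff@example.com
Subject: Urgent: approve this payment before 5pm
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign in and approve the wire today:
<a href="http://example.com.secure-login.example.net/">https://login.example.com</a></p>
<p>Portal: <a href="http://xn--exmple-cua.com/">example.com</a></p>
</body></html>
"""

# Constructed benign message from the trusted domain, for comparison.
BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Q3 planning doc
Content-Type: text/html; charset="utf-8"

<html><body><p>Draft is in <a href="https://docs.example.com/q3">the shared drive</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def phishing_indicators(raw: str, trusted_domains: set) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg["From"]))
    from_domain = domain_of(addr)
    if from_domain not in trusted_domains:
        findings.append(f"From domain {from_domain!r} is not trusted (display name {name!r})")

    reply_to = msg["Reply-To"]
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if domain_of(reply_addr) != from_domain:
            findings.append(f"Reply-To domain {domain_of(reply_addr)!r} differs from From domain {from_domain!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")

    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if any(label.startswith("xn--") for label in host.split(".")):
            try:
                renders_as = host.encode("ascii").decode("idna")   # what the address bar would show
            except UnicodeError:
                renders_as = host
            findings.append(f"Link to punycode host {host!r} (renders as {renders_as!r})")
        shown = text.lower()
        if "." in shown:  # visible link text looks like a URL or domain; compare it to the real target
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if shown_host and shown_host != host and not host.endswith("." + shown_host):
                findings.append(f"Link text shows {shown_host!r} but points to {host!r}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SUSPICIOUS, {"example.com"}):
        print("-", finding)
    print("benign message findings:", phishing_indicators(BENIGN, {"example.com"}))
```

The first link is the classic trick: the real host is `example.com.secure-login.example.net`, where `example.com` is just a leading label on an attacker-controlled domain, while the text the reader sees says `login.example.com`. The same logic is what you do by hand when you hover over a link before clicking it.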

Phishing Resources

OPSEC (beware of what you share)

Operational Security (OPSEC) is “the process of protecting individual pieces of data that could be grouped together to give the bigger picture” - Wikipedia

Be cautious of what you post on social media. Don’t overshare.

Lock down your Instagram, Facebook, etc. Set to private.

Don't leave "breadcrumbs" of information on the internet, such as company details, home addresses, travel dates, or photos of badges and workspaces; individually harmless posts add up to a profile an attacker can use for targeted phishing or password recovery questions.

Additional Security Resources