ECSM 2019: Tips for your cyber hygiene

Hygiene is about maintaining health through many small, routine actions, such as taking a bath, washing your hands and clothes, or cleaning surfaces in rooms. When it comes to “cyber hygiene”—the first of two topics addressed by this year’s European Cyber Security Month—we think of “easy actions to keep or improve your level of information security.”

In this article, we present several quick actions to keep or improve your level of information security.

Quick actions for better cyber hygiene

In the following, we present several quick actions. There is no specific order, and you don’t have to implement everything. If you have further suggestions, feel free to contact us.

Your devices

You likely own one or more devices to access this website and the whole internet. Examples are smartphones, laptops, and desktop computers. However, there are even more devices in our “everything is smart” world like IP cameras, smartwatches, or a fridge connected to the internet. Then, you may have a router and other devices on your home network. Maybe, you also run a server somewhere. All devices need care. Here are some tips:

  • Install updates for operating systems, apps, and software packages: This tip looks very straightforward, but maybe you are one of those people who always postpone security updates. Of course, even your router or IP camera runs software, and it may need security updates, too. If possible, allow devices and software to download and install updates automatically. This is especially important for software that directly communicates with the internet, like operating systems, web browsers, and many apps.
  • Keep an up-to-date inventory of your devices: This may look like an impossible or unnecessary task. However, if you ever lose a device, this inventory can be a lifesaver. Start small and continuously add and update entries. For example, write down the names of your devices, information about the warranty, monthly costs, and security-related information such as which accounts and credentials are stored on each device (so that you know what to change or revoke if it is lost). Record which credentials are stored, not the passwords themselves.
  • Disable unused interfaces: Every device comes with interfaces to interact with you or other devices. For instance, there is WiFi, Bluetooth, NFC, USB ports, file sharing, or optical interfaces. If you do not use Bluetooth, turn it off. If you do not use WiFi, turn it off. If you are tech-savvy, disable unused USB or network ports as well.
  • Delete unused apps and software packages: If you don’t use certain apps on your device, delete them. Software that isn’t on your device can’t be exploited. Sometimes, installing software also installs dependencies on your system. Regularly check if you still need these dependencies (like the Java Runtime Environment or Python 2).
  • Delete unused accounts and settings on your devices: Many devices allow you to store specific authentication data, e.g., WiFi names and passwords or Bluetooth devices paired with them. If you don’t need this data anymore, delete it.
  • Never connect removable media to your devices without knowing its origin: We think of a random USB flash drive in the parking lot here. Lost and found items can be malicious.
  • Turn on full-disk (or similar) encryption: If your device allows you to set up full-disk encryption easily, turn it on. This encryption protects data at rest (data stored on your device’s storage media), for example, if someone steals your USB flash drive, hard disk, or laptop. It doesn’t protect data in transit (like your network traffic) or data in use (like data currently in your device’s memory). Keep in mind that a device that is switched on and unlocked has the encryption key in memory, so full-disk encryption protects best when the device is powered off.
  • Securely dispose of devices: If you don’t want your smart-something anymore or if your laptop needs to be replaced, be aware that there is personal and sensitive data on it. Just deleting data or resetting to factory settings isn’t always sufficient. Look for ways to securely erase data on the devices, or remove their data storage before disposing of/selling the rest. If you are unsure whether your family photos, web searches, and banking data have been securely deleted, contact service providers specialized in securely disposing of media.

Your accounts

Besides devices, you have likely registered one or more accounts on the internet. Examples are e-mail accounts, online banking accounts, and online shopping accounts. There are also accounts created by apps on your smartphone in the background. For instance, if you sign up for an instant messenger, it likely registered an account for you. Again, here are some tips:

  • Think twice before registering new accounts: Before registering for a new service (like an online store, forum, instant messenger), think twice if you need this service. Read its privacy policy. Does it look complete? (see “GDPR: How to identify incomplete privacy policies?".) Who runs the service? Which data must be provided to use the service? Keep in mind that online assessment tools are never sufficient (see “Pros and cons of online assessment tools for web server security”) to rate the security or privacy of a service. These tools only look at a tiny set of technical features but can’t rate important aspects like processes, people, or organization.
  • Provide the least amount of personal data possible, and document data you enter: Like a basic inventory of your devices, it is good to document the personal data you enter on the internet. This may again sound like an impossible task, but it doesn’t have to be complicated. For instance, most common password managers allow you to store notes in addition to the password itself. Use these text boxes for documentation. Say you registered an account for online shopping and entered your name, your physical address, date of birth, e-mail address, and password. Since you likely already store the e-mail address and password for this account in a password manager (we hope so, at least), you only have to add “name, physical address, DOB” to this entry.
  • Download and delete old e-mails and other old data: E-mails that no longer exist on the server can’t be leaked or accessed by unauthorized parties there. Most people don’t keep their physical mail in their physical mailbox either. For instance, there is usually no reason to store 2-year-old e-mails online. However, some people never delete their e-mails. The same is true for other data. If it is still important, download it and store it offline.
  • Delete or disable unused accounts: Some people try out services by registering an account, and then they never log in again. This seems to be true for many accounts on the Fediverse, for example. If you don’t need your account anymore, delete it. If it can’t be deleted (for example, Wikipedia accounts can’t be deleted), disable it. This makes impersonation much harder. Furthermore, if this data gets leaked in the future, attackers can’t misuse it. Remember that many service providers may still store information about you even after deleting your account (for instance, for legal reasons or in backups).

Your overall security

There are many more tips, of course. In the following, we have some more general tips that affect both devices and accounts.

  • Use password managers and 2FA: Password managers help you to manage all of your accounts. They do not only store passwords. Two-factor authentication like OATH-TOTP or U2F helps you to make authentication more secure. Note that U2F (and its successor FIDO2/WebAuthn) binds the second factor to the website’s origin and is therefore resistant to phishing, while a TOTP code can still be phished. See our in-depth article on “Modern credential management: security tokens, password managers, and a simple spreadsheet."
  • Check security and privacy settings: Many devices and services allow you to configure security and privacy settings. Spend some time understanding these settings and enable/disable them accordingly. However, you should also check if your configuration remains the same over time. Updates or attackers may change your settings.
  • Be cautious if you use public network infrastructure: Here, many tips are like “always use a VPN if you are on public networks.” But which VPN is best? And why is it useful? Does it improve your security by adding some “military-grade encryption”? Keep in mind that most websites and apps already encrypt their traffic with TLS; a VPN mainly moves the trust from the operator of the public network to the operator of the VPN. We recommend primarily using your cellular network even if there is free WiFi around. If you are a tech-savvy person, set up your own VPN. In the end, using a VPN is always about trusting another party.
  • Back up data, and check its recoverability: There are many ways to lose access to your favorite chats, family photos, and other memories. Back up your essential data from time to time, and check if it can be recovered.
  • Leave physical authentication media at home, or use RFID shielding: We think of your banking cards, employee badges, and passports here. Even if they come without NFC/RFID technology, they can be lost or stolen. So leave them at home if you don’t need them. If you have such cards and badges with radio interfaces like NFC or RFID, you may want to use wallets with RFID shielding. Some people call this overkill; others physically damage the chips in their cards to get rid of them. They are your cards, so it’s your choice.
  • Be aware of social engineering: Social engineering is much more than phishing, and it works perfectly well without any technology, since it exploits human traits rather than technical flaws. Be skeptical if something strange happens. Read “The story of Jessika."
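Two of the tips above are easy to automate: checking that your configuration has not silently changed over time, and checking that a backup can actually be restored. The following Python script is an added example and not code from the original article. It builds a SHA-256 manifest of a directory, compares manifests to report drift, and restores a tar.gz backup into a scratch directory to verify it against the manifest taken at backup time. The directory layout, file names, and settings in `demo()` are constructed sample data.

```python
"""Baseline-and-verify helper: detect configuration drift and prove that a
backup is restorable. Added example; not part of the original article."""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that were added, removed, or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in common if baseline[k] != current[k]),
    }


def create_backup(root: Path, archive: Path) -> Dict[str, str]:
    """Write a tar.gz of root and return the manifest taken at backup time."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:  # add files one by one with safe relative names
            tar.add(str(root / rel), arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Restore the archive into a scratch directory and compare it with the manifest.
    An empty diff means every file came back with the expected content."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter (Python 3.12, backported to 3.8.17+) refuses
                # absolute paths, ".." traversal, and other hostile members.
                tar.extractall(scratch, filter="data")
            except TypeError:  # older Python without the filter keyword
                tar.extractall(scratch)
        return diff_manifests(manifest, build_manifest(Path(scratch)))


def demo():
    """Constructed walk-through: baseline a config directory, back it up and
    verify the backup, then simulate an update that changes a setting."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "config"
        (cfg / "app").mkdir(parents=True)
        # Sample settings (constructed data, not taken from any real system).
        (cfg / "sshd_config").write_text("PasswordAuthentication no\nPermitRootLogin no\n")
        (cfg / "app" / "settings.ini").write_text("[privacy]\ntelemetry = off\n")

        archive = Path(tmp) / "config-backup.tar.gz"
        baseline = create_backup(cfg, archive)
        backup_check = verify_backup(archive, baseline)  # expect no differences

        # An update (or an attacker) silently flips a privacy setting and adds a file.
        (cfg / "app" / "settings.ini").write_text("[privacy]\ntelemetry = on\n")
        (cfg / "app" / "cloud-sync.ini").write_text("[sync]\nenabled = true\n")
        drift = diff_manifests(baseline, build_manifest(cfg))
        return backup_check, drift


if __name__ == "__main__":
    check, drift = demo()
    print("backup verification:", check)
    print("configuration drift:", drift)
```

In practice you would store the baseline manifest somewhere the monitored device cannot modify (for example, inside the password manager notes mentioned above or on a separate medium) and re-run the comparison after every update; a non-empty `changed` or `added` list is the moment to re-read the affected settings.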

Other long-term activities

Finally, we recommend three long-term activities:

  1. Burst your filter bubble: Some websites specialize in dictating what you should read and avoid on the internet. Their sole mission is to keep readers in filter bubbles, so that readers repeat the ideas and recommendations of such websites without understanding use cases, threat models, or many other aspects that are important in the context of information security and privacy. Due to this, it is vital to get information from many different people and sources. Read the pros and cons, understand how things work, and ask people about the reasons for their recommendations.
  2. Help to debunk myths: From time to time, we come across security and privacy myths (see our articles on myths). Please help us debunk them to improve everybody’s security and privacy.
  3. Tell your friends and family members about information security and privacy: Since many people still think that information security is only related to technology (as in IT security), they are not interested in this topic. This is perfectly understandable to us. No one can be an expert in every domain. However, a basic understanding of the most critical concepts of information security and privacy is essential for everybody nowadays. As a reader of our website, you are probably part of the minority of people interested in these subjects. Therefore, it is essential to inform your family members and friends. Tell them your thoughts about information security and privacy. Discuss your ideas. You don’t have to give a lecture.

Cyber hygiene means keeping or improving your level of information security in day-to-day life. Many tips can be quickly put into practice. Don’t stop here! Read other articles on our website, and get information from other sources. Information security and privacy affect everybody nowadays, and it is a shared responsibility.