15 Minute Freelancer

53. Cybersecurity for freelancers (with Ross Wintle)

April 08, 2022 Louise Shanahan Episode 53

Do you know if you’ve been pwned? If you don’t even know what that means, don’t worry, you’re not alone. 

The world of internet security can be a scary place, and it’s not always easy to know where to start with protecting ourselves online. But as freelancers, it’s a subject we can’t afford to just ignore and hope it won’t affect us.

In this episode, Ross Wintle, a software developer and former freelancer, shares his tips to keep our online assets safe and sound. Listen in to hear:

  • The four critical services we should make sure we are protecting
  • Why a password manager is an essential investment for your business
  • How to check if you have been "pwned" (and what it means!)
  • Some easy steps you can take to keep your information – and business – secure.

Resources:

Article by Ross on cybersecurity: https://rosswintle.uk/2020/01/stepping-up-the-security-ladder/
Have I Been Pwned: https://haveibeenpwned.com/
LastPass: https://lastpass.com/
1Password: https://1password.com/

Say hi to Ross:

Website: https://rosswintle.uk/
Twitter: @magicroundabout

Say hi to Louise:

Louise Shanahan is a freelance health and medical copywriter and a big fan of finding your freelance niche. She's on a mission to help others build a freelance business that feels easy and works for them – in weekly snack-sized bites.

LinkedIn: Louise Shanahan
Twitter: @LouiseShanahan_
Website: thecopyprescription.com

If you find this episode helpful and you'd like to show your appreciation, consider leaving a tip over at ko-fi.com/15minutefreelancer. All donations help cover the cost of running the podcast and are very much appreciated!

Intro

Welcome to 15 Minute Freelancer, your snack-sized guide to being your own boss and building a business and life you love. I'm your host Louise Shanahan. My LinkedIn bio says I'm a freelance health copywriter. But for the next 15 minutes, I'll be tickling your ears with practical strategies, behind-the-scenes stories, and nuggets of wisdom so you can create a freelance business that works for you. Whether you're just starting out or you've been self-employed for a while, I'll be right here with you to help you navigate the ups and downs of freelancing life. So grab a coffee, relax and join me for 15 minutes of freelancing fun. Don't forget to hit subscribe.

Louise: Hello, everyone. Welcome back to the 15 Minute Freelancer Podcast. I'm Louise Shanahan and today I'm very excited to be speaking to Ross Wintle, who is a software developer and former freelancer. Today we're going to be digging into the nitty-gritty of internet security. This is something that I think a lot of us freelancers know we should be paying attention to but can probably convince ourselves to ignore for a bit until we see a headline or we hear about a friend having a website hacked or something like that, which sends us into a panic. Well, panic no more! Ross has some tips for us on how we can keep all our online assets safe and sound. Hi, Ross. How are you?

Ross: Hi, I'm good, thank you. Yeah, I know your intro introduces the podcast as 15 minutes of freelancing fun – I'm not sure we're gonna have fun today! It’s going to be a bit scary, a bit spooky, but we'll certainly show you around some of the security stuff that I've learnt from my time developing software.

L: Yeah, let's dive right into the roller coaster ride that is internet security. I'm sure we can make it fun. So what exactly do we mean, when we talk about internet security? What does that encompass? And why is this something that freelancers should be thinking about or investing in?

R: I like to think of it as the same as if you had a physical shop on a high street somewhere. You wouldn't just leave your shop open all day for people to be able to try the door or fiddle the handle and see if it opens and walk in and steal your stuff. As well as our physical presence in the world, our online presence in the world is something that we don't want to be compromised, to be broken into, to be torn apart or stolen by other people. That's why internet security is important. And if you run a business, then even more so because your income, your livelihood, might depend on those online assets being safe and people not being able to get access to them.

L: Yeah, so it could cost you time, money, and a huge amount of stress if you have any issues.

R: Yeah, and there's also data protection stuff as well. If you are running ecommerce, for example, you're collecting personal data about people, and so you have an obligation to protect that information and keep it safe too.

L: What are the main risks that we should be trying to protect ourselves against?

R: There are two basic kinds of what we call attack, if we're going to be scary, that you're likely to be subjected to. The first is what I call a drive-by attack. There are these bots on the internet, which are constantly trying to log in and try different usernames and passwords. So if your email address, for example, is on the internet, and one of these bots manages to find out what your password is they might be able to log into your email or your Facebook. Any website can be subject to that, especially if you look after your own WordPress site or something like that. The other kind of attack is what I would call social engineering where we all have to be careful what buttons we click in emails and what links we visit, because we don't want someone to send us something that's like a phishing email or something which tricks us into doing something that we don't want to do.

L: So how do we approach this then, what kind of things should we be looking out for?

R: I could present this one huge, long list of all the things that you could do to keep yourself ultra-super secure on the internet, but that huge blob of security stuff is really scary and intimidating. I like to just encourage people to identify what the next step is, and to take the next step. So maybe you start by looking at the critical services that you really don't want people to get access to. Those things are your email, your social media accounts, your website, and your domain registrar that you log into to make changes to your domain records and things. The reason that they're important is that if somebody were to get access to say, your email, then what they can do is they can go and try and use your email address to do a password reset on something like Facebook. They then might be able to reset your Facebook account and get access to that. If they get into your social media, maybe you've used your login with a Facebook button to log in to somewhere else. So once they've got your social media, maybe they can then get access to other things. Even the domain registrar, that's really important, because if someone gets access to your domain records, then they can actually divert your email somewhere else, and again, access your password reset messages and stuff like that. So those four things are a really good place to start. Don't think about all the places that you log into, go what can I do next with my email, with my website, with my domain, with my social media? Can I make a stronger password? Can I use a different password on each of those services? Those kinds of things are the next steps that you could take.

L: I think there's actually a website where you can check if your email address has been accessed already. Is it called have I been “powned” [pwned]? Or something like that? Am I saying that right? I don't know how you say this funny internet lingo?

R: I think you say the P as an O, technically, but everybody says, have you been “powned”. What happens there is there's a guy who collects information from what we call leaks. Let's say a big website gets attacked and somebody gets access to the database of that website, which has got all of your information about your user account. That can get leaked, and it can go on the dark web, and all sorts of scary stuff can happen. People can get access to that database of usernames and addresses and stuff like that. That happens, that's just an ordinary part of internet life, there's nothing really secure anymore. What this guy does is he collects up all of those leaked databases, and he processes them all into one place. While I would normally say don't ever go and type your password into another website, what he lets you do is put your email address in or your password in, and it will tell you if those things have ever appeared in one of these leaks. So you can actually check if your username and password have been put on the internet somewhere, and that some bot might be using it to try and login as you somewhere.

L: And this could have happened, say you signed up for a service, and they had some sort of data breach. I actually had a look at this before we spoke, and I could see a list, unfortunately, my email address had been pwned. It said, it was things like Canva had a breach in 2019, and things like that, there were just a couple. But it's definitely a bit of a fright to be honest when you see that someone's had access to that information. And it's a good reminder to practice good password hygiene and change your passwords regularly. Is that something that you would recommend? Or do you think just having a password manager is sufficient?

R: Yeah, so one of the next steps that you might take is you might identify those critical services, the four that I mentioned earlier. Say for example, you use the same password for your Canva account as you did for your email, then the fact that your Canva password has been leaked and is available on the internet somewhere and is probably tied up with your email address means that someone might be able to grab that database and try to log in to your email account. So the first really basic step is, for those four critical services, don't use the same password for all of them, and for other things. If you're just using one password for all services, your next step is to identify critical services, change passwords on the critical services, and make sure you keep them strong and keep them different.

L: And password managers like LastPass and 1Password make it quite easy to generate really random passwords, so you don't even have to come up with it yourself, do you?

R: And they even make logging in even more seamless: you don't have to think or type, because they'll automatically fill in the password on the login form for you, which is great. I also just want to dispel a little myth. Sometimes on the internet, you'll see someone's seen in a stationery store, like a password book, and they're kind of mocking, ha-ha, this looks like a really silly thing, nobody should do this. But actually, I would say if the thought of having a password manager is a bit intimidating, that you don't want to learn a new tool, then actually having a password book helps you take that next step. So as long as you don't – like some people put sticky notes on their screen, and then they'll take a picture of their office and then their password that they've put on a sticky note on the screen is all over the internet. Don't take pictures of what's in this book. Keep it closed, keep it somewhere safe. But having a book with different passwords in it is actually way more secure than just using one password on all these services. Because the probability that someone breaks into your house and steals your password book is much, much smaller than the probability that you get a drive-by attack, or that one of these leaked databases is used to try and login to one of your user accounts somewhere.

L: Yeah, or even saving them in a Word doc or something on your laptop.

R: Yep, something like that. I mean, that's a step on from having an offline book, is putting it online somewhere, but somewhere that is secure. So if you're going to put it in a Google doc, you've then got to make sure that your Google account is secure enough to be storing that kind of data.

L: What are some other steps that we could be taking to protect our domains or social media? Banking, as well, is another one lots of us are using.

R: If you're happy that you're using different passwords in different places, the next step might then be to use a password manager to make sure you're doing that everywhere, and that you're using complex passwords that are really hard to guess. These password managers, like 1Password and LastPass, I always say that they cost about the same as a cup of coffee or two a month. Some people are reluctant to pay for software, they think that software, you know, should be free or should always have free entry. But just consider if you had that physical building, if you had that shop, you'd be putting locks and alarms on it, and you'd be paying for them. And your internet presence is also worth spending money on. Just paying this four or five, pounds or dollars a month, just to have a password manager is a really great investment for your business and well worth doing. They will generate strong passwords for you. They will help you store them securely. And in some cases, they'll let you share them with other people as well.

L: Yes, I was going to mention that I absolutely agree. I think it's a very small but important investment to make just for that peace of mind and security. I know with LastPass, when you get the paid version that allows you to share with other people. Because if you're working with a virtual assistant, or you have other subcontractors where you need to share access to different accounts that are password-protected, then you want to be able to do that in a safe way. So these password managers will allow you to do that too, don’t they?

R: And if you have a website or something that has multiple user logins, don't go sharing your login with other people. Always be hesitant if someone asks you to share your username and password with them. Try and find a way to create them an account that has access to the thing that they need access to. I get that a lot, people send me their username and password, and I go, no, don't send me that, I don't want to know what your password is. Set me up an account. You can do this in WordPress, you can do this in a lot of domain providers, grant me the access that I need, and then take it away, so delete the account or close it down when we finish working together.

L: Another thing I wanted to ask you about is VPNs. Can you explain what they are, how they work and why we might want to think about them? I'm specifically thinking of those of us who like to work from coffee shops and log on to WiFi and things like that. Why is a VPN important in that situation?

R: When you are accessing the internet, you are sending all sorts of information, to websites, to your bank, to all these other places. Generally, these days that information is encrypted between you and the service that you're using, but not always. What a VPN is, it's an extra intermediary, secure layer of encryption, which sits between you and the services that you're using. This is really important, if you are in a public place, like a cafe or working from a co-working space. Particularly if you're handling some kind of sensitive data, it's really important to use a VPN to encrypt all of your internet traffic and make sure that nobody else can intercept it and view the stuff that you're sending back and forth across the internet. So that's what VPNs do and are. I would really seek out a recommendation, use a trusted, well-known company for your VPN, because there are lots of small companies setting up VPNs now, it's really easy to do. You need to find a trusted provider for that and make use of them. And again, a few pounds a month gets you VPN access; if you're out and about a lot, then it's well worth having.

L: Okay, what else should we be thinking? What would your next step on that step-up process be?

R: The other step that's really good to take is to use what's called two-factor authentication. So you maybe get sent codes to your phone, or maybe you have a little app on your phone that generates codes for you. These are really good because if someone tries to log in as you and they've already got your username and password, they then need something else to prove that they are you. This is where we can talk briefly about the trade-off between convenience and security. You might think that it's really annoying having to type these little codes in every time I log in somewhere. Well, it is. But you've got to weigh that up against, what are you gaining by having that extra level of security. It's annoying that I have to get my key out to unlock the front door of my house, I'd much rather just turn the handle and walk in. But that key, that lock on my front door, keeps out people that I don't want in the house. So that bit of inconvenience gets me a lot of safety and benefit for my home and my family. So I should do the same with my business and my online presence too. So your next step, if you've got your password manager, you're using strong passwords, is go to the four critical services at first, set up two-factor authentication, or sometimes it's called multi-factor authentication or whatever they call it. Set that up and start using these extra codes as your logins because it's an additional check that it's you that's logging in.

L: Well, thank you Ross that’s been so helpful. I know it's a bit of a whistle-stop tour through the world of internet security and there's probably a lot more that we could dig into. But I just thought it would be helpful for people to get a high-level list of some tips that they can follow to try to keep their online assets more secure. And hopefully not be one of those people who's jumping into the Slack channel saying, oh my god, something's happened to my website, or you know, whatever it's gonna be. I'm definitely feeling a little bit more confident about what I need to do to get my information secure. Thank you very much, Ross.

R: Great stuff. You're welcome.

L: If people want to ask you any more questions about this, if they want to find you online, where should they go?

R: My username on Twitter is @magicroundabout for reasons that I won't go into. But also there aren't many Ross Wintles in the world. If you search for me, you'll either find me or you'll find an Australian cricketer. And I'm not the Australian cricketer. So I'm easy to track down. Get in touch if you've got any questions.

L: Thank you so much, Ross, and thanks, everyone for listening. If you enjoyed this, please leave a review. And otherwise, we'll see you next time. Thank you. Bye. 

Outro

You've been listening to 15 Minute Freelancer with me Louise Shanahan, freelance health copywriter and content marketer at thecopyprescription.com. If you enjoyed this, please hit subscribe, leave a review or share it with a freelance friend. And if you've got a freelancing question you want to be answered on the podcast, find me and say hi on Twitter, LinkedIn, or Instagram. Thanks, and until next time, happy freelancing.