
When Encryption Isn’t Enough: How Human Error Undermines Even the Best Security Tools

In the realm of cybersecurity, we often focus intensely on technical solutions—better encryption, stronger firewalls, and more sophisticated intrusion detection. Yet, time and again, the most significant security breaches don’t come from technical failures but from something far more difficult to patch: human behavior.

The Signal Incident: A Case Study in Human Error

The Trump administration recently provided a perfect example. Top officials, including Vice President JD Vance and Defense Secretary Pete Hegseth, used Signal—an encrypted messaging app widely considered highly secure—to discuss detailed plans for airstrikes against Yemen’s Houthi militants. Then, they accidentally added a journalist from The Atlantic to the chat.

These weren’t junior staff discussing lunch plans. These were high-ranking officials planning military operations using an app on their personal devices—compromising that information through a simple mistake. President Trump later acknowledged the issue, stating, “Generally speaking, I think we probably won’t be using it very much.” An understatement, to say the least.

Encryption ≠ Security

Signal was doing exactly what it was designed to do: end-to-end encryption means each message is encrypted on the sender's device and can be decrypted only by the devices of the people in the conversation. That is also the problem in miniature. Encryption keeps the message away from everyone outside the group, and it extends exactly the same protection to whoever is added to the group, authorized or not. Who belongs in the conversation is an access-control decision that no cipher makes for you, which is why encryption alone does not equal security.

National security experts pointed out that discussing classified information on consumer apps is a serious security violation regardless of how well the app encrypts. Conversations about military operations belong in Sensitive Compartmented Information Facilities (SCIFs), where personal phones are banned outright. The government's secure communication tools also enforce strict access controls, so an unauthorized user cannot be added to a conversation by one tap on the wrong contact.

The Convenience vs. Security Tradeoff

Why would top officials bypass these secure systems in favor of a consumer app? The answer lies in a challenge familiar to every security professional: secure solutions are often less convenient. Government-approved communication tools are likely clunkier and more restrictive than sleek consumer apps like Signal. However, that inconvenience is often the price of true security.

Shadow IT: A Persistent Risk

The Signal incident highlights a broader problem in organizations: shadow IT. Employees often turn to unauthorized tools because official solutions feel cumbersome. The gap is rarely the shadow tool's encryption; it is everything around it: no access control tied to role or clearance, no retention policy or audit trail, and sensitive data sitting on personal devices the organization does not manage. That creates significant security vulnerabilities regardless of how secure the tool claims to be.

Building a Culture of Security

Technical solutions alone won’t fix human error. Organizations must:

  1. Make security personal—showing employees how breaches affect them directly.
  2. Design for human behavior—implementing user-friendly security measures.
  3. Train on real scenarios—using case studies and hands-on exercises.
  4. Make security visible—rewarding security-conscious behavior.
  5. Lead by example—ensuring executives follow security protocols.

At the end of the day, even the best encryption can’t protect against human mistakes. True security requires a cultural shift—one where individuals take personal responsibility for safeguarding sensitive information.

With two decades of experience helping organizations build security-focused cultures, John Sileo is passionate about empowering people to take ownership of data security, both personally and professionally. His approach bridges the gap between technical controls and human behavior to create security systems that actually work in the real world. Call 303.777.3222 or contact us to inquire about booking John for your next meeting or event.

Dear Daughter, Here’s Why I Can Crack Your Passcode (And How to Avoid Her Mistake)

There are two things I’ve learned from live-hacking an audience member’s smartphone during my keynotes:

1️⃣ Most of our passwords are terrible.
2️⃣ One simple change can make hacking your phone as hard as scoring Taylor Swift tickets.

The Sleepover That Changed Everything

I didn’t set out to become that dad—you know, the one who freaks out teenagers by hacking their phones at sleepovers. But one night, when my daughter and her friends were busy scrolling and texting, I pulled out a little party trick that I spent hundreds of hours developing: cracking one of their smartphone passcodes.

Cue the gasps. The wide eyes. The sudden clutching of phones like they were life support.

Why? Because I showed them in real-time that once I was in, I could do everything—bank as them, text as them, be them. And that hit different.

The same thing happens during my keynote when I “hack” an audience member’s smartphone. It’s one thing to hear about security threats; it’s another to feel how vulnerable you really are. But here’s the good news: fixing this is easier than you think.

Upgrade Your Passcode to a Passphrase

Instead of a weak four-digit PIN (which, let’s be honest, is probably your birth year backwards), switch to a passphrase—something longer, easy to remember, and way harder to crack.

Example:
🚫 1234 → 10,000 possible combinations. No AI required: a short list of the most common PINs opens a large share of phones in a few tries, and a four-digit tap is easy to shoulder-surf.
✅ ! L0v3 D@d → ten characters drawn from the 95 printable keyboard characters: roughly 6 × 10^19 (60 quintillion) combinations, well over a thousand years of guessing even at a billion attempts per second (Good luck, hackers!)
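To put numbers on the two passcodes above, here is an added example (my own illustration, not code from the original post) that estimates the guessing effort for any passcode from its length and the character classes it uses. The character-class sizes, the guess rates and the short list of common PINs are assumptions for illustration, not measured data.

```javascript
// Added example (not from the original post): estimate how hard a phone
// passcode is to guess from its length and the character classes it uses.
// Class sizes assume a US keyboard; the common-PIN list is a constructed
// sample for illustration, not a measured ranking.
const CHAR_CLASSES = [
  { name: 'lower', size: 26, re: /[a-z]/ },
  { name: 'upper', size: 26, re: /[A-Z]/ },
  { name: 'digit', size: 10, re: /[0-9]/ },
  { name: 'symbol', size: 33, re: /[^a-zA-Z0-9]/ }, // space and punctuation
];

const COMMON_PINS = ['1234', '1111', '0000', '1212', '7777', '1004', '2000', '4444', '2222', '6969'];

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

function humanTime(seconds) {
  if (seconds < 60) return `${seconds.toFixed(1)} seconds`;
  if (seconds < 3600) return `${(seconds / 60).toFixed(1)} minutes`;
  if (seconds < 86400) return `${(seconds / 3600).toFixed(1)} hours`;
  if (seconds < SECONDS_PER_YEAR) return `${(seconds / 86400).toFixed(1)} days`;
  return `${(seconds / SECONDS_PER_YEAR).toExponential(2)} years`;
}

// Returns the search space an attacker faces, assuming they know the length
// and which character classes are present but nothing else.
function assessPasscode(code, guessesPerSecond = 10) {
  if (!code) throw new Error('empty passcode');
  const classes = CHAR_CLASSES.filter((c) => c.re.test(code));
  const charsetSize = classes.reduce((n, c) => n + c.size, 0);
  // BigInt because 95^10 is far beyond a double's exact integer range.
  const keyspace = BigInt(charsetSize) ** BigInt(code.length);
  const commonIndex = COMMON_PINS.indexOf(code);
  return {
    length: code.length,
    classes: classes.map((c) => c.name),
    charsetSize,
    keyspace,
    bits: Number((code.length * Math.log2(charsetSize)).toFixed(1)),
    inCommonList: commonIndex >= 0,
    // Guesses a list-first attacker needs: position in the list, or the
    // whole list plus the whole space in the worst case.
    guessesWorstCase: commonIndex >= 0 ? BigInt(commonIndex + 1) : keyspace + BigInt(COMMON_PINS.length),
    // Time to try every candidate at the given rate. A phone's lockout
    // throttles an attacker to a few guesses a minute; an offline attack on
    // an exported hash runs at billions per second, so compare both.
    exhaustSeconds: Number(keyspace) / guessesPerSecond,
  };
}

function describe(code, guessesPerSecond) {
  const a = assessPasscode(code, guessesPerSecond);
  return `${JSON.stringify(code)}: ${a.charsetSize}^${a.length} = ${a.keyspace} candidates, ` +
    `${a.bits} bits, exhausted in ${humanTime(a.exhaustSeconds)} at ${guessesPerSecond}/s` +
    (a.inCommonList ? ` (but guess #${a.guessesWorstCase} on the common-PIN list)` : '');
}

console.log(describe('1234', 10));          // on-device guessing, throttled
console.log(describe('1234', 1e9));         // offline brute force
console.log(describe('! L0v3 D@d', 1e9));   // same offline rate, passphrase
```

Run it with node: "1234" is guess number one on the common list, while the passphrase takes over a thousand years to exhaust even at a billion guesses per second. Two caveats the numbers hide: on a modern phone it is the lockout delays, not the arithmetic, that stop brute force, and a passphrase built from a predictable leetspeak pattern is weaker than its raw character count suggests. Length is what matters.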

How to Set It Up

🔹 iPhone Users: Here’s how to create a stronger passcode
🔹 Android Users: Check with your phone manufacturer for instructions

And don’t forget: Make sure someone you trust knows your passphrase in case of an emergency—store it securely in your password manager so you don’t forget it either!

Bonus: Lock Down Your Online Accounts

Your phone’s passphrase is just the start. For online accounts, ditch passwords entirely and switch to passkeys—they’re easier and more secure. Check out our video on passkeys here.

Because keeping your data safe shouldn’t be harder than getting into a Taylor Swift concert. 😉

Sleep tight, and stay secure! 🔐

Deconstructing DeepSeek: AI, Censorship, and State Control

In recent weeks, the launch of DeepSeek—a new AI chatbot developed in China—has sparked concerns about its potential role in spreading state-backed disinformation. While it’s marketed as a tool for curiosity and assistance, a closer look suggests it may be more aligned with the Chinese Communist Party’s (CCP) official narrative than users might expect.

Unpacking DeepSeek’s Responses

Researchers analyzing DeepSeek have found that it frequently echoes CCP propaganda. Here are just a few documented examples:

  1. Twisting Quotes: DeepSeek reportedly misrepresented statements made by former U.S. President Jimmy Carter, making them appear more favorable to China’s stance on Taiwan.
  2. Selective Praise: When asked about Xinjiang’s policies, the chatbot claimed they have received “widespread recognition”—a stark contrast to reports from international human rights organizations detailing serious abuses.
  3. Dodging Sensitive Topics: Ask DeepSeek about Xi Jinping or major historical events like the Tiananmen Square protests, and it evades the question faster than a cat avoiding a bath.

Like OpenAI’s ChatGPT, DeepSeek relies on large language models to generate responses. However, unlike its counterparts, this AI seems to be following a playbook designed to reinforce CCP-approved narratives rather than provide an objective perspective.

Why This Matters

As more people rely on AI for information, it’s crucial to recognize the biases baked into these tools—especially when they’re backed by governments with strong authoritarian leanings. If AI is being used as a mechanism for state control, it raises serious ethical and societal concerns.

How to Stay One Step Ahead

If you’re using AI chatbots like DeepSeek, here are some ways to safeguard yourself against potential misinformation:

  • Fact-Check Everything: Don’t take chatbot responses at face value. Cross-reference claims with reputable sources.
  • Spot the Red Flags: If an AI refuses to answer, changes the subject, or downplays a well-documented event, treat that as a likely filter rather than a gap in knowledge. The quick test is to put the same question to a second model from a different vendor; a refusal that only one of them produces is more likely policy than safety.
  • Think Critically: Approach AI-generated content with a healthy dose of skepticism. Just because it sounds polished doesn’t mean it’s true.

By staying vigilant, you can better navigate the intersection of AI and state-controlled narratives—ensuring you’re informed rather than manipulated.

Need to educate your team on the latest AI-related vulnerabilities? Let’s talk: https://sileo.com/contact-us/

Is That QR Code Safe? What You Need to Know About the Cyberthreat Quishing

 

In our fast-paced, tech-driven world, QR codes have become second nature. We scan them to check out restaurant menus, access Wi-Fi networks, or join virtual events. But beneath their convenience lies a potential cyber threat that’s catching many off guard: Quishing.

Quishing—short for QR code phishing—is a sneaky variant of the classic phishing scam. Picture this: you’re at a cozy café, scanning a QR code to browse the menu. It feels harmless, even mundane. But hidden within that innocent-looking grid could be a link to a malicious website, ready to steal your personal information or unleash malware onto your device.

How Quishing Works

Cybercriminals embed harmful links into QR codes and strategically place them in unsuspecting locations:

  • Public bulletin boards
  • Flyers
  • Transport hubs
  • Online ads
  • Even restaurant tables

These codes often redirect you to phishing sites that mimic legitimate websites. Once there, you might unknowingly hand over sensitive information such as passwords or credit card details, or be prompted to install a "menu app" or "update" that is really malware.

Spotting Suspicious QR Codes

Knowing how to recognize potential threats is key to staying safe. Watch out for these red flags:

  1. Unknown Origin: If a QR code appears in an unexpected location or looks unprofessional, think twice before scanning it.
  2. Too-Good-To-Be-True Offers: Scammers often lure victims with promises of amazing deals or exclusive gifts.
  3. Requests for Personal Information: If a scanned code leads you to a page asking for sensitive details right away, it’s a major red flag.

Protect Yourself from Quishing

A few proactive measures can go a long way in keeping you safe:

  1. Verify the Source: Only scan QR codes from trusted entities, such as well-known brands or official communications.
  2. Read the Link Before You Tap: The built-in camera apps on current iPhones and Android phones decode the code and show the destination before opening it. Use that preview. Look at the actual domain rather than the branding around it, and be wary of shortened links or bare IP addresses, which tell you nothing about where you will land.
  3. Close Suspicious Websites: If a scanned QR code leads to a dubious website, close it immediately. Avoid clicking on any links.
  4. Keep Software Updated: Regularly update your device’s operating system and apps to ensure they’re equipped with the latest security patches.
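The checks above can be written down. What follows is an added example of my own, not code from the original post, that inspects what a QR code decodes to and lists the warning signs before anyone taps it. The shortener list, the brand watch list and the sample payloads are constructed assumptions; a real tool would use maintained lists and the Public Suffix List instead of the "last two labels" rule used here.

```javascript
// Added example (not from the original post): triage a decoded QR payload.
// Lists below are constructed for illustration, not authoritative.
const SHORTENERS = new Set(['bit.ly', 't.co', 'tinyurl.com', 'goo.gl', 'is.gd', 'ow.ly', 'cutt.ly']);
const BRANDS = ['paypal', 'amazon', 'apple', 'microsoft', 'chase']; // hypothetical watch list
const LOGIN_WORDS = /login|signin|verify|update|secure|account|password/i;

// QR payloads are not always web links: Wi-Fi credentials, phone numbers and
// SMS drafts are "action" payloads that do something as soon as they are tapped.
function payloadKind(payload) {
  const p = payload.trim();
  if (/^WIFI:/i.test(p)) return 'wifi';
  if (/^(tel|sms|smsto):/i.test(p)) return 'phone';
  if (/^mailto:/i.test(p)) return 'mail';
  if (/^https?:\/\//i.test(p)) return 'url';
  return 'text';
}

// Naive registrable-domain guess: the last two labels (assumption; no PSL).
function registeredDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Returns the payload kind, the host it points at, and a list of findings.
// An empty findings list means "nothing obvious", not "safe".
function assessQrPayload(payload) {
  const kind = payloadKind(payload);
  const findings = [];
  if (kind !== 'url') {
    if (kind !== 'text') findings.push(`${kind}-payload-performs-an-action`);
    return { kind, host: null, findings };
  }
  const url = new URL(payload.trim());
  const host = url.hostname;
  if (url.protocol !== 'https:') findings.push('plain-http');
  // IPv4 literal, or IPv6 literal (the URL parser keeps the brackets).
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[')) findings.push('ip-literal-host');
  // Internationalised hosts are converted to xn-- form; a classic look-alike trick.
  if (host.split('.').some((l) => l.startsWith('xn--'))) findings.push('punycode-host');
  // https://bank.example@evil.net/ renders the "bank" part as a username.
  if (url.username || url.password) findings.push('credentials-in-url');
  const reg = registeredDomain(host);
  if (SHORTENERS.has(reg) || SHORTENERS.has(host)) findings.push('url-shortener');
  // A brand name that appears only left of the registrable domain is decoration.
  const sub = host.slice(0, host.length - reg.length);
  for (const b of BRANDS) {
    if (sub.includes(b) && !reg.includes(b)) findings.push(`brand-in-subdomain:${b}`);
  }
  if (LOGIN_WORDS.test(url.pathname + url.search)) findings.push('credential-prompt-path');
  return { kind, host, findings };
}

// Constructed sample payloads, as a camera app would decode them.
const SAMPLES = [
  'https://menu.example.com/',
  'http://192.168.1.1/menu',
  'https://login.paypal.com.evil-host.net/verify?id=1',
  'https://bit.ly/3xyz',
  'WIFI:T:WPA;S:Cafe;P:secret;;',
];
for (const s of SAMPLES) console.log(s, '->', assessQrPayload(s).findings);
```

The "brand in subdomain" rule catches the most common quishing layout, where the real destination is the last two labels and everything in front of them is set dressing. Shorteners are flagged not because they are malicious but because the preview tells you nothing; expand them on a desktop first.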

Real-World Quishing Scams

Quishing isn’t just theoretical—it’s happening now. Here are two notable examples:

  • Public Transport Scam: In one major city, scammers replaced QR codes on transport kiosks with their own malicious codes. Commuters who scanned them were directed to phishing sites that stole credit card information.
  • Concert Fraud: Fake posters for a popular concert included QR codes leading fans to a bogus ticketing site. Attendees paid for tickets that never arrived, losing both money and trust.

Stay One Step Ahead

In this digital age, vigilance is your best defense. If a QR code seems suspicious or makes you hesitate, trust your gut. By learning to spot the signs of quishing and practicing safe scanning habits, you can outsmart cybercriminals and keep your personal information secure.

So the next time you’re tempted to scan a QR code, ask yourself: Is it worth the risk? A little caution today can save you a world of trouble tomorrow.

PS: Besides not scanning every QR code that pops up, make sure you're not committing these Bad Cybersecurity Habits: https://sileo.com/bad-cybersecurity-habits/.

The Future of Online Security: How Passkeys Can Protect Your Loved Ones

When you cut through the technical jargon (which can sometimes feel a little intimidating or dull), cybersecurity boils down to one simple truth: it’s about safeguarding the people we care about most. That’s the heart of the advice I give to my two grown daughters—practical, no-nonsense tips to help them stay safe in an increasingly digital world. Today, I’m passing those same tips along to you so you can protect the ones you love, too.

Let’s talk about passkeys—the smarter, stronger, and safer alternative to traditional passwords. They’re designed for busy people who want top-notch security without the hassle.

Here’s everything you need to know about them and why they’re a game-changer for your digital safety:

Why Use Passkeys?

While passwords have served us well, they’re no longer enough to combat today’s sophisticated online threats. Passkeys offer a major leap forward in digital security by addressing the main flaws of traditional passwords:

  1. Phishing-Proof
    Phishing attacks—where scammers trick you into entering your password on fake websites—are among the most common online threats. Passkeys close off this risk because:
    • You never type them; your device does the signing.
    • A passkey is bound to the exact website domain it was created for, so your browser and device will not use it on a look-alike address.

In other words, a phishing site can't steal what you never type, and it can't borrow a key that refuses to work on its domain.

  2. Breaks Bad Habits
    Many people reuse passwords across multiple sites or choose weak, easily guessable ones. Passkeys, however, are generated fresh for each service, so:
    • No two services share the same login credentials.
    • There's no temptation to reuse old, insecure passwords.

This automatic uniqueness means a compromise at one service gives attackers nothing to try elsewhere.

  3. Data-Breach-Proof
    Even if a website is hacked, the public key stored on the site is useless to attackers without your private key. And because your private key never leaves your device, it can't be exposed in a data breach.
  4. Convenient and Safe
    Passkeys offer the best of both worlds: a passkey unlocked with your fingerprint, face, or PIN already combines something you have (the device) with something you are or know, so you get the protection of two-factor authentication (2FA) without the extra step. With a passkey, you:
    • Log in with just your fingerprint, face, or PIN.
    • No longer need to manage complex passwords or remember dozens of logins.

How to Start Using Passkeys

Setting up passkeys is easier than you think. Follow these steps to integrate them into your digital life:

  1. Set up a passkey with major retailers like Amazon
  2. Set up a passkey with all of your banks (Wells Fargo)
  3. Set up a passkey for your Microsoft & Apple accounts 

Use Your Passkey Across Devices
Switching between devices is easier than ever. Sync your passkeys using iCloud Keychain or Google Password Manager, which encrypt them end to end before they leave your device, so you always have access to your accounts, no matter where you are. One caveat: a synced passkey is only as safe as the Apple or Google account that syncs it, so protect that account with a strong, unique password, two-factor authentication, and up-to-date recovery settings.

Why Passkeys Are a Smart Choice
In today’s fast-paced world, security should be simple. Passkeys make online security easier by:
• Reducing the need to remember complex passwords
• Eliminating worries about phishing and data breaches
• Minimizing the risks associated with weak or reused passwords

For me, passkeys are an easy “yes.” They offer peace of mind while keeping my loved ones safe online. That’s why I’ve already encouraged my daughters to adopt this technology—and now, I’m encouraging you to do the same.

What’s Next? Start Protecting Your Loved Ones
Cybersecurity doesn’t need to be complicated or intimidating. By switching to passkeys, you’re taking a major step toward safeguarding yourself and your family from online threats.

Whether you’re helping your kids set up their first email account, securing your partner’s online banking, or simplifying your own digital life, passkeys are the key to a safer, smarter, and more convenient future.

Ready to get started? Next time you log into a service, look for the passkey option—it might be the best decision you make for your family’s online safety.

Ps. In case you missed it, make sure you’re also aware of the One Smartphone Security Tool You Might Be Missing

Cybersecurity Alert: UnitedHealth’s Billion Dollar Data Breach

One in three Americans recently had their healthcare data hacked from UnitedHealth – TWICE. The stolen data likely includes medical and dental records, insurance details, Social Security numbers, email addresses and patient payment information.

UnitedHealth Group’s subsidiary, Change Healthcare (which processes an estimated 50% of all health insurance transactions in the U.S.), fell victim to a ransomware attack that thrust the U.S. healthcare system into chaos as pharmacies, doctor’s offices, hospitals and other medical facilities were forced to move some operations to pen and paper.

Behind the scenes, UnitedHealth Group chose to pay the BlackCat ransomware gang (aka ALPHV) an estimated $22 million in blackmail ransom to restore system functionality and minimize any further leakage of patient data.

Problem (expensively) solved, right? Not even close. After UnitedHealth paid the initial ransom, the company (or, quite possibly, BlackCat's own affiliate falling out with the gang over the payout) reportedly faced a second extortion attempt at the hands of RansomHub, which claimed to hold 4TB of the stolen data, including financial records and healthcare data on active-duty U.S. military personnel.

To take the breach and ransom to an entirely new level, RansomHub is now blackmailing individual companies who have worked with Change Healthcare to keep their portion of the breached data from being exposed publicly. For many small providers, the ransom is far beyond what they can afford, threatening the viability of their business. Some of the larger individual providers being blackmailed are CVS Caremark, MetLife, Davis Vision, Health Net, and Teachers Health Trust.

As of today, even with millions of dollars collected by the hackers, not all systems are back up and running.

There are three critical business lessons to take from the UnitedHealth breach:

  1. Ransom payments do not equal the cost of breach. The ransom amount companies pay is a fraction of the total cost of a breach. In UnitedHealth's case, they paid a first ransom of $22 million, but only months into the breach have reported more than $872 million in losses. Operational downtime, stock depreciation, reputational damage, systems disinfection, customer identity monitoring, class action lawsuits, and legal fees will move the needle well beyond $1 billion within the fiscal quarter. Risk instruments like cyber liability insurance can offset some of the losses, but prevention is far more cost-effective.
  2. There is no honor among thieves. Even when organizations pay the ransom demanded (and in the rare case that they get their data back fully intact), there is no guarantee that the cybercriminals won't subsequently expose samples of the data to extort a second ransom. In this case of Double-Dip Ransomware (as I call it), a dispute among partnering ransomware gangs meant that multiple crime rings possessed the same patient data, leaving UnitedHealth open to multiple cases of extortion. Paying the ransom instead of having tested recovery tools also places a larger target on your back for future attacks. If you haven't implemented AND tested a 3-2-1 data backup plan (three copies, on two different media, one of them offline or off-site) and a Ransomware Response Plan, do so immediately.
  3. The Human Hypothesis on the Source of Breach. There has been no disclosure to date on exactly how the hackers got into Change Healthcare's systems, but my highly educated guess (from seeing so many similar breaches) is that an employee of, or third-party vendor to, UnitedHealth was socially engineered (scammed) into sharing access to one of their business IT systems. Companies generally report this human oversight and poor training as "compromised credentials," which makes it look like a technological failure rather than a human decision. From there, the hackers "island hopped" laterally to increasingly critical servers on the network. It's likely that the cybercriminals still have footholds in key systems, hidden well enough that the cleanup has yet to find them.

The solution here is to make sure that the heroes in your organization, the human employees who are your first and best line of defense, are properly trained on how to detect and repel the latest social engineering attacks. Over 90% of all successful attacks we see are due to a human decision that leads to malicious access.

All organizations and leadership teams must ensure your Security Awareness Training addresses all the changes that artificial intelligence brings to the cyberthreat sphere. To ignore the alarm bells set off by UnitedHealth Group’s disastrous breach is to risk your organization falling ill to a similar fate.

Anyone in your organization can be the unfortunate catalyst that triggers a disastrous data breach similar to UnitedHealth’s. My latest keynote, Savvy Cybersecurity in a World of Weaponized A.I., teaches the root cause of successful social engineering scams and necessary technological preparation for ransomware attacks. REACH OUT TO MY TEAM TODAY to discuss this vital topic at your next meeting or event.

If you are a patient of UnitedHealth, Change Healthcare, OptumRx or any of their subsidiaries, take the following steps immediately:

  1. Visit the Cyberattack Support Website that UnitedHealth Group established for affected customers.
  2. Make sure that you have a Credit Freeze on your Social Security Number (a freeze is placed with each of the three credit bureaus).
  3. If you are an OptumRx customer, call them directly (1-800-356-3477) to make sure that your prescriptions haven't been affected and that they will ship on time.
  4. Monitor all of your health and financial accounts closely for any changes or transactions. Create automatic account alerts to make this easier.

 

John Sileo is a privacy keynote speaker, award-winning author and media personality as seen all over TV. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

Tax Time Scams: Beware of ‘Accidental’ Deposits from the IRS

“YEAH for tax time!” – Said no one ever.

After years of agonizing tax preparation, you might think the universe is finally in your favor when you notice a surprise $20,000 pop up in your bank account. But before you book that vacation to Ibiza or run to the car dealership, pause and remember what you know to be true: If something seems too good to be true, it usually is.

Tax fraudsters will steal your personal information (typically from your tax accountant) and create fake documents that they submit to the IRS to ensure a hefty refund is deposited in your account. They then call or email you to let you know about this “mistake” and ask you to deposit the money back into an “IRS Collection Company” account. They will also pepper in threats like money penalties or jail time to try to get you to act as soon as possible before you can rationally assess the situation.

The first step to protect yourself against tax time scams is to make sure your tax accountant has the highest level of security for client information. It’s okay to ask questions about their cybersecurity and physical document security. An email or call leading with, “I heard about this scam and it just got me curious about your security protocols” is completely appropriate. After all, they work for YOU!

If you see the shady deposit in your account, call your bank immediately and they can help you navigate the situation. If the bank representative doesn’t advise you to close the account, do it anyway. Your information has been successfully stolen and you don’t want to chance it happening again. Yes, it’s an inconvenience, but it’s necessary for your safety and peace of mind.

The last tip to remember – and one that is vital to share with your loved ones, co-workers, etc. – is:

THE IRS DOES NOT INITIATE CONTACT BY EMAIL, TEXT OR SOCIAL MEDIA, AND ITS FIRST CONTACT IS BY POSTAL MAIL.

Legitimate IRS business starts with a letter. An agent may phone or visit only after notices have been mailed, and the IRS will never demand that you move money to a third-party "collection" account, pay by gift card or wire, or act within the hour. So, if someone claiming to be from the IRS calls you out of the blue, HANG UP! If they email you, SEND IT TO SPAM! If they text you, BLOCK THE NUMBER! If you think there is a real issue, contact the IRS yourself using the number on IRS.gov or on a notice you received in the mail.

Most of us have the intuition not to be rude, especially to a government agency that can uproot your life, but when you know how the IRS actually communicates, you will have the confidence to make the right decision in those moments that raise your blood pressure and make it hard to think clearly.

These tax time scams prey on our fears of not being in good standing with the United States Government. But what these scammers aren’t taking into account is that your knowledge equals power and protection from their nonsense. Here’s a video about Hanging Up on IRS Phone Scammers. Stay safe, informed and, “Happy Tax Season!” – Said no one ever.

 


A.I. Deepfake Posing as the CFO Scams $25 Million: How to Protect Your Organization from the Exploding Deepfake AI Cyber Scam

Deepfakes use Artificial Intelligence (A.I) to create fake, hyper-realistic audio and video that is generally used to manipulate the viewer’s perception of reality. In most deepfakes, the legitimate person’s face or body has been digitally altered to appear to be someone else’s. Well known deepfakes have been created using movie stars and even poorly produced videos of world leaders.

Removing the malicious part of the definition, deepfakes have been used in the film industry for quite some time to de-age actors (think Luke Skywalker in The Mandalorian) or resurrect deceased actors for roles or voiceovers (think Carrie Fisher in Rogue One – okay, can you tell I'm a Star Wars geek?). Cybercriminals have latched on to the technology, using AI-generated deepfakes in conjunction with business email compromise (the family of scams that also includes whaling and CEO fraud) to scam organizations out of massive amounts of money.

Just recently, a finance worker at an international firm was tricked into wrongly paying out $25 million to cybercriminals using deepfake technology to pose as the company’s Chief Financial Officer during a video conference. And it wasn’t just one deepfake! The fraudsters generated deepfakes of several other members of the staff, removing any red flags that it wasn’t a legitimate virtual meeting. As a subordinate, would you refuse a request from your boss that is made face-to-face (albeit virtually)? You might be savvy enough, but most employees aren’t willing to risk upsetting their boss.

Simply sending suspicious emails to spam is no longer adequate. Our Spidey Sense (the B.S. Reflex I talk about in my keynotes) must be attuned to more than business email and phone compromise. We have entered the age of Business Communication Compromise, which encompasses email, video conferences, phone calls, FaceTime, texts, Slack, WhatsApp, Instagram, Snap and all other forms of communication. It takes a rewiring of the brain: DO NOT TREAT WHAT YOU SEE ON A SCREEN AS PROOF OF WHO IS ON THE OTHER END. AI is so effective and believable that workers may even feel silly or paranoid for questioning a video's validity. But as the employee who lost their organization $25M can surely attest, it's far less expensive to be safe than sorry.

The solution to not falling prey to deepfake scams is similar to the tools used to detect and deter any type of social engineering or human manipulation. Empowering your employees, executives and customers with a sophisticated but simple reflex is the most powerful way to avoid huge losses to fraud. When you build such a fraud reflex, people will be less likely to ignore their gut feeling when something is "off." And that moment of pause, that willingness to verify before sharing information or sending money, is like gold. The pause should have a specific shape: any request to move money or change payment details gets confirmed through a second channel the requester did not choose, such as a call back to a number from the company directory, and large transfers require a second approver. A deepfake can imitate a face on a call you joined; it cannot answer the phone at your CFO's desk. These are the skills that I emphasize and flesh out in my newly-crafted keynote speech, Savvy Cybersecurity in a World of Weaponized A.I.

Get in touch if you’d like to learn more about how I will customize a keynote for your organization to prepare your people for the whole new world of AI cybercrime. Contact Us or call 303.777.3221.

Cybersecurity Habits Meet Neuroscience

Bad Cybersecurity Habits

Hack your cybersecurity habits to avoid being hacked! The human element of cybersecurity is the most overlooked and underused tool for data protection. People are our strongest line of defense. In other words, your employees are your greatest asset in the fight against cybercrime, but only if you train them to be. By fortifying data at its source –us– we have a much better shot at preventing cyber disasters in our businesses.

Drawing inspiration from the book “Atomic Habits” by James Clear, we can apply his principles to reinforce best cybersecurity practices. Just as small, incremental changes lead to significant long-term results in personal growth, cultivating atomic cybersecurity habits can fortify our digital defenses. In this article, we will explore how the concepts of “Atomic Habits” can be seamlessly integrated with cybersecurity practices, empowering individuals to navigate the online world with confidence and security.

Let me hack your brain to make security simple. 

Healthy Cybersecurity Habits 

  1. Strong and Unique Passwords: Use strong, complex passwords. Avoid reusing passwords. Use a password manager to generate and store passwords.
  2. Two-Factor Authentication (2FA): Enable 2FA whenever possible, preferring an authenticator app, hardware key or passkey over SMS codes, which can be intercepted through SIM swapping.
  3. Regular Software Updates: Keep your operating system, antivirus software, web browsers, and other applications up to date. Updates often include important security patches that address vulnerabilities.
  4. Secure Wi-Fi: Use a strong, unique password for your home Wi-Fi network. Enable encryption (WPA2 or WPA3). Avoid using public Wi-Fi networks for sensitive activities unless you are using a reliable VPN (Virtual Private Network).
  5. Phishing Awareness: Be cautious of suspicious emails, messages, or calls. Verify the legitimacy of requests and avoid providing personal information unless you are certain of the source.
  6. Regular Backups (Daily): Backup your important files and data regularly to an external hard drive, cloud storage, or other secure location.
  7. Privacy Settings: Review and adjust privacy settings on your devices, apps, and social media accounts. Limit the amount of personal information you share. Consider what permissions an app truly needs (spoiler alert: not much).
  8. Secure Web Browsing: Use secure websites (HTTPS) when providing sensitive information, and check the address itself, not just the padlock icon: the padlock only means the connection is encrypted, and phishing sites get certificates too. Be cautious of clicking on suspicious links. Avoid downloading files from untrusted sources.
  9. Device Protection: Use reputable antivirus or security software on all your devices and keep them updated. Enable device lock screens or biometric authentication (fingerprint or facial recognition). 

How to Hack your Habits

ATOMIC HABIT CYBERSECURITY APPLICATION
Use the two-minute rule: identify a small, actionable step you can take that only takes two minutes. Do it immediately.
  • Change one password.
  • Put. A. Password. On. Your. Lock. Screen. 
  • Enable two-factor authentication for one account
  • Grab your phone. Settings >> privacy >> location. Turn off location services for apps that absolutely don’t need your whereabouts. 
  • Delete 2-3 apps you do not use.
  • Unsubscribe from a few junk mailing lists
Make habits obvious: Create clear cues and reminders to engage in the healthy habit. 
  • Create a regular and recurring phone reminder to update software or add another financial site to your two-step login list. Make cybersecurity a visible part of your daily routine.
“Habit stack” for better integrations. 

Link new habits to existing ones to help them become more automatic and ingrained. 

  • Before you start browsing the internet each day, make it a habit to check for secure connections (HTTPS) or verify the legitimacy of websites. 
  • At the same time, check to make sure that your backup is working properly.
  • Monthly family/business meetings? Add a 5 min technology check-in to the schedule (updates, passwords, issues). 
Environmental design can make:

  1. desired behaviors more convenient (make good habits EASY to do)
  2. undesirable behaviors more difficult (make bad habits HARD to do)

  • Enabling fingerprint recognition on your password manager will make it more appealing to log into.
  • Invest in a larger cellular data plan so that you aren’t tempted to join insecure free WiFi hotspots.
Track habits to maintain motivation and measure progress.
  • Keep a log of actions such as updating software, conducting regular backups, or practicing safe browsing.
Make habits satisfying: immediate rewards increase the likelihood of habit formation. 
  • After completing any of the above, or even a thorough scan of your device for malware, reward yourself with a short break or engage in an enjoyable activity. 
Build an identity of the person who embodies desired habits. 

You are more likely to put effort into something that relates to who you are (identity) rather than what you do (behavior).

  • Embrace the identity of a proactive and security-conscious individual. Visualize yourself as someone who prioritizes protecting their digital assets. By identifying as a cyber-conscious person, you’ll be more likely to adopt and maintain good cybersecurity habits.

Cybersecurity often feels like an endless journey. This is why celebrating progress is crucial to maintaining hope and momentum. By embracing the principles of “Atomic Habits,” we can forge a path towards a more secure digital future. And we can do so without burning ourselves out or becoming digital nomads (I know how tempting it may seem…). What matters is that we show ourselves some grace as we build better cyber health. 

The power lies within our daily actions—the consistent implementation of small, atomic cybersecurity habits that reinforce our protection. Just as Clear’s book teaches us to focus on the process rather than the outcome, let us concentrate on the journey of developing healthy cybersecurity habits, one smart step at a time. 

___________________________

John Sileo is an award-winning keynote speaker who educates audiences on how cybersecurity has evolved and how they can remain ahead of trends in cybercrime. He is proud to have spoken at the Pentagon and Amazon, written four books on cybersecurity, and been inducted into the National Speakers Hall of Fame. He has appeared on 60 Minutes, NBC, ABC, Fox, CNN, Rachael Ray, and Anderson Cooper. John’s work has been quoted and published in The Wall Street Journal, The Washington Post, USA Today, and Kiplinger’s.

Looking for a customized speech to make your next event unforgettable? Call 303.777.3221 or fill out our contact form to connect with Sue, our business manager extraordinaire. She’ll work with you to brainstorm ideas and explore how John can tailor his speech to fit your needs perfectly.

John Sileo Cybersecurity Expert Top Tips

I get asked at almost every keynote speech how the audience members can protect themselves, their families and their wealth personally. So I put together a series of videos to take you through some of the first steps. I hope this gets you started, and that I am lucky enough to meet you in person at a future speech!

Freeze Your Credit

A freeze is simply an instruction you give each of the three main credit reporting bureaus (Experian, Equifax and TransUnion, listed below) not to release your credit report to anyone checking your credit. Because a lender normally won’t open a new account (credit card, bank or brokerage account, loan, rental agreement, etc.) without pulling your report, a freeze stops new accounts from being attached to your name and Social Security number. When you legitimately need credit, you contact the bureau, give them the PIN or password you set up, and have them unfreeze or “thaw” your file for a short period of time.

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742

Two-Step Logins

There are four basic ways to find out whether or not your provider makes two-step logins available:

  • Call them directly and ask them how to set it up. I especially like this method when working with financial institutions, as you want to make sure that you set it up correctly and they should be more than happy to help (as it protects them, too).
  • Visit the provider’s website (e.g. Amazon.com) and search its help or security pages for the words “two-factor authentication” or “multi-factor authentication” or “security tokens”.
  • Google the name of the website (e.g., Schwab.com) along with the words “two-factor authentication” or “multi-factor authentication” or “security tokens”.
  • Visit this helpful listing (https://twofactorauth.org/) to see if your desired website appears on the list of two-factor providers.

Online Backups (for Ransomware)

You need an offsite backup, in the cloud or somewhere else that is well protected, that captures your data daily. That way, if ransomware is installed on your system, you have a copy from which to restore your good data: get the ransomware cleaned off, restore from the backup, and you’re back up and running. Make sure the backup:

  1. Is updated whenever a change is made or a new file is added, and keeps earlier versions of each file. A backup that only mirrors the latest version of everything will faithfully mirror the encrypted files once ransomware runs; it is the earlier, clean version you will need.
  2. Is stored somewhere different than your computer, and is not permanently attached to it as a mapped drive, because ransomware encrypts every drive it can reach.
  3. Actually works when you try to restore a file. Test this before you need it, not after.

My personal recommendation and the one I use is iDrive online backup (iDrive.com).  I recommend buying twice the hard disk space of the data you need to back up.
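The three rules above, worked through in code. This is an added example, not part of the original post and not a description of how iDrive or any other service works internally. It takes snapshots of a throwaway “documents” directory into a separate “vault” directory, then simulates ransomware overwriting the live files and takes another snapshot, the way a mirror-only sync would. Restoring each snapshot to scratch space and comparing file hashes shows which copy is still good. All paths and file contents are constructed here; nothing touches real data.

```python
"""Versioned backup with restore verification (added example, constructed data only)."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of every file under root; proves a restore is byte-exact."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def backup(src: Path, vault: Path) -> Path:
    """Rules 1 and 2: copy src into a fresh, numbered snapshot directory inside the vault.

    Each run creates a new snapshot instead of overwriting the last one, so a good
    copy survives even when the live data is damaged later. Returns the snapshot path.
    """
    number = sum(1 for p in vault.iterdir() if p.is_dir()) + 1
    snap = vault / f"snapshot-{number:03d}"
    shutil.copytree(src, snap)
    return snap


def verify_restore(snap: Path, expected: Dict[str, str]) -> bool:
    """Rule 3: restore the snapshot to scratch space and check every file's hash."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restored"
        shutil.copytree(snap, restored)
        return manifest(restored) == expected


def simulate_ransomware(target: Path) -> None:
    """Stand-in for ransomware: replace each file's contents and drop a ransom note."""
    for p in list(target.rglob("*")):
        if p.is_file():
            p.write_bytes(b"ENCRYPTED:" + hashlib.sha256(p.read_bytes()).digest())
    (target / "HOW_TO_RECOVER.txt").write_text("pay up")


def demo() -> Dict[str, bool]:
    """Clean backup, infection, mirrored backup, then a test restore of each snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "documents"
        vault = Path(tmp) / "offsite_vault"   # rule 2: not the same place as the live data
        live.mkdir()
        vault.mkdir()
        (live / "taxes.txt").write_text("2024 return draft")
        (live / "photos").mkdir()
        (live / "photos" / "index.txt").write_text("family photo index")

        known_good = manifest(live)
        clean_snap = backup(live, vault)      # taken while the data was still good

        simulate_ransomware(live)
        infected_snap = backup(live, vault)   # what a mirror-only sync hands you afterwards

        return {
            "clean_snapshot_restores": verify_restore(clean_snap, known_good),
            "infected_snapshot_restores": verify_restore(infected_snap, known_good),
            "live_data_intact": manifest(live) == known_good,
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the numbered snapshots is retention: the second snapshot is a faithful copy of the damaged data and is useless, while the first still restores cleanly. When evaluating a backup service, ask how many prior versions it keeps and for how long, and run `verify_restore` on real files from time to time rather than trusting the “last backup succeeded” message.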

Personal VPNs

A Virtual Private Network (VPN) extends access to a private network across a public network, so a user can send and receive data across the public network as if their personal device were directly connected to the private network. In layman’s terms, it’s like having a private tunnel between your device and the VPN provider’s server; from there your traffic continues to its destination as usual. That protects you from whoever runs the coffee shop WiFi, but it also means you are trusting the VPN provider with that traffic, so pick one carefully. If you haven’t already, research the term “VPN Reviews” to get the latest research and then install a VPN on every device to cyber secure your virtual office and smartphone.

Free Credit Reports

Go to annualcreditreport.com to see your three credit reports from the three credit reporting bureaus.  Periodically request a report from one of the bureaus and cycle through each of them every three months or so.

Identity Monitoring

Ask four questions as you research your options:

  1. Does the service have a simple dashboard and a mobile app that graphically alert you to the highest risk items?
  2. Does it include robust recovery services? (How long does it take to reach a live human being in the restoration department?)
  3. Does the service monitor your credit profile with all three credit reporting bureaus?
  4. Do you have faith that this company will be in business three years from now?

Password Managers

A password manager is a software application that helps a user store and organize passwords. Password managers store passwords encrypted, requiring the user to create a master password: a single, ideally very strong password that grants the user access to their entire password database.

Research Password Management services such as Dashlane, LastPass, or the one I personally use, 1Password. Google the term “Password Manager Reviews” and look for articles in a magazine you trust to find the one right for you.

Junk Mail

To opt out of pre-approved credit offers with the three main credit reporting bureaus, call 888-5-OPT-OUT (888-567-8688) or visit www.OptOutPreScreen.com.

Phone Scams

If you receive a call that triggers your scam alert reflex, HANG UP!  If you receive a call from someone supposedly from a financial institution, utility company or a government agency and they ask for personal information like your Social Security number, HANG UP! Or if someone calls from “Apple” or “Microsoft” promising to help with a computer issue, HANG UP!  You get the idea.  If you think it is a legitimate call, tell them you will call them back from a published number.  If they start making excuses, HANG UP!!!

Google Maps

  1. Go to www.google.com/maps
  2. Locate your house by typing its address into the search box and pressing Enter.
  3. Click on the small picture of your house that says Street View.
  4. Adjust Google Maps Street View by clicking the left and right arrows on the Street View image until you see your house.
  5. Click the Report a Problem link at the bottom-right corner of the Street View image or, depending on the device you are using, click on the three dots in the upper right-hand corner.
  6. It will take you to a page to Report Inappropriate Street View. Here you can ask to have any number of things blurred, including the picture of your house.
  7. You will need to provide your email address and submit a CAPTCHA.

Smart Speakers

Ask yourself how comfortable you are having a corporation like Amazon or Google eventually hearing, analyzing and sharing your private conversations. Many people will say they don’t care, and this really is their choice. We are all allowed to make our own choices when it comes to privacy. But the vitally important distinction here is that you make a choice, an educated, informed choice, and intentionally invite Alexa or Google into your private conversations.

Account Alerts

To monitor accounts quickly and conveniently, sign up for automatic account alerts when any transaction occurs on your account. If you spend even a dollar at a store, you receive an email or text notifying you of the purchase.

  1. Go to the bank or credit card company website.
  2. Search for “Account Alerts” in their search window.
  3. Set up your alerts for a dollar threshold that makes sense for you.

Internet of Things

  1. Understand your exposure.  What do you currently connect to the internet?
  2. Make a list of the devices you have that connect to apps on your smart device.
  3. At a minimum, make sure you have CHANGED THE DEFAULT PASSWORD!!!
  4. Also consider disabling location services, muting any microphones and blocking any webcams.
  5. Finally, update the firmware regularly.

Tax Return Scams

If you suspect tax fraud, call 877-438-4338 or go to consumer.ftc.gov to alert them. (The IRS contacts taxpayers by postal mail; it will not initiate contact with you by phone call, text or email, so treat any such contact as a scam!)

If you had a fraudulent deposit made directly to a bank account, contact your bank’s automated clearing house department to have it returned.  And close that bank account and open a new one while you are at it!

Safe Online Shopping Habits – Episodes 1, 2 & 3

  1. Stick to websites you know and trust. Beware of imposter websites that have a URL nearly identical to the one you mean to use.
  2. Always look for the lock icon in the browser and “https” in the URL.
  3. Use long strong passwords.
  4. Never shop with a debit card online. It’s even better to use a dedicated credit card just for online purchases.
  5. Set up automatic account alerts on your bank account.
  6. Request a new credit card number once a year (after the busy shopping season).
  7. Set up two-factor authentication on your bank, credit card and retail accounts.
  8. Use a Personal Virtual Private Network (VPN).
  9. Download the apps for your favorite retail sites onto your smart devices and shop directly from them using your cellular connection. This way you can’t be tricked into a lookalike website, you are protected by at least two logins (your device lock screen and the app’s own login) and you avoid untrusted public WiFi altogether.

Phishing Scams

  1. Mistrust every link in an email unless you know who it is coming from and you were expecting that link.
  2. If you’re suspicious about a link in an email, don’t click it. Type the company’s address into the browser yourself (or use a bookmark you saved earlier) so that you land on the legitimate website rather than wherever the email wanted to send you.
  3. Use the hover technique: rest your mouse pointer over the link (or long-press it on a phone) without clicking, and read the actual destination address your browser or mail program shows. If it doesn’t match the text of the link or the company’s real domain, it is the cyber criminals’ site.
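The hover technique, automated. This is an added example, not code from the original post: it pulls every link out of an HTML email, compares the domain the link text shows with the domain the link actually goes to, and flags the usual tricks (text and destination disagree, plain http, a punycode host that can hide a lookalike character, a trusted brand buried in a subdomain of somebody else’s domain, a raw IP address). The sample email, the list of trusted domains and the punycode host name are all constructed for the example; the checks are heuristics to help you decide, not a verdict.

```python
"""Phishing-link triage: compare what a link shows with where it goes (added example)."""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed for the example: domains the reader actually does business with.
TRUSTED_DOMAINS = {"amazon.com", "schwab.com", "paypal.com"}

# Constructed sample message: one legitimate link plus three phishing patterns.
SAMPLE_EMAIL = """
<p>Your order shipped. <a href="https://www.amazon.com/orders">Track it</a></p>
<p>Verify your account: <a href="http://amazon.com.account-verify.xyz/login">https://amazon.com/verify</a></p>
<p>Statement ready: <a href="https://www.xn--pypal-4ve.com/login">paypal.com</a></p>
<p>Urgent: <a href="https://203.0.113.7/secure">schwab.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Dict[str, str]] = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"href": dict(attrs).get("href") or "", "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (good enough for .com-style names in this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_in_text(text: str) -> str:
    """If the visible link text looks like a URL or bare domain, return its host name."""
    t = text.strip()
    if "://" not in t:
        t = "https://" + t
    host = urlparse(t).hostname or ""
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else ""


def analyze_link(href: str, text: str) -> List[str]:
    """Return the red flags for one link; an empty list means nothing looked suspicious."""
    flags: List[str] = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        flags.append("not-https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw-ip-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode marks an internationalized name; lookalike letters hide this way.
        # The "xn--" label in the sample is made up, not a real encoding of any brand.
        flags.append("punycode-host")
    shown = domain_in_text(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        flags.append("text-href-mismatch")
    for brand in TRUSTED_DOMAINS:
        # "amazon.com.account-verify.xyz": the brand appears, but the real domain is someone else's.
        if brand in host and registrable_domain(host) != brand:
            flags.append(f"brand-in-subdomain:{brand}")
    return flags


def triage(html: str) -> Dict[str, List[str]]:
    """Map each link destination in the email to its red flags."""
    parser = LinkExtractor()
    parser.feed(html)
    return {link["href"]: analyze_link(link["href"], link["text"]) for link in parser.links}


if __name__ == "__main__":
    for href, flags in triage(SAMPLE_EMAIL).items():
        print(("FLAG " if flags else "OK   ") + href + (": " + ", ".join(flags) if flags else ""))
```

The first link passes every check; the other three are flagged for exactly the reasons the hover technique is meant to catch. The brand-in-subdomain check is the one people miss when reading by eye, because “amazon.com” really does appear in the address; what matters is the last two labels, which belong to someone else.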

John Sileo, cybersecurity expert and identity theft speaker, has appeared for the Pentagon, Amazon and on shows like 60 Minutes and Anderson Cooper. Contact us for more details on 303.777.3221 or using our contact form.