OAKLAND – In recognition of Cybersecurity Awareness Month, which is celebrated every October, California Attorney General Rob Bonta today provided consumers and businesses with tips to defend against cybersecurity threats.
“This Cybersecurity Awareness Month, and every month, I urge Californians and businesses to protect themselves from online threats,” said Attorney General Bonta. “The California Department of Justice is providing tips to make digital security easier for all. Don’t wait for a data breach or cyberattack to think about protecting your data — the right time is right now. Cybersecurity is a team effort, and whether you are an individual or a business, there are steps you can take to protect yourself and your data.”
Consumer Cybersecurity Tips
Enable Multi-Factor Authentication. If available, use multi-factor authentication (MFA) for your online accounts. MFAs require both a password and a second piece of information – such as a one-time code sent to your phone via text message – in order to verify your identity when logging into one of your accounts. By requiring multiple methods of authentication, MFAs make it more difficult for attackers to break into accounts. As a result, your account is further protected from being compromised, even if a bad actor knows your password.
Use Strong Passwords and Password Managers. Set up unique and strong passwords for each online account you use. Don’t use easily identifiable information, such as pets’ names or birthdays, in your passwords, especially for your financial or email accounts. Using long, complex, and unique passwords is a good way to stop your account from being hacked. Additionally, a password manager is an easy way of keeping track and remembering all of your unique passwords.
Perform Regular Software Updates on All Devices. Update your operating system, browser, and important apps regularly, taking advantage of automatic updating when it's available. Having the latest security software, web browser, and operating system on your devices is one of the best defenses against online threats. These updates can eliminate software flaws that allow bad actors to view your activity or steal information.
Install Antivirus Software. Antivirus software protects your device from viruses that can destroy your data, slow down or crash your device, or allow spammers to send email through your account. Antivirus protection scans your files and your incoming email for viruses and deletes anything detected as malicious. Updating your antivirus software prevents the latest "bugs" circulating the internet. Most antivirus software includes a feature to download updates automatically when you are online. In addition, make sure that the software is continually running and checking your system for viruses, especially if you are downloading files from the web or checking your email. Set your antivirus software to check for viruses every day.
Check Your Privacy Settings. Be diligent to double check your privacy and security settings on all devices and applications, and be aware of who can access your information. Every time you sign up for a new account, download a new app, or get a new device, take a moment to configure the privacy and security settings to your comfort level for information sharing. You should regularly check these settings to make sure they are still configured to your comfort.
Opt Out of the Sale of Your Personal Information. Exercise your rights under the California Consumer Privacy Act (CCPA) and opt out of the sale of your personal information when you go online. Stopping the sale of your data will minimize its proliferation – and the less data that is out there, the better. Businesses that sell information have to post a “Do Not Sell My Personal Information” link on their websites. You can also use a browser or plugin that incorporates the Global Privacy Control, which must be honored by businesses that sell personal information.
Limit the Use of Public Networks. Free public Wi-Fi is normally not secure, and information thieves know it. While using public networks, your passwords, account numbers, and photos may be accessible to hackers. Minimize your risk by limiting the use of public networks, especially if you are accessing your personal or sensitive information, and use a secure network – such as your own – whenever possible.
Encrypt Devices. Encrypt your devices and other sources of media that contain sensitive personal information. This includes laptops, tablets, smartphones, removable drives, backup tapes, and cloud storage solutions.
Be Careful What You Share Online. Social media allows sharing of all aspects of life, but it's important to control who has access to the information you share. Information thieves can use social media postings to gather information and use it to hack into your accounts or steal your identity. To protect yourself, make use of privacy settings to limit the visibility of personal posts to your personal networks, and restrict the amount of information you share with the general public. Avoid taking online quizzes that could reveal the answers to your security questions.
Cybersecurity Tips for Businesses
As a company doing business in California, you have a legal obligation to implement and maintain reasonable data security, and you are the first line of defense when protecting consumers’ and clients’ personal information from data breaches. If you collect data, protect it by taking the following steps:
Train Employees in Data Security Principles. Establish essential security practices and policies for employees, such as requiring strong passwords, and establishing appropriate Internet use guidelines. Establish rules of behavior describing how to handle and protect customer information and other vital data.
Protect Information, Computers, and Networks from Cyberattacks. Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update and install other key software updates as soon as they are available.
Provide Firewall Security for Your Internet Connection. A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system's firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home systems are protected by firewalls.
Secure Your Wi-Fi Networks. If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name. You should also password protect access to the router.
Limit Employee Access to Data and Information. Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need in order to do their jobs and should not be able to install any software without obtaining permission.
Passwords and Authentication. Require employees to use unique passwords and change passwords regularly. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry.
Data Minimization. Review and inventory the consumer data you collect as a business and evaluate if the data is necessary. Maintain appropriate security over the data you collect and delete it once you no longer need it.
Individuals can find data privacy resources and information on our privacy and data security web page. Additional cybersecurity resources can be found on the Cybersecurity & Infrastructure Security Agency’s (CISA) cybersecurity resources website, as well as on the National Institute of Standards and Technology’s cybersecurity website.
Businesses can find useful cybersecurity resources on CISA’s resources for business web page.
California law requires a business or state agency to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, during a data security breach. You can find more information regarding this requirement on our data security breach reporting web page.