From the Marriott data breach that affected up to 500 million people to a bug that allowed third-party app developers access to the photos of nearly 7 million Facebook users, there is no shortage of reminders of the rapidly evolving scale of online threats that Canadians face each day.

But despite the flurry of headlines, experts say that Canadians are not doing enough to protect themselves online.

Some Canadians will readily admit to their lackadaisical approach to cybersecurity. According to a Google Consumer Survey, 20 per cent of Canadians give themselves a failing grade when it comes to their internet hygiene.

“The internet has become such an ingrained part of our lives these days and because the internet and browsers now function in such a seamless way, a lot of the friction is gone,” Aaron Brindle, the head of communications for Google Canada, told CTVNews.ca.

Advances in combatting malware attacks, he added, have lured internet users into a “false sense of security.”

These are sobering statistics ahead of Safer Internet Day, which is Feb. 5.

So how is an internet user supposed to stay safe?

Install software updates

It can be tempting to select “remind me tomorrow” when the dreaded notification appears on your computer screen announcing a new software update. But despite how annoying the constant nagging may be, experts say it’s dangerous to leave your software out of date.

Many cyberattacks work by exploiting flaws in outdated software. Security updates include patches that address those bugs and vulnerabilities once they come to the attention of the software developer, helping to plug up the digital holes that allow hackers unfettered access to your system.

Use multiple strong and unique passwords

Nearly 40 per cent of Canadians say they never or rarely change passwords for frequently used accounts, according to the Google Consumer Survey, making it easier for malicious actors to get their hands on sensitive information.

Brindle said that while people generally know to use “super complex passwords” -- containing numbers, special characters and even nonsensical, difficult-to-guess phrases -- few of them use diverse passwords for different accounts.

And if keeping track of and remembering multiple, symbol-laden passwords for each account is too onerous, experts recommend turning to a password manager such as LastPass. Password managers create a unique password for each account and then store those passwords in a database protected by a master password -- the only password you need to remember.

Turn on two-factor authentication

No matter how you store your passwords, experts recommend using an additional layer of protection known as two-factor authentication.

If you’ve never heard of it, you’re not alone. Thirty per cent of Canadians do not use it and 20 per cent of Canadians don’t know what it is, according to the Google Consumer Survey.

Two-factor authentication works by using a second step -- often a one-time code sent to your mobile device via text message or through an authenticator app -- that you must enter after your password in order to be logged in.

Brindle also recommends using a physical key-shaped fob, such as the YubiKey, that plugs into your devices and also helps authenticate your identity.

“These little fobs cost $15 and they’re well worth it if you care about your security,” he said.

Watch out for spear phishing attempts

Spear phishing schemes have replaced malware attacks as the biggest risks for internet users, according to a Safe Browsing Transparency Report from Google.

The attacks are rooted in “social engineering,” Brindle said, allowing cybercriminals to attack users by using an official-looking email that includes personally meaningful information and appears to be from a person or business with whom the target is familiar.

The email contains malicious attachments, such as Word documents or PDFs, or links that trick users into typing in their usernames and passwords.

Brindle said that setting up a recovery phone number or email address with each account can help you regain access to those services if they are breached by hackers.

Last month, Jigsaw, a subsidiary of Google’s parent company Alphabet, created a quiz to see if you can tell a benevolent email from a phishing attempt.