An In-Depth Guide to Personal Cybersecurity

A guided tour inside my digital security practices

Nick Rosener
Jul 9, 2017

I spent a day this week on an annual overhaul of my digital security. Several friends and colleagues were interested in a guide to doing the same, so I thought I would write one up and share it with all of you: my closest internet friends.

Everyone’s Getting Hacked

Brands are getting hacked.

Media organizations are getting hacked.

Tech companies are getting hacked.

“Dating” websites are getting hacked.

Small companies are getting hacked.

Critical infrastructure is getting hacked.

National political parties are getting hacked.

Elections are getting hacked.

Everybody and their grandmother is getting hacked these days.


It’s no wonder online security breaches are becoming so prolific. Digital is pervading every corner of our lives, yet most people are terrible about security. In a 2016 Pew Research survey on cybersecurity, a substantial majority of online adults were able to correctly answer just two of the thirteen questions.

Let’s do something about that, by beefing up our own personal digital security.

The Guide

Over the past 5 years or so, I’ve made it a habit to do an annual overhaul of my personal digital security. Each year, I review all of my online life for security threats, and commit to improving every year. These are the practices that I use as a result of that effort.

This guide isn’t going to cover things that I would consider to be “the basics,” or practices that are typically covered in “top 10 lists of best practices” for general audiences. I have, however, included a few here for reference:

In general, I attempt to address three core questions:

  1. What data is available about me, and where is it stored?
  2. What are the risks that I’m going to guard against (i.e. what is my Threat Model)?
  3. What are the impacts to my privacy?

What We’re Covering: Passwords, social, mobile, email & cloud, and “the rest”

Some Ground Rules and Assumptions

  • Everyone’s at a different place when it comes to security; start where you are.
  • Personally, I’ve found a commitment to improving my security once every year to be a helpful practice.
  • What I’m sharing below is a security practice I’ve honed over the past 5 years or so. Doing this yourself may take time, but doing anything on this list will help.
  • I’m focusing mostly on devices I own and platforms I use personally. Feel free to add questions about platforms you’re interested in to the comments, and I may update the article.
  • Security decisions (sometimes) are a tradeoff with convenience. Your security / convenience preference may be different than mine, and that’s okay. The important thing is to make that choice consciously.
  • Not all of my practices are unassailably perfect, but they are just that: my security practices. They’re what I’m comfortable with at the moment.
  • There are times where I mention particular cybersecurity risks. Keep in mind these are not exhaustive: it’s definitely not possible to cover all possible risks in this article.
  • This is not an exhaustive list, and I’m not an attorney (talk to one if that’s important to you).

Let’s begin.

1. Passwords: Lock down your logins

Let’s face it, people are terrible at passwords. We use passwords that are easy to guess, we re-use them across sites, and we keep all sorts of terrible password practices.

Given how much sensitive information of ours is kept in our online accounts, the first thing you can do to beef up your security is to secure the way you log in online.

The risk: You use a password at a mom-and-pop website to create an account. That website gets hacked, and it turns out the company stored your password in plain text in their database. If you re-use that password for another sensitive account (bank, social media, email, etc.), an attacker can use it to access your other accounts.

My Password Practices

In general, I follow these rules when it comes to passwords:

  • Use a unique, random password consisting of 16+ characters for each account.
  • Include uppercase, lowercase, numbers, and special characters.
  • Manage the passwords with a cloud password manager such as LastPass, OnePass, or others (I use LastPass).
  • Change all the passwords at least once per year.
  • Implement 2-factor authentication (2FA) for all sites that offer it. 2FA adds an extra level of security, often requiring an SMS message or code from your phone when someone tries to log in from an unknown device.

Get a Handle on All Your Accounts

The first thing to do when securing your logins is to get a comprehensive list of all the places you have online accounts. This can be daunting: the list can run to 100+ accounts, but this is the true scale of our online profile.

The risk: An online service account you no longer use has an old, insecure password and stores sensitive data. This account may also belong to a website that has poor security practices, and is vulnerable to hacking (especially if you’re not using it anymore).

Places to look to get a list of all the places where you have passwords to secure:

  1. Your phone: every app you have probably has a login. Write it down.
  2. Your email: many of the places that email you have accounts.
  3. Chrome saved passwords: Google Chrome can give you a readout of the saved passwords it has for you.

Don’t Forget to Check the Following:

Adobe, Airlines (Delta, United, JetBlue, etc.), Apple, Banks / Credit Unions (Chase, Bank of America, etc.), Craigslist, Dropbox, eBay, eCommerce Stores, Eventbrite, Facebook, Github, Google, Groupon, Healthcare (Cigna, ZocDoc, etc.), Heroku, Hotel Loyalty (Hilton, SPG, etc.), Imgur, Internet Providers (GoDaddy, CloudFlare, etc.), Intuit, Kickstarter, LinkedIn, Lyft, Mailchimp, Meetup, Mint, Mobile Phone (Verizon, T-mobile, etc.), Netflix, Online Training Providers (Udacity, etc.), PayPal, Publications (WSJ, NYT, etc.), Reddit, Slack, Spotify, Square, Starbucks, Student Loans, Tableau, Tax Services (TurboTax, TaxAct, etc.), Ticketmaster, Trello, Tumblr, Twilio, Twitter, Uber, University Email, UPS, Vimeo, Yahoo…

If You Haven’t Been Using a Password Manager

  • I highly recommend migrating all your passwords to one, and systematically going through to change every password to a unique random one.
  • Every new account you create can also have a unique random password tracked by the system.

If You Have One Already, Do the Following Every Year

  • Change the LastPass master password.
  • Change the password on every account in your password manager.
  • Implement 2-factor authentication, if available. I’m a fan of Authy for any 2FA that uses an authenticator app (because it backs up the codes, which is useful if you switch phones).
  • Check that any back-up codes you have for 2FA are up to date. Print, and store in a safe place. You’ll need these to get access to your account if you ever can’t access your 2FA device.
  • If the site allows, log out of all open sessions on all devices. This will force you to log in again, but will disable any unauthorized open sessions you may have missed.
  • Remove any unnecessary data in your account (see Data Retention Policy below).
  • If you no longer use the account, have the account deactivated or deleted.
  • Review the connected devices to your account, and remove any devices that you no longer use.
  • Log out, and make sure that you can log back in successfully with the new credentials.
  • Remove any duplicates of the password in your password manager, to make it clear which one to use.
  • If the site offers third-party access to the account, check the list of sites that have authorized access. Revoke any access that isn’t needed. For example, I had authorized over 50 sites to access my Twitter profile — many of which were not needed.
  • In general, take note of the data that is stored in the account. If the account were to be hacked, how bad would it be?

Once you’re done, run a security challenge through your password manager. This will tell you:

  • If any of your accounts re-use the same password.
  • If any have been involved in a known compromise (i.e., the server of the company got hacked).
  • If any of the passwords are old.
  • If any of the passwords are insecure (too short, etc.).
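
The password rules above and the checks a security challenge reports can both be reproduced offline. The following is an added example, not code from the original article or from any password manager; the CSV column names (`name`, `password`, `last_changed`), the sample rows and the audit date are constructed assumptions, and the known-compromise check is left out because it needs an online lookup.

```python
import csv
import io
import secrets
import string
from collections import defaultdict
from datetime import date

MIN_LENGTH = 16      # the guide's "16+ characters" rule
MAX_AGE_DAYS = 365   # the guide's "change at least once per year" rule
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed sample export (assumed column names, made-up accounts).
SAMPLE_EXPORT = """name,password,last_changed
bank.example,Tr0ub4dor&3,2015-03-02
forum.example,Tr0ub4dor&3,2017-01-15
mail.example,q7#Vz!pL2m@Xc9$RtW4e,2017-06-30
shop.example,kX9$wPq2!LmZ7&vRt5Yb,2016-05-01
"""
SAMPLE_TODAY = date(2017, 7, 9)  # constructed audit date


def weaknesses(password):
    """Return the rules a password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    return problems


def generate_password(length=20):
    """Random password containing every character class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    while True:
        # secrets draws from the OS CSPRNG; retry until all classes appear.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(candidate):
            return candidate


def audit(csv_text, today):
    """Map each account to its findings: weak, reused, or stale password."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    accounts_by_password = defaultdict(list)
    for row in rows:
        accounts_by_password[row["password"]].append(row["name"])

    findings = {}
    for row in rows:
        issues = weaknesses(row["password"])
        shared = [n for n in accounts_by_password[row["password"]]
                  if n != row["name"]]
        if shared:
            issues.append("reused with " + ", ".join(sorted(shared)))
        age = (today - date.fromisoformat(row["last_changed"])).days
        if age > MAX_AGE_DAYS:
            issues.append(f"unchanged for {age} days")
        if issues:
            findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit(SAMPLE_EXPORT, SAMPLE_TODAY).items():
        print(f"{account}: {'; '.join(issues)}")
    print("replacement:", generate_password())
```

An export like this holds every password in plain text, so delete the file as soon as the audit is finished.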

2. Mobile: Secure your phone

Most people don’t consider just how much personal data is sitting in their pocket, which can potentially be compromised. In this section, I go over several common topics that come into play when securing an iPhone (though many of these topics have similar processes for Android and other operating systems).

Passcode

  • Turn on your passcode (if you haven’t already) and add a secure password of 6+ characters. Don’t use a repeating code like 111111 or simple incremental code like 123456.
  • Require the passcode immediately, to minimize the amount of time the phone is unlocked after use.
  • Set the phone to erase after 10 failed passcode attempts are made. iPhones are set with full disk encryption by default, so these protections go a long way to safeguard your data.

TouchID

Many in the security community point out that using TouchID (using your thumbprint to log in) is a bad idea for several reasons:

  • A thumbprint can be compelled by law enforcement as a search in the United States, whereas a passcode is protected by Fifth Amendment self-incrimination protections. If you’re an activist or concerned about US law enforcement search of your phone, disabling TouchID (or turning off your phone when concerned) are potential mitigations.
  • Thumbprints can also be taken while you’re sleeping or otherwise incapacitated, where passcodes cannot.

This is an area where convenience conflicts with security: each person should make an informed choice on what they’re comfortable with.

Location Services

Location services are the systems on your phone which provide GPS location access to the apps on your phone. We often don’t consider the different ways that applications use our location data, but if unchecked, this can leak more information than we intend to tech companies who track our location, or through social media posts that attach location information to what we share.

The risk: Your location data can leak your home or work address.

Another risk: Publicly shared location can signal to potential thieves that your home is unoccupied.

Yet another risk: Publicly sharing your location in real-time can signal people to come meet you in public venues when you don’t intend.

  1. Some people like to turn location services off. If you prefer not to turn off location services entirely, make an active choice as to what situations are warranted.
  2. Note that most photos you take are geotagged by default. Some like to have their photos geotagged when they take them as a way of documenting the location of the photo. But be aware that this information is embedded into the metadata of photos and can be published by the applications that use the photos (e.g., social media sites).
  3. Manage which applications should have access to your location, and when. Go to Settings -> Privacy -> Location Services to see which apps have location services enabled. It’s very rare that apps really need the “Always” setting, and most can do fine with “While you’re using the app.”
    There are a ton of settings in here you can personalize to your liking to balance the convenience / privacy of your phone.
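
To see what a geotag looks like inside a photo file, the added example below (not code from the original article) reads the GPS directory from a JPEG's Exif segment and shows that removing that segment removes the coordinates. The sample image bytes and coordinates are constructed for the demonstration, and only the Exif APP1 segment is handled.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS directory


def _segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"


def _read_ifd(tiff, offset, order):
    """Parse one TIFF directory into {tag: raw 4-byte value field}."""
    (count,) = struct.unpack_from(order + "H", tiff, offset)
    entries = {}
    for i in range(count):
        (tag,) = struct.unpack_from(order + "H", tiff, offset + 2 + 12 * i)
        entries[tag] = tiff[offset + 10 + 12 * i:offset + 14 + 12 * i]
    return entries


def _degrees(tiff, value_field, order):
    """Decode three RATIONALs (degrees, minutes, seconds) to decimal degrees."""
    (offset,) = struct.unpack(order + "I", value_field)
    n = struct.unpack_from(order + "6I", tiff, offset)
    deg, minutes, sec = (n[i] / n[i + 1] if n[i + 1] else 0.0 for i in (0, 2, 4))
    return deg + minutes / 60 + sec / 3600


def gps_position(jpeg):
    """Return (lat, lon) in decimal degrees if the photo is geotagged, else None."""
    tiff = next((jpeg[s + 10:e] for m, s, e in _segments(jpeg)
                 if _is_exif(jpeg, m, s)), None)
    if tiff is None:
        return None
    try:
        order = {b"II": "<", b"MM": ">"}[tiff[:2]]
        magic, ifd0_offset = struct.unpack_from(order + "HI", tiff, 2)
        ifd0 = _read_ifd(tiff, ifd0_offset, order)
        if magic != 42 or GPS_IFD_POINTER not in ifd0:
            return None
        (gps_offset,) = struct.unpack(order + "I", ifd0[GPS_IFD_POINTER])
        gps = _read_ifd(tiff, gps_offset, order)
        if not all(tag in gps for tag in (1, 2, 3, 4)):
            return None
        lat = _degrees(tiff, gps[2], order)
        lon = _degrees(tiff, gps[4], order)
    except (KeyError, struct.error):
        raise ValueError("malformed Exif data") from None
    # Tags 1 and 3 hold the hemisphere letters (N/S and E/W).
    return (-lat if gps[1][:1] == b"S" else lat,
            -lon if gps[3][:1] == b"W" else lon)


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out, keep_from = bytearray(), 0
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            out += jpeg[keep_from:start]
            keep_from = end
    return bytes(out + jpeg[keep_from:])


def build_sample_jpeg(geotagged):
    """Constructed input: a JPEG header with an Exif segment and no pixels."""
    def entry(tag, typ, count, value):
        return struct.pack("<HHI4s", tag, typ, count, value)

    def dms(d, m, s):
        return struct.pack("<6I", d, 1, m, 1, s, 1)

    header = b"II" + struct.pack("<HI", 42, 8)          # IFD0 starts at offset 8
    if geotagged:
        ifd0 = (struct.pack("<H", 1)
                + entry(GPS_IFD_POINTER, 4, 1, struct.pack("<I", 26)) + b"\0" * 4)
        gps = (struct.pack("<H", 4)
               + entry(1, 2, 2, b"N\0") + entry(2, 5, 3, struct.pack("<I", 80))
               + entry(3, 2, 2, b"W\0") + entry(4, 5, 3, struct.pack("<I", 104))
               + b"\0" * 4)
        tiff = header + ifd0 + gps + dms(10, 30, 0) + dms(20, 15, 0)
    else:
        # Only an Orientation tag, no GPS pointer.
        tiff = (header + struct.pack("<H", 1)
                + entry(0x0112, 3, 1, struct.pack("<H", 1)) + b"\0" * 4)
    body = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg(geotagged=True)
    print("before:", gps_position(photo))
    print("after: ", gps_position(strip_exif(photo)))
```

Stripping the whole Exif segment also discards the camera model, timestamps and orientation, which is usually what you want before posting a photo publicly.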

Access to Contacts

Go to Settings -> Privacy -> Contacts to see which apps can access your contacts. For me, this was way more than I wanted. I removed most of them. Not so much a security concern as a privacy concern, but it’s personal preference.

The risk: You start a social media account which you aren’t ready to publicly broadcast, but your social media profile is attached to your contact list, and the social network sends out a notification as soon as you set up the account to all other people who you know on the network.

Another risk: The social media site who stores your contacts gets hacked, and your contact list becomes public.

Limit Ad Tracking

This is more of a privacy-related setting than security-related, but you can tweak the default ad tracking settings by going to Settings -> Privacy -> Advertising -> Limit Ad Tracking (Turn on).

Data Accessible Outside Lock Screen

Check out what data is available when your phone is locked, and make sure you’re comfortable with it.

  • Several functions on the phone (calendar, directions, etc) are made available outside the lock screen through iOS’ “Control Center.” To turn off outside access altogether go to Settings -> Control Center -> Access on Lock Screen (turn off).
  • Just take a moment to decide if you’re okay with your text messages and emails showing in notifications outside your lock screen. For me, I made the decision that I didn’t like this, and disabled message content showing outside the lock screen by going to Settings -> Notifications -> Messages -> Show on Lock Screen (turn off).
  • Go through each app and check if you’re comfortable showing the data from that app outside the lock screen. This can be changed from the app’s entry in Settings -> Notifications.

iMessage on Laptop and Desktop

I’ve found that using the iMessage apps on desktop and laptop leaks more personal info than I feel comfortable with. For example, iMessages have shown up on my computer’s notifications when not logged in, and my personal messages have come up on my computer during business presentations (unless I explicitly turn it off). I opted to log out of iMessage altogether on devices other than my phone.

Calls on Other Devices

There’s a feature on iOS that allows you to ring multiple devices when your phone rings. For example, ringing your MacBook when your phone rings. I’m not personally very comfortable with this (it’s made it more obvious that I’m getting a phone call in business settings), so I disabled this at Settings -> Phone -> Calls on Other Devices.

Explore In-App Security

Many apps allow the option to add passcodes or TouchID inside the app. Imagine a situation where you give your phone to someone (like a curious 10-year-old nephew who wants to play a game) — is there any app you wouldn’t want that person to access?

iMessage Retention Policy

One of the main concepts in digital security is about not just preventing a breach, but minimizing the amount of data that is available in the event of a breach. In the case of iMessage, most people set their phones on the default of keeping their messages forever, but this offers a huge trove of potential data to an attacker that might access this data.

You can set your phone to delete messages after a certain amount of time — I’ve set mine to delete messages after 30 days, in Settings -> Messages -> Keep Messages (set to 30 days).

Personally, when I audited my messages, I was surprised at how much sensitive information I had sitting there. Setting the retention policy helps to keep this kind of information from persisting.

3. Social: Understand what you’re sharing

I probably don’t have to tell you how prevalent social media is in our lives. According to Pew Research, 69% of all US adults use at least one social media site. It’s everywhere.

Because social media use is so pervasive, most people I know are rather lax about the risks it can present. The social pressure to participate is strong.

In my eyes, it’s possible to marry participation with security if you educate yourself about the risks. Below, I outline several common risks to using social media in general, as well as several tips for how to configure your privacy and security regimen for each platform.

Common Risks

  • Essentially assume that everything you post has the potential to become public. Such is the nature of the internet: nothing can be taken back once it’s posted.
  • Know that it’s very easy for people to take comments out of context online. Couple that with the fact that text doesn’t often convey emotional subtext, and you can have a recipe for regret if you aren’t careful. Think before you post.
  • Analyze your online presence from the perspective of prospective employers or clients.
  • Most social networks have privacy controls to allow you to control who can view what types of content. Spend some time on each network to set the privacy settings to what you’re comfortable with.
  • Spam accounts are sometimes very convincing. Once people are in your network, they are often connected to you in numerous ways. Everyone has their own preference level for connecting with people who they don’t know personally, but make sure you’re making that choice consciously.
  • Social media profiles are fertile sources of personal information that attackers can use to hack other accounts, in social engineering scams, or for other purposes. When sharing, consider how what you’re sharing could be used against you.
  • Social media can inadvertently be a source of a client confidentiality breach for your work. If your work requires you to maintain confidentiality, remain vigilant that your posts on personal social media sites don’t jeopardize that.

Facebook

  • Use the same password practices mentioned above when dealing with Facebook (and all the social networks in this section). You can find this on Facebook under Settings -> Security and Login.
  • Essentially every settings page in Facebook is worth reviewing to ensure it meets your privacy expectations. I’ll mention my opinions on a few specific items here.
  • Personally, I’ve restricted my posts to be viewed only by friends. If you do the same, consider restricting your past posts to the same privacy group with the “Limit Past Posts” option.
  • Check the business pages you have access to. If you still have access to pages you are not currently involved with, remove yourself from the admin access to remove yourself as a potential source of security breach for the page.

LinkedIn

  • Review the third-party apps that are authorized to access your LinkedIn account. Remove the ones that are no longer needed.
  • Check your public profile, and customize what people can view about you if you aren’t connected.
  • Decide if you want your contacts to be able to be viewed by the public, people in your network, or only you. I’ve restricted contacts to only be able to be viewed by me, to reduce people using my network for sales and marketing purposes.
  • FYI, 2-step verification on LinkedIn is buried at the bottom of the Privacy section for some reason. I almost missed it.

Twitter

  • Decide if you want your tweets to be protected or open to the public. I’m a marketer at heart, so I keep my posts open to the public (but I treat it that way always).
  • Pay special attention if you’re making a previously-closed account public. You may not have been so careful with your past posts if you expected them to be private.
  • The “Settings and Privacy” section of Twitter is worth spending some time in.
  • Location information in tweets is a source of several security concerns. In Settings -> Privacy and Safety, you can remove location information from your tweets, and delete it from past tweets. I also turned off location services in the app (through my phone’s settings).

Snapchat

  • Despite the fact that Snapchat used to bill itself as a “disappearing photos” application, it keeps all the photos that are sent through the service. From a design perspective, it appears that the photos disappear off the recipient’s screen after a certain amount of time — this reinforces a false sense of security that the photos “disappear” after they’re sent and opened.
  • In fact, the FTC settled charges with the company in 2014 on the basis that it “deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure.”
  • Any organization can be hacked, so think through the possibility that all the “disappearing” photos we have collectively sent as Snapchat users could one day be released through a security breach.

On Anonymous Accounts

Some people create accounts for social media profiles that they want to be anonymous. Pay special attention to these accounts, because the platforms make it very difficult to remain anonymous.

The risk: Your email is linked to your public profile, and the platform uses this in recommender algorithms to suggest your real friends.

Another risk: You use the application on your phone which uploads your contact information, inviting your contacts to connect with your “anonymous” account.

Yet another risk: The geolocation embedded in your posts, combined with other subtle cues, allows people to identify you.

The practicalities of remaining anonymous in social media accounts are beyond the scope of this guide, but suffice it to say that it is very difficult.

Search Yourself

A cybersecurity audit isn’t complete without searching yourself to see what public information is available about you. There are two broad categories of information available to people searching for you: information you put out about yourself (through social media, your website, etc.) and information put out about you by third parties (news articles, data brokers, etc.).

It’s a good practice to do a “background check” on yourself to see what you find. A couple of places to try:

  1. Google
  2. Bing
  3. Pipl
  4. Spokeo

  • Make sure there isn’t any information about you that is out of date. If so, attempt to remove it. If the information comes from an out of date social media site you control, you can attempt to remove the information or lock down the privacy settings.
  • Audit the information from the perspective of a hacker. Is there any information about you that could aid in an attack on your personal information?

Lastly, consider how the information you find about yourself could be used in a social engineering attack against you. The data you share here could be used to gain access to your accounts. For example, if you use your dog’s name as a recovery password, and post your dog’s name publicly, it could be used to guess a password.

4. Email & Cloud: Decide what data to keep

In the words of Andy Chen, “email is like a postcard.” Despite the imagery portrayed of emails being like a sealed envelope, unencrypted emails are often sent through multiple servers in plain text on their way to their destination.

Once they get there, a pile of tens of thousands of emails can be a treasure trove of personal information to hackers.

In this section, we explore some of the security practices around securing the data we keep in email and the cloud.

Most of the security practices mentioned in the above sections are focused on preventing security breaches of your data. When it comes to email and cloud, these practices are especially important. If you haven’t already, make sure that you’ve hardened the logins for all your email and cloud file storage systems using the steps in Section 1 above.

It’s not enough to assume that we’ll be perfect when it comes to preventing security breaches. The next level of security considers how to minimize the amount of data that would be compromised if your data were to be breached.

This is where a “Data Retention Policy” comes in.

The main idea in a data retention policy is to switch from a mindset of “do I need to keep this?” to a mindset of “why am I not destroying this?”

The risk: Nearly any piece of personal data accessed by an attacker in a breach can be used to access other areas of your personal life, be used to gain access to other accounts, or be used in a social engineering attack. It can contribute to identity theft, be used to damage your reputation, be used as blackmail material, be released to the public directly, or be sold to third parties.

This way, if your data is ever breached, the amount of data that is compromised will be much less than if you had emails going back several years.

An Overview of My Data Retention Policy

  • I will only keep emails in my main email accounts for a period of 1 year.
  • Emails older than this will be deleted.
  • Emails in any accounts that I no longer actively use will be deleted entirely.
  • Any email I deem important for more than 1 year will get stored outside email for a particular reason. This includes legal contracts, documents, regulatory things (taxes, employee filings, etc.), software license keys, and a few others.
  • I’ll actively delete any sensitive information I send or receive (SSN, credit card numbers, passwords, etc).

Important: People working in certain industries may be prohibited from doing this for legal compliance reasons. You may want to check with an attorney if you’re doing this for other than personal email.

How to Do This in GSuite (Google’s Paid Email Solution)

  • Control email and chat message storage (Google Support).
  • Specifically, follow the instructions to implement the “email and chat auto-deletion” function.
  • I’ve added an exception to this rule: any emails that I put in a label called “retain” are excluded from deletion.

How to Do This in Gmail

Apply the Same Concept to Other Cloud Data

Once you’ve implemented a data retention policy for the data kept in email, apply the same idea to all the places your data is stored in the cloud.

  • Consider other Google Services, like Google Drive, Calendar, Contacts.
  • Consider cloud file storage platforms like Dropbox, Box, OneDrive and others.

A personal anecdote:

When I first began doing this audit for myself, I was shocked to find how much more sensitive information was stored in insecure places than I thought. As I was reviewing my files, I found old client passwords, credit card numbers, employee personal information and more in places I didn’t expect them. This was shocking for me, since I had thought I was keeping a strict security practice in my company while I was running it.

It was definitely an eye-opening experience, and made me realize how easy it is to leave sensitive data unguarded.

Backup and On-Disk Data Retention

It’s a good practice to make sure that you would easily survive any of your devices being stolen or lost — not just things in the cloud. This entails two major areas:

  • Make sure your devices are backed up, such that they could be stolen at any time and you wouldn’t lose any data.
  • Assume that, once stolen, attackers would be able to access any data on your device. Is all the data you keep necessary?

Browsing History

The browsing history and cookies in your browser can sometimes be a security risk. It’s a good practice to clear these regularly. To do this:

  • In Chrome: History -> History -> Clear Browsing Data
  • In Safari Mobile: Settings -> Safari -> Clear History and Website Data

Old Accounts

  • Go into any old accounts you used to have and do your best to remove your data from their servers. For example, I transitioned from using Evernote to Bear Writer this year, and hadn’t used Evernote in several months. However, I forgot to remove all the 1034 notes I had in Evernote from their system.
  • Watch out for trash: I thought I had deleted an additional 1000+ notes, but found them sitting in the trash on my account.

5. The Rest: “High-risk types” and special cases

Not everyone has the same level of digital security threats as others do. The advice above is what I would consider appropriate for general internet users to follow.

However, there are some situations which can expose people to increased threats that aren’t typical to members of the general public.

Tailoring Your Personal Threat Model

In cybersecurity, “Threat Model” is a term used to represent the different types of attacks you want to consider when assessing security risk.

For this guide, I’m breaking down “personal threat models” into common archetypes of increased risk. While not perfect, considering the following special cases that present higher risk can help you plan for specific types of threats that may not be present for the general public.

Small Business Owners

The risk: Your laptop is stolen, and you didn’t yet have a chance to implement full-disk encryption on your drive. You run a social media agency, and the attacker finds a database of client financial information and web account logins on your computer. Now, not only is your own personal information subject to compromise, but so too is your clients’.

If you run a small business, most of the above applies to you, but the risk is significantly higher. Not only do you have your data to protect, but you may have:

  • Your client’s data
  • Your company’s financials
  • Your client’s financials
  • Credit card info
  • Your company’s social media accounts
  • Client website credentials and domain name access
  • Any client credentials you might manage

Housing this data opens you up to additional liability and reputational damage if it is compromised through you or anyone on your team. I definitely recommend implementing the security procedures mentioned above (and more, where appropriate) to safeguard the data.

Web Developers (Especially eCommerce Developers)

The risk: Your website (or a client’s website) gets hacked. The compromised website is used to spread malware to visitors, promote advertising for unsavory products, and the site is blacklisted by Google and Chrome until the hack is mitigated.

Having a website exposes your servers to the full hacking power of the global internet. Hardening a website to resist attackers is beyond the scope of this guide, but it’s worth researching / following up on if you haven’t considered it recently. At the very least, make sure your site’s data is backed up and its software is up to date.

Another risk: Your eCommerce site gets hacked and isn’t properly secured, exposing private financial information of customers to attackers.

Taking credit cards over the internet can put developers and business owners at huge additional liability in case of a breach. My recommendation is to attempt to have another organization handle the credit card transactions so customer financial info never touches your servers.

If you must house the data on your servers, make sure you’re following PCI compliance guidelines, and consider insurance to cover data breaches.

Employees of Large Organizations

If you work for a large organization (especially one that’s well-known), it’s very likely that you have access to all kinds of juicy data that hackers or competitors would love to get their hands on.

Corporate InfoSec is outside the scope of this article, but I will offer three general guidelines:

  • Whenever possible, keep your personal and corporate data separate. This will avoid having one be a source of breach for the other (plus, your company likely has access to view anything you put on corporate devices).
  • Follow your company’s InfoSec guidance to a “T.” Let the pros do what they do.
  • Some of the techniques mentioned in this guide aren’t appropriate for larger organizations because they may be subject to different regulatory and compliance guidelines. Check before you implement.

Parents of Young Children

I don’t have children myself, so this is a difficult topic for me to comment on directly, but I found a few articles on this topic to consider if you’re a parent:

Parents of Teenagers

Again, not a parent — mostly a thought experiment here.

Most teens aren’t very worried about getting hacked. Many are more worried about their parents finding out sensitive details about their personal lives than they are about data breaches. Just think about that for a second — you may be a part of your child’s personal security threat model. In my opinion, it’s a big part of the appeal of Snapchat and other similar platforms.

Teenagers are the worst.

Internet Personalities

The risk: Becoming the victim of online harassment or stalking.

  • Is there enough information in your public profile that would allow someone to identify your home address or place of work? This HuffPost article on Dealing with Online Stalkers outlines several best practices for preventing online stalking.
  • Does the content of your online postings put you at additional risk for hackers to target you?
  • If you often post content of a controversial nature, it’s possible that you could be involved in a news story that grows into a large-scale controversy. Hacking attempts and online harassment could pick up quite sharply as a result, before you have a chance to harden your website and online presence. The best practice is to harden against this in advance if it is a concern.

Activists, Public Figures

The risk: Involvement with controversial issues can raise your profile and attract increased attention from hackers and other attackers.

Other risks: If your work involves activism directed at governments, law enforcement, or other entities capable of surveillance, your online profile may be subject to increased surveillance.

Hardening your personal profile and organization against sophisticated attackers is beyond the scope of this guide, but a few items to keep in mind:

  • You may want to pay additional attention to what information can be subpoenaed by governments and law enforcement, if this is an issue.
  • If you’re going to a protest, prepare for the case that you’re arrested and searched.
  • Consider having you, and everyone in your organization, use an encrypted communication application such as Signal instead of email, SMS, or other less secure methods.
  • Is your website robust to Distributed Denial of Service (DDoS) attacks? I talked to a developer at a conference who is part of a team that runs a progressive political activism website. Every time Donald Trump mentions the organization by name, this developer spends the following days defending the site against DDoS attacks and other hacking attempts. If your work attracts this type of attention, make sure your website is robust to these attempts.

If this is you, Matt Mitchell is a great source for more info.

People Who Send Explicit Pictures

The risk: Explicit pictures could be published, used as blackmail material, or shared in other ways without your consent.

We’ve all heard about the risks of sending NSFW pictures to others. There’s more to keep in mind on this issue than the security concerns, however.

  • Yes, there are risks involved with sharing explicit photos with others. Digital media is easy to share, and it’s difficult to control what is done with a photo after you send it.
  • Snapchat and other “ephemeral” methods of sharing photos like this can be circumvented quite easily (e.g., by taking a screenshot).
  • Companies housing the data can get hacked.
  • Social media accounts are common hacking targets — if someone’s account gets hacked, the private photos sent often go with it.
  • Legal protections for explicit images shared without consent vary state-by-state. Depending on the state where you live, there may be no legal recourse available against someone who shares your images without your consent.
  • If sending images to someone you’re in a relationship with, take a moment to consider what may happen to the images if the relationship changes.
  • That being said, sharing NSFW photos of one’s self is common: a 2013 study found that 30% of 18 to 24 year olds surveyed reported having sent explicit images on their phone. Yes, it’s risky. But, it’s something people do quite frequently. As is the case with many issues surrounding sex, the best thing for people to do is to make an informed decision after considering the risks.

Side note: please have compassion for people whose private images are made public without their consent. We live in a culture that is often quicker to shame a victim of this kind of sharing than to blame the sharer of the images. Always ask for consent before sharing any images of anyone (explicit or not) in any capacity, and always ask for consent before sending photos (especially explicit ones) to others. For more info, see Amy Adele Hasinoff’s TED talk on the topic.

Think of Your Data Through the Lens of Common Attack Vectors

So far, this article has focused on a platform-centric approach to security: how to secure your cloud data, your email, your passwords, etc. Another way to approach security is by analyzing common “attack vectors” that we are often vulnerable to, in order to consider our own preparedness for these situations.

I’ve outlined several below.

Physical Access to Your Computer

The risk: Your computer is stolen, and attackers mine the data on the hard drive for personal information.

Another risk: An attacker accessing your device while it is left unlocked and unattended.

How to prepare:

  • Ensure that all users on your computer have strong passwords that are difficult to brute-force.
  • Use full-disk encryption on all of your computer’s disks. You can enable this by turning on FileVault (for Mac) or BitLocker (for Windows). Without this, attackers can boot your drive in another operating system and access all your files without your password.
  • Set your computer to lock after a short time of inactivity, and actively lock your computer whenever you leave it.

Unpatched Vulnerabilities in Software

The risk: A vulnerability in an application you use is discovered, and can be used to exploit your device, apps, computer, web browser, or data.

Always keep your software up to date on your phone, computer, and laptop.

Sniffing on Unsecured Wifi

The risk: Unless you’re on a VPN, you should essentially assume that all your browsing activity and unencrypted credentials can be read by others on the network you’re using.

  • Avoid unsecured wifi whenever possible. If you must use it, use a VPN (I use NordVPN, but there are tons that are great — just find one that doesn’t log your activity).
  • Use HTTPS whenever possible. This encrypts the data in transit between you and the server you’re communicating with. A plugin like HTTPS Everywhere can help enforce this where it’s supported.

Swiping a Flash Drive

The risk: Your flash drive gets stolen, and it has sensitive data on it.

Flash drives are a huge deal for data security. You should essentially assume that anything in a flash drive could get stolen at any time. If possible, encrypt the drive to protect the data. At the very least, only keep the minimum amount of data on the drive that you need in order to do what you need to do — and wipe it often.

Develop an “authentication protocol” for emergencies

The risk: An attacker can pose as you to contact a friend or family member while you’re traveling. The attacker can invent a fake emergency to convince people close to you to send money or other sensitive personal documents.

How to prepare:

Develop an authentication protocol to share with all your family members, and instruct them to use it whenever they receive a message from someone claiming to be you asking for money or personal documents.

The protocol should be robust to:

  • Contacting each other from an unknown channel (in a way that you don’t normally communicate).
  • Contacting each other in channels you use regularly — it can be especially difficult to be skeptical of messages sent back and forth in ways you use daily (SMS message, etc.). Talk to your close family and friends who might be targeted and set the expectation that you would both rigorously authenticate one another before sending any aid in emergencies while traveling.
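One way to meet both requirements is a challenge-response check built on a secret agreed in person, so trust never depends on the channel a message arrives on. The sketch below is an added example, not part of the original article; the secret, the function and class names, and the 8-digit code format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret. Assumption: the real one is a long random phrase
# agreed face to face and never sent over email, SMS or chat.
SHARED_SECRET = b"constructed-example-secret-agreed-in-person"


def response_code(secret: bytes, challenge: str, request: str) -> str:
    """Claimant side: derive an 8-digit code bound to the challenge AND the request text."""
    msg = challenge.encode() + b"|" + request.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


class Verifier:
    """Family member's side: issues one-time challenges and checks the answers."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()

    def challenge(self) -> str:
        # A fresh random value per request, so an answer overheard earlier
        # on a compromised channel is useless for the next request.
        value = secrets.token_hex(8)
        self._pending.add(value)
        return value

    def check(self, challenge: str, request: str, code: str) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already-used challenge: treat as a replay
        self._pending.discard(challenge)  # each challenge is single use
        expected = response_code(self._secret, challenge, request)
        # Constant-time comparison avoids leaking how many digits matched.
        return hmac.compare_digest(expected.encode(), code.encode())


if __name__ == "__main__":
    verifier = Verifier(SHARED_SECRET)
    request = "wire 500 USD to the hotel"   # constructed sample request
    c = verifier.challenge()                 # sent to whoever claims to be you
    code = response_code(SHARED_SECRET, c, request)
    print("genuine request accepted:", verifier.check(c, request, code))
    print("same answer replayed:   ", verifier.check(c, request, code))
```

Because the code covers the request text as well as the challenge, an answer issued for one request cannot be reused to authorize a different amount or recipient.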

What are your personal digital security practices?

If you have a practice that I missed, leave it in a comment below.

Nick Rosener

Data Scientist. Views are my own. Pronouns: He / Him.