An In-Depth Guide to Personal Cybersecurity

A guided tour inside my digital security practices

Everyone’s Getting Hacked

Brands are getting hacked.


The Guide

Over the past 5 years or so, I’ve made it a habit to do an annual overhaul of my personal digital security. Each year, I review all of my online life for security threats, and commit to improving every year. These are the practices that I use as a result of that effort.

  1. What data is available about me, and where is it stored?
  2. What are the risks that I’m going to guard against (i.e. what is my Threat Model)?
  3. What are the impacts to my privacy?

What We’re Covering: Passwords, social, mobile, email & cloud, and “the rest”

Some Ground Rules and Assumptions

  • Everyone’s at a different place when it comes to security; start where you are.
  • Personally, I’ve found a commitment to improving my security once every year to be a helpful practice.
  • What I’m sharing below is a security practice I’ve honed over the past 5 years or so. Doing this yourself may take time, but doing anything on this list will help.
  • I’m focusing mostly on devices I own and platforms I use personally. Feel free to add questions about platforms you’re interested in to the comments, and I may update the article.
  • Security decisions (sometimes) are a tradeoff with convenience. Your security / convenience preference may be different than mine, and that’s okay. The important thing is to make that choice consciously.
  • Not all of my practices are unassailably perfect, but they are just that: my security practices. They’re what I’m comfortable with at the moment.
  • There are times where I mention particular cybersecurity risks. Keep in mind these are not exhaustive: it’s definitely not possible to cover all possible risks in this article.
  • This is not an exhaustive list, and I’m not an attorney (talk to one if that’s important to you).

1. Passwords: Lock down your logins

My Password Practices

In general, I follow these rules when it comes to passwords:

  • Use a unique, random password consisting of 16+ characters for each account.
  • Include uppercase, lowercase, numbers, and characters.
  • Manage the passwords with a cloud password manager such as LastPass, 1Password, or others (I use LastPass).
  • Change all the passwords at least once per year.
  • Implement 2-factor authentication (2FA) for all sites that offer it. 2FA adds an extra level of security, often requiring an SMS message or code from your phone when someone tries to log in from an unknown device.

Get a Handle on All Your Accounts

The first thing to do when securing your logins is to get a comprehensive list of all the places you have online accounts. This can be daunting, and the list can run to 100+, but this is the true scale of our online profile.

  1. Your phone: every app you have probably has a login. Write it down.
  2. Your email: many of the places that email you have accounts.
  3. Chrome saved passwords: Google Chrome can give you a readout of the saved passwords it has for you.

If You Haven’t Been Using a Password Manager

  • I highly recommend migrating all your passwords to one, and systematically going through to change every password to a unique random one.
  • Every new account you create can also have a unique random password tracked by the system.

If You Have One Already, Do the Following Every Year

  • Change the LastPass master password.
  • Change the password on every account in your password manager.
  • Implement 2-factor authentication, if available. I’m a fan of Authy for any 2FA that uses an authenticator app (because it backs up the codes, which is useful if you switch phones).
  • Check that any back-up codes you have for 2FA are up to date. Print, and store in a safe place. You’ll need these to get access to your account if you ever can’t access your 2FA device.
  • If the site allows, log out of all open sessions on all devices. This will force you to log in again, but will disable any unauthorized open sessions you may have missed.
  • Remove any unnecessary data in your account (see Data Retention Policy below).
  • If you no longer use the account, have the account deactivated or deleted.
  • Review the connected devices to your account, and remove any devices that you no longer use.
  • Log out, and make sure that you can log back in successfully with the new credentials.
  • Remove any duplicates of the password in your password manager, to make it clear which one to use.
  • If the site offers third-party access to the account, check the list of sites that have authorized access. Revoke any access that isn’t needed. For example, I had authorized over 50 sites to access my Twitter profile — many of which were not needed.
  • In general, take note of the data that is stored in the account. If the account were to be hacked, how bad would it be?
  • Check whether any of your accounts re-use the same password.
  • Check whether any have been involved in a known compromise (i.e., the company’s servers were hacked).
  • Check whether any of the passwords are old.
  • Check whether any of the passwords are insecure (too short, etc.).
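As an added example (not code from the original article), the script below turns the password rules at the top of this section and the yearly checks just above into something you can run: it audits a small password-manager export for reused, short, weak and stale passwords, flags sites on a caller-supplied breach list, and generates replacements that satisfy the 16+ character, four-character-class rule. The vault entries, their `last_changed` dates and the `BREACHED` set are constructed sample data; in practice you would load the CSV export of LastPass or whichever manager you use.

```python
import secrets
import string
from collections import defaultdict
from datetime import date

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def character_classes(password):
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def generate_password(length=20):
    """Random password from the OS CSPRNG containing all four character classes."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:  # rejection sampling keeps the distribution uniform over valid passwords
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if character_classes(candidate) == 4:
            return candidate


def audit_vault(entries, today, min_length=16, max_age_days=365, breached_sites=frozenset()):
    """Return {site: [findings]} for every entry that breaks one of the rules.

    Findings: 'reused' (same password on another site), 'too_short',
    'missing_classes', 'stale' (not changed within max_age_days), and
    'breached' (site appears in a caller-supplied list of known compromises).
    """
    sites_by_password = defaultdict(list)
    for entry in entries:
        sites_by_password[entry["password"]].append(entry["site"])

    findings = {}
    for entry in entries:
        site, password = entry["site"], entry["password"]
        problems = []
        if len(sites_by_password[password]) > 1:
            problems.append("reused")
        if len(password) < min_length:
            problems.append("too_short")
        if character_classes(password) < 4:
            problems.append("missing_classes")
        if (today - date.fromisoformat(entry["last_changed"])).days > max_age_days:
            problems.append("stale")
        if site in breached_sites:
            problems.append("breached")
        if problems:
            findings[site] = problems
    return findings


# Constructed sample export; none of these are real accounts or passwords.
VAULT = [
    {"site": "bank.example", "username": "me", "password": "Tr0ub4dor&3-Correct-Horse", "last_changed": "2023-11-02"},
    {"site": "shop.example", "username": "me", "password": "summer2019!", "last_changed": "2019-06-01"},
    {"site": "forum.example", "username": "me", "password": "summer2019!", "last_changed": "2022-01-15"},
    {"site": "social.example", "username": "me", "password": "Gx9#kLm2pQ7$vWn4bRt1", "last_changed": "2024-03-01"},
]
BREACHED = frozenset({"social.example"})  # constructed; a real list comes from breach notifications


def audit_sample():
    """Audit the constructed vault as of a fixed date so the result is reproducible."""
    return audit_vault(VAULT, date(2024, 6, 1), breached_sites=BREACHED)


if __name__ == "__main__":
    for site, problems in audit_sample().items():
        print(f"{site}: {', '.join(problems)} -> suggested replacement {generate_password()}")
```

The breach check is deliberately an input rather than a lookup: checking a live breach service from a script that holds your whole vault in memory is exactly the kind of exposure this section is about, so feed it the domains from your own breach notifications instead.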

2. Mobile: Secure your phone

Passcode

  • Turn on your passcode (if you haven’t already) and add a secure password of 6+ characters. Don’t use a repeating code like 111111 or simple incremental code like 123456.
  • Require the passcode immediately, to minimize the amount of time the phone is unlocked after use.
  • Set the phone to erase after 10 failed passcode attempts are made. iPhones are set with full disk encryption by default, so these protections go a long way to safeguard your data.

TouchID

Many in the security community point out that using TouchID (using your thumbprint to log in) is a bad idea for several reasons:

  • A thumbprint can be compelled by law enforcement as a search in the United States, whereas a passcode is protected by the Fifth Amendment’s protection against self-incrimination. If you’re an activist or concerned about US law enforcement searching your phone, disabling TouchID (or turning off your phone when concerned) is a potential mitigation.
  • Thumbprints can also be taken while you’re sleeping or otherwise incapacitated, whereas passcodes cannot.

Location Services

Location services are the systems on your phone which provide GPS location access to the apps on your phone. We often don’t consider the different ways that applications use our location data, but if unchecked, this can leak more information than we intend to tech companies who track our location, or through social media posts that attach location information to what we share.

  1. Some people like to turn location services off. If you prefer not to turn off location services entirely, make an active choice as to what situations are warranted.
  2. Note that most photos you take are geotagged by default. Some like to have their photos geotagged when they take them as a way of documenting the location of the photo. But, be aware that this information is embedded into the metadata of photos and can be published by the applications that use the photos (e.g., social media sites).
  3. Manage which applications should have access to your location, and when. Go to Settings -> Privacy -> Location Services to see which apps have location services enabled. It’s very rare that apps really need the “Always” setting, and most can do fine with “While you’re using the app”.
    There’s a ton of settings in here you can personalize to your liking to balance the convenience / privacy of your phone.
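To make the geotagging point concrete, here is an added example (not from the original article) that shows where that location data actually lives: in the APP1 “Exif” segment of a JPEG, which holds the GPS directory alongside camera model and timestamps. The code walks a JPEG’s marker segments, reports whether an Exif block is present, and returns a copy with it removed before the photo is shared. The `SAMPLE_JPEG` bytes are a constructed minimal file (JFIF header, an Exif segment with an empty TIFF directory, a start-of-scan header and two bytes of dummy scan data), not a real photo.

```python
import struct

# JPEG marker codes used below
SOS, APP1 = 0xDA, 0xE1
# markers that carry no length field (TEM, SOI, EOI, RST0-7)
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
EXIF_MAGIC = b"Exif\x00\x00"


def iter_header_segments(data):
    """Yield (marker, offset, raw_segment) for each header segment of a JPEG.

    Walks the marker segments after SOI and stops after the SOS segment,
    because what follows SOS is entropy-coded image data, not headers.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, pos, data[pos:pos + 2]
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length counts its own 2 bytes
        segment = data[pos:pos + 2 + length]
        yield marker, pos, segment
        pos += 2 + length
        if marker == SOS:
            return


def has_exif(data):
    """True if the JPEG carries an APP1 Exif segment (where the GPS directory lives)."""
    return any(m == APP1 and seg[4:10] == EXIF_MAGIC for m, _, seg in iter_header_segments(data))


def strip_exif(data):
    """Return a copy of the JPEG with every APP1 Exif segment removed.

    Dropping the whole Exif block removes GPS coordinates together with camera
    model, timestamps and orientation; the compressed image data is untouched.
    """
    out = bytearray(b"\xff\xd8")
    end = 2
    for marker, pos, segment in iter_header_segments(data):
        end = pos + len(segment)
        if marker == APP1 and segment[4:10] == EXIF_MAGIC:
            continue
        out += segment
    out += data[end:]  # scan data and EOI, copied verbatim
    return bytes(out)


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG, not a real photo.
EXIF_PAYLOAD = EXIF_MAGIC + b"II*\x00\x08\x00\x00\x00\x00\x00"  # little-endian TIFF header, 0 entries
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, EXIF_PAYLOAD)
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("sample has Exif:", has_exif(SAMPLE_JPEG))
    cleaned = strip_exif(SAMPLE_JPEG)
    print("after strip:", has_exif(cleaned), "bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

Two caveats worth knowing: phones can also write location into an XMP block (another APP1 segment, with a different signature), which this function leaves alone, and most social networks strip metadata on upload anyway; the risk the article describes comes from the apps and services that do not.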

Access to Contacts

Go to Settings -> Privacy -> Contacts to see which apps can access your contacts. For me, this was way more than I wanted. I removed most of them. Not so much a security concern as a privacy concern, but it’s personal preference.

Limit Ad Tracking

This is more of a privacy-related setting than security-related, but you can tweak the default ad tracking settings by going to Settings -> Privacy -> Advertising -> Limit Ad Tracking (Turn on).

Data Accessible Outside Lock Screen

Check out what data is available when your phone is unlocked, and make sure you’re comfortable with it.

  • Several functions on the phone (calendar, directions, etc) are made available outside the lock screen through iOS’ “Control Center.” To turn off outside access altogether go to Settings -> Control Center -> Access on Lock Screen (turn off).
  • Just take a moment to decide if you’re okay with your text messages and emails showing in notifications outside your lock screen. For me, I made the decision that I didn’t like this, and disabled message content showing outside the lock screen by going to Settings -> Notifications -> Messages -> Show on Lock Screen (turn off).
  • Go through each app and check if you’re comfortable showing the data from that app outside the lock screen. This can be changed from the app’s entry in Settings -> Notifications.

iMessage on Laptop and Desktop

I’ve found that the iMessage apps on desktop and laptop leak more personal info than I’m comfortable with. For example, iMessages have shown up in my computer’s notifications when I wasn’t logged in, and my personal messages have appeared on my computer during business presentations (unless I explicitly turn it off). I opted to log out of iMessage altogether on devices other than my phone.

Calls on Other Devices

There’s a feature on iOS that allows you to ring multiple devices when your phone rings. For example, ringing your MacBook when your phone rings. I’m not personally very comfortable with this (it’s made it more obvious that I’m getting a phone call in business settings), so I disabled this at Settings -> Phone -> Calls on Other Devices.

Explore In-App Security

Many apps allow the option to add passcodes or TouchID inside the app. Imagine a situation where you give your phone to someone (like a curious 10-year-old nephew who wants to play a game) — is there any app you wouldn’t want that person to access?

iMessage Retention Policy

One of the main concepts in digital security is about not just preventing a breach, but minimizing the amount of data that is available in the event of a breach. In the case of iMessage, most people set their phones on the default of keeping their messages forever, but this offers a huge trove of potential data to an attacker that might access this data.

3. Social: Understand what you’re sharing

Common Risks

  • Essentially assume that everything you post has the potential to become public. Such is the nature of the internet: nothing can be taken back once it’s posted.
  • Know that it’s very easy for people to take comments out of context online. Couple that with the fact that text doesn’t often convey emotional subtext, and you can have a recipe for regret if you aren’t careful. Think before you post.
  • Analyze your online presence from the perspective of prospective employers or clients.
  • Most social networks have privacy controls to allow you to control who can view what types of content. Spend some time on each network to set the privacy settings to what you’re comfortable with.
  • Spam accounts are sometimes very convincing. Once people are in your network, they are often connected to you in numerous ways. Everyone has their own preference level for connecting with people who they don’t know personally, but make sure you’re making that choice consciously.
  • Social media profiles are fertile sources of personal information that attackers can use to hack other accounts, use in social engineering scams, and more. When sharing, consider how what you’re sharing could be used against you.
  • Social media can inadvertently be a source of a client confidentiality breach for your work. If your work requires you to maintain confidentiality, remain vigilant that your posts on personal social media sites don’t jeopardize that.

Facebook

  • Use the same password practices mentioned above when dealing with Facebook (and all the social networks in this section). You can find this on Facebook under Settings -> Security and Login.
  • Essentially every settings page in Facebook is worth reviewing to ensure it meets your privacy expectations. I’ll mention my opinions on a few specific items here.
  • Personally, I’ve restricted my posts to be viewed only by friends. If you do the same, consider restricting your past posts to the same privacy group with the “Limit Past Posts” option.
  • Check the business pages you have access to. If you still have access to pages you are not currently involved with, remove yourself from the admin access to remove yourself as a potential source of security breach for the page.

LinkedIn

  • Review the third-party apps that are authorized to access your LinkedIn account. Remove the ones that are no longer needed.
  • Check your public profile, and customize what people can view about you if you aren’t connected.
  • Decide if you want your contacts to be able to be viewed by the public, people in your network, or only you. I’ve restricted contacts to only be able to be viewed by me, to reduce people using my network for sales and marketing purposes.
  • FYI, 2-step verification on LinkedIn is buried at the bottom of the Privacy section for some reason. I almost missed it.

Twitter

  • Decide if you want your tweets to be protected or open to the public. I’m a marketer at heart, so I keep my posts open to the public (but I treat it that way always).
  • Pay special attention if you’re making a previously-closed account public. You may not have been so careful with your past posts if you expected them to be private.
  • The “Settings and Privacy” section of Twitter is worth spending some time in.
  • Location information in tweets is a source of several security concerns. In Settings -> Privacy and Safety, you can remove location information from your tweets, and delete it from past tweets. I also turned off location services in the app (through my phone’s settings).

Snapchat

  • Despite the fact that Snapchat used to bill itself as a “disappearing photos” application, it keeps all the photos that are sent through the service. From a design perspective, it appears that the photos disappear off the recipient’s screen after a certain amount of time — this reinforces a false sense of security that the photos “disappear” after they’re sent and opened.
  • In fact, the FTC settled charges with the company in 2014 on the basis that it “deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure.”
  • Any organization can be hacked; think through the possibility that all the “disappearing” photos we have collectively sent as Snapchat users could one day be released through a security breach.

On Anonymous Accounts

Some people create accounts for social media profiles that they want to be anonymous. Pay special attention to these accounts, because the platforms make it very difficult to remain anonymous.

Search Yourself

A cybersecurity audit isn’t complete without searching yourself to see what public information is available about you. There are two broad categories of information available to people searching for you: information you put out about yourself (through social media, your website, etc.) and information put out about you by third parties (news articles, data brokers, etc.).

  • Make sure there isn’t any out-of-date information about you. If there is, attempt to remove it. If the information comes from an out-of-date social media site you control, you can attempt to remove the information or lock down the privacy settings.
  • Audit the information from the perspective of a hacker. Is there any information about you that could aid in an attack on your personal information?

4. Email & Cloud: Decide what data to keep

An Overview of My Data Retention Policy

  • I will only keep emails in my main email accounts for a period of 1 year.
  • Emails older than this will be deleted.
  • Emails in any accounts that I no longer actively use will be deleted entirely.
  • Any email I deem important for more than 1 year gets stored outside email for a particular reason. This includes legal contracts, documents, regulatory items (taxes, employee filings, etc.), software license keys, and a few others.
  • I’ll actively delete any sensitive information I send or receive (SSN, credit card numbers, passwords, etc).

How to Do This in GSuite (Google’s Paid Email Solution)

  • Control email and chat message storage (Google Support).
  • Specifically, follow the instructions to implement the “email and chat auto-deletion” function.
  • I’ve added an exception to this rule: any emails that I put in a label called “retain” are excluded from deletion.
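Here is the retention policy above expressed as a script, as an added example that is not code from the original article and is independent of GSuite’s auto-deletion feature. Given a mailbox as a list of messages with a date, labels and body, it returns which messages the policy says to delete and why: anything older than a year that is not labelled “retain”, plus anything containing an SSN, a card number or a password, which the policy deletes regardless of age (a Luhn check cuts false positives on card numbers). The `MAILBOX` messages and the audit date are constructed sample data.

```python
import re
from datetime import date

# Patterns for the kinds of sensitive content the policy says to delete.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "password": re.compile(r"\bpassword\s*[:=]", re.IGNORECASE),
}


def luhn_ok(number):
    """Luhn checksum, used to cut false positives from the card regex."""
    digits = [int(d) for d in number if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sensitive_kinds(text):
    """List the kinds of sensitive content found in a message body (each kind at most once)."""
    kinds = []
    for kind, pattern in SENSITIVE_PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "card" and not luhn_ok(match.group()):
                continue
            kinds.append(kind)
            break
    return kinds


def retention_plan(messages, today, keep_days=365, retain_label="retain"):
    """Map message id -> reasons the policy says it should go.

    'expired': older than keep_days and not carrying the retain label.
    'ssn', 'card', 'password': sensitive content, flagged regardless of age or label.
    """
    plan = {}
    for msg in messages:
        reasons = []
        age_days = (today - date.fromisoformat(msg["date"])).days
        if age_days > keep_days and retain_label not in msg["labels"]:
            reasons.append("expired")
        reasons.extend(sensitive_kinds(msg["body"]))
        if reasons:
            plan[msg["id"]] = reasons
    return plan


# Constructed sample mailbox; the numbers are test values, not real identifiers.
MAILBOX = [
    {"id": "m1", "date": "2022-03-10", "labels": [], "body": "Lunch Thursday?"},
    {"id": "m2", "date": "2021-08-01", "labels": ["retain"], "body": "Signed contract attached"},
    {"id": "m3", "date": "2024-05-20", "labels": [], "body": "Your card 4111 1111 1111 1111 has been charged"},
    {"id": "m4", "date": "2024-05-28", "labels": [], "body": "Temp password: hunter2 (change it)"},
    {"id": "m5", "date": "2023-02-01", "labels": [], "body": "SSN 123-45-6789 for the W-2"},
    {"id": "m6", "date": "2024-04-02", "labels": [], "body": "Order 1234 5678 9012 3456 shipped"},
]


def plan_sample():
    """Run the policy over the constructed mailbox as of a fixed date."""
    return retention_plan(MAILBOX, date(2024, 6, 1))


if __name__ == "__main__":
    for msg_id, reasons in plan_sample().items():
        print(msg_id, "->", ", ".join(reasons))
```

Note that the “retain” label only exempts a message from the age rule, mirroring the exception described above; a retained message that contains a card number or SSN is still flagged, because the policy deletes that content wherever it sits.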

How to Do This in Gmail

Apply the Same Concept to Other Cloud Data

Once you’ve implemented a data retention policy for the data kept in email, apply the same idea to all the places your data is stored in the cloud.

  • Consider other Google Services, like Google Drive, Calendar, Contacts.
  • Consider cloud file storage platforms like Dropbox, Box, OneDrive and others.

A personal anecdote:

When I first began doing this audit for myself, I was shocked to find how much more sensitive information was stored in insecure places than I thought. As I was reviewing my files, I found old client passwords, credit card numbers, employee personal information and more in places I didn’t expect them. This was shocking for me, since I had thought I was keeping a strict security practice in my company while I was running it.

It was definitely an eye-opening experience, and made me realize how easy it is to leave sensitive data unguarded.

Backup and On-Disk Data Retention

It’s a good practice to make sure that you would easily survive any of your devices being stolen or lost — not just things in the cloud. This entails two major areas:

  • Make sure your devices are backed up, such that they could be stolen at any time and you wouldn’t lose any data.
  • Assume that, once stolen, attackers would be able to access any data on your device. Is all the data you keep necessary?

Browsing History

The browsing history and cookies in your browser can sometimes be a security risk. It’s a good practice to clear these regularly. To do this:

  • In Chrome: History -> History -> Clear Browsing Data
  • In Safari Mobile: Settings -> Safari -> Clear History and Website Data

Old Accounts

  • Go into any old accounts you used to have and do your best to remove your data from their servers. For example, I transitioned from using Evernote to Bear Writer this year, and hadn’t used Evernote in several months. However, I forgot to remove all the 1034 notes I had in Evernote from their system.
  • Watch out for trash: I thought I had deleted an additional 1000+ notes, but found them sitting in the trash on my account.

5. The Rest: “High-risk types” and special cases

Tailoring Your Personal Threat Model

In cybersecurity, “Threat Model” is the term for the set of attacks (and attackers) you choose to consider when assessing security risk.

Small Business Owners

  • Your clients’ data
  • Your company’s financials
  • Your clients’ financials
  • Credit card info
  • Your company’s social media accounts
  • Client website credentials and domain name access
  • Any client credentials you might manage

Web Developers (Especially eCommerce Developers)

Employees of Large Organizations

If you work for a large organization (especially one that’s well-known), it’s very likely that you have access to all kinds of juicy data that hackers or competitors would love to get their hands on.

  • Whenever possible, keep your personal and corporate data separate. This will avoid having one be a source of breach for the other (plus, your company likely has access to view anything you put on corporate devices).
  • Follow your company’s InfoSec guidance to a “T.” Let the pros do what they do.
  • Some of the techniques mentioned in this guide aren’t appropriate for larger organizations because they may be subject to different regulatory and compliance guidelines. Check before you implement.

Parents of Young Children

I don’t have children myself, so this is a difficult topic for me to comment on directly, but I found a few articles on this topic to consider if you’re a parent:

Parents of Teenagers

Again, not a parent — mostly a thought experiment here.

Internet Personalities

  • Is there enough information in your public profile that would allow someone to identify your home address or place of work? This HuffPost article on Dealing with Online Stalkers outlines several best practices for preventing online stalking.
  • Does the content of your online postings put you at additional risk for hackers to target you?
  • If you often post content of a controversial nature, it’s possible that you could be involved in a news story that grows into a large-scale controversy. Hacking attempts and online harassment could pick up quite sharply as a result, before you would have a chance to harden your website and online presence. The best practice is to harden against this in advance if it is a concern.

Activists, Public Figures

  • You may want to pay additional attention to what information can be subpoenaed by governments and law enforcement, if this is an issue.
  • If you’re going to a protest, prepare for the case that you’re arrested and searched.
  • Consider having you, and everyone in your organization, use an encrypted communication application such as Signal instead of email, SMS, or other less secure methods.
  • Is your website robust to Distributed Denial of Service (DDoS) attacks? I talked to a developer at a conference who is part of a team that runs a progressive political activism website. Every time Donald Trump mentions his organization by name, he spends the following days defending his site against DDoS attacks and other hacking attempts. If your work attracts this type of attention, make sure your website is robust to these attempts.

People Who Send Explicit Pictures

  • Yes, there are risks involved with sharing explicit photos with others. Digital media is easy to share, and it’s difficult to control what is done with a photo after you send it.
  • Snapchat and other “ephemeral” methods of sharing photos like this can be circumvented quite easily (e.g., by taking a screenshot).
  • Companies housing the data can get hacked.
  • Social media accounts are common hacking targets — if someone’s account gets hacked, the private photos sent often go with it.
  • Legal protections for explicit images shared without consent vary state-by-state. Depending on the state where you live, there may be no legal recourse available to someone who shares your images without your consent.
  • If sending images to someone you’re in a relationship with, take a moment to consider what may happen to the images if the relationship changes.
  • That being said, sharing NSFW photos of one’s self is common: a 2013 study found that 30% of 18 to 24 year olds surveyed reported having sent explicit images on their phone. Yes, it’s risky. But, it’s something people do quite frequently. As is the case with many issues surrounding sex, the best thing for people to do is to make an informed decision after considering the risks.

Think of Your Data Through the Lens of Common Attack Vectors

So far, this article has focused on a platform-centric approach to security: how to secure your cloud data, your email, your passwords, etc. Another way to approach security is by analyzing common “attack vectors” that we are often vulnerable to, in order to consider our own preparedness for these situations.

Physical Access to Your Computer

  • Ensure that all users on your computer have strong passwords that are difficult to brute-force.
  • Use full-disk encryption on all of your computer’s disks. You can use this by turning on FileVault (for Mac) or BitLocker (for Windows). Without this, attackers can boot your drive in another operating system and access all your files without your password.
  • Set your computer to lock after a short period of inactivity, and actively lock your computer whenever you leave it.

Unpatched Vulnerabilities in Software

Sniffing on Unsecured Wifi

  • Avoid unsecured Wi-Fi whenever possible. If you must use it, use a VPN (I use NordVPN, but there are tons that are great — just find one that doesn’t log your activity).
  • Use HTTPS whenever possible. This encrypts the data in transit between you and the server you’re communicating with. A plugin like HTTPS Everywhere can help enforce this where it’s supported.

Swiping a Flash Drive

Develop an “authentication protocol” for emergencies

  • Contacting each other from an unknown channel (in a way that you don’t normally communicate).
  • Contacting each other in channels we use regularly — it can be especially difficult to be skeptical of messages sent back and forth in ways you use daily (SMS messages, etc.). Talk to your close family and friends who might be targeted and set the expectation that you would both rigorously authenticate one another before sending any aid in emergencies while traveling.

What are your personal digital security practices?

If you have a practice that I missed, leave it in a comment below.
