editione1.0.0
Updated October 9, 2023🚀 As explained by Erica
On your list of things to protect, you likely have a mobile device that operates like a multi-tool. It has access to your accounts in the same way you access them on your laptop, it is connected to your multiple communication tools, it can even pay for things like a digital credit card using NFC. Aside from your mobile Swiss Army knife, you also have a laptop where you perform most, if not all, of your personal and business functions.
important Protecting these devices is critical. At a minimum, you should perform these steps:
Lock your screen. Set up a screen lock and a long, unique PIN or passcode you don’t share with others.
Set up automatic updates. Enable automatic operating system, app, and software updates.
Be picky about apps. Consider which apps and software you want on each device.
Plan for lost devices. Enable the “find my device” feature.
Enable automatic cloud backups. Configure automated backups for your device to a cloud account.
Properly dispose of old devices. Remember to log out and clean up devices before disposing or sharing them.
At the end of the chapter, we’ll also cover some extra steps you can take, including anti-virus protection and VPNs.
The first thing to have set up is a screen lock for all your devices on your list. This includes mobile phones, laptops, and any other devices that are logged into important accounts like your personal or work emails. Screen locks can come in multiple shapes and sizes.
For mobile devices: Avoid using patterns, like connecting dots on a four-by-four dotted grid. Instead, use a PIN (personal identification number) that is at least ten digits long. You can also use a password, meaning you include alphanumeric characters, but I’m personally not a fan. I find phone screens to be too small to properly type it in using trained reflexes. Once your PIN is ten digits or longer, it would take years for a machine to be able to iterate through and crack it, whereas a four digit PIN can take as little as 15 minutes.
For laptops: Use a long and unique passphrase; I say passphrase because you will have to type this baby multiple times per day. Five random words strung together is one great technique I recommend, or a phrase that makes sense to you but isn’t easy to guess. “My name is Erica” is a bad phrase, but “Baby Yoda slurps his soup” is a pretty good one.
Biometric authentication, like fingerprints and face scanning, have started to become more popular. Even if you have these enabled, you often have to set up a PIN or password backup because they aren’t always reliable. Not all biometric authentication is perfect. In general, fingerprint authentication has been harder to bypass—and even then, only after making tons of fingerprint molds and spending a whole heck of a lot of time trying to get a match. Given the context that we started off with at the start of this part of the book, it is unlikely the person trying to get into your phone is that motivated or well researched. They might find it more worth their time to just wipe your iPhone and resell it on eBay.
When Samsung originally launched their facial recognition in 2019, they faced backlash when researchers discovered that a phone could be unlocked using a photo of the owner’s face. Before relying on facial recognition or any new biometric options aside from fingerprints, do a quick search online. Look for any biometric bypass research for your device type. Not all technology is made the same, and some use a lot more sophisticated methods for checking biometrics to avoid bypass techniques. For example, Apple also uses facial recognition, but theirs relies on more data points than Samsung’s, which makes it harder to bypass with just a photo. We are still a while away from being able to solely rely on biometrics without having some PIN or password as primary backup.
danger Sharing is caring, but not when it comes to the devices you use for your business. It is tempting to give our phones to a kid who is causing a scene in public to keep them distracted, or to a partner for their own personal use. If you also use that phone for business, then this habit needs to change. Even if you tell others to be careful, the risks are too high to gamble with when that device has inside access to the most sensitive parts of yourself and your business.
Now that we have covered who can use your devices, let’s get into how we secure them.
The software on your devices provides an opening to bad actors as well—software is made by people, and it often has mistakes or bugs that crop up that can be misused. Imagine an attacker delivers an email that looks like an invoice, sent via a macro-enabled Word document. Most likely, that document has a script that will try to take advantage of a bug that hasn’t been patched in your operating system software. Software developers release patches that contain security fixes to close these bugs, but it is up to us to actually make sure we apply them.
important Enable automatic updates within your mobile or desktop operating system. Keeping software updated means you’ll always have the latest security protections. Most operating systems now allow you to set updates to happen automatically; be sure these are switched on. Mobile phones usually do a good job of telling you when an update is available, and will even auto-update your apps when you plug it in to charge while connected to wifi. Windows, macOS, and Linux on laptops are also usually configured to automatically update, but now is the best time to double-check.
It is important to set these to automatic, because the last thing you will be thinking about when running your business is “Am I protected from that latest Windows vulnerability?” News like that might not even make it to your radar, so having automatic updates gives you that peace of mind.
You also want to make sure that your software is still supported—Apple has a history of supporting their device software longer than other competitors, but that doesn’t mean the other competitors are unsafe. The window of support is just shorter, which might force you to update to a newer device sooner than you would like. If a device no longer receives software updates, that is a sign you need to upgrade. Since this device is critical to you and your business, it has a wealth of information and access stored on it.
danger If software is no longer supported, then any weaknesses found in that software won’t be patched and the risk of losing that data is higher. The longer those weaknesses stick around, the more accessible they become and the more dangerous it is. Here is your business justification for investing in new technology!
After you have taken care of keeping what software you have downloaded up to date, it is time for a review of what software you actually have running on your device in the first place.
Before starting your business, you might have been a bit laissez-faire with the software or apps you downloaded. Now that you use those same personal devices for business, you need to be a bit pickier. That doesn’t mean you can’t download what you want, it just means the consequences of bad downloads no longer affect just you—they can also affect your business.
For example, downloading a social media app like TikTok to your mobile device before might have seemed harmless, despite the laundry list of permissions it asked for and vague terms-of-service wording. But who reads those when they are using something for personal use anyways (except me and other huge nerds)? However, if you have both business and personal contacts and data on your phone, TikTok would now be able to slurp up both.
Now is a great time to do some spring cleaning of your device software and apps, and see which ones you use and need, and which can go. Similar to how we cleaned up apps with third-party access to our email, if you are unsure if you need it or not, remove it and challenge that decision later if you find yourself needing it again. This is especially the case for any software that asks for permission to data that it really doesn’t make sense to need. When you open Apple Maps and it asks for your permission to share your location so it can give you more accurate directions, those permissions make sense. What doesn’t make sense is that Sudoku app you downloaded to kill time asking for permission to read your text messages.
storyYou may be thinking: “But what about the apps and software that everyone uses? I need to use them too to keep up to date with the latest social crazes!” I hear you, and I get it. I play a lot of video games, and some of those are mobile games I play with my online guild. The developers are questionable (to be nice about it). I still play these games, but on my older devices that are no longer logged into my accounts and that no longer have my business data on them. They have some limited data; all apps need basics like name and email, but this is information that I have already accepted is on every possible spam and scam list one can imagine. This is the perfect use for those devices that you have cleaned up and don’t use, which we will get to later.
storyWhen I was younger, my parents were terrible at keeping track of their keys. For Christmas one year, I got them one of those keychains that beeps when you misplace them and need help finding them. We set up a similar feature on their iPad a few years later, which came in handy when my parents accidentally left it at a customer’s office.
Most devices and phones nowadays have lost device features built into their operating system that can be enabled. Doing this gives you two options:
Learning where your device is, so you can go retrieve it.
Wiping the device, if you’re unable to retrieve it. This will turn your device into a concrete brick, rather than a golden brick of data.
important The important thing is turning this on now, because it can’t be turned on after the fact. With how often you move around and work on the go, you will misplace your device eventually. I admit to having to use the “find my device” feature at least three times in the last year. Usually it is just buried under a stack of books or left behind in the car (thankfully), but I am always glad I have the peace of mind of being able to track it down.
danger There is an important privacy tradeoff to note here. These features can also be misused to track your location if you constantly keep your devices on you. For example, if your iPhone rarely leaves your back pocket, someone else could use Find My iPhone to see where you are. Typically, you can access Find My services by logging into the email account that is tied to your device, like your Apple account. These types of location services can be a huge privacy risk if others have access to the account logged into your device. So while you might turn on these services to find your device that you might eventually lose, it can also be used by someone else to find you or track your movements.
We don’t explore those risks in detail in this book, as we assume that you are able to protect access to these accounts and not share them with anyone else. However, we know it’s not that simple for all business owners. There are groups that specialize in providing security advice to people with high privacy needs, such as those who need to maintain privacy and anonymity of their contacts (like an investigative journalist) or need to maintain their own privacy (like those dealing with stalkers or abusive relationships).
important You should set all your devices up to back up, automatically and daily, to a cloud-based storage account. This is important because there may come a time where your device is infected or lost, and you need to restore it back to the point before this happened. With the rise of destructive malware, like ransomware, and the fact that we are often on the move and at risk of losing devices, having a backup gives you peace of mind that you can hit “undo” on that whole bad outcome.
controversy The concept of using “cloud storage” can be concerning because it still feels new for a lot of us. There is also a fair share of bad takes and jokes from technical people about how “the cloud is just someone else’s computer.” This isn’t necessarily wrong, it just doesn’t consider the alternative—using a computer that you do own and control. This alternative takes time to learn and set it up right, and requires ongoing maintenance to make sure that the computer is kept up-to-date and secured. While I might have a hard drive at home that I use to copy important files to as a backup, I know this isn’t an option I can expect from others.
The cloud-based storage that you will end up using will be the one provided by the device manufacturer or email account tied to that device. Vendors like Apple, Samsung, Microsoft, and Google have been in the cloud storage game since before we called it “the cloud.” The original iPhone released in 2007 had an app called MobileMe, which helped users back up their devices to their MobileMe account. Before that, 2002 Mac devices could use software from Apple called .Mac, which would allow you to perform your own personal backups to their iDisk service. These services and software were the blueprints that Apple used for making iCloud in 2011. So if you feel uneasy with the term “cloud,” just remember that we have been using these services for years now, minus the cool, hip name rebranding. As long as you secure that account using the advice we have given you, you’ll be fine using cloud-based storage.
Turning on your device to automatically back up to your cloud storage account is a low effort move to make sure if you were to lose your device, or get it infected beyond repair, you can restore it to a last-known good state. Most operating systems, like macOS and Windows, allow you to easily configure these backups to be stored in cloud storage accounts, which means you don’t have to stress and do the manual gymnastics required for storing backups locally on a removable hard drive. If you prefer to not use cloud storage, a physical hard drive is still OK, it just requires more effort.
important If you have old devices that you no longer use, or have upgraded to a new one after realizing the old one is no longer supported, be sure to clean it up before passing it on to someone else or storing it away. How you clean it up will depend on how you used it before.
If you only used it to access your personal or business data via a browser or web application: You are fine to just log out and clear any data in the browsers you used. This would be the case for a device that you might have used temporarily, perhaps one you used while your main device was being repaired, or a computer in a hotel business center you used to print documents from your email.
If you used it for more than just the browser, perhaps to store copies of documents or to log into specific software or apps: A full factory reset is the best option. There will be small breadcrumbs of data that you may leave behind, and clearing them completely by doing a full reset is the best way to ensure safety.
If you are planning on selling the device to someone else: You will need to do more. A factory reset doesn’t always guarantee that no files were left behind if someone was actually looking for them. It all depends on how your device performs its factory reset. When looking to on-sell an old device that was used to carry your data, you can use a professional device wiping service that will make sure the entire hard drive is cleaned. When determining if a business that provides this service is legit or not, check if they follow the standard NIST 800–88 (or follow that standard yourself, as it has some helpful guidelines to follow depending on the device). What I do instead is purge data from old devices and keep them in my closet, which I lovingly refer to as my old technology museum. It is always good to have a device to use as a backup, or a device for others in the house to use without lending them my own.
With so many manufacturers out there, multiple media outlets talking about privacy, and geopolitical risks relating to large technology companies, it can be hard to know if the devices we use are safe.
For phones, sticking with a major provider is your best bet. This includes Apple, Google, and Samsung.
Apple is the sole manufacturer of the iPhone, the only phones with the iOS operating system, which means it is easier for them to commit to security updates for longer periods of time without having to worry about cross-compatibility across different hardware manufacturing providers (unlike Android).
Google is the main commercial sponsor and major contributor to the open-source Android operating system, and also happens to manufacture their own hardware devices (Pixel phones). Since Android is an open-source operating system, the software is freely available for other device manufacturers to use. It also means they tend to add their own changes, often in the form of ads and other unnecessary apps (also called bloatware). These changes and customizations make it harder for them to keep up to date with any Android project updates due to compatibility issues, which often means these devices are left on older, unsafe versions of the Android operating system.
Some manufacturers recognize that leaving their whole customer base vulnerable to security weaknesses is not a great look, and make promises to dedicate time and resources to keeping their devices supported. In February 2021, Samsung promised to keep their devices supported with security updates for up to four years after initial release. Google also promises to support their devices for security updates for up to five years for their latest device.
Regular security updates aren’t the only thing to consider. The large device manufacturer Xiaomi also provides promised updates, but has been caught in the middle of some challenging research and news reports in the past few years. While they successfully pushed back on the US government after they unlawfully blacklisted them, they still got caught collecting excessive amounts of data from their devices (even in incognito mode). While they did make changes in favor of privacy, they still have some ways to go to build trust for me.
confusion To be clear, there are definitely other great open-source mobile operating systems out there (like LineageOS or PureOS). As we have discussed earlier, we assume that you, the reader, have already made the trade-off between using a large tech provider and giving them control over hosting and securing things like your email and file storage. These other operating systems are often built to keep large tech providers off your device, ultimately favoring privacy over convenience and resources. I don’t recommend these to everyone because it adds friction to your life when we are trying to find solutions that seamlessly fit into how you already live.
All this talk about mobile operating systems applies to tablets too. Apple’s iPad tablet runs iPadOS, which is very similar to their iPhone operating system. Samsung’s Galaxy tablets run Android, same as their mobile phones. Google is the only odd one out that runs a different operating system (called Chrome OS, which is used in their netbooks). This makes sense as tablets are often treated and used like a mobile phone with a larger screen and detachable keyboard. You often still download software from a central app store, and are quite limited in what you can and can’t do. It is when we get to laptops, or devices that tend to have a lot more freedom and functionality, that security considerations start to change.
The National Security Agency’s Mobile Device Best Practices
ExpressVPN’s The Ultimate Guide to Mobile Security
Electronic Frontier Foundation’s (EFF) research and advocacy on mobile devices
EFF’s survelliance self-defense privacy breakdown of mobile phones
For laptops, it’s a tad more complicated. It will depend on what your business does, and if it is easier for you to operate your business on a specific operating system. There are pros and cons between picking Mac, Windows, or any flavor of Unix. So long as it allows you to configure the protection steps mentioned earlier, it will do fine. The biggest issue you may run into is operating system updates. So if you have recently dusted off an old laptop that you are using to start up your new venture, make sure it isn’t still running Windows 7 (which went end-of-support in January 2020).
The great thing about device operating systems nowadays is that they are being made with the features you need built-in, so there is no need to find, research, and download other software to perform your security for you. We will get into this concept a bit more when we talk about anti-virus software.
Free Code Camp’s operating system handbook
NYTimes Wirecutter guide to securing macOS
Microsoft’s guide to securing your Windows computer (focused on home use rather than business/enterprise use)
If you want to go an extra mile and enjoy organization, start using browser profiles, which are a browser feature that let you and others maintain separate privacy and personal settings while using the same browser. The main browsers of today, like Firefox and Chrome, all support the use of multiple profiles.
Using browser profiles is as much a usability benefit as a security benefit. They let you keep your personal and business life separated from each other digitally. Your browser history, plugins, stored passwords, and bookmarks are all stored in a separate profile. For example, if you use a not-so-safe browser plugin on one profile to watch Netflix in the UK, then that won’t put at risk any browser data stored for your business accounts in your business profile. (That is totally just a hypothetical example.) Browser profiles also tend to give you different visual cues to help you tell which one you might be in, either by having a profile picture overlap the software icon in your taskbar or by even letting you change the color backgrounds. If you’re a constant multitasker, this feature alone is a huge help.
Years ago, everyone manually installed anti-virus software (which is more accurately called anti-malware software) to detect, mitigate, and prevent malware on your computer. Now, operating systems have become advanced and contain most of the protective features we need without having to download other third-party software. This is a good thing, because half the battle of downloading something is trying to understand if it is safe.
confusion For mobile phones, you will see anti-virus software in the app stores, but you don’t need it. You should only be downloading your apps from the pre-built-in app stores like Google Play Store and Apple App Store. There are multiple checks that happen before an app can be hosted in an app store, and while it is not perfect, it covers most of your needs. (If you know what an APK file is, you should only be downloading these from the internet if you actually know what you are getting into, and if it is to a device that is essentially a throw away.)
As far as computers, people who create malware tend to make it mostly for Windows. Windows comes with built-in anti-malware features that are turned on by default using Microsoft Defender. Now is a great time to check that this is still enabled for you, along with all the other security recommendations it provides, such as signature updates and an enabled firewall.
confusion Malware for macOS used to be very rare because there wasn’t a large market share of users using Apple operating systems. This is no longer the case, and while Windows has quite a large lead on malware, macOS is far from being invulnerable. Similar to Windows though, macOS also has anti-malware protection built-in by default in the form of a firewall and their Gatekeeper feature, which checks software and files before they are run to make sure it is made by a known developer and doesn’t contain any nastiness. This is all you need, and you don’t have to go out and buy something extra. Do a quick check of your settings under “Security & Privacy” to make sure these are both still enabled.
If you are running Linux, you are kind of in the camp of macOS circa 2000. Malware writers rarely write malicious software for Linux-based operating systems, and they come pre-built with some strong security features and designs already. None of this means that you can go all willy-nilly, downloading everything off the internet. You still have to do your bit to read what you are downloading. Regardless of the type of device you have, it is good to remember not to download pirated files or software onto the same device you also use for business because of the risk these files can carry.
Large tech companies have started to recognize that they are in the best position to do something about the rising problem of security incidents affecting their customers. By providing security features as part of their standard offerings or subscriptions, they can make it easier for their customers to protect their accounts and devices. In October 2021, Apple updated their iCloud subscription offering to include some neat new security features. Customers who are already paying the few bucks a month for extra storage space are also able to opt in to two new features: a private relay when browsing in Safari (which acts like a lightweight VPN), and Hide My Email (which, as it says on the tin, hides your email when you register for a new account to protect your main account from spam and phishing). Both of these features are not new, groundbreaking techniques; however, they do make these techniques accessible to the everyday user. I think we can expect new security features like these to be the norm in the future, and I am all for it.
If you travel often, and have to rely on free internet in cafes, libraries, or hotels, investing in a VPN service is worth it. A VPN has two purposes. Many of us know it for its benefit of showing our traffic as originating from somewhere else, so you can bypass geo- or region-based filters on the internet. However, the main benefit is the secure tunnel it forms between your laptop and the VPN server.
A free, public wifi network can leak information to others on that network. When you connect to a VPN server, it will send all your traffic through a secure connection that only your device and the VPN server can see.
important Use a paid VPN service. Free VPN services are often murky on the details of how their services operate, and may put you at risk. It is possible to run your own VPN server, but that requires many technical hoops and I don’t recommend it unless you truly know what you’re doing. Instead, just pay for a service that seems trustworthy.
When looking for a VPN software, I always recommend people to the VPN comparison research and table that is maintained by the /r/VPN community on Reddit (which you can find under their subreddit’s wiki). Some of you may be using VPNs for more than just protecting yourself on a public, untrusted wifi network. This comparison can help you find the right software for you based on a rating across multiple areas like privacy, security, business practices, and pricing. Privacy Tools also does great research and provides their recommendations too.
How I manage my devices might feel closer to your reality than how I protect my email and password managers:
For my phone, I used a PIN that is over 12 numbers long. I also use biometrics as the main form of unlocking; however, my phone will always fall back to my PIN when I restart my device or if my phone thinks someone is trying to bypass their way in. For my laptop, I use a long passphrase and biometrics, and it has the same fallback.
When my family or friends need to borrow a device, I give them an old tablet or laptop that doesn’t have any of my accounts logged in. Sorry nieces, no you can’t play games on my phone. (I am not very popular at family gatherings for this reason.)
I have a spare phone I use for downloading apps that I wouldn’t trust on my main phone that is used for both business and personal use. As an avid MMORPG fan, I want to be able to enjoy these without having to do a full security audit each time there is an update.
I have a laptop that dual-boots Windows and Linux that I use for both personal and business. I have two Chrome profiles, again for personal and business use. I use all built-in operating system security features, and don’t download additional security software. I store my backups in my cloud account.
I have my hard disk encrypted (a setting provided in most operating systems) so that if the physical disk is stolen, the data stored on it can’t be accessed.
The only downloaded security software I have is my VPN. I pay for a VPN service through NordVPN, but I usually opt for a hotspot on my phone and use my mobile data rather than going through the terribly unfun process of getting kicked off cafe wifi for exceeding bandwidth.
🚀 As explained by Erica
Now it’s time to secure the rest of the accounts on your list. You will want to:
Re-save passwords and enable 2FA. Reset and save passwords into your password manager, and enable 2FA.