Edition e1.0.0. Updated October 31, 2022.
🚀 As explained by Erica
Before we look at protecting the digital assets of your business, we need to cover your personal digital security. Your online identity connects to your finances, your work, your family, and your relationships.
If you are a business owner, co-founder, or a key member of a small startup, your digital assets may have even more value. As the person making key business decisions, impersonating you can give a bad actor access to financial and business accounts. The financial consequences to the company are your responsibility. Even worse, poor personal security by employees often leads to new risks for the business, such as a compromised personal email account leading to compromise of a business account.
The bottom line is, you need to think about protecting your own money and assets the same way you would a business asset.
Choosing where to start may be intimidating. We’ll look at a few of the most important areas that attackers find valuable, how to protect them, and some common scenarios to consider. These areas include money, devices, identity, social profiles and online communities, and your family and their public exposure.
Important: As we walk through the chapters in this part, I suggest you create a list of your digital assets, accounts, and devices, and begin to consider how you use them. Think of common scenarios and any risks you are concerned about for each. This list needn’t be complete at first, but it can grow and become a sort of personal roadmap of things you want to ensure are secure.
Confusion: One of the biggest challenges most people face in securing their digital life is just keeping track of all of their exposure to risks in the online world. Simply being organized enough to have a single list like this will put you ahead of most people when it comes to security.
Keep your list in any format that works for you—it could be notes on your phone or laptop, or just pen and paper. Just be sure it is somewhere safe and doesn’t include anything sensitive like usernames or passwords in this list itself. It’s purely a tool for you to stay organized and prioritize your efforts.
The value of your money to an attacker is straightforward—there is literal financial value assigned to your bank accounts, credit cards, cash apps, physical cards, and cash. An attacker’s goal would be to try to funnel that money out of your account.
List the apps and accounts that you use to access things that have monetary value to you. If there are any risks you’re worried about, put them down too.
Example: To get us started, here are some common scenarios involving access to your money. Included here are risks that you may not have thought of at first—but that we’ll have to protect:
Scenario: You access your banking and credit cards mostly online.
Accounts: Your bank’s and your credit card’s online payment systems.
Risks: These accounts could be compromised or data leaked, and an attacker could transfer money.
Scenario: You use SMS messages on your phone to log into your financial accounts or to approve transfers. Your bank uses text messages and email to confirm your identity before giving access to your bank account.
Accounts: Your online account with your cell phone carrier.
Risks: Even if you have strong authentication with your bank, an attacker might trick your telephone provider into transferring your service to a different phone (with a different SIM card) and gain full access to a financial account.
Scenario: You have a few devices that you use for financial services.
Accounts: Everything you use on your phone(s), tablets, and laptops.
Risks: You access and stay logged into these accounts from a device that you let your family and friends use. You or your family may take a device to school or other public places, and they may be lost or stolen.
Scenario: You send cash to friends using cash and payment apps that are linked to your bank account or credit cards.
Accounts: PayPal, Venmo, iMessage (Apple), etc.
Risks: If your PayPal or Venmo account isn’t secured, your money isn’t safe either. Your password could be guessed, or you may lose your phone and someone could use the app to make payments from your bank account.
Scenario: You have online accounts where you manage financial assets, like retirement, investments, stock, or cryptocurrency.
Accounts: Retirement and investment accounts like Vanguard, Fidelity, Carta, and Coinbase.
Risks: Each of these accounts could get compromised and financial assets could be sold or transferred. Especially for unregulated markets like cryptocurrency, it may not be possible to get these assets back once they are gone.
Scenario: Your salary is deposited directly into your bank account. You manage your pay slips and salary data online through your business’s online HR system.
Accounts: Your company’s HR system, like Gusto or Paychex.
Risks: Each of these accounts could get compromised, which could result in your direct deposit information being changed or your personal information getting leaked. These changes can go unnoticed if the business doesn’t verify them with you in person, or if they are tricked by a phishing message. These accounts also often hold tax information that could be used for tax fraud. If you are an administrator, this risk extends to all the employees you manage.
Scenario: You have physical debit or credit cards with chips that allow you to pay effortlessly in person. You have a phone that also works for contactless payment (NFC).
Accounts: Major credit cards, Apple Pay, your smart watch.
Risks: You may forget these or they may be stolen, and you’ll need to disable them and get replacements. Multiple transactions could be made under the limit that requires a PIN.
Scenario: The passwords for all these services are in four or five different places.
Accounts: Some passwords are in Google Chrome on your laptop, some in Apple Keychain and iCloud on your phone, and a few on Post-its by your desk.
Risks: It’s hard to remember where each password is, so you’re afraid to update them. A few are not in secure locations and if the file is compromised, the consequences could be dire. Some passwords are used for multiple accounts, so if one is compromised an attacker could get into the others.
If the list of examples above looks scary—well, it is. But don’t panic. It’s these risks that this part of the book is here to help you with.
Your devices carry an inherent security risk themselves. That risk can also change depending on their environment. Risk is like a temperature scale. For example, if you are logging into your PayPal account to check your recent incoming payments, the risk goes from cold to hot in these situations:
Using your desktop computer at home (cold, lowest risk)
Using your mobile device on a partially full train (cool, low risk)
Using your mobile device on a crowded, elbow-to-elbow train (warm, moderate risk)
Using your laptop on public wifi at a cafe (warm, moderate risk)
Using a public computer at the library (hot, highest risk)
Figure: Environment affects risk.
Important: Your devices have a worth far beyond the monetary value of the hardware itself. A device is as valuable as the data it holds or can access. For example, a laptop may hold copies of your social security number and passport, or copies of business IP and code bases. Just as important are the passwords you have saved to browsers or accounts where you kept yourself logged in. If you don’t wipe the data from your old devices, a future owner may gain access to all this information.
Figure: How you use and share devices affects risk.
How and where you use your devices also matter. List out which devices you use most often to access your data and accounts, and how they move around with you.
Scenario: You have a mobile phone and laptop that are practically glued to you. You use these for both personal and business use, and are logged into a number of personal and business accounts. Or you have even more mobile devices, phones, and tablets!
Scenario: You have a device that you let others in your house or family use. This might have been an old personal device, or might still be one you use to access personal or business accounts.
Scenario: You have a desktop computer that stays in your house or office.
Scenario: You work from public or community spaces often with your mobile devices, like cafes, libraries, or coworking spaces. Occasionally, you might even use the public library or hotel business center computer for printing documents or accessing your accounts.
Scenario: You have an old device and want to sell it or give it to a friend.
There is value in impersonation. As an individual, a business owner, or a decision maker, your voice carries weight. You are the person who can authorize changes, information disclosures, and transactions.
The two most common types of attacks you might face would be requests to your staff to transfer money to an attacker’s account, or requests to your phone provider to transfer your SIM to another phone. Once your SIM is transferred to another phone, password resets or two-step login prompts would go to an attacker’s phone rather than yours. Such attacks are becoming more expensive as we rely on SMS for verification on logins when making large payments.
In the physical world, identity is established through government-issued documentation, such as driver’s licenses, passports, and birth certificates. In the online world, our identities are inferred from the email addresses, usernames, and communication channels we use and share with others—WhatsApp, WeChat, Facebook Messenger, Signal, the examples are endless. You build trust with friends, staff, and business contacts through regular interactions using these digital identities, and they may not second-guess any favors or questions that seem to come from you.
There is also more traditional value in your identity that you have probably heard of. Attackers can use copies of your identity to commit fraud like opening loans or credit cards, and then going on a bit of a shopping spree. When the financial survivability of your business early on depends on credit, these types of events can be damaging.
Danger: Treat your email like your crown jewels. If you lose access to your email, it is catastrophic. Everyone knows you at this email address, and it is what is used for most of your accounts (and their password reset functions). It would be a nightmare to try to change the email address across every account. (We’ll cover how to protect your email next.)
Back to the list you’re creating—add the things that represent you online and in the physical world. We will cover social and community profiles and the information you share openly with the public or private followers in the next section. For now, think through ways you may directly communicate with others (like email or messaging apps) or official identity documents.
Scenario: You have more than one personal email you use to sign up for different online accounts. Perhaps one is quite old and mostly forgotten. You also have one or more work email accounts.
Scenario: You have some important documents saved in your email account or cloud storage account, including copies of your passport, national identifier (like your social security card), and bank details.
Scenario: You use a variety of communication channels for talking to business contacts, staff, friends, and family. Some accounts are tied to your phone number (like WhatsApp and WeChat) or your social media accounts (like Facebook Messenger).
Definition: Passive information is information others can discover that does not directly have value or identify you, but can add more legitimacy or trust when someone is impersonating you or trying to get into your accounts.
Danger: Even if you have been safe about your passwords, there are a few old-school systems that still rely on knowledge-based questions and answers for resetting passwords. They may ask about things like the name of your high school or your mother’s maiden name. If these questions are easier to guess than your password, this can be used as an easy side entrance to valuable accounts.
Your passive information can also have indirect value, and may help an attacker appear legitimate because they know things that only the real you may know. For example, if you are updating your social media accounts with photos of your glamorous overseas holiday, this passive information gives an attacker an opportunity to spoof your work email to ask for an urgent overseas payment to be made because you need to “replace your lost passport.” To your growing list, add the social accounts that you or your business rely on.
One would hope it stops there. However, there are still more areas of passive information to cover! The next area to consider is not directly related to you, but is related to the group of people you likely trust most: your family.
When you receive messages or requests from family, you are likely to respond or act without much question. In the same way your employees may respond to a fake request from someone impersonating you to send money overseas, you may respond in the same way if your child, parent, or sibling makes a similar request.
Perhaps more likely is the lack of suspicion when asked to download an attachment. You might let your guard down if your dad asks you to check a document for him, or if your mom asks you if you want to check out her latest cruise photos in a zip folder.
The lists we have already gone through and made for you can also be helpful to make for your family. However, I know making these lists for them can be less fun than watching paint dry. At a minimum, add situations where you often interact with family digitally to your own list, as those would be your highest-risk points.
Scenario: You communicate with family members via email, different communication tools, and social media networks. For some family members, digital communication is your primary source of communication and you don’t often see them in person or chat on the phone.
Looking at your list, it might feel daunting to get started on securing all these things. Now is an important time to learn about the 80% theory.
Story: First, a confession: I used to be a perfectionist and completionist, and I also am a huge video game nerd. Every video game I started I would push to get 100% completion. My Pokédex in Pokémon Red was complete with 151 Pokémon. I found every Easter egg and secret ending there could be found. My goal in life was to finish level 255 in Pac-Man so I could experience the level 256 integer overflow glitch. When I started picking up more hobbies, my ability to complete games started becoming harder and harder.
Most of us probably know the experience of playing a game. You can play it from start to finish, and that represents roughly 80% of the game play. You can play again to finish up side quests and alternative paths to the ending and get closer to 100% completion, but it takes more and more time and investment the closer you get to 100%. You end up investing more time in that final sprint than you do playing the game for the first time from start to finish. And the value received is quite minimal at this point.
I try to apply that same thinking to securing everyday situations. There will be situations where you need to cover that final 20%. For example, when implementing a login function to a web application, you want to go that extra mile. But for most situations, you get the most value out of investing that first 80%.
Right now I am giving you permission to start with applying security for the areas on your list with 80% effort. When resetting your passwords to all your social accounts to unique passwords, it is OK to tackle only the accounts that come straight to memory—and perhaps forget about that old MySpace or Friendster account from the 2000s. When setting up two-step or two-factor authentication, it is OK to set up just a one-time password token generator app rather than going for a hardware security key, even though one is stronger than the other.
You can’t afford that extra 20% time. You have a business to run and other things to do, and I get that. I will tell you when there are areas where you might need to spend that extra time. For the rest of this part of the book, we’re going to look at protecting your email and devices. As you start securing the items on your list, if you promise to give it 80%, I promise to keep it practical.
🚀 As explained by Erica
Your email is like a skeleton key—it is effectively a single key that can be used from anywhere to sign in to various services. Once an attacker obtains your email password, their job gets a lot easier. In this chapter we’ll cover how to set strong passwords all around, but particularly with your email.
Most of us probably set up our password to our email years ago, before hacks were a common everyday occurrence. When I was 12 years old creating my first Yahoo account, I wasn’t thinking about long passphrases or special characters—and as it was inspired by Hanson, it was certainly not secure. Nowadays, most of us can barely recall all the online accounts we have signed up for using our email address—especially with the rise of social media and Software-as-a-Service. There has also been a rise in reported data breaches, where the companies that provide these online services have lost copies of their password databases.