If you’ve been brave enough to turn on the news or log into Twitter recently, you know that digital systems are rife with compromise, theft, and cyber-attacks that affect everything from your credit score to presidential elections. It may feel overwhelming and scary. But with a bit of proactive work, you can prevent most of the typical security issues that come with living a 21st century online presence. We want to make sure your personal accounts, government agency and/or campaign organizations are digitally secure so you’re free to pursue your mission with less worry.
- If you suspect you’ve already had a cyber incident of some sort, this is not the guide for you. Do not pass go. Do not collect $200. In fact, don’t change your online behavior at all just yet. Contact us or another qualified cyber security firm to help you respond, and don’t disrupt your digital tools or devices until further instruction.
- This is a list of recommendations that range from absolute beginner to pretty ruthless daily secure measures. Digital hygiene is a balance of convenience versus security. So do as much as you can from this list until things get too burdensome and pause for a bit until you’re ready to reach for more. It can take time to solidify new habits and get used to the overhead associated with good security practices. A little bit of paranoia goes a long way too!
Now, let’s get started.
1) Ensure your devices are always up to date
The easiest thing you can do to protect your systems from unwanted guests is to make sure the software is up to date. That means enabling iOS updates for your Apple products and turning on Windows Update for your Microsoft products. Gone are the days when we had the luxury of testing each new release or patch from a manufacturer. The cyber world moves too quickly today. But the good news is that manufacturers are putting in more time ensuring their patches go smoothly.
Takeaway: Just do it. Err on the side of caution and implement any and all system updates as soon as possible once they’re available.
2) Protect your systems with antivirus software
This may seem like a no-brainer, but we still see too many clients, especially with Apple products, without it. Install a trusted antivirus program and keep it up to date. This will protect you from all manner of nefarious activity, including the dreaded ransomware attacks that are still making news. We recommend these lightweight starter products: Avast, Avira, Trend Micro. These all have free versions that will keep you well-protected, but spend a few minutes searching and comparing which features you want and what fits your budget if you’d like to upgrade to fancier packages (this is usually not necessary).
Note: Avoid anything from Kaspersky Labs. They are just too close to our enemies in Russia to be viable for anything related to a U.S. government or political operation these days.
Takeaway: Spend 10 minutes installing antivirus software on your devices and configuring it to automatically update. It’ll save you a lot of pain by protecting you when you need it most.
3) Enable two-step authentication on your accounts
Protect your online accounts with an additional layer of security using two-step authentication. Most serious online products provide this feature, and it is an absolute must-have for your bank, email, social media and Google or Apple accounts, for example, since those may be securing your data or serving as login providers for other apps. Two-step authentication combines two layers of security: a standard password plus a randomly generated, one-time code or PIN, to arrive at a much higher security level than a password alone.
- First: Apple
- Next: Google
- Finally: Facebook
Takeaway: Two-step authentication makes your online accounts much stronger and is a must-have for any sensitive account.
4) Enable encryption on all your hardware
This one is pretty straightforward and takes little effort on your part. Enable “Data Protection” on your Apple devices and “Device encryption” on your Windows systems. Windows is a bit trickier as some older PCs might not support disk encryption. But we recommend enabling this wherever you can, paying special attention to your mobile devices and laptops. This will ensure that if your device is stolen or lost, an attacker will have a tough time getting at your data without having your passwords as well.
For Apple iOS 8+:
- Open the Settings App.
- Tap “Touch ID & Passcode.”
- Set a six-digit passcode (if you haven’t already).
- Look for “Data protection is enabled” at the bottom.
For Windows:
- Open the Settings app.
- Navigate to System > About.
- Look for a “Device encryption” setting at the bottom of the About pane.
If you don’t see anything about Device Encryption here, your PC doesn’t support Device Encryption and it is not enabled. If Device Encryption is enabled — or if you can enable it by signing in with a Microsoft account — you’ll see a message saying so here.
Takeaway: This is a set-it-and-forget-it configuration you can set in less than a minute that will give you great data protection in the event of device loss or theft.
5) Use a password manager
Password managers are a must-have in today’s digital climate, but they take a bit of getting used to. They securely store your account passwords in a central location under a “master” password. Then, after you get set up, you need only to remember your master password to get into your password manager app and then it handles the rest for you. We recommend using LastPass as it has great cross-platform support and apps for your mobile devices that will help make the switch to a password manager easier.
To get started with LastPass:
- Create a LastPass account and choose a very strong master password that is completely unrelated to any other password in your portfolio.
- Be sure to enable two-step authentication on your LastPass account!
- Install the LastPass plug-in on your web browsers and import your accounts when possible.
- Start using LastPass and logging all your credentials as you browse.
As a bonus, LastPass has two extremely useful features:
- It can create random strong passwords and use them for new or existing accounts as you create them or when you update your password routinely. Once you’re comfortable using LastPass to control your password portfolio, take advantage of this feature to create really strong passwords that you never have to remember!
- After you’ve used LastPass for a few weeks, utilize the Security Challenge feature to audit your passwords. This will scan through all the passwords you’ve logged with it and point out ones that are weak or that are shared with other accounts. You can then create stronger passwords or use unique ones for your accounts to be sure that, even if an attacker compromises one of your passwords, they do not have access to another account because you used the same password for it.
Takeaway: Using a password manager will simplify your online life and, if used properly, dramatically increase your security posture and mitigate damage if a password is compromised.
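The two bonus features above, random password generation and a reuse/weakness audit, are simple enough to show in code. The following is an added example written for this guide, not LastPass’s code, and the vault entries, the `COMMON_PASSWORDS` list, the 60-bit threshold and the function names are all constructed assumptions. It generates passwords from the operating system’s cryptographic random source and then audits a small constructed vault the way a Security Challenge does: flagging passwords that appear on a common-password list, that are too short or too simple, or that are shared between accounts.

```python
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for the breached/common-password lists real managers check against.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password using the CSPRNG (`secrets`), never `random`."""
    if length < 12:
        raise ValueError("refuse to generate passwords shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound strength estimate: length times log2 of the character pool in use.
    A dictionary word scores higher here than it deserves, hence the separate common-list check."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def audit_vault(vault: list, min_bits: float = 60.0) -> list:
    """Return (site, finding) pairs: 'common', 'weak' and/or 'reused' for each entry."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    findings = []
    for entry in vault:
        pw = entry["password"]
        if pw.lower() in COMMON_PASSWORDS:
            findings.append((entry["site"], "common"))
        elif entropy_bits(pw) < min_bits:
            findings.append((entry["site"], "weak"))
        if len(sites_by_password[pw]) > 1:       # same password on another site: one breach exposes both
            findings.append((entry["site"], "reused"))
    return findings


# Constructed sample vault; none of these are real accounts.
SAMPLE_VAULT = [
    {"site": "bank", "username": "jane", "password": "sunshine"},
    {"site": "email", "username": "jane", "password": "password"},
    {"site": "social", "username": "jane", "password": "Summer2019!"},
    {"site": "shopping", "username": "jane", "password": "Summer2019!"},
    {"site": "vpn", "username": "jane", "password": "q8#Vn2!pLw@7zK$eR4&m"},
]

if __name__ == "__main__":
    for site, problem in audit_vault(SAMPLE_VAULT):
        print(f"{site:10s} {problem}")
    print("suggested replacement:", generate_password())
```

The reuse check is the one that matters most for the takeaway above: even a strong password becomes a liability the moment it is shared between two accounts, because a breach of the weaker site hands the attacker the stronger one.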
6) Be ready to disable FaceID and TouchID
You should be ready to disable FaceID and TouchID on your Apple devices at a moment’s notice. Face/TouchID can conceivably be used without your consent (perhaps while you’re asleep?) to gain access to your entire phone.
Furthermore, while you cannot be compelled by law enforcement during a search to affirmatively enter your PIN on your device, they can easily hold the phone up to your face without your consent or, in certain cases, such as customs inspections, require your fingerprint.
There are two quick ways to do this on iPhone:
- Press the Side Button five times in rapid succession to get the emergency options screen (and also disable Face/TouchID temporarily).
- For iPhone X: Squeeze one of the volume buttons and the Side Button simultaneously.
Either option will temporarily force the next login to be PIN-only and save you from trouble if you have to hand over your phone for any reason. Then, if you can live without the convenience, consider turning Face/TouchID off altogether. While this may sound counterintuitive, it is really another question of security versus convenience.
Bonus: Use strong PINs, six digits or more, that are unique to each device.
7) Switch to Signal for messaging and calls
Start using the Signal app exclusively for messaging conversations. It’s an app that is 100 percent open-source code created to secure conversations between individuals in a way that doesn’t give the provider or app manufacturer any access to the content of those conversations. This is a sharp differentiation from SMS, Apple’s iMessage, Facebook Messenger and WhatsApp on which the service provider generally has access to the content of a conversation even though the conversation might be encrypted from prying eyes.
Why Signal? A few reasons:
- Signal is cross-platform and ensures you can’t accidentally end up messaging someone outside of Signal. While Apple iMessage is handy and very popular, if you text someone without an Apple device, many of those messages are sent in the clear as SMS messages!
- Signal is completely third-party and not connected to any service provider, whereas Apple iMessage, Facebook Messenger and WhatsApp are operated by the respective companies. This means they can change their mind about security policies any time and you can’t do much about it. It also means they control the encryption keys on their servers. So while your conversations are protected from outside eavesdroppers, that doesn’t mean they’re protected from the companies themselves. In cases when you need more certainty that your conversations aren’t being intercepted by the service provider themselves (or being turned over to the government), you cannot count on Apple or Facebook to protect you.
- Signal lets you control your own encryption keys and validate your contacts. Your keys aren’t stored anywhere centrally and you get notified anytime someone else’s key changes or if your device doesn’t recognize them as trusted.
- Signal’s code is completely open-source, which means you get the benefit of many smart programmers bringing their paranoia and engineering skill to bear on this problem. Having their code stand up to public scrutiny improves the product over time and also makes it slow to change to the whims of the current tech or political environment. It also removes any “black box” concerns you may have that Apple or Facebook could be doing almost anything with those apps in their proprietary code (like selling your conversation data for ad targeting).
Takeaway: Signal gives you more certainty that your conversations are private.
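The key-change notification described above is a “trust on first use” model: the first identity key seen for a contact is remembered, and any later key that differs triggers a warning until you verify it with the person out of band. The following is an added illustration of that model, not Signal’s own code or its safety-number algorithm (the fingerprint here is simply a truncated SHA-256 of the key bytes, grouped for reading aloud), and the `TrustStore` class, its method names and the constructed 32-byte keys are assumptions made for the example.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """Human-comparable fingerprint of a key: 40 hex chars in groups of 8.
    Simplified stand-in for a safety number; compare it with your contact in person or by voice."""
    digest = hashlib.sha256(public_key).hexdigest()[:40]
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


class TrustStore:
    """Trust-on-first-use store of contact identity keys, kept on the device, never on a server."""

    def __init__(self):
        self._keys = {}          # contact -> public key bytes
        self._pending = set()    # contacts whose key changed and is not yet verified

    def check(self, contact: str, public_key: bytes) -> str:
        """Classify an incoming key: 'new' (first sight), 'trusted' (matches), or 'changed'."""
        known = self._keys.get(contact)
        if known is None:
            self._keys[contact] = public_key
            return "new"
        if hmac.compare_digest(known, public_key):
            return "trusted"
        self._pending.add(contact)   # reinstalled phone, or someone in the middle: the user must decide
        return "changed"

    def send_allowed(self, contact: str) -> bool:
        """Hold outgoing messages to a contact whose key changed until the user verifies it."""
        return contact in self._keys and contact not in self._pending

    def accept_new_key(self, contact: str, public_key: bytes) -> None:
        """Called only after the user has compared fingerprints with the contact out of band."""
        self._keys[contact] = public_key
        self._pending.discard(contact)


if __name__ == "__main__":
    # Constructed keys; real identity keys are 32-byte Curve25519 public keys.
    alice_key = bytes([0x01] * 32)
    alice_new_key = bytes([0x02] * 32)
    store = TrustStore()
    print(store.check("alice", alice_key))       # new
    print(store.check("alice", alice_key))       # trusted
    print(store.check("alice", alice_new_key))   # changed
    print("send allowed:", store.send_allowed("alice"))
    print("verify by reading out:", fingerprint(alice_new_key))
```

The design choice worth noticing is that a key change does not silently update the store: the old key stays until a human has compared fingerprints, which is exactly the step a provider-controlled key server lets you skip and an attacker would like you to skip.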
8) Secure your browsing
We recommend ditching Apple Safari and Microsoft Edge in favor of Google Chrome. While Google presents its own questions of corporate ethical responsibility, technically, Chrome is usually a half-step ahead of most browsers and quick to update if there is trouble.
Download it on your systems and devices and set it as your default browser. Then, log into Chrome using your secured, two-step-authenticated Google account to sync your security settings, bookmarks, and plugins.
Which leads us to plug-ins. You should install Google’s IBA Opt-out and uBlock Origin. These plugins will monitor every connection your browser makes online and proactively block lots of nefarious trackers, adware, and sites that are known for being up to no good. They are worth their lines of code in gold in terms of protecting you while you’re surfing the web.
Bonus: Once you’ve made the jump to Chrome, dump your history and autofill data out of your old browsers like Safari.
9) Back up your data
This item is more a question of potential loss of productivity or sensitive data than preventing attacks, but being mindful of data integrity is critical. Backups will protect your data from hardware failure or device theft as well as accidents such as office fires.
There are two possible approaches: 1) use a mainstream cloud service provider, or 2) use an external hard disk with periodic data copies. There are a few easy choices to meet this need: Google Backup and Sync, Apple iCloud Drive, Microsoft OneDrive, Dropbox.
All of these offer free or affordable plans to get started and they all encrypt your data to keep it relatively safe. After you set up your account, install the necessary plugin to connect you to the cloud drive and sync your files. Voila! You now have a fairly effortless copy of your data stored in the cloud for easy retrieval if a problem arises. As for external drives, there are many good options as well, but we recommend Buffalo drives for Windows or Time Capsule for Apple products. These will take some time to configure and set up, then you’ll need to get in the habit of running backups to them.
Bonus for external drives: Store it in a different location than your other devices are when you’re not using it.
Note: This approach helps ensure you won’t lose your data due to hardware failure or accidents. But if you require additional protection of your data to keep it private from even cloud service providers, we’ll need to take you to the next level and encrypt your data with a key that only you control. Contact us if you need help with this as it’s beyond the scope of this writing.
10) Upgrade to multi-factor authentication
Consider buying a YubiKey to upgrade your authentication protection from two-step as noted above to two-factor. The addition of this device gives you the added protection of something you know (your password) plus something you have (the key device). It makes hacking your account more difficult by orders of magnitude!
These devices are cheap — at around $20 USD for the basic unit — but they provide an even stronger level of authentication protection. They work in tandem with your two-step codes from Google Authenticator for many services. They also have fully FIPS-compliant models that are usable at the highest levels of government for authentication and identity protection.
Use it as you would a physical key and insert it into your computer’s USB port any time you want to connect to a cloud service. It will require that the key be inserted before use, which circumvents third-party attacks that might have somehow acquired your two-step codes or pass-through authentication attacks for services like your Google account. We cannot recommend these devices highly enough given the added security you get for the low cost and minimal inconvenience of using them.