I was having dinner with a friend who travels often, going over some quick internet security tips. She’s not a technical person, and the more I tried to explain things, the more I realized how difficult it is for the everyday person to get a grasp on these digital dangers, not to mention the convoluted steps they have to take to defend themselves.
So I’ve assembled a quick guide to digital defense for her and the everyday person. I’ve tried to list them in order of ease and magnitude, so you can work them from the top down.
Before you start, I need to explain two things. One is the difference between digital security and privacy.
Here’s a quick example: You can login securely to Facebook with an encrypted connection and 2FA. But then you reveal all of your innermost thoughts on Facebook and share your location in real-time wherever you go. That’s secure but not private.
On the other hand, you might have a Facebook account and not post anything at all. But you log into your account on public Wi-Fi over an unencrypted connection. That’s private, but not secure.
Knowing the difference will help you in your personal digital defense strategy. This guide focuses more on security than privacy, as digital privacy is another long discussion.
The second thing is that there is always a tug of war between convenience and security. An unlocked front door is the most convenient way to leave your home, but it’s also the most insecure. In the same vein, some of these tips will make your digital life a little more inconvenient. How much you’re willing to tolerate in order to protect your contacts, messages, files, photos, etc. is up to you.
This is what I would suggest, in more or less this order.
If you lose your smartphone, tablet or laptop to a disk failure, drop, malware or theft, you’ll want to have a backup of your files somewhere.
Update every digital device you own to the latest version of its operating system. That includes your smartphone, your laptop, your tablet, and your router. This isn’t so that you get the latest features, but because you’ll get the latest security updates.
If you’re running an old OS like Windows XP, seriously consider upgrading, as these older OSes are no longer officially supported. Plus, since you’re already at your router, encrypt your Wi-Fi with WPA2 if you don’t already.
Turning on 2-factor authentication, or 2FA, requires you to enter both your password, plus a secret code sent to your smartphone, before you can log into a website. It’s more secure this way, because even if someone has managed to get your password, he or she won’t be able to log into your account without possessing your phone as well.
I suggest you enable 2FA wherever it’s offered, or at least for your key accounts.
If you’re savvier, enable 2FA on an authentication app like Google Authenticator, Authy, or 1Password instead of SMS, as SMS can be less secure. Frequent travelers might want to use apps for 2FA instead of SMS, as I’ve found that 2FA SMSes can get lost or delayed while overseas.
Together with 2FA, create stronger passwords. And not just for your online logins, but for your devices as well. Ideally, I’d suggest you use a password manager like LastPass, because they can generate and keep very strong passwords, but using a password manager does require a learning curve.
If you don’t already, please lock your smartphones, tablets, PCs and laptops with a PIN or passcode. The longer the passcode, the better. A four digit passcode has 10,000 possible combinations, a six digit passcode has one million.
There are plenty of good paid and free anti-virus apps out there. Just remember to keep them running in the background so they can scan for constant threats, and be aware that even anti-virus software can’t protect you from everything.
The main vector of attack is quickly switching from virus infections to phishing, where attackers send you links through email or messages, pretending to be an authority like Google or a friend whose account has been hacked.
By clicking on these links, you might be asked to enter your credentials and thus have them stolen. The worse kind of ‘drive-by’ attack doesn’t even involve any interaction, once you visit the site your device might be compromised.
Previously, I’d temper my suggestions to only ignore links that appear suspicious, but phishing attacks are so good these days that it’s hard to tell the difference between legitimate and malicious links. If the link and email look legit, you can always go to the site via your browser to.
The HTTPS Everywhere extension from the EFF forces your browser to connect securely to websites that support encrypted connections. You should know that this kind of security measure has been compromised before, but having the extension is still better than not.
Encrypting your smartphones, tablets, laptops and portable hard drives make it incredibly difficult for thieves to simply copy your files over to their hard drives. However, you should also know that encryption is a double-edged sword. When you encrypt your device, you’ll need to remember your password and recovery codes, because if you lose those, there is no way you can recover your data.
Since my friend travels a lot, I recommended that she use a Virtual Private Network (VPN) to connect to public and hotel Wi-Fi.
Whether or not to use a VPN is complicated. Websites and apps are getting better at sending encrypted data. WhatsApp, for example, does end-to-end encryption, so messages are protected by default. But you can’t be certain which sites and apps are sending data securely. On the other hand, it’s also true that you’re entrusting the VPN provider with your data, and it’s possible that they’re snooping on you.
Popular VPN providers include Private Internet Access and F-Secure Freedom. Big-name security companies like Norton also offer VPN. I use Cloak on iOS and macOS for its convenience; it automatically starts whenever it detects you’re on an unfamiliar network. If you still want to think about it, here’s a long and short answer as to whether or not you should use a VPN.
Never get complacent.
There is no perfect digital defense, and you can only become safer, but never 100% safe. Automate your backups, don’t wait too long before installing updates. Set up 2FA and passcodes, even if they delay your logins by a few seconds more. Avoid clicking on suspicious links, and don’t be lured by free Wi-Fi.
The unfortunate truth is that as technology becomes more intertwined with our lives, attacks also evolve and become more sophisticated. At the same time, the everyday person can’t be expected to keep up with the latest cyber attack news. I wish there were a better conclusion, but there really isn’t.