How to stay safe online in eight steps
At the end of each year I complete what I like to call "an end of the year security review". The idea is to follow a set of small steps to review and improve my online security and privacy setup.
This year I consolidated all the steps in a checklist and I decided to share it in case you want to use the list as a guide to review your current setup and stay safer on the Internet. Each of the steps I propose are easy to follow and can be completed by anyone with basic digital skills so you could even send the checklist to any of your friends and loved ones.
This is a TL;DR checklist with the steps we will cover:
- Use a password manager
- Use a multifactor authentication app (MFA)
- Enable automatic software updates on your devices
- Review your browser extensions
- Create a list of your key digital assets
- Enable two factor authentication for your key digital assets
- Enable storage encryption for your physical devices
- Reduce the amount of permissions granted to the apps you use to the minimum
Let's begin!
Use a password manager
Let's start with the basics. You probably use dozens of digital services and apps. If you are like me, remembering the password for each of them is mission impossible. Reusing the same password is not an option either. So, the first step is to install a password manager if you don't have one already.
If you already have one, the action for us is to improve how we use it by:
- Making sure we can access our password manager from multiple devices. We don't want to lose access to all our most important digital assets, passwords and credentials if we lose the only device that lets us in.
- Storing work passwords in a different folder or vault if we use the same password manager for both personal and work credentials.
- Making sure the password manager's master password is secure by 2022 password standards. That password is the gate to all your identities on the Internet.
I use 1Password and I am very happy with it. But there are other free options out there.
Use a multifactor authentication app (MFA)
A password manager is the first step towards a better digital experience. But if we want peace of mind, we should use a multi-factor authentication service. So, step two is to install one on your smartphone.
If you already use an MFA service, the action for us is to improve how we use it by:
- Making sure we can access the MFA service from at least two devices. This ensures that if we lose our phone, we can still access accounts with MFA enabled.
- Storing the backup password or recovery code, if the MFA service uses one, in a secure place and, of course, remembering where.
- Performing a security drill: let's leave our phones in another room and go to the sofa with our laptops. First, open an incognito window. Second, check whether we can still access the digital services where MFA is enabled. Did you have to leave your sofa and go to the other room to grab your phone? If the answer is yes, then congratulations on a successful MFA setup.
Enable automatic software updates on your devices
This is a simple one but it is easy to forget. Make sure your devices (smartphone, tablet, laptop, smart TV...) have automatic software updates enabled. Automatic updates ensure that security patches are installed as soon as they are made available. Here is a typical checklist:
- Enable automatic operating system updates on macOS, Windows, Linux, Android, and iOS.
- Enable automatic application updates in your desktop, tablet, and Android app stores.
- For advanced users, make sure your OS package manager (e.g. brew on macOS) has its option to automatically update packages enabled.
Review your browser extensions
Browser extensions like ad-blockers improve our experience while browsing the web, but they are also a potential attack vector that can compromise our privacy.
- Reduce the number of browser extensions to the minimum. For each extension, ask yourself if you use it often enough that it deserves to clutter and slow down your browser. If the answer is no, just install the extension when you need it and remove it afterwards.
- Once you get down to the minimum viable set of extensions, make sure they are up to date and come from trusted sources. I usually look at things like the number of reviews, the number of installations, and whether it is featured by the browser vendor.
Create a list of your key digital assets
A key digital asset is an asset that, if it gets compromised, will have us panicking and running around with our hands on our heads. So, these assets are worth taking extra care of. By creating a list of your digital assets you know how to prioritise what to protect. Here are some of mine. I divide them into two categories:
Physical:
- Work laptop
- Personal laptop
- Smartphone
- Portable SSD with personal documents
Digital:
- Password manager service
- Phone numbers
- MFA or second-factor authentication service
- Personal email accounts
  - I bet we don't want anyone to be able to access the thousands of personal emails we forgot to delete over the years
- Work email account
- Cloud file storage services like GDrive, OneDrive, and iCloud
- Social accounts like Instagram, Facebook, WhatsApp, Twitter...
  - I bet we don't want anyone to hijack our digital identity
- Other important online accounts like bank accounts, GitHub, etc.
Enable two factor authentication for your key digital assets
Adding two factor authentication adds an extra layer of security to the key digital assets identified in the previous step. For each item, we are going to:
- Enable a second authentication factor using the MFA service we configured in step two.
- If the online service has a phone number associated with it, make sure it is up to date and is a phone number that you have access to.
- For online services with mobile apps (like bank accounts, email, etc.), make sure those apps are protected with an additional PIN or biometric authentication mechanism. Some smartphones allow you to add this extra layer of security even if the native app doesn't support it.
Enable storage encryption for your physical devices
The next step is to review whether the storage encryption option is enabled on our devices. Storage encryption ensures that our data at rest is protected even if our devices get lost or stolen. We can use the list of physical assets created in step five to prioritise the devices that need to be protected.
Some devices already ship with this option enabled; for example, my phone running Android 12 comes with it enabled by default. Other devices like portable SSD disks may ship with third-party software that allows you to encrypt them.
In some cases, like when you use FileVault on macOS, you will have to generate a recovery code. Save this code in a secure place like your password manager.
Reduce the number of permissions granted to the apps you use
Reviewing the app privacy settings on each of our devices to reduce the level of access we give to the apps we have installed is a simple action that will improve our privacy online and give us control over our data.
We should pay attention to the permissions that grant apps access to the private data we value the most. Some examples are:
- Our location
- Our contact list
- Our device inputs like camera and microphone
- Screen recording and input monitoring
Next steps
You made it this far, congratulations! I hope you found it useful. As a next step, I recommend you do as I do and create a reminder in your calendar to schedule your next security review.
If you have any suggestions for additional steps you think could be useful, please let me know so I can add them to the list :)