Personal Information Security For Business Leaders - Part 2
- Susan Sons

- 7 days ago

This is the second blog article in a two-article series on personal information security for executives. In case you missed it, the blog article laying out the first 8 steps is here. Hopefully, by now, it’s clear that we don’t expect you to become a super spy or cybersecurity expert… This really requires a few doable steps to ensure you aren’t an easy target. Those attackers who don’t try too hard (most of them) will move on.
Update your software regularly.
Most cybersecurity incidents aren’t the result of a skilled bad guy finding a previously-unknown chink in your digital armor. The vast majority of problems stem from old, well-known flaws in software that could have been patched, if anyone had bothered to update. Remember that network-attached devices like printers and firewalls also require updates. Never run end-of-life operating systems at home, and ensure that all your devices and software are updated at least weekly. We link to several products we recommend here. We actually use these (except for the malicious USB cable; no one should use that). None of these are advertisements or affiliate links. We believe in recommending the best, most secure technology, not what is the best deal for us.
Keep good back-ups.
Anyone can get hit with malware, have a drive go bad, or have a toddler knock a glass of tea over onto a device. It shouldn’t cost you your family photos, tax records, or other important data. Back up your most important data regularly, and if possible keep a copy of your most important tax and financial records on an encrypted USB stick or SD card stored in a safety deposit box or other secure place away from your home.
Beware “smart” devices.
Now that so many of us work from home, the proliferation of internet-connected “smart” devices means that we’re doing sensitive work on the same network as a host of appliances, light bulbs, and other gear that may be especially insecure. Opt for non-connected devices where possible. When that’s not possible, separate your home into at least three networks: the one you and your family work from, one for guests, and one for IoT devices. A compromised IoT device can otherwise become a safe jumping-off point for attacks against your personal and work devices.
Consider a VPN.
Your workplace should provide you with a VPN to connect to when working remotely. This prevents random coffee shop routers and possibly-compromised ISPs from seeing business traffic, and provides a trusted way to access internal resources. You may want to invest in one for personal use. A VPN won’t prevent all attacks against your personal devices and accounts, but it does make it harder to profile you as you move about the world. DuckDuckGo and Proton are two trustworthy providers of personal VPNs. Be careful with random app store offerings and YouTube advertisements: some VPNs encrypt nothing at all. You should always use secure firewalls that support a VPN when travelling. Connect the firewall to the hotel WiFi, then connect to your own encrypted WiFi. We love GL.iNet travel routers, which use open source firmware and are easy to configure, with many VPN providers built in. These travel routers are produced by a Taiwanese company for those who have to travel to China. They are jokingly referred to as “seditious routers” in the office.
Don’t trust public chargers or unknown USB cables.
It’s been a while since we saw an organization compromised by an executive using the wrong USB port for phone charging in an airport or on a train. Mobile operating systems – Android and iOS – have done some work to harden against these attacks. Unfortunately, most laptop makers haven’t, and most of our laptops now charge via USB-C.
NEVER use a USB charging port in a public place like an airport terminal or lounge. You may be giving an attacker physical access to your device in the process. If you need to charge on the go, use your own charger plugged into a regular power outlet, or at least place a USB data blocker between your device and the charging port. A data blocker allows power to flow without letting the port talk to your device (and potentially try to break in).
Likewise, treat any USB charging block or USB cable that you don’t own (including those from vendors and trade shows) with some suspicion. We have seen USB chargers and cables for laptops, tablets, and phones from companies like Huawei in the wild, and we cannot recommend using these.
Use full-disk encryption and a screen lock to mitigate risks from physical access.
When someone has physical access to your device, a number of attacks become possible that wouldn’t be possible over the network. To prevent direct access to your device’s storage, you need to encrypt it. All major operating systems have this ability built in now. If you didn’t set it up at install time, you should be able to do so from your system settings on Mac, iPhone/iPad, Android, or Windows. Depending on your distribution and install type, a Linux computer may need a re-install to go from unencrypted storage to encrypted. Full-disk encryption, as described above, protects your device from access when it’s off. When it’s running, you need a screen lock.
It’s information security, not computer security: mind your physical environment and papers as well.
We work from coffee shops or trains. We travel with laptops full of valuable accounts and information. We read paperwork from home, both for business and for our personal business. The face of information security failures is often the ransomware or the financial scammer, but too often a failure starts with lack of control of physical spaces.
Mind what is on your screen when using your computer in public places. Keep sensitive papers – business or personal – put away. It’s unlikely that your spouse is a corporate spy, or that your child is looking to change your direct deposit, but it’s quite plausible that someone forgets what papers are on the table before photographing your son with the cake he baked. Some minor detail no human sees is then scanned off of someone’s social media post about the cake, and sold to your competitor or used in identity theft.
The ups and downs of AI and digital assistants
Many people love the convenience of digital assistants (e.g. Alexa, Siri, “hello, Google”) and “AI” tools. However, it’s necessary to be mindful of both the information going in and the information coming out. Unless you have a contract with the AI provider – one with real teeth – everything you expose the AI or digital assistant to is being assimilated by its owner, and possibly resold to others or used by foreign contracting companies they don’t control. Everything you get out needs to be confirmed by a human, lest you become the company torn between standing behind statements you didn’t want an AI to make and being caught lying to your stakeholders. Consider banning devices with microphones (apart from your phone and laptop) from the room where you work, to prevent eavesdropping. We recently wrote a blog article about AI security and considerations before deploying an in-house AI which the company controls.
Personal Information Security for Executives - Conclusion
Personal cybersecurity for executives is just as important as corporate security. You worked hard to get where you are today, and part of that was being able to get things done. For minimal cost, you can get one or two of these steps done each week and put your family, company, and career in a much better position.




