IT pros do threat modeling every day. That sounds like something out of a Mission: Impossible script, but it’s really just a fancy way of saying they regularly ask the question “What can go wrong?”
You can do the same to protect your online identity and your assets, and you don’t need the skills of a secret agent to get started. The trick is to keep asking questions after you’ve got the cybersecurity basics out of the way. Firewall enabled? Check. Strong passwords and 2FA? Got it. Antimalware solution deployed? Sure.
Indeed, those steps will protect you from the majority of online attacks. But there’s more you can and should be doing.
Start by asking if there are threats you’re not taking into account. What happens if you get fooled by a clever phishing attempt and accidentally give away your password? What happens if someone steals your phone or laptop? What can you do if your files are locked up by ransomware? And most important of all, will you be able to recover from a security incident, regardless of its origin?
In this article, I lay out four steps you should be paying attention to in addition to the basics. None of them are platform-specific. They apply to Macs, Windows PCs, and yes, even computers running Linux. Most of these security precautions are even useful if you do nearly everything on a smartphone or tablet and never touch a laptop.
1. Make sure all your data is encrypted
Anyone who’s ever watched a horror movie knows that sometimes the threat is coming from inside the house. Or the office.
If you spend all your time worrying about protecting your online accounts, you might forget to plan for the possibility that someone will steal your laptop or your smartphone. Losing that expensive piece of hardware is painful enough, but the data on that device can be even more valuable if a thief can use it to steal your identity and drain your bank accounts.
The best form of protection you have against this sort of damage is strong encryption, which makes your data completely unreadable to someone who steals your physical device. AES-256 encryption, the worldwide gold standard for modern tech gear, is extremely effective — just ask the FBI, which has fought (and lost) some well-documented battles to weaken its effectiveness.
The data on your smartphone is probably encrypted already. On Android devices and iPhones, all data on the phone itself is encrypted automatically as soon as you set a passcode. Just make sure that passcode is long enough (at least six characters). And consider setting the option to erase your phone after too many unsuccessful attempts to enter your passcode:
- On an Android device, search for Auto Factory Reset in Settings.
- If you use an iPhone, go to FaceID and Passcode in Settings and find the Erase Data option.
For a PC running any edition of Windows 10/11, including the Home edition, Windows Device Encryption is available and enabled by default, but only if you sign in using a Microsoft account. This automatic encryption protects the system disk; however, you can’t encrypt secondary disks or external disks. You’ll find the switch for this feature in Settings > Privacy & Security > Device Encryption.
On systems running Windows Pro, Enterprise, or Education editions, you can tap into a more advanced set of encryption management features called BitLocker. These tools allow you to encrypt all available disks, including removable disks. For more details, check out ZDNET’s “BitLocker Guide: How to use this Windows encryption tool to protect your data”.
The equivalent feature on a Mac is called FileVault. Get all the details you need in this Apple Support article: “Protect data on your Mac with FileVault”. Don’t forget to save a recovery key.
For files stored in iCloud, there’s also an option called Advanced Data Protection, which turns on end-to-end encryption; no one (not even Apple) can access that data, which means it’s crucial to set up a recovery method just in case you lose the ability to sign in to that drive. You can save a recovery key in a safe place, or you can designate a trusted friend as your recovery contact and call them if you lose access to your account. For more details, see “How to turn on Advanced Data Protection for iCloud”.
2. Back up the stuff that matters
Some digital things are irreplaceable. Your collection of family pictures certainly falls into this category, especially the ones you created by painstakingly scanning old photographs. Other super important files, like your tax returns and real estate records, might technically be replaceable, but it can be inconvenient (not to mention expensive) to order those copies. And files that seem trivial now might turn out to be useful later.
Ask the question, “Which files would I absolutely hate to lose?” and you will probably end up with a list that looks something like this:
- Your smartphone’s camera roll
- Product keys and license info for software and services you’ve purchased
- Passwords and encryption keys
- Sensitive documents like medical records, tax returns, and will or trust papers
- Receipts for valuable items like artwork
Knowing what needs backing up is half the battle. The other half is figuring out where to store those backups. You have lots of alternatives.
Your smartphone can automatically be backed up (to iCloud or to Google’s servers) for quick recovery. It’s worth checking your phone occasionally to ensure that those backups are up-to-date. And consider uploading the contents of your camera roll separately to your preferred online photo storage. Either iCloud or Google Photos will work; here, too, you will likely need to pay to save full-resolution copies of all your photos and videos.
The easiest and most comprehensive solution is to store the files in a cloud storage service like OneDrive, Dropbox, Google Drive, or iCloud. (You’ll need to pay for anything more than a trivial amount of storage, however). Depending on the service, you might even be able to recover from a ransomware attack. OneDrive and Dropbox subscribers, for example, can use features that allow you to access a snapshot of your backed-up files by date; after you clean the ransomware, pick a date before the files were forcibly encrypted and restore that version.
For sensitive documents and secrets like encryption keys (more on that later in this post), see if your password manager is up to the challenge. Using 1Password, for example, you can upload up to 1GB of files per account to the Documents folder, and you can save secrets in the Secure Notes folder; Bitwarden offers a similar capability, but only for paid accounts.
For your PC or Mac, there are always the old-school options of full backups, to the cloud or to removable local storage, using either built-in tools like Apple’s Time Machine or third-party software. If you need advice on how to get your files organized, see “PC and Mac backup: How to protect your data from disaster”; for recommendations on which backup app to use, read “The best backup software: Top picks for Windows and Mac”.
Oh, and don’t forget to make sure your backup copies are encrypted and stored securely.
3. Know where the reset button is located
If you’ve got a useful backup, the easiest way to recover from any kind of issue on most devices is to reset it, restore your backed-up files from the cloud, and then restore apps as needed. That’s easy with a mobile device; just search for the reset option in your phone settings and follow the prompts to restore your most recent backup.
For PCs running Windows, you can find Reset options in Settings, but what happens if you can’t start the PC? Consider creating a recovery disk and keeping it handy. This bootable USB flash drive allows you to perform some simple repairs, by booting into recovery mode; it also allows you to reset the device using the manufacturer’s preinstalled recovery partition. You can find full instructions here: “Windows 10/11: Create a recovery drive”.
On a Mac, you don’t need any special tools to start fresh or restore from a backup. You can boot into recovery mode by restarting the Mac. The specific instructions vary depending on whether your Mac is based on Apple Silicon or an Intel chip. For details, see the Apple Support article “How to reinstall MacOS”.
With any of these options for a Mac or PC, you can perform a variety of simple repair tasks or do a repair installation.
4. Save your recovery codes
The most annoying security incidents are the ones where the cause isn’t a malicious actor but a simple hardware failure or human error. Recovery can be nearly impossible if you’ve been locked out of a hacked or otherwise compromised account or you’re trying to recover data from an encrypted disk. Until you prove your identity and your right to access the device or data, you look exactly like a malicious actor.
If your device is managed by your organization, your support desk can almost always help you recover by resetting your password or locating the saved encryption key for your device.
If you’re using an unmanaged device, you’re literally on your own, which means some advanced preparation is in order. Specifically, you need to generate and save recovery codes that you can use in case of emergency. Exactly what you need to do depends on which platform you’re using.
Microsoft accounts: If you’ve forgotten your password, you can use any of your multi-factor authentication options to recover. If the account’s been taken over by someone without your permission, you’ll need to go through the painful process of recovering by starting at this page: “How to recover a hacked or compromised Microsoft account”.
Windows PCs: Need a recovery key to unlock an encrypted drive? If you signed in using a Microsoft account, the key will be available at https://microsoft.com/recoverykey. If you turned on BitLocker Device Encryption on a device running Windows Pro/Enterprise/Education, you’ll need to find the key you printed or saved during setup. You can also locate and save that key anytime by right-clicking the drive in File Explorer and choosing Manage BitLocker > Back Up Your Recovery Key.
Google accounts: If you’ve lost access to your phone to receive recovery codes or sign in with Google Authenticator, you can use a backup code to sign in. (Hint: If you know you saved the recovery codes but can’t find them on your computer, use your computer’s search option to look for “backup-codes-username.txt” (substituting your username before the file extension. For details on how to generate a new set of backup codes, see Google’s “Sign in with backup codes” help page.
Apple accounts and devices: You have the option to create a recovery code for your Apple ID. For details, see “Set up a recovery key for your Apple ID”. To access data on a Mac that’s been encrypted using FileVault, you’ll need the recovery key. Mac expert Glenn Fleishman has detailed instructions (including info on how to find your recovery key) in this excellent article: “How to unlock your Mac with its Recovery Key and FileVault active”.
To regain access to data in your iCloud account with Advanced Data Protection enabled, you’ll need the recovery key you (I hope!) saved earlier, or you’ll need to call your recovery contact and enlist their help.