A Little (Expert) Advice: How to Protect Your Personal Data

Jan 24, 2023 | How-To

Technology moves pretty fast these days. It can be difficult to know what to do to best protect your personal data from theft or loss. Here are some tips, straight from the expert.

Episode Transcript

Brian: Hey, thanks for joining us here on Fearless Paranoia podcast where we seek to demystify the world of cybersecurity. I am Brian, the cybersecurity attorney.

Ryan: And I’m Ryan and I build stuff in cybersecurity.

Brian: Yeah, he’s the one who makes the stuff. And then I, I’m the one who has to warn him about what he needs to do to make sure that he doesn’t break any laws. But he’s the smarter one of the two of us. So you should definitely listen to him over me. We’re actually going to take a step away from our usual post. Even though it’s helpful to, I think, most people, we tend to target this information towards small businesses, small business owners. This is a more general purpose episode, actually a series of episodes; we’re trying to help you manage and protect your personal data. And so, what these are is essentially tips and pieces of advice, ways that you can make yourself more secure. We’re not saying that you must do all these things, we’re saying that if you did all of these things, that’d be great, you would be more secure. But even doing one of these things is likely to make you more secure. So, we’re going to be running through a whole list of them here. And so, without further ado, we’re going to start with protecting your stuff. Tip number one is: keep your software up to date, right? What do people need to do to improve their security this way?

Ryan: One of the nicest parts is in most of our software stuff nowadays, the biggest thing to do is not turn off automatic updates. Or if you have the option or have to opt in, turn them on. Most software, most operating systems, Android, iOS, Windows, macOS, all of it has the ability to take care of and update itself based off of offerings from the manufacturer. Turn all those things on, do all the updates. If you have Adobe products, please, please, please update those. Same with Java, update that stuff all the time, because there’s lots of vulnerabilities that come out frequently. And all it really takes is a poorly crafted document or something simple to take advantage of one of those. So just turn on your updates, click the Update button, become friends with your updates, restart your computer if you need to to apply updates. Do the updates, do all the updates all the time. It’s absolutely worth it. And it will take away a lot of the attack surface.

Brian: It’s important to bear in mind that I’m pretty sure that one of the few things that most people on this planet probably have in common is the frequency with which they hit “remind me again tomorrow.” The best advice here is to not do that. I’m going to raise one brief gripe that I have. For some reason, on my iPhone, I have automatic updates enabled, and I don’t know why, but it doesn’t seem to understand what that means. I have to manually update my iOS every time. Now, I don’t know if what it really means is that at some point, it will happen. But I can tell you that my phone is charging every night and meets all the requirements it’s supposed to list, and for some reason it’s not doing it right. So, in the event that someone who’s listening to this might know someone who might be able to pass some information along. I don’t think there’s any way that Apple doesn’t know about this, but that’s an issue anyways. So, item number one is keep your software and your operating systems up to date. Two: use antivirus and other security software. Ryan, this kind of almost to me feels more like a relic out of the 90s and the aughts, because it’s just not something that is front and center for most people anymore. But what do we need to do?

Ryan: Well, again, a nice part about this one is that in a lot of cases, a lot of these manufacturers that are putting out operating systems and things have basic security systems in place. If you’re running a Windows system on your computer at home, you’ve got Microsoft Defender built in. It’s kind of a lightweight version of it; it’s not quite the same as the enterprise level, it doesn’t have the reporting, but it still has their whole scanning database, their whole definitions database. It updates once a day, it looks for all the major, major, major threats. Antivirus isn’t as critical as back in the day. Don’t install weird cheap stuff, watch out for the spamware that comes with it, don’t install, like, the AVGs and the Avast and that kind of stuff anymore. But, like, if you have built-in stuff in your OS, make sure that you’re not turning those off, make sure that you’ve got them running on a frequency of once a day, make sure if there’s real-time protection, that stuff is turned on. If you feel like purchasing an additional tool of some sort, that’s fine, too. But I really don’t think that many of them are going to be the answer, because a lot of the exploits and a lot of the attack methods nowadays aren’t leveraging really general basic malware anymore of the kind that antivirus tools typically pick up.

Brian: However, you could get something like Malwarebytes to at least get rid of a lot of the PUPs that may be dragging on your computer a little bit too.

Ryan: Yep, absolutely. Yeah, it’s a good idea just to run something every so often. I run, like, an ESET free scanner once a month just to check. I run Malwarebytes every so often at the free level just to check, or if there’s any indication that there might be a need to. But yeah, those tools all are just one more layer in the mix that’s going to help keep you and your system safe.

Brian: Okay, so you’re not going to guarantee protection. But by using and running, and I think that’s actually a very, very critical distinction, running, making sure that your antivirus systems are operating and running and scanning on a regular basis, that’s going to help you. Let’s move on to number three, securing your mobile devices. I know that this is not the same issue that it was 10 years ago. 10 years ago, convincing someone that it was important to put a four-digit lock code on their cell phone was like pulling teeth. It’s better now, but there’s still a lot that can and should be done.

Ryan: Yeah, security was opt-in back in the days. It was just assumed that nobody was gonna get physical access to your device. And if they did that, that was your problem, IT security was broken. Nowadays, it’s pretty forced upon people by the manufacturers to have at least basic security in place. I think basic encryption is required on both Android and iOS, I’m pretty sure at this point, so at least that should be in place. Stuff like not turning on untrusted sources is really critical. Unless you’re doing, like, active development on your phone, if some tool is asking you to turn on developer mode, or untrusted sources or something, that’s a huge red flag. Stay away from all that stuff. And then just good best practices like making sure your browsers get updated, making sure you’re not downloading weird applications. Like, don’t go into the Google Play Store and download this sweet game that 715 people have downloaded. You know, just don’t make those kinds of weird, bad decisions. And then make sure any data that you care about on those devices is backed up somewhere, because that’s critical. Because eventually something’s going to happen to your device. Either it’s going to get ransomware, you’re going to drop it, you’re going to run over it, something’s going to happen, and something will happen to that data. Maybe you’re trying to delete a picture on your phone, you accidentally delete an album instead. That’s a big problem. But if you have a backup in place, your data is stored in multiple locations, and it’s safe in case of those kinds of catastrophes or disasters.

Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms. Also, please share this podcast with anyone you think would find it helpful or useful. We rely on listeners like you to help get the word out about this show, and we appreciate the support. Now, time for some more cybersecurity…

Brian: And there’s important follow ups on that site. Number one, have your data backed up, make sure that you know where your data is being backed up. There’s some discussions now about people who have Google Photos; make sure that you know how Google Photos is storing and organizing your data. But also, beyond that, be aware of how you are unlocking your device and… damn it right… there’s something I was gonna say modern add on there. Maybe I’ll think of it later. So yeah, make sure you’ve secured your mobile devices. And I also want to stress that extends to things like using your web browser in your phone to store passwords. Just please, please don’t. We discussed password managers in our last episode. Do that, it’s so much better. Next, data backups. So we’re gonna talk about data backups here, and you just mentioned ransomware. And I think one of the big things that a lot of people who are looking at personal devices, people aren’t really worried yet, I don’t think, about ransomware on personal devices. Most people that I know assume that ransomware is something that happened to businesses. Guess what, security is getting better. And guess what else, the number of criminals using ransomware is not going down, it’s probably going to continue going up, and the ransomware systems that are available, the ransomware as a service, is going to keep proliferating, and they need targets, and businesses are not going to be the only ones they target. They may not ask you for a million dollars, they may ask you for $750. But ransomware against the individual is coming. So, backups on your mobile devices and backups in general are important. So Ryan, I’ll get off my thing here right now. You can educate us as to how to do backups in a way that is safe, but also quite honestly doable. What does the normal person need to do for data backups?

Ryan: Everybody needs to treat it a little bit different. First thing you need to do is just classify your data, identify how important is your data. And can you live without pieces of the data? And you need to kind of go through and audit all your data in that same fashion. Obviously, I’ve got a lot of stuff in my dataset that I could live without. I get a heavy majority of my data, if it all disappeared tomorrow, it’d be just so…

Brian: We can translate for him. He means your stuff.

Ryan: Yes.

Brian: Your data, he means take a look at your stuff. When he says to classify your data, he means determine which stuff is what: photos, movies and things like that.

Ryan: For Windows users, I’m talking about the things in your desktop, the things in your documents folder, and the things in your pictures folder, the stuff Microsoft calls your home libraries. Those are the things I’m talking about, all the crap that you have scattered all over in there. That’s our stuff.

Brian: And if you don’t have that stuff stored in another location, it is always going to be at the whims of the computer gods and the hacker demons.

Ryan: If it survives, it doesn’t even have to be a cybersecurity issue. I have had numerous hard drives just cease to function. It is the nature of hard drives that they fail, you can’t get power back to them or something on them fails and all of a sudden everything on there is potentially gone. So multiple backups of all of your critical data. I personally keep three backups of my super critical data, things like personal finance documents, anything that’s like really heavily critical, I keep a copy of.

Brian: Yeah, Ryan, neither of us have enough money for it to really be critical.

Ryan: But okay, yeah: live data, one backup that’s attached that’s synchronizing somewhat frequently, one detached copy of that data that’s stored somewhere safe, that’s not stored at the same location that all the rest of the stuff is stored.

Brian: And the good news for everybody listening is if you go to our website at for this post, we actually have a list of consumer level and in some cases small business level backup systems that actually allow you to do this remarkably easily. Most of it is a set-it-and-forget-it cloud backup system. The other ones, I don’t know what the data backup system for Windows automatic one. But if you’ve got a Mac, use Time Machine and unplug that hard drive as soon as it’s done. There you go, you’ve got an offline backup. It’s not hard to do. But it is something that I don’t think most people do regularly. So, we are going to at least provide that service and provide a few links to services that we recommend. But we make it very clear, we don’t endorse any products directly here unless we explicitly say so. These are not endorsed products. But these are simply products that can make your life a lot easier.

Ryan: And programs come and go. But we’re more about endorsing the strategies, the behaviors and the practices that we’re talking about. Because again, there can be 1000 different tools that can do data backup. The fact that you’re doing the data backup is the important part; the tool is secondary in that conversation. Just make sure you’re doing the actual deed.

Brian: Okay, so after data backups, next one is public Wi-Fi use and VPN use. Now I know this is a very common lecture that I give to businesspeople. And I think most people are at least aware of this kind of risk. Ryan, why is this an important tip?

Ryan: So this one right here is the one that a lot of people have been warning a lot of people about for a lot of years, and a lot of people don’t take very seriously and definitely don’t take seriously enough, is stuff like public Wi-Fi. And using a VPN. A lot of businesses use VPN, they don’t technically use it for encryption, they get the side effect of it. Usually, they’re using it for connectivity purposes, they’re trying to connect somebody in to something else. But your average public user, when they’re using a VPN, like a NordVPN, or something like that, they’re doing it as a way to follow this security best practice of encrypting your data, encrypting, you know, where your information is, or they’re trying to use it to proxy somewhere, they’re trying to change a location or trying to defeat some sort of policy. In either of those cases, the couple of things to know are, if you’re using it for the sake of anonymity or any of those, you’re just moving your connection downstream one step further, but your VPN provider is still going to be able to have all the visibility that you’ve moved away from your normal ISP. But if you’re using VPN for encrypting your traffic, that’s a really fantastic reason to be using those types of services, especially if you’re going to be working on either an insecure internet location, or a shared use internet location with other people that you’re not familiar with. And stuff like public Wi-Fi, going into a coffee shop or restaurant or anywhere else, any sort of shared office space, that public Wi-Fi, all of those devices, you’re subject, first of all, to the configuration of that Wi-Fi and what that looks like. And then all of those devices have connectivity to one another through those routers, through that connection, which means that there’s opportunities for them to potentially look at other traffic. Now most of that traffic, again, is encrypted, but it opens up the fact that now we can at least look at it. So, if there is any unencrypted traffic, it’s all potentially visible. And it gives you the opportunity to start doing things like positioning yourself man in the middle and doing other ways of abusing that traffic. And so having that VPN encrypting all of that data and ensuring that it’s got a solid point to point connection is really a good way of kind of making a lot of those approaches from that public Wi-Fi, like that lateral movement from proximity, a lot more challenging.

Brian: You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.

Brian: I think one of the ways to look at it is that imagine that public Wi-Fi you’re using, or any Wi-Fi router you’re using, as an airport or a train station or something like that. That airport, you know, you arrive at the airport and you travel somewhere, they know who you are, where you came from, and where you’re going. By using a VPN, they’ll know who you are, they’ll know that you passed through their train station. But that’s it. The fact that you were there will probably still exist, but they won’t see where you’re going. They won’t see if you’re coming or going, they won’t see where you’re going to and they won’t have any idea where you went after you got to where you’re going. That’s the whole idea, is that it essentially becomes the new first step of your internet activity and everything between you and that VPN is encrypted. And that’s an important level of protection. So, piggybacking on that, encrypt your data wherever available and with the strongest encryption available. I don’t know if many people on a personal level really think about this too much. What’s the best way to do it?

Ryan: Well, the two major things are encrypting your two different types of data. You’ve got data in transit and data at rest. And they’re treated entirely differently. Most of the data in transit, most users don’t have a lot of opportunity to do anything other than turn off that encryption also. That is, you’d have to opt out of that, because those security controls are just in place on the browsers, in place on those file transfer connections. Most of those data connections that are modern nowadays have an encryption mechanism. But with our previous conversation on the VPN, just to ensure that you’ve got that connection being encrypted, put another layer like that in so that you know that that data is encrypted. And if it’s encrypted twice, so be it, more encryption is going to be fine. It might be a little bit more latency, but it’s going to be worth it.

Brian: In the end. I think one of the things you definitely mean is if hard disk encryption is available on your computer, use it, implement it immediately.

Ryan: And now we’re talking about data at rest, right. So, we want to make sure that absolutely, that’s the data that we need to be more concerned with there. Most data in transit is already going to be encrypted because of the protocols and the applications. The data at rest is the data that we control, the data that’s just sitting in a storage location locally, or in a cloud service, or somewhere else. We rely on stuff like Google to say that they’ve encrypted all of our data that’s in Google Photos. We have to kind of trust them the same way that we kind of trusted LastPass that they were encrypting all of the data and everything else. Usernames were encrypted in LastPass, as a quick update to our previous conversation, but there was some conflicting information there. But I hope that they were encrypted. But the same way that all of that data should have been encrypted, anything that’s super critical to you should be encrypted also. So, any data that you’ve got sitting on your hard drive, if somebody were to come into my house and steal my computer, they can’t log into it, they’re not going to have my password, they’re not going to be able to multifactor into the operating system anyways. And so, they’re stuck trying to pull data directly off the hard drive. Well, if that data is encrypted, it’s going to make it much more challenging for them to be able to actually access any of that data. But if that data is not encrypted, all they got to do is fire up any sort of other operating system, attach that hard drive just as a slave next to it, and boot it and get read access or potentially write access to all of that data sitting there unencrypted.

Brian: And when you consider that one in seven laptops purchased is either lost or stolen, that’s an important thing to have. Just because they don’t have your login doesn’t mean they can’t find a way to get into your hard drive. So, make sure that if they get there, they have a whole nother hurdle to leap over.

Ryan: Yeah, every time I worked at a business, and we’d get a report that some user’s laptop has been stolen or misplaced, the first thing we always checked was encryption level, just to give them an idea of what the potential impact would be like if somebody were to get in there. Because I just assumed that every user has got their login password on a Post-it note shoved up on the bottom side of their laptop. It’s just an assumption I make being in cybersecurity. So, you just assume that that level of security has been breached and will be breached. So, you start looking at what comes after that.

Brian: All right. Well, thank you for joining us here on Fearless Paranoia. We’ve gone through this particular list of how to keep yourself a little bit more safe in the increasingly internet focused, connected and cyber aware world that we’re in. We’re going to have a whole nother series on how to keep yourself safe regarding the Internet of Things. That’s what I’m actually really looking forward to talking to Ryan about, because he’s got some phenomenal ideas on how to both keep yourself safe and to set up a more private and protected system that we’re going to talk about. But until that happens, please visit our website at www.fearlessparanoia.com. You can check out any of our previous episodes, check out the information and additional resources including all of the available product solutions that we’ve identified, and you can get additional advice on keeping yourself safe at resilient cybersecurity.com. Please subscribe to us if you have enjoyed this episode at any of your favorite podcasting platforms. I think I covered it. Ryan, did I get everything there?

Ryan: Nah, man, you covered it. Like and subscribe, please. It’s what really keeps us motivated to keep doing this stuff here. And whether you guys like it as this is all really important stuff nowadays, and it’s going to become ever more important over the coming years. So, we appreciate you guys coming back, and please bring your friends and keep coming back.

Brian: Yeah, we’re plugged in. We’re very algorithm motivated at this point. For Fearless Paranoia, I’m Brian.

Ryan: And I’m Ryan.

Brian: And we’ll see you next time.

©2024 Fearless Paranoia