Summary

• I think that the risk of a major cybersecurity threat - of similar economic magnitude to COVID - is under-appreciated.

• My friend recently got hacked and this highlighted how easily we can lose access to our email, documents and bank account if our computers and phones.

• It's good to take steps to avoid being hacked, but, it's equally - if not more - important to be prepared to recover from a hack.

Background

Last week, one of my friends got seriously hacked and lost control over their phone, computer and internet router. They have made good progress in resolving the issue, but it was a reminder for me to revisit my own preparedness for a computer and phone hack. In particular, it made me realise how much security is now dependent on our phone.

I think that a major global cyber hack is likely over the next decades and will arrive unexpected, much like COVID-19. I've taken some time to review the security of my information and am presenting my approach here. I'm not a cyber or software expert, and this approach is imperfect, but I hope that it serves as a reminder to you to check if you could survive a hack.

Plan to survive, not just avoid, a hack

Yes, it's good to take measures to avoid getting hacked (i.e. someone getting control of your computers and digital information) - and I'll cover some of those. However, I don't believe any system can be 100% protected from hacks, so it is best to assume you will get hacked and think about how you can cope in that scenario. (I highly recommend the movie Zero Days as an eye-opening insight into how easy computers are to hack).

0. Simulate a Hack

Even if you don't read any of the rest of this article, I recommend doing the following:

a. Open up a browser in private mode.

b. Navigate to the website of an important service (e.g. your bank or email provider).

c. Assume that you no longer have i) your password/or it has been changed, and ii) your phone.

d. Try to log in to your account.

If you can't find a way to log in, then you probably are vulnerable if your phone and computer get fully hacked.

Oftentimes, the only ways to avoid this are i) having back-up codes on paper - if the service allows that, ii) having a backup e-mail to recover your password, iii) calling the company (often a slow and painful option).

1. Two Factor Authentication

For important accounts, I always turn on two factor authentication (2FA). I use an authentication app like Microsoft Authenticator, Authy, Google Authenticator where possible. Sometimes SMS/text messages to my phone are the only option for 2FA. SMS is better than nothing, but text messages can be intercepted, so two factor using an authentication app is preferable. Edit Sept 2022: Phone hacks are increasingly common, so best practise is to avoid using any SMS verification in favour of using authenticators instead. Indeed, even authenticators may not be perfect.

2. I use a VPN (virtual private network)

I always use a VPN on my laptops. A VPN helps to hide your IP address (the address of your computer when accessing the internet). This helps to stop your computer from being targeted - especially if on a public wifi network.

For a computer, there are many VPN services available like Proton VPN or Nord VPN or Express VPN that you can buy for a few euro per month.

There are also services that provide VPN for mobile phones. These are less common but becoming more common. Brave VPN is one new option for iOS that I use.

3. Save passwords to a password manager

There are many options for password managers - from web browsers to Keepass to OnePass. These are not perfect but are often better than an unprotected Excel or Word document. Make sure that the password manager requires a password to open/access passwords.

The benefit is that you can use different passwords for every website. This is important because it is highly likely that some of the services you use will get hacked and passwords will get exposed to the public. Of the 200+ services that I have passwords for, I know of at least three that have been compromised. If I had used the same password for all services, then the password for all of my services would be compromised!

Of course, holding all of your passwords in one password protected database isn't perfect. There is the risk that your password database gets hacked - especially if you hold the database on a device that is online. This is why two factor authentication is important to use for critical accounts.

There is also the risk that your password database gets damaged and the passwords can't be recovered. One way to provide some protection for this is to regularly back up your database to a hard drive that you store disconnected from the internet.

4. Do regular offline back ups of your password database, email account, website/blog and documents

One outcome of a hack is that the hacker uses your personal information to steal money or make use of your identity. Another possibility is that you are drawn into a large scale hack where an attacker gains control of your accounts but their ultimate target is someone else in the larger group being hacked. They may not care about your information, but you may still lose it or be denied access to your accounts. In other words, it's possible you will simply be collateral damage.

If you do lose access to your accounts and/or information, then you need a backup copy - ideally one or two offline hard drives. Try not to be in a position where your most important information is only stored online.

5. Create a Backup E-mail with a different service than your main e-mail

For example, if your main email is iCloud, use Gmail as a secondary email; if your main email is Protonmail, maybe use iCloud as your backup. The key point is that you don't want to have your backup e-mail being managed by the same service as your primary e-mail - that's a recipe for disaster if my main email service is hacked.

6. Prioritise and try to keep things simple

We all have so much information that security can seem overwhelming. Try to prioritise what is most important to you. Maybe that's your e-mail. Maybe it's your bank account. Maybe it's your cryptocurrency.

Work through the exercise of trying to recover your accounts and critical documents if you lose your password, your computer and your phone.

7. Wildcard measures

Take some additional precautions that aren't disclosed on a public blog :)

Invitation for Comments

What further tips do you have on avoiding and surviving hacks? Do you have any concerns with any of the approaches above? Please do comment below.