I wrote a basic information security policy at work and figured the public might get something out of how to protect themselves using a minimum of effort.
Basic information security (infosec) is important for various reasons, not the least of which is not getting your sensitive files leaked.
Here’s a basic rundown of what all employees who travel on official Driveline business (Tour of America, Winter Meetings, Bat Fitting, anything) must take on their corporate and/or personal laptops. These are the bare minimum standards.
1. Enable a Password
If your Macbook or PC laptop boots into single-user mode (no password required), change that immediately to require a password on boot and when your screensaver is triggered.
2. Enable a six digit or larger passcode on your phone
Your phone contains sensitive information. On iOS, increase the passcode to 6 digits from 4, and on Android, use anything over 6 characters (numbers and/or letters). The difference in brute force cracking 4 to 6 characters goes from 10,000 combinations to 1,000,000.
This is true even with FaceID or TouchID enabled.
Fun fact: Cops can compel you to unlock your phone using your face or fingerprint but cannot compel you to remember your password. Think about the implications of this when traveling internationally and just in general. FaceID / TouchID are not passwords. They are usernames.
3. Download and use Backblaze
Backblaze is a constant backup solution that will upload files from your computer securely. Should your hard drive crash or you lose your laptop, you can download individual files/folders from their website or you can order a hard drive / USB stick to have your files shipped to you.
Don’t wait for backups to be required. Just get it done and put it in receipts.
4. Full disk encryption
If your laptop is stolen and it has a password, the hard drive can be removed and mounted in another device, giving the attacker access to the files. Full disk encryption prevents this from happening.
For MacOS, use FileVault 2 which is built into the operating system.
For Windows, use Bitlocker if you have Windows 10 Pro or higher.
(Right click your C:\ drive and click “Turn on Bitlocker”)
If you do not have that option, you don’t have Windows 10 Pro. You can pay for the upgrade if you like ($99 for most), but if you don’t want to do that, I am evaluating options and will update this post when I have a good one.
5. Use a VPN (optional, but highly recommended)
When you are in a hotel / Starbucks / public place on their WiFi, data is sent over the air unencrypted. The Internet connection in 4-3 (if hardwired in) is automatically encrypted using a VPN tunnel, which sends all your data to a secured server, which then sends your data out to the intended target.
If your logs are seized or reviewed with a VPN on, they will just see connections to the secure server, which then can be compelled to turn over logs… if they kept any. The (very well reviewed) service we use does not keep logs and the parent company is not based in the United States for protection.
If you would like to use a VPN when traveling – and again, I highly recommend it for both business and personal use – download ProtonVPN. We have a corporate account; please talk to me in person for the username and password for business purposes.
For personal use, you can use ProtonVPN free servers or cheap alternatives like Windscribe and various other providers that pop up on Slickdeals.net. ProtonVPN is somewhat expensive and our licenses are limited, so only use the login if you are on official business, thank you.
6. Use Signal messenger for sensitive topics (optional)
Text messages are horribly insecure and last forever.
If you are talking about sensitive topics or anything off the record to journalists, it is highly recommended you use the Signal app on your phone and/or desktop.
Signal works on Android/iOS/PC and is endorsed by Edward Snowden, so, you know.
It provides end-to-end encryption of messages, files, and even phone calls, in addition to ephemeral (self-deleting) messages after a given amount of time.
I use Signal exclusively with journalists and any others that require sensitive transmission of information, like legal matters, and highly recommend you do the same.
Paranoid / Crazy Security Steps you can take
7. Use PGP / Flowcrypt for emails (very optional)
If you REALLY need secure communications, I recommend looking into PGP and Flowcrypt for Gmail, which is the easiest way to encrypt emails using military-grade standards.
My public key can be found here: https://firstname.lastname@example.org
It’s extremely unlikely you need to know about PGP / secure emails, but in case you are interested, there you go.
8. Use ProtonMail (very optional)
ProtonMail (yes, same developers as ProtonVPN) offers the most secure webmail that is end-to-end encrypted and keeps no logs, and is based out of Switzerland. If you are using secondary email accounts for anything, this may be worth investigating, and it’s free.