Lotus Quest
Cybersecurity.
Worry or nah?

Cybersecurity Advice

Most people have embraced connected technology to some degree. If you are online ... reading this ... you have too. If you have not yet applied basic risk management to how you interact with the connected digital world, maybe a little worry would do you good.

I created this site to share my thoughts and the practices my family uses regarding Cybersecurity. The cleanest distillation of the purpose of this site is probably--to help ordinary people navigate their digital life safely and with confidence. As a Cybersecurity professional--I have received many questions from family and friends. "Should I do this?" "Is this safe?" "What do I do now?" "What would you do?" "How do you do it?"

There is a flood of information in the security space, but sadly, good, grounded advice is just too hard to find. The security industry wants to scare you into consuming their services. The rest of the tech industry just wants to convince you that their products are safe. Where do you get friendly, unbiased info?

Why would my thoughts on Cybersecurity interest you? If you are not confident in your security as you interact with all-things-digital and do not have a deep knowledge of technology security--you may benefit from the experience of one who's spent a lot of time with the subject. I have 20+ years of experience in Cybersecurity. Half of this time with Big 4 consulting services providing technology security and privacy services to Fortune 500 companies. The other half in-house with multi-billion dollar .coms, leading their security and privacy functions.

I have spent tens of thousands of hours working with some really smart people solving complex security and privacy challenges. In the end, my advice to my friends and family who ask is that the basics of personal digital safety and privacy are reasonably manageable, but they require building a few basic competencies. I'll talk about these competencies and how I choose to practically address them. I'll also cover some of my practices that are a little less core, less necessary, but that I find satisfying.

So, welcome friends.

This site will use color-coded links to differentiate between internal and external links as follows--links within this site, links to other sites.

TL;DR Long-time Cybersecurity professional shares perspective on various information security topics for an audience of average consumers of technology.

risk management

Where to start?
Risk management.

Risk management is a necessary life skill. For us, finding our comfort zone in any contested/dangerous arena is about:

  1. Deciding what we care about,
  2. Understanding threats to our interests, and
  3. Making informed decisions about what risks we are comfortable taking and what steps we may want to take to reduce risk.

To people unfamiliar with this approach--it may sound like a lot of angst. For us it is the opposite of angst. It is the path to peace-of-mind. As consumers of connected technology, we find these simple tools of risk management very useful. We have no noticeable angst using technology and are very comfortable enjoying technology to the full extent of our interests in it.

So... in the scope of our use of connected technology--what do we care about?

Priorities

  1. Catastrophic misuse of a financial account, i.e., unauthorized emptying of a bank/brokerage account,
  2. Loss of access to our digital data and services exceeding 7 days. I have highly leveraged connected technology for administering most everything in our lives. It'd be a big deal to lose access.
  3. A gross invasion of our privacy. This is probably the most complicated and most challenging risk to manage.
  4. Being used as a vector to attack friends and family, e.g., being impersonated to take advantage of the trust of others,
  5. Less than catastrophic financial frauds, e.g., unauthorized charges, and
  6. Outages shorter than those of #2 above. We'd prefer that our kit just works.

So yeah, that's about it. We have no concerns about connected technology directly impacting our physical health and safety. Your circumstances may, of course, vary. You need to take ownership of your own priorities.

Threats

What are the threats to these things we care about?

TL;DR Our approach is to apply simplified risk management. First step for everyone--take ownership of your priorities. Then consider the threats to these priorities.

principles

Core principles

Our peace-of-mind while using technology is built on adoption of these core principles:

  1. Systems: Use only trusted systems,
  2. Authentication: Follow authentication best-practices,
  3. Encryption: Encrypt any private data that may leave our home,
  4. Availability: Consider failure an option, and
  5. Obfuscate: transitive verb, to make so confused or opaque as to be difficult to perceive or understand.

These first three principles are absolute. There are right ways to do each of them. If you're not aligned with these, you're doing it wrong. If you take ownership and build some competency in these first three principles--you should be able to go about your digital life with the confidence you are managing your risk well.

The fourth principle applies to most people to one degree or another but there is a broad range of solutions and some won't need this as much as others. I share what we do, but our practices will be a perfect fit for very few of you. You need to do what feels right for you here.

Our fifth principle relates to privacy and is not an absolute. Some people simply do not care about privacy and this is their right. If you're one of these people you can safely disregard principle 5. It is an important part of our list because Privacy is priority #3 to me. Again, I will share what we do, but our practices will be a perfect fit for very few.

TL;DR There is no shortcut here. At this point you need to start paying attention :)

Questions to:
m8y4hw5f8p@liamekaens.com