I have a simple, yet comprehensive, cybersecurity strategy for my daily use of electronic equipment. It relies heavily on the “security through obscurity” approach, in which I avoid drawing unwanted attention to myself from potential attackers. My approach assumes that a security breach will occur (when, not if), with a strong emphasis on recoverability. While some of my decisions may appear foolhardy and lazy, they are balanced by other decisions that are quite strong and bordering on excessive. When taken as a whole, I believe that my cybersecurity strategy is quite effective. It is based on three primary objectives:
- Avoid being “interesting” to potential attackers
- Don’t be an early adopter of anything. Always “wait and see”
- Mitigate risk by using multiple devices, each with a specific purpose
An “interesting” target is one that a malicious actor may find attractive. I believe that attackers create detailed profiles of potential targets and then search out individuals who fit that profile. For example, suppose the ideal target is a high-wealth individual with weak computer skills. This type of person is also the ideal customer for personal security services, for example, LifeLock. If an attacker obtains the customer list from LifeLock, they have just obtained a curated list of potential high-value targets. Therefore, as part of my strategy to avoid being “interesting,” I avoid using third-party security services as much as possible. I am also reluctant to use password managers (although I don’t disregard their value). While these managers enable the use of extremely strong passwords for various accounts, if an attacker should obtain the master password to the manager itself, the entire digital identity is compromised. As of now, I accept the risk of using presumably weaker passwords, in order to avoid the risk of keeping all my passwords in a centralized manager.
The second objective of my strategy is to avoid being an early adopter of new technologies and services, and I subscribe to the “wait and see” approach as much as possible. I refuse to purchase cool new devices such as Alexa until the technology has been thoroughly vetted in the marketplace. Also, when a security event occurs, such as the Equifax breach, I will not react immediately. It is all too easy to fall prey to malicious actors pretending to be technical support. I will sit quietly, closely monitor the situation, and take action only after others have paved the trail ahead of me.
The final objective of my strategy is to mitigate risk by using multiple devices, each with a specific purpose. Here’s where things may seem excessive: I have three computers. One is dedicated exclusively to work and productivity, one computer is for gaming, and the third is a lightweight Chromebook for general-purpose surfing and streaming. Each device has a specific purpose, and these purposes do not cross over. For example, if I use my gaming computer to download a game that contains malware, it will only affect that computer and not the others (it is also on a separate network router). If my productivity computer should become infected with ransomware, I can wipe the hard disk and restore all my important files from my copious offline and cloud-based backups. If that same computer becomes infected with a keylogger, the attacker would not learn my passwords to my various online accounts such as Netflix, because I only use a Chromebook for those services. Also, if I intend to work in a public place such as the library, I take my Chromebook because its data is 100% recoverable in the event of theft or damage. I cannot imagine relying on one single laptop for all online activity, as many people do. The level of vulnerability is mind-boggling.
While my plan may seem expensive and resource-intensive at first glance—three computers!—it incorporates significant cost savings in other areas. For example, I do not purchase virus protection software; instead, I rely on the free (and notable) security features available in Windows 10 and ChromeOS. If a computer does get infected, I don’t bother investing time and energy cleaning it. Nor do I pay for a tech support service such as the Best Buy Geek Squad. I simply wipe the hard drive (or purchase a new drive—decent ones are less than $100 these days) and reinstall everything. I have learned—the hard way—that this approach is far easier than the laborious, emotionally draining, and potentially expensive task of troubleshooting and repairing an infected computer.
By applying these three principles, my personal cybersecurity strategy has proven to be effective. Although it may seem expensive to use multiple computers, I don’t believe it is unreasonable because of the cost savings in other areas. My strategy enables me to avoid common security pitfalls, and, when an incident does occur, I can recover with minimal time and expense.
Note: If you actually read this far, you are likely profiling me for a phishing attack. Well, just so you know, some of the details revealed above might be slightly tweaked in reality. I wouldn’t make it that easy for you now, would I?