Physical device access through loss or theft
To prevent physical compromise, it is essential to keep your devices physically secure. In short, do not make it easy for an adversary to steal or even temporarily take your device from you. Keep devices locked away when left at home or in an office, or, if you think it is safer, keep them on your person. This of course means that part of device security is the physical security of your workspaces (whether in an office setting or at home). You will need to install strong locks, security cameras, or other monitoring systems – especially if your organization is at high risk. Remind staff to treat devices the same way they would treat a large stack of cash – do not leave them lying around unattended or unprotected.
What if a device is stolen?
To limit the impact if someone does manage to steal a device – or even if they just gain access to it for a short period of time – be sure to mandate the use of strong passwords or passcodes on everyone’s computers and phones. The same password tips from the Passwords section of this Handbook apply to a good password for a computer or laptop. When it comes to locking your phone, use codes that are at least six to eight digits, and avoid using “swipe patterns” to unlock the screen. For additional tips on screen locks, check out Tactical Tech’s Data Detox Kit. Using good device passwords makes it much harder for an adversary to quickly access information on your device in the case of theft or confiscation. With a strong passcode in place, activating Face ID or fingerprint unlock can be fine, but be sure to deactivate it (while leaving your strong passcode in place) before any high-risk activities such as protests or border crossings if you and your staff are concerned about device confiscation from authorities.
If any devices issued by the organization have a "Find my Device" feature, such as iPhone’s Find My iPhone and Android’s Find My Device, consider requiring staff to activate it. Encourage staff to use these features on personal devices as well. With these features turned on, the device owner (or a trusted contact) can locate the device or remotely wipe its contents should it be stolen, lost, or confiscated. For iPhones, you can also configure the device to auto-wipe after several failed login attempts. Such device management features become critically important for an organization when a device with sensitive information is lost or gets into the wrong hands.
What about device encryption?
It is important to use encryption (scrambling data so that it is unreadable and unusable without the key) on all devices, especially computers and smartphones. If possible, set up all devices across your organization with full-disk encryption. Full-disk encryption means that the entire contents of a device are encrypted, so that an adversary who physically steals it cannot extract its contents without knowing the password or key you used to encrypt it.
Many modern smartphones and computers offer full-disk encryption. Apple devices like iPhones and iPads, quite conveniently, turn on full-disk encryption when you set a normal device passcode. Apple computers using macOS provide a feature called FileVault that you can turn on for full-disk encryption.
Windows computers running Pro, Enterprise, or Education licenses offer a feature called BitLocker that you can turn on for full-disk encryption. You can turn on BitLocker by following these instructions from Microsoft; your organization’s administrator may have to enable it first. If staff only have a Home license for their Windows computers, BitLocker is not available. However, they can still turn on full-disk encryption by going to ‘Update & Security’ > ‘Device encryption’ in the Windows settings (this option appears only on hardware that supports it).
Android devices running version 9.0 or later ship with file-based encryption turned on by default. Android’s file-based encryption operates differently from full-disk encryption but still provides strong security. If you are using a relatively new Android phone and have set a passcode, file-based encryption should be enabled. However, it is a good idea to check your settings just to make sure, especially if your phone is more than a couple of years old. To check, go to Settings > Security on your Android device. Within the security settings, you should see a subsection for “encryption” or “encryption and credentials”, which will indicate whether your phone is encrypted and, if not, allow you to turn encryption on.
For computers (whether Windows or Mac), it is particularly important to store any encryption keys (referred to as recovery keys) in a safe place. These “recovery keys” are, in most cases, essentially long passwords or passphrases. In case you forget your normal device password or something unexpected happens (such as device failure), recovery keys are the only way to recover your encrypted data and, if necessary, move it to a new device. Therefore, when turning on full-disk encryption, be sure to save these keys or passwords in a safe place, like a secured cloud account or your organization’s password manager.
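For an organization with more than a handful of Windows laptops, it helps to verify, rather than assume, that BitLocker is actually protecting each machine and that the recovery key has been saved somewhere the organization controls. The script below is an added example written for this page; it is not the Handbook’s or Microsoft’s own code. It assumes a Windows 10/11 Pro, Enterprise or Education computer with the BitLocker PowerShell module, run from an elevated PowerShell session. The escrow step assumes the device is joined to the organization’s Azure AD (Entra ID) tenant; for computers that are not, the recovery password shown by `manage-bde -protectors -get C:` should be stored in the organization’s password manager as the text above recommends.

```powershell
# Added example (not from the Handbook): audit BitLocker on one Windows computer and
# escrow the recovery key to the organization's Azure AD tenant. Needs an elevated session.
#Requires -RunAsAdministrator

function Get-EncryptionAudit {
    # One record per operating-system or data volume: is it fully encrypted, is protection
    # actually on (a "suspended" BitLocker volume reports Off and is readable without the
    # password), and does it have a numerical recovery password protector we can back up?
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            $recovery = $_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                VolumeStatus     = $_.VolumeStatus        # FullyEncrypted / FullyDecrypted / EncryptionInProgress
                ProtectionStatus = $_.ProtectionStatus    # On / Off
                PercentEncrypted = $_.EncryptionPercentage
                HasRecoveryKey   = [bool]$recovery
                RecoveryKeyId    = $recovery.KeyProtectorId
            }
        }
}

$audit = Get-EncryptionAudit
$audit | Format-Table -AutoSize

# Anything not fully encrypted with protection on is what a thief could read from the stolen disk.
$audit |
    Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' } |
    ForEach-Object {
        Write-Warning "$($_.MountPoint) is not fully protected (status $($_.VolumeStatus), protection $($_.ProtectionStatus))"
    }

# Recovery keys are the only way back in if the password is forgotten or the hardware fails:
# back each one up to the organization's Azure AD tenant (assumes the device is tenant-joined).
foreach ($vol in $audit | Where-Object HasRecoveryKey) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $vol.RecoveryKeyId
    Write-Output "Recovery key $($vol.RecoveryKeyId) for $($vol.MountPoint) escrowed to Azure AD"
}
```

Run it once when a laptop is set up and again periodically; a volume that shows `FullyEncrypted` but `ProtectionStatus` of `Off` is the case most often missed, because the disk looks encrypted while BitLocker has been suspended (for example around a firmware update) and left that way.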
Remote device access – also known as hacking
In addition to keeping devices physically secure, it is important to keep them free from malware. Tactical Tech’s Security-in-a-Box gives a helpful description of what malware is and why it is important to avoid, which is adapted slightly in the rest of this section.
Understanding and avoiding malware
There are many ways to classify malware (which is a term meaning malicious software). Viruses, spyware, worms, trojans, rootkits, ransomware and cryptojackers are all types of malware. Some types of malware spread over the internet through email, text messages, malicious web pages, and other means. Some spread through devices like USB memory sticks that are used to exchange and steal data. And, while some malware requires an unsuspecting target to make a mistake, others can silently infect vulnerable systems without you doing anything wrong at all.
In addition to general malware, which is released widely and aimed at the general public, targeted malware is typically used to interfere with or spy on a particular individual, organization, or network. Regular criminals use these techniques, but so do military and intelligence services, terrorists, online harassers, abusive spouses, and shady political actors.
Whatever they are called, however they are distributed, malware can ruin computers, steal and destroy data, bankrupt organizations, invade privacy, and put users at risk. In short, malware is really dangerous. However, there are some simple steps that your organization can take to protect itself against this common threat.
Will an anti-malware tool protect us?
Anti-malware tools are unfortunately not a complete solution. However, it is a very good idea to use some basic, free tools as a baseline. Malware changes so quickly, and new threats appear so frequently, that no such tool can be your only defense.
If you are using Windows, you should have a look at the built-in Windows Defender. Macs and Linux computers do not come with built-in anti-malware software, nor do Android and iOS devices. You can install a reputable, free-to-use tool like Bitdefender or Malwarebytes on those devices (and on Windows computers as well). But do not rely on it as your only line of defense, as such tools will certainly miss some of the most targeted, dangerous new attacks.
Additionally, be very careful to only download reputable anti-malware or anti-virus tools from legitimate sources (such as the websites linked above). Unfortunately, many fake or compromised versions of anti-malware tools exist that do much more harm than good.
To the extent that you do use Bitdefender or another anti-malware tool across your organization, be sure not to run two of them at the same time. Many of them will identify the behavior of another anti-malware program as suspicious and stop it from running, leaving both malfunctioning.

Bitdefender and other reputable anti-malware programs can be updated for free, and the built-in Windows Defender receives updates along with your computer. Ensure that your anti-malware software updates itself regularly (some trial versions of commercial software that ship with a computer are disabled after the trial period expires, leaving them more dangerous than helpful). New malware is written and distributed every day, and your computer will quickly become even more vulnerable if you do not keep up with new malware definitions and anti-malware techniques. If possible, you should configure your software to install updates automatically. If your anti-malware tool has an optional "always on" feature, you should enable it, and consider occasionally scanning all of the files on your computer.
Keep devices up to date
Updates are essential. Use the latest version of whatever operating system runs on a device (Windows, Mac, Android, iOS, etc.), and keep that operating system up to date. Keep other software, browsers, and any browser plugins up to date as well. Install updates as soon as they become available, ideally by turning on automatic updates. The more up to date a device’s operating system, the fewer vulnerabilities you have. Think of updates kind of like putting a band-aid on an open cut: it seals up a vulnerability and greatly reduces the chance that you will get infected. Also uninstall software that you no longer use. Outdated software often has security issues, and you may have installed a tool that is no longer being updated by the developer, leaving it more vulnerable to hackers.
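Turning on automatic updates is the policy; checking that they are actually landing, and spotting software nobody has touched in a long time, is the follow-up. The script below is an added example written for this page, not the Handbook’s or Microsoft’s own tooling. It assumes a Windows 10/11 computer; the 45-day and one-year thresholds are illustrative values chosen here, and the registry `InstallDate` value it reads is optional and sometimes reflects the last modification rather than the original install, so treat the stale-software list as a prompt to review, not as proof.

```powershell
# Added example (not from the Handbook): report when Windows last installed an update and
# list installed programs that have not changed in a long time (candidates for removal).

function Get-UpdateAudit {
    param(
        [int]$StaleDays = 365   # illustrative: software untouched for a year gets flagged
    )

    $os = Get-CimInstance Win32_OperatingSystem

    # Most recent installed hotfix (Get-HotFix covers cumulative/security updates, not Defender
    # definition updates or feature upgrades, so it is a floor, not the whole picture).
    $lastHotfix = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # Installed programs from the 64-bit and 32-bit uninstall hives.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $stale = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |   # InstallDate is yyyyMMdd when present
        ForEach-Object {
            $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                InstalledOn = $installed
                AgeDays     = (New-TimeSpan -Start $installed -End (Get-Date)).Days
            }
        } |
        Where-Object AgeDays -ge $StaleDays |
        Sort-Object AgeDays -Descending

    [pscustomobject]@{
        OSVersion       = $os.Version
        OSBuild         = $os.BuildNumber
        LastHotfixId    = $lastHotfix.HotFixID
        LastHotfixDate  = $lastHotfix.InstalledOn
        DaysSinceHotfix = if ($lastHotfix) { (New-TimeSpan -Start $lastHotfix.InstalledOn -End (Get-Date)).Days } else { $null }
        StaleSoftware   = $stale
    }
}

$audit = Get-UpdateAudit
$audit | Select-Object OSVersion, OSBuild, LastHotfixId, LastHotfixDate, DaysSinceHotfix | Format-List

# Illustrative threshold: Windows ships cumulative updates monthly, so 45 days without one
# suggests updates are failing or disabled.
if ($null -eq $audit.DaysSinceHotfix -or $audit.DaysSinceHotfix -gt 45) {
    Write-Warning "No Windows update recorded in the last 45 days: check Settings > Update & Security."
}

"Software not changed in $($audit.StaleSoftware.Count) entries for a year or more:"
$audit.StaleSoftware | Format-Table Name, Version, InstalledOn, AgeDays -AutoSize
```

The stale-software list is the practical half for the Handbook’s advice to uninstall what you no longer use: a browser plugin or utility that has not changed in years is either abandoned by its developer or never updated on this machine, and either way it is surface area an attacker can use and the organization gets nothing from.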