If it’s not physically secure, it’s not secure.
That’s a phrase I’ve used in several articles on security, but with the recent emphasis on privacy as well, I’ve decided it deserves its own dedicated discussion.
You can have the best security software. You can be the greatest at identifying and avoiding phishing and other attempts to trick you into downloading malware. You can have the greatest, strongest passwords, doubly secured with two-factor authentication….
… and it’s all for naught the moment someone else gets their hands on your machine.
The friends and family plan
This scenario is all too familiar.
You feel safe at home, so you don’t bother locking your computer or taking other security precautions. It’s just you and the people you trust, right? Be it a spouse, roommate, or a good friend over for dinner, there doesn’t seem to be a reason to take special precautions.
That’s exactly how I roll. If you walk into my home, there’s a good chance you can walk into my office and start typing away at my desktop computer.
But I often hear from folks who shouldn’t have felt quite so secure in their surroundings. Be it a friend pulling a prank by taking a photo with your phone, or a soon-to-be ex taking revenge on your online accounts, or a child just wanting to play with your shiny toy, unlimited access to the technology you have lying around isn’t always the safest or most secure approach to take.
I’m fortunate in that I feel appropriately secure for my situation. What matters most is that I’ve thought about it on more than one occasion, rather than just assuming I’m safe or not giving it any thought at all. Usually folks who run into problems fall into that latter camp, having given little or no thought to whether they consider their home (or workplace) “safe”.
I’ll just be a second
I began writing this article in a local Starbucks – a place most folks consider anything but a “secure” location. Using the coffee shop’s Wi-Fi through a VPN, I secured my internet connection, and my laptop never left my sight.
The gentleman next to me, on the other hand, was working on something and then … left. I didn’t check to see if he was just picking up a refill or making room for more, the fact was he walked away from his open and running laptop (and a few other belongings). He returned after a couple of minutes and resumed his work.
I know if you hang out at your local coffeeshop or Wi-Fi-enabled eatery often enough, it can start to feel like home. But it’s not. You might assume that the other mobile techie nearby is a “friend” who’ll keep an eye on your things for a few seconds, but that’s a very bad assumption. You might assume that as long as it’s within eyesight, nothing bad will happen.
There are so many ways this can go wrong.
The most common result is theft. But walking away, even for a few seconds, opens the door to everything that unfettered access to your device allows.
Recent news has included a troubling privacy scenario many people don’t foresee: inspection when crossing international borders.
Depending on where you live, where you’re going, and the current political climate, any devices you take with you may be subject to inspection. That inspection could require you to provide full access to the contents of the device.
This is actually quite controversial, particularly in the U.S., and there are arguments and assumptions on both sides of the issue. What’s important here is to realize that:
- This could happen
- It involves full access
- It’s subject to the laws of the country you are travellng to, which may be radically different than what you’re used to.
It may be something most people needn’t be too concerned about, but it’s important to be aware of and consider this possibility before traveling.
Thieves? Yeah, but…
Many people consider theft to be the biggest thing to worry about.
If your data isn’t backed up and would disappear along with your computer, that might be true. But if you’ve been backing up appropriately, theft is generally an inconvenience and not actually a disaster.
It’s my belief that the majority of burglary and opportunistic theft is all about the hardware – not the data stored on it. Most thieves simply aren’t that technically savvy, and are more interested in turning a quick profit by selling the hardware. Unless you’ve been specifically targeted for some reason, your data is probably not that interesting, and will likely never be noticed.
Of course, “likely” isn’t never. You should still take precautions. When someone steals your equipment, they have everything on it. Depending on their level of expertise (or that of the person they sell it to), and the preparations you’ve made (or haven’t), they could once again have access to everything.
I do take steps, some of which I’ll outline below, and should anything ever be stolen, I’ll be changing passwords, of course. It’s just not the first thing I think of when securing my equipment.
Steps to take
When it comes to physical security, there are a variety of steps you can take, but the most important is simply to keep it mind.
Encrypt, encrypt, encrypt
In recent years, I’ve become a big fan of whole-disk encryption. I use it not only on any laptops I travel with, but also on my desktop computer.
Think of whole-disk encryption as password-protecting everything. Without the correct password (be it a real password, or your system log-in credentials) the information on your hard disk is simply inaccessible. As long as the machine is not running, or has been logged off, whoever has physical access to it simply can’t get at anything. Period.
Particularly if you’re in a situation where theft is a real concern, such as travel, whole-disk encryption is the first step to keeping your information secure. Similarly, make sure to enable encryption on any mobile devices that support it.
Important: remember that if, for some reason, you can’t log in to your own machine (or forget the password) you, too, will be unable to access the data contained on the disk. It’s critical you have a separate backup, kept secure in some other fashion. Make sure also to take advantage of any backup options, like a recovery key, offered by the encryption technology you use.
Yes, having to log in to your machine is an inconvenience. But by not having a login, you’ve made it a trivial matter for anyone to walk up to your computer at any time and access its contents, running or not.
Minimally, make sure a password is required to access your computer, and use a screen saver that also requires a password be specified to regain access after some period of inactivity.
Similarly, make sure your mobile device has a PIN code1. Configure an appropriate time-out, after which the device requires the code to access the device’s contents.
For bonus points, consider getting into the habit of locking your computer or device when you walk away (keyboard shortcut: Windows key + L).
Take your laptop when you pee
I’ll be blunt: if I’m at the coffee shop and need to use the restroom, my laptop comes with me. I do not trust it away from my sight. Honestly, even walking a couple of dozen feet away to get sweetener for my coffee makes me uncomfortable, even though the device is within eyesight.
This is true for any public place you take and use your devices, including airports, libraries, and schools. It even applies when at the home of your latest new acquaintance or friend-of-a-friend. At a minimum, make sure the device is locked if you do walk away.
Lock the doors
I hear fairly regularly from individuals who’ve had their information compromised by their roommates or roommates’ friends. In situations like this, one of the most common solutions is to lock your device.
Not with software (though that’s good too) – with hardware.
Get a lock for the room containing your computer, or find some other form of physical security to prevent access or theft.
Make travel plans
Travel can be complex, depending on where you’re going and what you need to take with you.
At one extreme, the Electronic Frontier Foundation has some ideas for individuals traveling internationally that could include traveling with only pristine devices that contain no sensitive data whatsoever, and relying on cloud access for the information you need.
At a more practical level, the single most important thing you can do is plan for your device(s) to be lost. Not only is losing a device when traveling frighteningly common, preparing for the possibility also readies you for theft. Encrypting, backing up, logging out, and simply making a habit of all the items I’ve discussed above are key to traveling safely and keeping our digital lives secure.
There are times – intentionally or otherwise – where our devices will be out of our control and potentially even in someone else’s hands. It’s at those times it’s important to remember the most basic rule of all:
If it’s not physically secure, it’s not secure.