It’s no secret that nowadays some of our most valuable assets are online. They can take the form of a service that stores all your precious files, from the family memories of a digital nomad who is always traveling to the sensitive documents of your small business, or they can be our social media accounts, which today act as our window for communicating with others across the globe on these massive platforms.
What most people don’t realize is the importance of following properly up-to-date digital security protocols and practices. This can make the difference between never having to worry about any of your digital assets and potentially losing priceless photos, videos, files, accounts, or assets for your business.
How to avoid getting hacked?
In this guide, we are going to learn the fundamentals of how to secure your digital assets and accounts. There are several areas and topics around digital security, but we are going to focus on practices that improve security around the following:
How to secure local files
How to secure cloud storage
How to secure your Google Account
How to secure your social media accounts
How to secure your company accounts
But before we dig deeper into the necessary steps and practices, it’s important to take a moment to understand the basics of what we are trying to protect ourselves from.
How can you get hacked?
There are countless ways to steal information and accounts from unsuspecting victims. Let’s review some of the most common ways in which people are losing their social media accounts, work accounts, and more.
1. Phishing
The attacker replicates or impersonates a service (a website, a person, etc.) in order to steal personal information or an account. For example, you get an email claiming to be from Meta or Facebook saying there is an issue with your account and you must take immediate action or your account will be deleted. You click the link and it takes you to a website that looks identical to Facebook but is actually an elaborate copy; the victim signs in with their username and password, and now the attackers have their credentials.
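The impersonation described above almost always hinges on a link whose hostname is not the real service. The following is an added example (not code from the original article or from Never Too Late Academy) that pulls every link out of a message and classifies it by comparing the hostname against an allowlist of the services you actually use. The allowlist, the homoglyph table and the sample email are constructed for the example; the look-alike check is a simple heuristic, not a complete phishing detector.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the domains of the services the reader actually uses.
TRUSTED_DOMAINS = {"facebook.com", "google.com", "instagram.com"}

# Hypothetical look-alike normalisation: digits commonly swapped for letters.
HOMOGLYPHS = str.maketrans("0135", "oles")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url: str) -> str:
    """Hostname of a URL in lowercase, '' if it has none.

    urlsplit() discards any 'user@' part, so http://facebook.com@evil.example/
    correctly yields 'evil.example', not 'facebook.com'.
    """
    return (urlsplit(url.strip()).hostname or "").lower()


def is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host IS a trusted domain or a subdomain of one.

    The suffix check includes the dot, so 'facebook.com.evil.example'
    and 'notfacebook.com' are both rejected.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a link as trusted, lookalike, unknown or unusual."""
    parts = urlsplit(url.strip())
    host = host_of(url)
    if parts.scheme not in ("http", "https") or not host:
        return "unusual"
    if is_trusted(host, trusted):
        return "trusted"
    # Look-alike heuristic: a trusted brand name shows up inside an
    # untrusted hostname, possibly with digits standing in for letters.
    normalised = host.translate(HOMOGLYPHS)
    for d in trusted:
        brand = d.split(".")[0]
        if brand in host or brand in normalised:
            return "lookalike"
    return "unknown"


def scan_text(text: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Map every http(s) URL found in text to its classification."""
    return {u: classify_link(u, trusted) for u in URL_RE.findall(text)}


# Constructed sample message in the style described above.
SAMPLE_EMAIL = """\
Your account has a problem and will be deleted in 24 hours.
Log in now at https://facebook.com.account-verify.example/login to keep it.
Our real help centre is at https://www.facebook.com/help
"""

if __name__ == "__main__":
    for url, verdict in scan_text(SAMPLE_EMAIL).items():
        print(f"{verdict:10} {url}")
```

The point of the suffix check is that only the part of the hostname after the last two labels decides who owns it; anything placed in front of "facebook.com" (or after it, as in "facebook.com.account-verify.example") belongs to someone else.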
2. Malware and Viruses
Malware is any program or code designed with the intention of harming, stealing from, or controlling your devices without your consent. There are countless ways to get infected, but some of the most typical are:
Files (via emails, messages, flash storage) from an infected source. Remember it’s possible to hide malware inside any normal file that you would regularly open (photos, invoices, documents, etc.).
Websites can also use exploits to inject malware into your devices.
Juice jacking is another technique that has become popular recently. Attackers tamper with a public charging port, like the ones you may find at airports or on airplanes, trains, etc.; it’s possible to install hardware that injects malware into your devices while you charge them. The best practice here: never charge your phone on a public charger. A good battery bank will keep you safe and give you all the additional charge you may need. (Some older and lower-quality chargers can also damage your devices; this is often the case with public chargers that have bad voltage regulators, which can damage your phone or any other device.)
A good practice when it comes to malware is to use a reputable antivirus on your computer. Depending on your operating system and other needs the best solution for you may vary, but we recommend doing some quick research and reading reviews to find out what works best for your devices and needs.
3. Cookie Theft or Cookie Hijack
Cookies are small pieces of text sent to your browser by a website you visit. They can hold things like your credentials (when you log in to a website) or any other data related to your browsing activity. In cookie theft (also known as cookie hijacking) an attacker steals critical cookies that allow them to gain access to your accounts by impersonating you. For example, an attacker can steal the cookies that validate your Google account and thereby gain complete access to it without ever having to enter your password or any other credentials. This type of attack often requires malware that lets the attacker copy the cookies from your devices; for example, a piece of malware could be hidden in a PDF or a fake invoice sent to your email.
A good practice here is to avoid opening files from unknown sources, and having a good antivirus can help (but remember that even the best antivirus programs are not perfect and attack methods change all the time). For the ultimate level of security (for companies and business owners), a good practice is to own multiple devices and completely isolate any chance of an attack. In other words, let’s say you own a well-established brand with a good number of followers on social media (YouTube, Twitter/X, Instagram, Facebook, etc.), but you also need to constantly check files and documents from third-party vendors and new contacts online. What you can do is make sure that all the accounts that are owners or admins are logged in only on a device (or devices) that will never be exposed to any media from outside your organization. If you have a work phone that holds the owner account for your YouTube channel, you use that phone only to review and manage your accounts, and you avoid checking any external emails or receiving any type of file on it. The devices that are constantly exposed to external files (emails, documents, etc.) should only hold accounts that have no access to any critical assets, or very limited and controlled access. If this sounds a bit confusing, we always recommend hiring an expert who will audit your personal needs and guide you through the necessary steps to secure your digital assets.
4. Keyloggers
A keylogger is also a type of malware; it focuses on capturing all the keystrokes on a computer, so it records everything you type. This allows the attacker to steal any private information that you type on your devices, from usernames and passwords to sensitive private documents or conversations.
The best practice here is the same as for any other malware. Be aware that keyloggers can also be installed on smartphones.
5. Database Leaks / Database Breaches
When a website gets hacked, attackers often target its database (the collection of data and information it stores), especially if they can steal and decrypt all the usernames and passwords. The main reason is that a lot of people use only one password for everything! So once they have your email, username, and password, they know there is a good chance you have another account (or other service) that uses the exact same credentials, making it easier to gain access to those accounts too. When one of these databases gets hacked the whole set may get sold online, or in some cases dumped online for free, and there are countless archives of these online.
The best practice here is never to use the same password twice. Ideally, we recommend using a good password manager that will allow you to create complex passwords (with a mix of upper-case and lower-case letters, numbers, and symbols).
Good practices to improve digital security
What is 2FA?
2FA stands for Two-Factor Authentication.
The idea is to have two or more authentication factors to verify your identity. This can be anything from a confirmation code sent to your phone, like an SMS message with a verification code, to a physical security key. Some are safer than others, but what’s important is that this provides an additional security barrier that could stop an attacker from stealing your identity or assets.
What is MFA?
MFA stands for Multi-Factor Authentication.
It allows you to have multiple ways to authenticate your identity. Unlike 2FA, where the key is to have two or more factors to validate your identity, in MFA you may have multiple ways to choose from to verify your identity, but you may not necessarily need to enter two or more of them to validate who you are.
Different types of 2FA
Passwords. This can be an additional password or code made of text and symbols.
Security Keys. A security key is a physical device (often in the shape of a small USB stick, but it can also be wireless). We will explain the keys in greater detail later on. They provide an additional layer of protection by requiring the user to physically have the key to validate their identity: in the same way that you may need a physical key to open a lock, these keys become a critical step in validating who you are online.
Security Tokens. There are many variations of these, but in general they are physical devices that are required during authentication. They can come in the form of a small device that displays 6-9 digits that change every minute; some have a small keypad to enter digits, and others are a contactless card or NFC tag that you tap on your phone or a card reader.
Biometrics. These validate who you are based on physical characteristics of your body such as your face, iris (eyes), fingerprints, veins, voice, etc.
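The rotating 6-9 digit code on a security token, and the same code in an authenticator app, is almost always a time-based one-time password (TOTP). As an added example, not code from the original article, here is the standard algorithm (RFC 4226 HOTP under RFC 6238 TOTP, HMAC-SHA1) with a verifier that tolerates a little clock drift and compares codes in constant time. The time step in the standard defaults to 30 seconds (tokens that change every minute simply use a 60-second period). The only secret in the block is the RFC’s published test value; real secrets come from the enrolment QR code or Base32 string your service shows you.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = ((mac[offset] & 0x7F) << 24         # mask the sign bit
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // period, digits)


def verify_totp(secret: bytes, code: str, now: Optional[int] = None,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current code and `window` steps on either side (clock drift).

    hmac.compare_digest keeps the comparison constant-time so timing does not
    leak how many digits matched.
    """
    if now is None:
        now = int(time.time())
    counter = now // period
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def secret_from_base32(text: str) -> bytes:
    """Decode the Base32 secret that apps show when you enrol (spaces and padding optional)."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


# RFC 6238 reference secret, used here only as a test vector (not a real key).
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code right now:", totp(RFC_TEST_SECRET))
    print("accepted:", verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET)))
```

Note what the drift window buys and costs: a window of 1 means a code stays valid for up to three steps, which is why services that use this scheme also remember recently used codes so one cannot be replayed inside that window.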
Security Keys
Security keys, also known as connected tokens, are some of the best ways to protect your digital assets. There are multiple formats and protocols for these keys; our recommendation is to check the requirements for your specific needs, since each platform may accept only certain types of keys or protocols.
When it comes to the keys themselves there are different versions available: USB-C, USB Type-B, Lightning (iPhones), Bluetooth, NFC (contactless), and more.
One important detail to keep in mind is that on some platforms, once you set a security key as your 2FA method you will need a key to authenticate, so you definitely want to have at least one backup key, because you could permanently lose access to your account if you lose (or can’t use) your security key.
A good practice is to have at least one backup key, ideally off-site in a safe location. You can also have three copies: your daily-driver key, a backup at your home or office, and a third off-site backup. The idea of an off-site backup is that in case of a natural disaster or anything else that may destroy your keys, you will always have a fail-safe to recover your access; a good option may be leaving a copy with a trusted family member or friend.
What key should I get?
Google offers a very affordable option called the Titan Security Key. They come in a set of two (so you already have a backup); the exact version varies depending on your region, but the set usually includes two different keys, compatible with NFC and USB-C (a great option for authenticating on your mobile phone). These keys support FIDO, which is one of the most widely used security protocols. You should be able to use this key across all major platforms (we recommend double-checking compatibility with your specific needs).
The price is usually around $30 for the set of two keys (for reference, well-known brands will often cost around $30-70 per key).
Another good and reliable solution comes from Yubico, one of the most well-known brands when it comes to security keys. They offer a wide range of models that vary depending on format and needs. Prices usually range from $30 to $70 for the consumer models.
Password Managers
A password manager is a service or tool that helps you keep track of and organize all your passwords. There are multiple options out there with different features, but in general the most helpful features are the ability to keep track of all your usernames, passwords, and any other credentials you have, plus a password generator that you can use to create long and complex passwords. Most of them also have some form of mobile app that lets you switch between devices without much trouble.
Why is it important?
First of all, they keep track of all your accounts in one safe place, and unless you are capable of remembering and keeping track of dozens or hundreds of very complex passwords, this is the easiest way to organize your credentials. Keep in mind that all of the best solutions out there require a paid subscription, and you get what you pay for.
How to create good passwords
First of all, you want all your passwords to be unique; in other words, don’t use the same password twice. Second, you want to use as many characters as possible, although there is no need to go to the maximum length if a site supports anything above 30-40 characters. Something that is important: you want to use a mix of all the supported character types, including upper-case, lower-case, numbers, and symbols. Most password managers have an integrated password generator that will automatically generate a strong password for you. Also be aware that some websites (especially really outdated ones) may not allow some characters, for example symbols, in their passwords; in that case you can change the settings in the password manager to accommodate this, or just manually create one mixing the available characters as much as possible.
Passwordless login
Recently more platforms and websites have been integrating this feature into their systems, and there are multiple ways to achieve a passwordless login.
Some methods for passwordless login include:
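The rules above (unique, long, every character class, symbols optional for outdated sites) are exactly what a password manager’s generator implements. As an added example, not code from the original article or from any password manager product, here is a generator built on Python’s `secrets` module (the cryptographically secure source, unlike `random`), an entropy estimate so you can see what extra length buys, and a checker that reports reuse and missing character classes, which also covers the "never use the same password twice" advice in the database breach section. The class names, the 16-character minimum and the sample reused password are constructed for the example.

```python
import math
import secrets
import string

# The four character classes the text recommends mixing.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def _enabled(symbols: bool):
    """Classes in use; symbols=False drops punctuation for sites that reject it."""
    return [(name, c) for name, c in CLASSES.items() if symbols or name != "symbol"]


def generate_password(length: int = 20, symbols: bool = True) -> str:
    """Random password with at least one character from every enabled class."""
    enabled = _enabled(symbols)
    if length < len(enabled):
        raise ValueError(f"length must be at least {len(enabled)}")
    alphabet = "".join(c for _, c in enabled)
    # One guaranteed pick per class, the remainder from the whole alphabet,
    # then a secure shuffle so the guaranteed picks are not always first.
    chars = [secrets.choice(c) for _, c in enabled]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length: int, symbols: bool = True) -> float:
    """Bits of entropy of a uniformly random password drawn from the alphabet."""
    size = sum(len(c) for _, c in _enabled(symbols))
    return length * math.log2(size)


def password_problems(pw: str, used_before=frozenset(), min_length: int = 16) -> list:
    """List the rules a password breaks; an empty list means it passes."""
    problems = []
    if pw in used_before:                      # the reuse rule from the breach section
        problems.append("reused")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length}")
    for name, c in CLASSES.items():
        if not any(ch in c for ch in pw):
            problems.append(f"no {name}")
    return problems


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{entropy_bits(20):.0f} bits", password_problems(pw))
    print(generate_password(16, symbols=False), "(no symbols, for older sites)")
    # Constructed example of a weak, reused password:
    print(password_problems("Summer2023!", used_before={"Summer2023!"}))
```

Twenty characters over all four classes gives roughly 131 bits; dropping symbols costs about 0.6 bits per character, which is why the text says length matters more than squeezing in every symbol a site happens to allow.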
Verification using your phone or a mobile app
Social media login
Authentication through Google or any other 3rd party
Biometrics (fingerprint for example)
Other good practices:
For your Google accounts, opt in to the Google Advanced Protection Program. This is free of charge and enables stronger security measures across your Google Account. You can learn more at the following link: https://landing.google.com/advancedprotection/
Use a trusted antivirus. Depending on your specific needs and type of devices, the best solution for you will vary, so we recommend researching good solutions that fit your specific needs, and if you are unsure it’s always a good call to hire a professional to audit and recommend the best solutions for you.
VPN (Virtual Private Network). A VPN sends your data encrypted to another location. There are many uses for this, but in general the most useful one is that it improves the safety of your connection, especially on any public Wi-Fi or network. Ideally you want to avoid public Wi-Fi and networks when possible, but if it’s a must, a VPN adds an additional level of protection that can save you from some attacks on this type of network. The other common use for a VPN is to appear to be in another location; this can be used in a variety of circumstances, from streaming services to getting better deals on airline tickets, since many websites restrict or modify their content based on where you are. Bear in mind that in some circumstances (and in some countries) this could be against the law; we advise you to always check local laws and restrictions.
Don’t install mobile apps from unknown sources. Keep an eye on the reviews and the developer of the app.
Create an inactive account plan. In case of an emergency or death, what would happen to all your digital assets? Maybe you have files that you would like to pass along to your family, or maybe your company needs access to some critical login that is owned by your accounts. Google offers an option to set up a plan for inactive accounts, where you can transfer your files and access to a selected trusted contact after a period of inactivity; other platforms have similar options. We recommend doing a review of all your digital assets and setting up a plan according to your needs.
These are some of the basics when it comes to digital security for digital nomads and small businesses; there are quite a few more vulnerabilities and other factors to take into consideration. Our last and most important piece of advice is “stay up to date”: digital security changes every minute, and it’s critical to keep up with the best practices and methods. Take a few minutes every now and then to read some articles and make any necessary updates to your assets, and if you are not comfortable doing the research or making the necessary changes, please seek professional advice from a digital security consultant, or send us a message to learn how Never Too Late Academy can help you.
About Esteban Mora
Esteban Mora is a seasoned professional with a wealth of experience in the realms of digital marketing and security. Drawing from his years at Red Bull and Hermès, he has honed his expertise in devising innovative strategies that seamlessly blend the worlds of technology, communication, and protection.
With a career that spans over a decade, Esteban's journey began at Alienware, HP, and later on at Red Bull, where he contributed significantly to their digital marketing efforts. His keen insights and creative thinking led to the development of impactful campaigns that resonated with audiences across diverse platforms. During his tenure, he not only demonstrated a deep understanding of digital marketing trends but also recognized the increasing significance of safeguarding digital assets in an interconnected world. He carried that expertise and passion into his role at Hermès Tokyo as COO.
The culmination of Esteban's experiences has positioned him as a leading expert in the intersection of digital marketing and security. His unique insights into the challenges and opportunities that digital landscapes present have driven him to share his knowledge with the world through the Never Too Late Academy. As Chief Marketing Officer at the Never Too Late Academy, Esteban is ramping up our digital presence as we seek to help people everywhere acquire the courage and tools to realize audacious dreams.
In a dynamic digital era, Esteban Mora stands as a beacon of expertise, leveraging his extensive background to navigate the intricate interplay of technology, communication, and security as we serve digital nomads who are looking to be financially independent.