Devices, Updates & Data Protection
The unglamorous habits — patching, backups, encryption — that quietly save you when everything else fails.
01 Patch or Perish
Software has bugs. Some bugs are security holes, and when one is discovered it is assigned a CVE (Common Vulnerabilities and Exposures) identifier and, ideally, a patch. Updating is not busywork — it is closing doors that attackers are actively trying to walk through.
The scariest flaws are zero-days: vulnerabilities exploited before the vendor has a fix, so defenders have "zero days" of warning. But here is the underappreciated truth — the vast majority of real-world breaches exploit known vulnerabilities for which a patch already existed. Attackers don't need a zero-day when so many systems are months behind on updates.
History drives it home. EternalBlue (patched by Microsoft as MS17-010) fueled the WannaCry and NotPetya outbreaks by hitting machines whose owners had not applied a fix Microsoft had already shipped. In December 2021, Log4Shell (CVE-2021-44228) — a flaw in the ubiquitous Log4j Java library rated a maximum 10.0 severity — let attackers run code on countless servers worldwide with a single crafted string, and organizations scrambled for weeks to find and patch every affected system.
02 The 3-2-1 Backup Rule
Backups are the ultimate safety net: against ransomware, hardware failure, theft, fire, and your own mistakes. But a backup you never tested, or one sitting on a drive that ransomware also encrypted, is no backup at all. The durable standard is the 3-2-1 rule:
- 3 copies of your data (the original plus two backups).
- 2 different types of media or storage.
- 1 copy kept offsite (and ideally offline or immutable).
The "offsite and offline" part is what specifically defeats ransomware. Modern ransomware deliberately hunts for and encrypts connected backups and network shares. A copy that is physically disconnected or stored as immutable (write-once) cannot be encrypted by an attacker who owns your live systems. This is the difference between a bad week and a catastrophe.
For most individuals, the practical setup is: your device, an automatic cloud backup, and an occasional local copy to an external drive that you disconnect afterward. Three copies, two media, one off the machine.
03 Encryption at Rest
Encryption at rest protects the data physically stored on a device, so that if the hardware is lost or stolen, the contents are unreadable gibberish without your key. It is the difference between losing a laptop and losing everything on it.
The good news: strong full-disk encryption is built in and largely free. On Windows it is BitLocker; on macOS, FileVault; on Linux, LUKS. All use the battle-tested AES cipher, typically with 128- or 256-bit keys. Modern smartphones encrypt by default — iPhones tie encryption to the hardware Secure Enclave, and Android uses file-based encryption — with your PIN, password, or biometric unlocking the key.
The critical nuance: encryption at rest protects a device that is off or locked. Once you have logged in and the disk is unlocked, files are readable — so encryption is not a substitute for a strong lock screen, malware protection, or careful handling of an already-running machine. It is one layer, aimed squarely at the "someone has my physical device" threat.
04 When Devices Walk Away
Devices get lost and stolen constantly — left in taxis, lifted from bags, forgotten in cafes. A lost phone or laptop is a data breach on legs, because it holds your logged-in sessions, saved passwords, messages, photos, and email. Preparing before it happens is what limits the damage.
Layer these defenses:
- A strong lock screen on every device — a real PIN or password plus biometrics — is the first wall. Auto-lock after a short idle time.
- Encryption at rest (from the previous section) ensures a thief can't just pull the drive and read it.
- Remote location and wipe: Apple's Find My, Google's Find My Device, and Microsoft's equivalents let you locate, lock, and remotely erase a lost device. Enable them now — you cannot turn them on after it's gone.
If a device does vanish: lock or wipe it remotely, then change the passwords for the important accounts that were logged in on it, prioritizing your primary email (the reset hub for everything else). Report theft to the police and, if it's a work device, to your employer immediately.
05 IoT, Mobile, and the Long Goodbye
Your attack surface now includes things that were never "computers": doorbells, cameras, TVs, thermostats, light bulbs. Many IoT (Internet of Things) devices ship with weak default passwords, rarely receive security updates, and quietly connect to the internet from inside your home network.
The Mirai botnet showed the stakes. In 2016 it infected hundreds of thousands of IoT devices — mostly cameras and routers — simply by trying a short list of factory-default passwords. The resulting flood took down the DNS provider Dyn, knocking Twitter, Netflix, Reddit, and Spotify offline across much of the US. Mundane gadgets with default credentials became a weapon of mass disruption.
Mobile deserves its own care: install apps only from official stores, scrutinize the permissions an app requests (why does a flashlight want your contacts and location?), and keep the OS updated. On smartphones, permission hygiene is much of the battle.
⌘ Field Glossary
- Zero-day
- A vulnerability exploited before the vendor has released a fix, giving defenders zero days of warning. Rarer than exploited known bugs, but harder to defend against.
- CVE
- Common Vulnerabilities and Exposures: a standardized identifier (e.g. CVE-2021-44228) assigned to a publicly known security flaw.
- Patch
- A software update that fixes bugs or security vulnerabilities. Applying patches promptly closes holes attackers actively exploit.
- 3-2-1 backup rule
- Keep 3 copies of data on 2 types of media with 1 copy offsite (ideally offline or immutable), so no single failure or ransomware event destroys everything.
- Encryption at rest
- Encrypting stored data (e.g. via BitLocker, FileVault, or LUKS with AES) so a lost or stolen device is unreadable without the key.
- Remote wipe
- The ability to erase a lost or stolen device over the network, via services like Apple's Find My or Google's Find My Device, provided it was enabled beforehand.
- IoT (Internet of Things)
- Everyday internet-connected devices — cameras, thermostats, doorbells — that often ship with weak defaults and rarely receive updates, expanding your attack surface.
Knowledge Check
Field Assessment
01 What is a 'zero-day' vulnerability?
02 In the 3-2-1 backup rule, why does the offsite (and offline or immutable) copy matter most against ransomware?
03 What should you do before selling or recycling an old phone or laptop?