Digital Security
Key considerations and guidelines to effectively manage and maintain a high level of digital security.
Authors: David Hecker
Created: 12 Oct 2024 Last updated: 03 Jun 2025
Managing your digital security is of utmost importance. As we often work on high profile projects for international brands, as well as highly sensitive projects for financial institutions, it is mandatory to ensure you are following best practices when it comes to security.
Hardware Access
- Ensure there is a decently secure password set for access to your work computer
- Do not put the actual password in the password hint box!
- Make sure to automatically enable the login screen after a set period of inactivity
- Always lock your computer when stepping away from your desk
- If your computer is ever stolen, you need to reset all of your passwords immediately
Password Policies
- Do not allow your browsers to remember passwords
- Passwords should never be re-used
- Especially do not re-use passwords from your social media accounts for work accounts!
- Passwords should always be as strong as possible
- Ideally should be at least 9 characters long
- A strong password should contain a variation of character, including:
- upper case letters (A-Z)
- lower case letters (a-z)
- numbers (0-9)
- special characters (! @ # $ % ^ & * ( _ - + = { } | \ : ; " ' < , . > / ? ~ `)
- It should never be only a single word spelled correctly
- Choose words that are not very common
- Passwords should never contain any of your personal information - especially your real name, username or your company name
- Avoid using passwords that could be easily guessed based on social engineering, e.g. using your pet's name - even if you add a ! or 123 at the end
- Avoid using methods that could easily be turned into a pattern, eg capitalise first word only and add an exclamation mark at the end
- Doing standard 'leetspeek' replacements is not secure (e.g. replacing i, e and o with 1, 3 and 0 respectively) as it is an easy pattern to follow
- Password structures that are acceptable:
- Random strings are always great (e.g.
!@6weT1gH8*&) - Multiple random words can also be very good (e.g.
Windows-5-couch-Cat-screen) - Multiple related words can be easier to remember for a particular login (e.g.
Camera-8-tripod-Lens-filmfor a photography website) - Memorable phrases and sentences are a good option too (e.g.
I love watching 2 series on Netflix!)
- Random strings are always great (e.g.
Password Management
- It's highly recommended to use a secure password manager to keep track of your passwords and Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA) credentials.
- The following are not secure options:
- A text file on your desktop
- In your email
- On a Post-It note attached to your screen/laptop
- The following are not secure options:
- 2FA is mandatory on all company-linked accounts where it is available, e.g. GitHub and your work email
- Do not use Google Authenticator for 2FA as it's tied to a single device, so if your phone goes missing, you will not be able to get into your 2FA-linked accounts
- App-based 2FA is preferred over SMS, partly as an SMS can be delayed, but also if you travel for an install you might have a local SIM card and be unable to receive an SMS on your linked number
- SIM cards can also be cloned, so someone can gain access to your SMS authentication without you knowing about it
- Use one of these for your password management. Most have a free option, but this is a service well worth paying for:
- 1Password
- Best for Mac and iOS users, but works great on Windows too
- Includes a Watchtower service to alert you to breached sites where your details may have been compromised
- Bitwarden
- Open source
- Dashlane
- Keeper
- ~~LastPass~~ (No longer recommended due to multiple security breaches and customer data being compromised)
- 1Password
Checking Compromised Accounts
- If you suspect an account has been compromised, change your password immediately!
- Go to https://haveibeenpwned.com/ and check if your email address shows up in any results. If it does, make sure you’re not using that password anywhere else and change any that are shared (which they shouldn’t be!)
Hardware Encryption
It is strongly advised that you back up any encryption recovery keys for your devices.
Windows BitLocker
- From within Windows, your recovery key can be accessed and backed up from here: Back up your BitLocker recovery key - Microsoft Support
- If you are already locked out of Windows, you should be able to access your recovery key from a browser: Finding your BitLocker recovery key in Windows - Microsoft Support
macOS FileVault
- If your recovery key is lost and you have no backup, you are out of luck.
- If you have stored your recovery key on iCloud, then these are the recovery steps: How to find your FileVault recovery key in macOS
- You can turn off FileVault and re-enable it again to generate a new recovery key, which you can then safely store Use FileVault to encrypt your Mac startup disk - Apple Support