This post is part of a series: Practical email security guide.
Understanding public WiFi networks and encryption
When you log on to a public WiFi network, the information between your computer or phone and the network antennas around you is unencrypted, meaning it’s as freely available in the air to “overhear” as if you were conversing at normal volume with someone a few feet away from you at Starbucks. You wouldn’t loudly talk about that skin rash or your date last night with a complete stranger within earshot of you. Instead, you’d whisper or go someplace else to talk.
The same logic should apply when connecting to public WiFi networks. Except online, you wouldn’t Google personal medical questions or send those spicy emails to your friend if you knew someone could “overhear” you in the room.
That’s why you should make sure your connection is secure. You need encrypted traffic using a VPN. ExpressVPN, NordVPN, and ProtonVPN are all top contenders in this space. They cost money because bandwidth is a real expense for these companies.
A VPN, which stands for “Virtual Private Networking”, is common in large workplaces where you have to connect to the company VPN before you can connect to company servers, files, and databases.
When you connect to a VPN, it’s like you’re physically locating yourself behind the walls of your office or another secure location. From that point on, the traffic your device exchanges with the internet is encrypted in transit, as if every small group in the Starbucks spoke its own language. Other people can “hear” you, but they can’t understand you. The same goes for the VPN, which scrambles the data in transit from your device to the public WiFi routers you’re around.
You might think your local coffee shop is fine, or the local library. But is it? How do you know?
The truth is you don’t know, just as you wouldn’t know if someone’s parked outside monitoring for passwords you’re typing in or intercepting a copy of texts and emails. That’s why you can also use VPNs for personal security.
If you don’t have a VPN, you can be a little more secure connecting your laptop to your phone’s hotspot. That hotspot-enabled WiFi connection is usually encrypted between your PC or Mac and the phone. Likewise, most Internet traffic over a cellular network is harder to intercept (though not impossible). Interception occurs using a “man in the middle” attack, which involves setting up fake cellular antennas. It sounds like something out of a James Bond film, but it’s quite simple and used by agencies all over the world. Man in the Middle attacks date back to 1568 and the attempted assassination of Queen Elizabeth I. Seriously!
Encrypt your devices for additional security
In addition to encrypting the data traffic your devices are using, you should also encrypt the data on your hardware.
The most likely scenario surrounding data theft for most people is the theft of the device itself. You left your laptop in the car, ran inside real quick, and came back to find the window smashed out and the laptop gone.
Or even more likely, you left your laptop open at home and someone like a babysitter, child, or a friend-of-a-friend comes by and starts looking around.
You should encrypt your devices since copies of your emails, texts, and more are likely available on your device’s local disk.
Most modern devices have some capability to enable encryption, but it isn’t always turned on by default. The reason is that encryption can slow file access down because your computer has to process the encryption keys each time you open a file. But any computer or device made in the last five or so years is likely fast enough that the difference is imperceptible.
If you’ve ever seen a movie where the detectives conduct forensics on a hard drive to get at copies of the files, that’s a process that is very real. But encryption is a mathematical “binding” that wraps around each file that makes it impossible to actually see or read the files should someone get access to them. Because of the variations in the mathematical “binding”, in this metaphor, it would take the world’s largest supercomputers as much as 75 years to “try and guess” the strings required to unlock even one file.
Enable encryption on your iPhone in iOS 15
To enable iPhone encryption, open Settings > Face ID & Passcode and make sure a passcode is enabled.
Then scroll down. Data protection is at the bottom of the Face ID & Passcode screen and should be toggled “on”.
Note that an iPhone’s data encryption does not prevent authorities from accessing your backup on Apple’s servers, just the data stored locally on the phone. As of early 2022, most of your data backed up in iCloud is not encrypted. This includes photos and even iMessages (which are encrypted on your device, but not in the cloud backup). This will likely change over the next few years.
Enable encryption on your Android device
Go to Settings > Security > Encryption > Screen lock. Select the PIN option and enter a PIN. Then go into Settings > Security > Encryption > Encrypt tablet or Encrypt phone.
Enable encryption on your Windows 10 or 11 PC
Microsoft calls its encryption “BitLocker”. You can find it under Start > Settings > Update & Security > Device encryption.
If Device encryption doesn’t appear, it isn’t available. You may be able to turn on standard BitLocker encryption instead. If device encryption is turned off, select Turn on. More guidance is available from Microsoft since variations in Windows 11 are coming.
Enable encryption on your Mac
Apple calls encryption “FileVault” and it’s been built into Macs for years, but is usually not enabled by default.
To check:
- Choose Apple menu > System Preferences > Security & Privacy.
- Click the FileVault tab.
- Click, then enter an administrator name and password (you may have to click the lock icon in the bottom left of the settings window.)
- Turn On FileVault.
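
After following the Windows or Mac steps above, you can confirm the result from the command line instead of the settings screen. The script below is an added example, not part of the original post: it parses the output of the built-in `fdesetup status` (macOS) and `manage-bde -status` (Windows) tools. The function names and the sample output are constructed for illustration, and the Windows parser assumes English-language output.

```python
import platform
import re
import subprocess

# Constructed sample of English `manage-bde -status` output (not from a real machine).
SAMPLE_BDE = """\
Volume C: [OSDisk]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
Volume D: [Data]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
"""

def parse_fdesetup(output):
    """macOS: `fdesetup status` reports 'FileVault is On.' or 'FileVault is Off.'"""
    return re.search(r"FileVault is On\b", output) is not None

def parse_manage_bde(output):
    """Windows: map each volume to True only if it is encrypted AND protection is on.
    Encrypted with protection off (suspended) still leaves the data unlockable."""
    volumes, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        header = re.match(r"Volume ([A-Z]:)", line)
        if header:
            current = header.group(1)
            volumes[current] = {"encrypted": False, "protected": False}
        elif current and ":" in line:
            key, _, value = line.partition(":")
            value = value.strip()
            if key == "Conversion Status":
                volumes[current]["encrypted"] = value in (
                    "Fully Encrypted", "Used Space Only Encrypted")
            elif key == "Protection Status":
                volumes[current]["protected"] = value == "Protection On"
    return {vol: s["encrypted"] and s["protected"] for vol, s in volumes.items()}

def disk_encryption_ok():
    """Run the native status tool for this OS; True only if encryption is active."""
    system = platform.system()
    if system == "Darwin":
        cmd, check = ["fdesetup", "status"], parse_fdesetup
    elif system == "Windows":  # manage-bde needs an elevated (administrator) prompt
        cmd = ["manage-bde", "-status"]
        check = lambda out: bool(parse_manage_bde(out)) and all(parse_manage_bde(out).values())
    else:
        raise NotImplementedError(f"no check implemented for {system}")
    return check(subprocess.run(cmd, capture_output=True, text=True).stdout)

if __name__ == "__main__":
    print(parse_manage_bde(SAMPLE_BDE))  # parses the constructed sample only
```

Call `disk_encryption_ok()` on the machine you want to check; a volume that shows as encrypted but with protection off is reported as not protected.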