Skip to main content

Device Hygiene

Device hygiene is the routine maintenance that keeps laptops, phones, tablets, routers, and workstations harder to compromise and easier to recover. A single unhealthy device can expose passwords, session cookies, code repositories, cloud tokens, and private documents. This page focuses on practical controls that reduce everyday risk.

Software Updates and Patch Management

Software updates fix known vulnerabilities. Once a vendor releases a patch, attackers can reverse-engineer it and build exploits for people who delay. This dangerous window is called the patch gap.

Update Priorities

PriorityUpdate quicklyWhy
1Operating system and browserMost exposed to internet content and local privilege escalation
2Password manager and security toolsProtect credentials and detection capability
3Messaging, email, office, PDF, and archive toolsCommon phishing attachment targets
4Router and IoT firmwareOften exposed and forgotten
5Developer tools, package managers, and extensionsPowerful access to code, terminals, and credentials

Patch Management Best Practices

1

Enable automatic security updates

Use automatic updates for operating systems, browsers, mobile apps, and security tools whenever practical.
2

Restart promptly

Many patches do not fully apply until restart. Do not postpone critical restarts for days.
3

Prioritize exploited vulnerabilities

If a vendor or security team says a vulnerability is actively exploited, treat it as urgent.
4

Review high-risk tools

For developer tools and extensions, update deliberately through trusted sources, and remove tools you no longer need.
Updates are usually protective, but recent supply chain attacks show that high-privilege extensions and developer tools need governance. Individuals should install fewer tools. Organizations should maintain allowlists, staged rollout, and monitoring.

Extension and App Inventory

You cannot secure what you do not know exists. Inventory is a basic but powerful habit.

Quarterly Review Checklist

  • Browser extensions
  • VS Code or IDE extensions
  • Password manager integrations
  • VPN profiles
  • Remote access tools
  • Cloud sync clients
  • Developer CLIs and package managers
  • Mobile apps with access to email, files, or work accounts
  • OAuth apps connected to Google, Microsoft, GitHub, Slack, or other identity providers
For each item, ask:
  • Do I still use it?
  • Do I trust the publisher?
  • Does it request broad permissions?
  • Does it run automatically?
  • Would compromise of this app expose sensitive accounts or files?

Endpoint Protection

Endpoint protection helps detect malware, suspicious processes, malicious scripts, and unsafe behavior on devices. For individuals:
  • Keep built-in protection enabled, such as Microsoft Defender, macOS XProtect, and mobile platform protections.
  • Do not disable security tools to run cracked software or unknown scripts.
  • Run a full scan if you suspect compromise.
For organizations:
  • Use EDR or XDR where possible.
  • Collect endpoint logs from developer machines.
  • Alert on unusual child processes from browsers, office apps, terminals, and IDEs.
  • Monitor for mass repository cloning, unusual token use, and unexpected outbound connections.

Public Wi-Fi Risks

Public Wi-Fi networks in airports, hotels, cafes, schools, and conferences are shared environments. You do not control the router, other users, or monitoring on the network.

Common Attack Scenarios

AttackHow it worksImpact
Evil twinAttacker creates a fake Wi-Fi network with a familiar nameTraffic can route through the attacker
Man-in-the-middleAttacker intercepts or modifies trafficCredentials and sessions may be exposed if protection is weak
Captive portal phishingFake login page asks for email, password, or payment detailsAccount or payment theft
Network discoveryOther devices scan the local networkExposed file sharing or services may be targeted

Safer Public Wi-Fi Habits

  1. Use your phone hotspot for sensitive work when practical.
  2. Verify the exact network name with staff.
  3. Avoid open networks with no password.
  4. Use a reputable VPN when you do not trust the network.
  5. Disable auto-join for public networks.
  6. Keep file sharing and AirDrop-style sharing restricted.

Backups and Recovery

Backups are not only for hardware failure. They are also your best recovery option after ransomware, accidental deletion, cloud sync mistakes, or device theft.

The 3-2-1 Backup Rule

  • 3 copies of important data
  • 2 different storage types
  • 1 copy off-site

Backup Best Practices

  • Automate backups: Manual backups get forgotten.
  • Use versioning: You need to restore files from before corruption or ransomware.
  • Test restores: A backup is only useful if it can be restored.
  • Encrypt backup drives: A stolen backup drive should not expose data.
  • Protect cloud backups: Secure cloud accounts with strong MFA and recovery planning.
  • Keep at least one offline or immutable copy: Ransomware can encrypt synced files.
Organizations should also test continuity plans. If a SaaS vendor, learning platform, or cloud provider becomes unavailable, teams need a documented fallback for critical work.

USB and Peripheral Risks

USB devices bypass many network defenses because they interact directly with hardware and the operating system.

Risky Devices

  • Found USB drives
  • Unknown charging cables
  • Public charging stations
  • Keyboard-emulating devices
  • Conference giveaway storage devices
  • External drives from unknown sources

Safer Habits

  • Never plug in unknown USB storage.
  • Use charge-only cables or data blockers at public charging stations.
  • Disable auto-run where possible.
  • In organizations, use device control policies for USB storage.
  • Scan external drives before opening files.

Full-Disk Encryption

Full-disk encryption protects data at rest if a device is lost or stolen.
PlatformBuilt-in option
WindowsBitLocker or Device Encryption
macOSFileVault
LinuxLUKS or distro-specific disk encryption
iOSEnabled when a passcode is set
AndroidEnabled by default on modern devices when a screen lock is set
Encryption protects a locked or powered-off device. Once you unlock and use the device, malware running as your user may still access files and sessions. Encryption does not replace malware prevention.

Physical Security

Physical access can bypass many digital controls.
  • Lock your screen every time you step away.
  • Use a short auto-lock timeout.
  • Do not leave laptops unattended in public places.
  • Use privacy screens when handling sensitive data in public.
  • Enable device location, remote lock, and remote wipe features.
  • Keep recovery keys and backup codes in a secure place.

Key Takeaways

  1. Patch high-risk software quickly.
  2. Keep fewer extensions and apps.
  3. Inventory tools that can access files, credentials, code, or cloud accounts.
  4. Use backups with versioning and tested restores.
  5. Encrypt devices and lock screens.
  6. Treat developer workstations as high-value targets.