Most recently updated:
This article is posted free of charge to help artists evaluate their business risks and take reasonable mitigation steps. Additionally, I am available for one-on-one consulting at very deep discounts not available to my traditional corporate clients. Send email to artists@ on this domain for details.
Risk. noun. a situation involving exposure to danger.
Compared to creating masterpieces with ink or watercolours, Risk is probably one of your least favourite things. Just get it over with. You have to do it about once per year and not think much about it the rest of the time. Write up a simple Risk document. It only needs to be a page or two.
Description: Important incoming transactions to your account fail. Credit cards are lost.
Keep track of how to contact every financial institution you depend on without being able to access their websites. Write down contact names, phone numbers and your customer data.
Description: A service you love and depend on for your income radically changes their business model or terms due to new legislation or new management.
For every service you depend on, write down a list of alternative ways to achieve the same result. It could be another hosting provider, another communication method, another streaming platform. Make sure you export your data regularly and include the that data in your backup routines.
Strong recommendation: Control your own brand in the form of your own domain name and a generic hosting provider. This way you can easily switch if your business requires it. Avoid companies that provide hosting/shop/payment all in one. It’s a form of vendor lock-in. It could take you months of full time effort to switch.
Description: Someone steals copies of your work and posts it as their own.
Description: Your local environment is struck by a disaster. It can be your entire area or just your home that falls to flooding, fire, lightning strike or other damages. Maybe your ISP has a major outage.
Describe how you can continue or restore your business in these circumstances. Can you work from somewhere else? Would a secondary mobile data connection be enough to deliver critical material to clients? Do you have off-site backups? Do you have good insurance that pays for your home, inventory and loss of income? Keep all relevant contact and your customer details in the risk document.
Description: One or more of your online accounts are banned by mistake or taken over by malicious actors. The datacenter that hosts your website burns to the ground. Malware destroys large parts of your work.
Authentication is the act of proving who you are. You are used to doing this with PIN, passwords or maybe even authentication apps.
If an attacker guesses or otherwise gets ahold of your password, they can pretend to be you. They will usually do this for monetary gain. We must chose our authentication methods to keep dirty filthy attackers out.
The most secure option for authentication is currently hardware security tokens supporting Universal Two-Factor (U2F). When you log into a site with U2F support, you must type (or auto-fill) your password. Then plug the security token into your computer and press it once. If you were somehow tricked into visiting a fake site, the U2F protocol prevents an attacker from using your username and password to log into the real site as you.
My preferred security token is a Yubikey 5. I recommend you buy two so you are not locked out of your accounts if you lose the first one.
Authentication apps such as Duo, Authy, etc are the second most secure option currently available. When you have attached an authentication app, you will be prompted for your password AND a one-time code.
The major weakness with this system is that if you are tricked into visiting a fake site, the password and one-time code you enter, can easily be relayed in real time to the real site and thus take over your account.
No matter which strong two-factor method you use, you must store recovery codes or another secondary login method in a safe place. This can be with trusted friends or family, or a small bank vault.
Humans are terrible at picking passwords and if you are a human, you should not be picking your own passwords. You must use a password manager. This is not a request.
A good password manager will generate secure, unique passwords and keep them safe. Not all password manager are any good. One worthwhile password manager is Bitwarden. Bitwarden supports the Yubikey I mentioned earlier, providing very strong protection for your passwords.
Other popular managers, such as Lastpass or 1st Password have had various technical problems and/or made silly business decisions that are not in the interest of us consumers.
If you use Apple devices, Safari can generate and securely sync passwords to your Mac, iPad and iPhone. Recent versions will also notify you if one of the passwords you have stored have been compromised. Simply go and change that one compromised password to a new one.
The Chrome browser has the ability to generate strong passwords for you, and remember them. It can also sync to Google’s servers if you are comfortable with them.
If you truly make use of a unique, strong password for each and every site you visit, passwords can be fairly safe.
There is no reason to change your password on a regular basis unless you suspect it has been compromised.
The worst option for user authentication is text messages. The mobile phone network is full of technical security holes and no telecoms compete on end-user security. There is an absurd number of documented cases where insiders stole (or poor helpdesk staff were tricked into handing out) SIM cards to the wrong people. Anyone with a copy of your SIM card can pretend to be you.
Whenever possible, don’t give your phone number to services. Many services will essentially let you log in using your password OR do a password recovery via text message. In those cases, it is much better to simply use a very strong password rather than giving potential attackers yet another way to get in.
If you have your own internet domain, which I strongly recommend from a business identity and marketing perspective, a domain registrar grants you the right to a domain as long as you are in good standing.
A DNS provider tells the rest of the world where your website and email servers are.
In theory, backups are easy. In reality, good backups are very very hard to get right. All it takes is forgetting to include one important folder in the backup routine, and two years later you will be crying, or paying large amounts of money in damages to a client.
Different scenarios call for different levels of backup. You must determine your own level based on this input:
Clumsy: You accidentally delete a file from your harddrive. Restoring from another local backup drive could be enough.
Ransomware: You were tricked into running malicious software, and all your important files are now unavailable. Any devices connected to your PC/network are also unavailable. Offline or off-site backups are your savior in this case.
Local disaster: Your home is struck by lightning, flooding, fire or a burglary. In all these cases, you must be able to replace your devices and have internet and authentication access to restore your data remotely. If your living depends on this gear being available, extra insurance will be worth it. Make sure you practice this before you need it. It can take weeks to restore large volumes of data over slow internet connections.
I recommend a three tier backup system.
Extra storage in your primary device can be used to store copies of important data, so it takes more than a single HDD failure or clumsy action to cause real trouble.
Some form of local network storage (NAS) can read your data from your devices and store it safely. Make sure the backup function pulls the data, so malware on your primary system can’t easily destroy your backup whenever it wants.
Offline backups with a reliable provider. My preferred provider here is rsync.net. They are not resellers but have their own datacenters all over the world.
No matter your required level, you must practice restoring your business every year, at least. Pretend your iPad or main PC died. Which steps do you need to go through?
Your email account is probably your most critical asset. Every other of your accounts use it for billing notifications, account changes and password recovery. If your email account is not secure, nothing is.
I strongly recommend you deliberately seek out an email provider that lets you use U2F security tokens. These are my currently recommended email providers in terms of privacy and security:
Fastmail.com - 6USD per account per month
Hey.com - 12USD per account per month
Go to Settings -> Password & Security. This screen allows you to enable Two-Step Verification. You have the option between using an Authenticator App or a U2F security key.
Strongly recommend you do not provide a phone number for account recovery, but instead stick to the recovery codes.
Protecting your Discord account with two-factor codes, involves these steps:
In Settings -> My Account you can change your password to a unique, strong password managed by your password manager.
Remove your phone number if you entered it earlier by mistake. The reason for this is explained in Authentication.
Click Enable Two-factor Authentication
Scan the barcode with your two-factor app
Enter the six digit verification code
Do NOT add a phone number when prompted
Save the Backup Codes and store them somewhere safe
Unfortunately, Discord does not support U2F at this time.
Protecting your Twitch account involves these steps:
In Settings -> Security and Privacy, you can change your password to a unique, strong password managed by your password manager.
Twitch does not support just two-factor apps or U2F at this time. Strongly recommend you do NOT enable SMS Authentication.
In More -> Setting and privacy -> Your account -> Change password you can change your password to a unique, strong password managed by your password manager.
In More -> Settings and privacy -> Security and account access -> Security you can add two-factor apps or a security token to your account.
Save the backup codes somewhere safe. Strongly recommend you do not enable Text message authentication.