2019 Apr 29

Marie Kondo with Hacker Emblem

Photo by Web Summit (modified) / CC BY 2.0

Like I said before, I’m documenting and sharing some of the organizational tips that have personally helped me save time, reduce stress, and be more productive and effective as an infosec professional. Even if you don’t work in security (or even in IT), this post and my advice could still help you improve your orderliness and realize the benefits that follow. This is particularly true if you have a lot of digital files, multiple devices, many online accounts, or if you need to strictly observe very different security contexts (e.g. work vs personal life).

This post is in no way authoritative. One shouldn’t dogmatically or uncritically accept it. These are simply tips that have personally worked for me and my situation. Your mileage may vary. I still have clutter, and that’s okay. I’m not claiming to be the ‘most organized’ person or anything. Making a conscious, deliberate effort to organize my personal information has served to prevent clutter from getting in the way of my success, but this objective is very different from the goal of eradicating all personal clutter. I recommend the former, and this post does not suggest the latter.

My approach has worked quite well for me so far, and I hope it can help someone else, too. Here are the general ideas:

  1. Handle Physical Items
  2. Handle Digital Items
  3. Distrust & Isolate Systems
  4. Optimize for Common Tasks
  5. Don’t Screw Yourself Over

A prerequisite for taking effective action on these suggestions is having a solid grasp of the fundamentals of information security. Specifically, at the very least, you’ll need to be able to evaluate your personal security needs (in terms of your confidentiality, integrity, and availability interests) for each item you consider. If that idea is new to you, check out my previous post on that very subject before proceeding.

Handle Physical Items

Before organizing your digital information you first need to decide how to handle all your real-world, physical items like paper documents, books, personal devices, and any other tangible property in your life. Why?

  1. Your time is limited. Repeatedly searching through clutter for your belongings wastes your time.
  2. Your space is limited. Let go of what you can. Make room for what you need. Find usable surfaces.
  3. Your ability to focus is limited. Clutter is visually distracting. Rid your workspace of ‘visual noise’.

It’s really helpful to evaluate and handle physical items first, because this concretizes the evaluation and organizing experience and familiarizes you with the process. You really want to know what you’re doing before your efforts shift to non-physical information and you have to deal with the added obstacles arising from its intangibility.

Secure Destruction

In my experience, most of the physical items containing sensitive information that I’ve opted to destroy can be handled with something as commonplace as a typical paper shredder. Practically everyone can afford a decent, cross-cut shredder capable of destroying multiple papers at once that also shreds other objects like plastic cards, discs, and more. Just be disciplined about using it regularly instead of letting a bunch of sensitive papers and the like pile up. Letting your papers lie around in the open might create a confidentiality hazard if you don’t shred them in a timely fashion. But it’s also annoying to have to spend more than a few minutes shredding dozens and dozens of papers all in one sitting, so just routinely use your shredder and avoid these issues.

Burning papers

Review the items you’ve decided to discard. Some may not need to be securely destroyed. For example, product packaging, junk mail with no PII, opened envelopes with no markings, and papers with no confidential information can probably just be simply discarded. That’s it. Put them in the trashcan and move on. Generally, if you have no confidentiality or availability interest in an item then there’s no problem simply discarding it.

Physical Storage & Handling

What about the items you’ve decided to keep? In a sense, your decision conveys your personal availability interest (whether implicit or explicit) in the item by virtue of your conclusion that you need to keep the thing. It’s useful to recognize availability as a crucial component of security, and to acknowledge that all long-term or indefinite storage should be ‘secure storage’ in this respect. If it isn’t obvious, you should choose methods of storage that eliminate hazards like loss, theft, or destruction. Choose a storage solution that generally reduces availability risks.

Confidential items require more work. Not only do you have associated availability needs, but you also need to ensure the information the item represents doesn’t get disclosed to unauthorized parties. In the context of physical items this can include your written correspondence, paper documents with PII (e.g. bank statements), your house keys, the physical storage media upon which digital items are stored (devices, discs, hard drives, etc.) and more.

Store and handle these physical items in accordance with the relevant hazards and threats (if any) you face. Your methods should be derived from the nature of the risks and the security tools you can use. It’s possible that secure physical storage could be achieved by simply locking the doors and windows of your house or using a safe or lockbox for smaller personal items within your home.

Large open bank vault door

Photo by Jonathunder / CC BY-SA 3.0

Day-to-day handling of your physical items (as distinct from merely storing them) in a secure fashion also relies on your identification of the hazards and threats at play. Some examples of secure handling of physical items include never leaving your keys unattended in public places, keeping your electronic devices within your direct control and observation, and concealing valuables you leave in a parked vehicle.

All things considered I recommend buying a fire-retardant safe or lockbox for storing important valuables while they’re not in use. If you can, get a professional to install it, and have them bolt it to a concrete floor in your home.

Multiple Devices

Personal electronic devices are a special case to consider. I recommend reducing the number you own to an absolute minimum. If you work for an organization that issued you a laptop, phone, or other device (and they 100% require you to keep it) then you should probably do so, but either way, it’s crucial to the later stages of this process to limit the devices you personally own to a maximum of three (any unique needs or use cases notwithstanding). For the purposes of this step I extend the definition of ‘device’ to also include indefinite, personal-use cloud infrastructure.

A disorganized pile of personal electronic devices

“Device pile” by Jeremy Keith / CC BY 2.0

Do yourself a favor by only keeping the absolute minimum number of devices you truly need. Why?

  1. Uptime requires work. How long until it needs repairs? How’s the battery life? Where’s your cable?
  2. Security requires work. OS updated? Apps? Antivirus? Where is that device? What’s the passcode?
  3. Compatibility woes are real. Can this OS write to that file system? Can this app open that file type?
  4. Data governance requires work. Is your data unnecessarily duplicated? Did you make/test a backup?
  5. Multiple devices, multiplied work. Which has the latest version of the file? In the cloud? Which one?

Minimize the amount of unproductive (yet draining) work you create for yourself when you keep multiple devices. I can’t recommend this enough. Like other physical items, you should evaluate if a given device is supporting or hindering your success. Don’t just think in terms of a device’s infinite possibilities or selling points, but be detailed about exactly how you’re currently using that specific device, how you’ll likely use it in the future, and if that device has any unique capabilities that you definitely can’t do without.


As you go through your physical items you’ll probably realize that, for some or many of them, you care about securing their informational content but you don’t necessarily care about retaining the information in physical form. Of course, some items must be physically stored and kept in their original condition (passports, licenses, birth certificates, legal documents, etc.) but most personal information can be exclusively stored in digital form without issue.

Digitizing your information brings you a ton of benefits. The immediately noticeable one is that you better conserve limited, physical storage space and remove visual distractions from your workspace. Next, digital information has an availability advantage in that you can easily (and inexpensively) create backup copies. You can also access digital data on demand from practically anywhere using the internet. Another benefit is that, generally, digital information can be searched and utilized more quickly and efficiently with the use of software applications that often significantly outperform manual human efforts.

A stack of file folders containing paper documents

Investing time and effort into digitizing your information necessarily takes your focus away from other tasks, so you’ll have to make the call on whether or not digitizing lots of your items all at once is the best use of your time. Personally, I’ve found that digitizing as much of my personal information as I possibly can (and doing it regularly instead of in batches) is absolutely worth the effort, because doing so has allowed me to ultimately simplify my life, improve my overall organizational posture, and save time in the long term.

The rest of this post presents ideas as if all of your personal information that can be digitized has been and as if there are no unnecessary physical copies of your digital information.

Handle Digital Items

Digital information is more convenient to work with, but it requires more planning from the beginning to keep it organized. It’s very easy to accidentally create unwanted duplicates, get your files out-of-sync, accidentally delete data permanently, and honestly forget that you even have various digital items sometimes.

Digital data can be stored on all sorts of media, and you don’t really know it’s there until you’re interfacing with that media by using a computer or some other electronic device. Make sure you’ve gathered every single piece of digital storage media you own so you don’t forget some of your data and fail to organize it.

As you amass these storage media items (computers, discs, hard drives, smart phones, etc.) think about the most efficient way you can work on all your files at once. You may want to move all your files to a single computer’s hard drive. Or maybe you can simply plug in various media to the computer and graphically interact with all the files on all internal and external storage devices. The types and numbers of storage units you have (and how your information is currently spread amongst them) will determine the best approach. But focus on creating for yourself a singular, useful interface to see and work with as many of your files at once as possible.

Secure Erasure

You probably have digital files that contain information you consider confidential, but when you no longer need to retain these files, you must use an erasure method that completely and irrecoverably destroys that information. The standard file deletion functions in mainstream operating systems do not actually delete files. Instead you’ll need to use ‘secure erase’ utility programs that actually overwrite the data on your hard disks.

Even then, secure erasure is difficult to guarantee. For example, solid state drive (SSD) firmware can make sections of the drive’s flash storage chips inaccessible to your operating system (without notice!), thereby calling the completeness of any deletion operations into question. I highly recommend full-disk (or at least file system level) encryption schemes, because they make unauthorized data recovery impossible (without knowing the encryption key) even if the erasure process was incomplete or faulty. Personally, I consider full-disk encryption to be mandatory when using SSDs to store confidential files.

A hard drive connected to a forensic write blocker

“Disk Imaging via Tableau Write Blocker” by Jon Crel / CC BY-ND 2.0

Lastly, this may seem obvious, but when it comes to cloud storage services there’s no way to guarantee the files you upload are ever truly, fully, and securely removed from the service provider’s storage media. In general, you shouldn’t upload confidential files to these services (without encryption anyway) and, if you do, you shouldn’t have any expectations that your file deletion actions are secure or permanent.

Data Duplication

To prevent future disorganization (i.e. the undoing of all your present-day efforts) you should only keep duplicate copies of your files when those duplicates are made via a data backup solution. Having multiple, unintentional copies of the same file wastes storage space, but more importantly, it can actually induce human errors which in turn cause data integrity and availability problems. Just avoid it. This is where keeping the number of devices you own to a minimum really helps.

It’s challenging to always know which files you have unnecessarily duplicated. Once you’re working with all of your files from a single interface, you can more readily find these duplicates by noticing files and folders with the same name. But that may not cut it for discovering every unwanted duplicate if your files are really disorganized. In general, simply viewing the contents of the file is enough to spot an undesired copy, but if it’s a more serious problem for you, then you should think about using speciality de-duplication software that can find the duplicates for you.
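As an illustration of what de-duplication software does under the hood, here is an added example (not from the original post) that finds duplicates by content rather than by name: it groups files by size, then confirms matches with SHA-256. The function names and the sample files are constructed for this sketch.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_duplicates(roots):
    """Return groups (lists) of paths whose contents are byte-identical."""
    by_size = defaultdict(list)
    seen = set()
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                # Symlinks are references, not second copies of the data.
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                real = os.path.realpath(path)
                if real in seen:  # overlapping roots: count each file once
                    continue
                seen.add(real)
                by_size[os.path.getsize(path)].append(path)

    groups = []
    for paths in by_size.values():
        if len(paths) < 2:
            continue  # a file with a unique size cannot have a duplicate
        by_hash = defaultdict(list)
        for path in paths:
            by_hash[sha256_of(path)].append(path)
        groups.extend(sorted(g) for g in by_hash.values() if len(g) > 1)
    return sorted(groups)


def demo():
    """Run find_duplicates over a constructed sample tree."""
    sample = {
        # Same content under different names: a real duplicate.
        "laptop/taxes/2018-return.pdf": b"constructed sample: tax return",
        "usb-stick/return (copy).pdf": b"constructed sample: tax return",
        # Same name and size, different content: NOT a duplicate.
        "laptop/notes.txt": b"constructed sample: notes v1",
        "usb-stick/notes.txt": b"constructed sample: notes v2",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in sample.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
        return [
            [os.path.relpath(p, tmp).replace(os.sep, "/") for p in group]
            for group in find_duplicates([tmp])
        ]


if __name__ == "__main__":
    for group in demo():
        print("identical content:", group)
```

The two `notes.txt` files show why matching names is not enough: they would look like duplicates in a file browser, but deleting either one would lose data.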

Olympic swimmers

Photo by Rafael Brais / CC BY 3.0

You really should have a thoughtful plan to back up your files. Data backup is incredibly simple, and there are so many programs, tools, and solutions that can make it practically effortless. To prevent a disk failure from resulting in permanent data loss a good rule of thumb is to always have at least two instances of every file, and make sure they aren’t stored on the same exact media. Cloud storage can be used for this, but each provider only counts as one ‘media’. Don’t rely on a service provider’s assertions regarding their infrastructure’s redundancy and fault tolerance.

Formats & Compatibility

From an availability standpoint, there are a bunch of puzzle pieces that have to fit together before access to digital data is possible. The physical storage media has to function properly, the computer or electronic device you’re using must successfully interface with the storage either physically (e.g. a SATA or USB cable) or logically (internet connection to cloud provider), your operating system has to provide you a navigable interface and a functioning execution environment for software applications, and those applications have to run reliably and be capable of processing your files in their given format.

Colorful file icons of many types

Even if you make progress organizing your existing digital information you’ll still need to handle the creation of new digital files. When creating and saving new files, whenever the choice arises, use an open or well-known file format. Think like an archaeologist or a digital forensic analyst. Choose formats from which you can expect the longest-term accessibility. Reduce or eliminate your dependence on speciality, poorly-documented, or closed-source software whenever possible. Take notice of software applications or operating systems that are no longer being developed or maintained. Consider file formats that work with multiple different applications and select human-readable file formats whenever you can.

Digital Storage & Handling

Use encryption whenever the contents of a confidential file could be exposed to unauthorized parties, such as during upload/download via untrusted networks (i.e. the internet) and when ‘at rest’ on storage media that isn’t under your constant supervision. Use encryption where you control the keys AND the encryption/decryption processes. Only use well-documented and thoroughly tested encryption algorithms (DO NOT ‘roll your own’ crypto), and only use well-documented and thoroughly tested implementations of those algorithms. Only perform decryption, and only handle plaintext, confidential data on trustworthy hardware.

You have an integrity interest in files that must not be corrupted or experience tampering. This is especially true for files that are exposed to third parties (i.e. uploaded to cloud providers) which will be parsed, processed, or executed on hardware that you trust with your confidential data. Use an incremental backup solution so you can restore multiple versions of your files. Employ mandatory authentication and authorization mechanisms before file modification can be performed at all. Consider using cryptographic signatures created by programs like gpg for critical files.

Close up of a hard disk drive

Photo by Christiaan Colen / CC BY-SA 2.0

Did I already mention backups? Yes. I did. Back up your files. Use multiple backups. Have an on-site and off-site backup. Use cloud storage if you want. Use multiple, local storage devices like hard drives or even optical media. You can (and probably should) automate your backup creation processes, but be sure to periodically test your backups so you know that they’re working as intended. Also consider using an additional offline backup that’s disconnected from any computer most of the time.
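One way to test a plain file-copy backup, as an added example that is not part of the original post: compare every source file with its backup copy byte-for-byte and flag a backup that lives on the same file system as the source. The function names, report keys, and sample files are constructed for this sketch, and it assumes the backup mirrors the source directory layout.

```python
import filecmp
import os
import tempfile


def verify_backup(source_root, backup_root):
    """Check that each file under source_root has an identical backup copy.

    Returns a report with sorted relative paths under 'ok', 'missing' and
    'mismatched', plus 'same_filesystem': True means both trees share one
    file system, so a single disk failure could take out both copies.
    (st_dev identifies a file system, not a physical disk: two partitions
    on one drive still look "different" here.)
    """
    report = {"ok": [], "missing": [], "mismatched": []}
    for dirpath, _dirnames, filenames in os.walk(source_root):
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, source_root)
            dst = os.path.join(backup_root, rel)
            label = rel.replace(os.sep, "/")
            if not os.path.isfile(dst):
                report["missing"].append(label)
                continue
            # shallow=False forces a full content comparison instead of
            # trusting matching size and modification time.
            if filecmp.cmp(src, dst, shallow=False):
                report["ok"].append(label)
            else:
                report["mismatched"].append(label)
    for key in ("ok", "missing", "mismatched"):
        report[key].sort()
    report["same_filesystem"] = (
        os.stat(source_root).st_dev == os.stat(backup_root).st_dev
    )
    return report


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo_backup_check():
    """Verify a constructed source tree against a deliberately flawed backup."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source")
        backup = os.path.join(tmp, "backup")
        os.makedirs(backup)
        # Constructed sample data.
        _write(source, "statement-2019-03.pdf", b"constructed: statement")
        _write(source, "photos/scan-001.jpg", b"constructed: scan AAAA")
        _write(source, "keys/notes.txt", b"constructed: key notes")
        # The backup has one good copy, one silently corrupted copy
        # (same size, different bytes) and one file that never got copied.
        _write(backup, "statement-2019-03.pdf", b"constructed: statement")
        _write(backup, "photos/scan-001.jpg", b"constructed: scan AAAB")
        return verify_backup(source, backup)


if __name__ == "__main__":
    for key, value in demo_backup_check().items():
        print(key, value)
```

A 'mismatched' entry means either the backup copy is damaged or the source changed after the backup ran, so run the check right after a backup completes. Encrypted or incremental backup tools store data in their own formats and need their own verify or test-restore commands instead.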

Distrust & Isolate Systems

So far I’ve mentioned so-called ‘trusted networks’ and ‘trusted hardware’, but what does that mean? Your trust in a given piece of hardware, software, process, service, individual, or organizational entity need not be absolute. It’s more useful to think of trust (in an infosec context) in terms of your own individual confidentiality, integrity, and availability requirements. There’s no substitute for using your own mind to judge (based on facts, evidence, and sound logic; not fear, uncertainty, doubt, or arbitrary claims) the trustworthiness of the components or entities upon which your security relies.

You should reduce the degree to which you trust the various components that make your information usable, and you should also use isolation to prevent less-trusted processes from affecting the security of more highly-trusted processes. Isolation is a fantastic security measure for both preventing security issues and containing their damage.

Trusting Third Parties

Can you rely on your computer hardware to not violate your confidentiality, intentionally or otherwise? Does your hardware present any hazards regarding unauthorized disclosure of your files? What about the integrity of those files? Can you rely on your hardware to not itself improperly modify your data? Clearly, there are availability hazards surrounding hardware that, at any point in time, could malfunction or break.

Don’t limit your line of questioning to your hardware alone. Questions like this are fundamental to even begin evaluating trustworthiness. Ask yourself these same questions in regards to the computer’s manufacturer, your operating system and its creators, the applications you use and the developers, your cloud services and the providers, and more.

A white van with red painted words "FREE CANDY"

Photo by Ron Frazier / CC BY 2.0

Finding the answers could require independent research, testing, and asking other people who know enough to be of help. Ultimately, you’ll have to decide what and who you trust, so it’s vital that you know your personal standards of trustworthiness. What does trustworthy look like to you? What details are red flags? Which are deal-breakers? Only you can decide for yourself. Think critically about which details (be they technical, legal, interpersonal, geopolitical, etc.) are necessary for you to know to reach a determination, too.

Metadata & Confidentiality

This post is all about organizing your informational items, but there’s a blurred line between merely accessing your digital data and interacting with outside parties and processes. The topic wouldn’t be adequately explored if I omitted this detail.

For example, you likely have a confidentiality interest in the content of your files. For organizational and availability reasons, you may choose to store these files in cloud-hosted storage, but you also encrypt the files before uploading them. Similarly, you may need your email conversations to remain confidential, so you choose to type your outgoing messages in a text editor, encrypt the text using the recipient’s PGP key, and copy/paste the ciphertext into a new email message that you compose via your email service provider’s web interface.

In either case the involved informational content might be protected from unauthorized disclosure, but your use of the cloud storage and email services leaks other notable information. Some examples of what gets disclosed when using these types of services include your IP address, your web browser and operating system details, dates and times of access, filenames, file size, the recipient’s email address, the size of the encrypted email text, and more.

World map with green route lines

Photo by Jpatokal / CC BY-SA 3.0

Metadata disclosure will betray your confidentiality needs if you misjudge or fail to identify what your security solutions actually protect (and from what threats) and what they do not protect. Metadata disclosure would be a confidentiality hazard in these examples if you expected your identity to remain a secret. The point here is to have a crystal-clear understanding of all of your security needs and to be aware that your confidentiality interests can extend beyond the content of the digital items you own.

Security by Isolation

As I said before, applying the concept of isolation to security design can prevent security issues and contain their damage if and when they do occur. The most extreme instance of seeking security through isolation is employing an ‘air gap’ where computer systems are incapable of mutual bidirectional communication, incapable of processing foreign inputs, or are incapable of transmitting any outputs to less-trusted computers.

Air gaps, when properly implemented, provide very effective protection from entire classes of cyberattacks. For the average individual, though, using an air gap is inconvenient, expensive, difficult to maintain, and prone to inducing self-defeating, human errors. If you have multiple, trusted computers and enough skill and personal discipline, then by all means try it out. I personally use an air-gapped computer for sensitive, cryptographic operations, but I also use another computer (one that I use to connect to untrusted networks) for interacting with most of my digital items. Nowadays, one can use software technologies like virtualization or containers to create ‘enough’ isolation without the inconveniences of physical air gaps, but know that software vulnerabilities do exist in these technologies.

Soldiers constructing a security checkpoint

Photo by The U.S. Army / CC BY 2.0

Regardless of your chosen isolation method I recommend examining the various categories, subjects, or ‘domains’ of digital information in your life. For example, you might have personal info in digital form, but you could also have digital info related to your work. The personal category can probably be subdivided further. It may make sense to isolate various bits of personal info in categories based on activity like ‘banking’, ‘shopping’, ‘medical’, and so on.

Once you’ve decided on the categories or ‘domains’ that best correspond to your life, you can then implement them with some isolation method. One option could be using VMware or VirtualBox to create one virtual machine (VM) for each domain and then only performing related actions in the appropriate VM. For example, you would only log in to your bank’s website or read your financial statement files using your ‘banking VM’. Casual web browsing, personal email, and other hazardous activities would only be performed in a separate, isolated VM. Moreover, using virtualization technologies like VM snapshots could prevent a malware infection from persisting and causing you longer-term security harm.

Stack of multicolored shipping containers

“Multicolored Containers” by Håkan Dahlström / CC BY 2.0

Specifics aside, the isolation itself (when properly observed) will generally contain security harm to the domain in which it occurs. If you open a malicious email attachment in your ‘work’ domain, and spyware gets installed there, the confidentiality of your ‘banking’ domain’s files will remain intact. Or if you catch a ransomware infection in your ‘shopping’ domain, there’s much less risk that the contents of your ‘personal’ domain will be encrypted and held for ransom.

Isolation alone isn’t foolproof. You’ll likely want or need to allow domains to make contact with one another in some respect, but this increases the risk of the isolation being defeated. If you’re serious about employing isolation as a security measure, then you should be aware of the direction in which digital data enters and exits your domains, and the trustworthiness of that data and its sources. To truly use the isolation for cybersecurity benefits you must never allow untrusted inputs to be handled by processes in trusted domains. Likewise, once data from a high-trust domain enters a low-trust one, then it becomes difficult and sometimes impossible for that data to be processed in a trustworthy way in the future.

Secrets Management

How long is the longest password you’ve memorized? How random do you think it is? Chances are, because it’s likely based on a human-meaningful concept (a word or phrase), that it’s relatively less random than a value produced by a computer.

Cryptographic operations are foundational to ensuring both confidentiality and authentication of digital content, but these require random (or at least unpredictable) values that remain a secret to unauthorized parties. To achieve secrecy nothing beats keeping these values exclusively within your mind. But it’s obviously more challenging to remember perfectly random values of lengths sufficient for secure cryptographic use.

For online accounts, I recommend against trying to memorize passwords. Use a password manager, whether it’s a cloud-hosted service or an offline solution. Just ensure each account gets its own unique password, and that it’s as long and random as possible. Good password managers can generate these for you. If you opt for an offline, file-based password manager, you can still store the file in your cloud storage after encrypting it using either a key or a memorized-only ‘master password’.

Screenshot of a randomized password being generated

Generally, I recommend using computer-generated encryption keys (AES, RSA, etc.) for file-related crypto operations like encryption and creating digital signatures. Keeping those keys confidential is vital, of course, and generally it’s wise to in turn encrypt them with a strong (read: sufficiently long and random) passphrase. If you can memorize it, then that’s the best approach. Otherwise, you should generate the passphrase and store it how your other passwords are stored.

You should plan how you’ll create and use all of your keys and passwords as early as possible. You may want more than one password database to keep them isolated in their own domains. You need to pay attention to which passwords unlock which secrets, though. Aim to minimize the number of passwords you have to memorize to reduce the likelihood that you forget one and permanently lock yourself out of your encrypted secrets. By the same token, losing a key could have the same effect, so ensure you have a high-integrity and high-availability storage solution in place first.

Securing Humans Like You

We’ve established that isolation can greatly improve security, but social engineering attacks and human error can still defeat our efforts. The best advice I have is to know how social engineering attacks work, how isolation-defeating human errors could manifest, and how you can avoid shooting yourself in the foot in either case.

One approach is to harness the powers of convenience and inconvenience to help enforce your isolation-based security model on yourself. Start out by taking the time to properly make and configure your containers, VMs, or whatever constitutes your ‘domains’ beforehand. For example, you could use VMware to create some VMs, configure each with its own shared folder on your host OS’s file system, and place the right files in the appropriate domain’s folder. You could also place your secrets (e.g. SSH keys, password databases, etc.) in the appropriate folder too, but create and use different passwords to unlock each domain’s secrets. Alternatively, you could use a physical air gap for isolation instead of software. Either way, focus on making your domains as convenient for you to use as possible, but ensure your files and secrets are placed in the correct domains.

In either example each domain requires a unique password to unlock its contents. Entering a password in the wrong domain won’t unlock your secrets, and this could alert you to your mistake (and reduce the likelihood of future errors) but only after the password had been entered. Master passwords are critical secrets, but they won’t stay confidential if the secrecy of your keystrokes is compromised. Good isolation will stop a compromised domain from logging the keystrokes in another, but nothing will prevent you from typing a domain’s master password into the wrong domain. For example, nothing would prevent someone from entering his or her master ‘banking’ password into the ‘personal’ domain.

A keyboard with red glowing "CAUTION" text

In the absence of specialized solutions, you should focus on making yourself explicitly aware of the domain into which you’re entering your master passwords BEFORE you enter them. In a virtual setup, use descriptive container names, different VM wallpapers, or similar. If you have a physical air gap, make sure you can clearly distinguish which piece of hardware represents which domain by using labels, colors, or other distinctive markings. It’s VITAL that you only enter passwords using hardware that you trust with the entirety of the plaintext content those passwords would unlock. There’s no alternative to paying attention. All you can do is design your setup so that your awareness is consistent.

At the same time, design your file storage so that violating the isolation is as inconvenient for you as possible. If you’re using virtual machines, consider disabling inter-VM file transfer and turning off inter-VM copy/pasting functions. Now, in order for you to break your own rules, you’d have to modify the settings of multiple VMs (inconvenient) or knowingly and explicitly mishandle files by, for example, manually decrypting and copying (inconvenient) a file from a folder titled ‘medical’ to a folder titled ‘shopping’.

Optimize for Common Tasks

Organizing your items like an infosec pro isn’t all about OPSEC. Setting yourself up for success is as much about streamlining your use of informational assets as it is securing them. Going beyond the security merits of isolation, systemic disaggregation of your digital data and processes can make your daily routines and workflow more resilient to unexpected component changes or failures (broken hardware, updates to software, discontinued services, etc.) and more flexible for your environment and ever-evolving life needs. You can also save time performing repetitive data management tasks if you plan your storage system’s design with automation in mind from the beginning.

Systemic Disaggregation

If you handle your digital information in a monolithic fashion, requiring that you use one specific computer and OS, one specific set of software applications, and one specific storage system to handle your files, then that makes for a particularly fault-prone and brittle system. A change to any single component could require hours of work just to restore your interface to working order and to return to your desired level of productivity. Unfortunately, changes to these components (particularly software and services) commonly occur outside one’s control or prior awareness. Like it or not, the act of keeping all these components interdependent results in your whole system itself becoming a single point of failure. So what can you do about it?

Separate your operating system from your hardware by using technologies like virtualization, live boot media, or cloud hosted infrastructure. Separate your software applications from the specific operating system instances on which they’re installed by purchasing the right licenses, choosing programs that are easy to reinstall, or by using cross-platform apps. Separate your files from the software you use to manipulate them by choosing open file formats. Store your files ‘outside’ of any operating system in particular so you can use them from any system on demand. If you disentangle all of these components then a change or failure in one won’t mean major problems for another.

macOS Finder window containing multiple blue folder icons

Not only should you aim to make your files independent from any particular OS or file system, but there’s a special class of digital info that you should also keep separated from the rest: secrets. I’m not talking yet again about the security merits of isolation, but instead I’m pointing out the organizational and productivity benefits of separating these items into their own storage location. Here are some examples of digital secrets you should extract from the rest of your data files:

Consider keeping these security-critical files separate from the rest of your personal information, and focus on ensuring they remain confidential but also nearly effortless for you to use. You could save yourself a lot of time, effort, and anxiety by keeping them ready to use at a moment’s notice.


I’m not going to bore you too much with the obvious benefits of automation. In an organizing-your-stuff context, categorizing, labeling, and storing your digital files is typically done best when those decisions create the most clarity of meaning and straightforwardness of use. Still, designing only for present-day uses in those ways won’t save you from wasting time on repetitive, file-oriented tasks.

Be thoughtful and plan for future task automation even if you don’t intend on writing any workflow-automating code today. Use developer-friendly systems, software, and services that make programming a small effort that has a profoundly life-improving impact. Avoid black-box products lacking customer-accessible documentation. Choose components for your organizational system as if your life could depend on knowing how they work.

Factory robots unloading float glass

Photo by ICAPlants / CC BY-SA 3.0

For example, you may have chosen to centrally store all your files (after they’re locally encrypted) outside of your computer’s file system by using a cloud storage service. By thinking ahead about automation, you can select a service provider that publishes API and developer documentation. With those available, you’d be able to learn how to upload and download your files to and from the service programmatically with only a few lines of code. If you then decided to write that code you’d no longer have to manually drag-and-drop files to and from your hard drive every time you change your encryption key. Something this simple could save you hours of repetitive, draining, and unproductive work over the course of even a few weeks.

If you plan ahead and choose the right products and services then your workflow efficiency is only limited by your appetite for writing code and your creative problem-solving skills.

Don’t Screw Yourself Over

Maybe I’ve convinced you of the benefits of organizing your information in the above ways, but I’d be a liar if I said doing so is uncomplicated, and the more complex you make your organizational systems and processes the more likely you’ll make a mistake that could impact your security. In this section I’ll mention three general approaches to reducing the likelihood of complexity-related errors.

Designing for Testing

Availability and integrity are major components of security. For your digital data to be secure you have to verify that the various safeguards you put into practice work as expected. I recommend having an incremental data backup solution that’s automated, but you should manually test your backups, too, by attempting the data restoration process as if the ‘working’ copy of your files was irrecoverably lost or corrupted. You need not spend a lot of time performing this ritual. Doing this two to four times each year is probably acceptable. I promise you that it’s not a waste of time. Backups fail all the time, and if your backup fails in a non-obvious way, you won’t know until it’s too late without regularly doing these tests.

A student performing CPR on a practice dummy

Photo by Airman 1st Class Rebecca Imwalle

Fortunately, you can automate some of the more boring parts of the testing process. You should always manually verify your data’s integrity, but the more testing legwork you can offload to your CPU the better. For example, you can write a small program that fetches a specified file from your backup storage media and compares the contents against some baseline. The more convenient the testing process, the more often you’ll perform it, and therefore the likelihood of backup failure going unnoticed is reduced. This ‘spot checking’ can partially validate a backup’s integrity and availability, but you should also perform an all-data recovery test from a ‘cold storage’ backup at least once a year. Just because it’s an ‘offline’ backup medium doesn’t mean you can’t use code to speed up this test, too. Put it on your calendar just once each year and simply get it done. It won’t kill you.
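
The spot check described above could look like the following. This is an added example, not the author's code; the function names, directory layout, and sample files are assumptions constructed for illustration. It records SHA-256 hashes of the working copy as the baseline, then compares a random sample of files in the backup against it and separates files that are missing from files whose contents changed.

```python
import hashlib, json, random, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backups don't exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(working_dir):
    """Map each file's relative path under working_dir to its SHA-256."""
    root = Path(working_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def spot_check(baseline, backup_dir, sample_size=5, rng=None):
    """Compare a random sample of baseline entries against the backup copy."""
    rng = rng or random.SystemRandom()
    names = rng.sample(sorted(baseline), min(sample_size, len(baseline)))
    report = {"ok": [], "missing": [], "mismatch": []}
    for name in names:
        copy = Path(backup_dir) / name
        if not copy.is_file():
            report["missing"].append(name)      # backup job never stored it
        elif sha256_file(copy) != baseline[name]:
            report["mismatch"].append(name)     # stored, but contents differ
        else:
            report["ok"].append(name)
    return report

def demo():
    """Constructed sample: three files, one corrupted and one lost in backup."""
    with tempfile.TemporaryDirectory() as tmp:
        work, backup = Path(tmp, "work"), Path(tmp, "backup")
        for d in (work, backup):
            (d / "medical").mkdir(parents=True)
        files = {"taxes.txt": b"2018 return", "notes.txt": b"todo",
                 "medical/scan.txt": b"x-ray"}
        for name, data in files.items():
            (work / name).write_bytes(data)
            (backup / name).write_bytes(data)
        baseline = build_baseline(work)
        (backup / "taxes.txt").write_bytes(b"2018 retur\x00")  # silent corruption
        (backup / "notes.txt").unlink()                        # dropped file
        return spot_check(baseline, backup, sample_size=3)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline somewhere other than the backup medium it checks, and rebuild it whenever you take a new backup so that legitimately edited files don't show up as mismatches.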


I like to think of writing documentation for your own creations as akin to leaving a note for your future self. This post is essentially guiding you through creating your own custom file management system, so do your future self a huge favor and write a note that clarifies the design decisions you make, lists where certain files can be found, and explains how the overall system is supposed to work. A pitfall of having all your information stored in digital form is that you can’t see it all at once. You’re likely to forget where you’ve placed something or that you even have a digital item. Go easy on your future self and prepare answers to the questions you think you’ll be asking in the future.

DeLorean with open gull-wing doors

Photo by Oto Godfrey & Justin Morton / CC BY-SA 4.0

Realize that we’re just creating a data management solution out of existing components like hardware, software, and services. You certainly don’t need an engineer’s level of understanding of all these parts to do that, but a single false assumption about how any of those components works could undermine your organizational and security efforts. Therefore, you should be using file formats, software programs, and APIs that you comprehend, that are well-understood by others, or that are publicly documented or open source so you can learn their inner workings if you have to.

Keep Things Simple

Whenever you’re making a design decision ask yourself if there’s a simpler way to accomplish the objective at hand. Like I said before, complexity can be the antithesis of your security and orderliness. Only choose relatively more complex approaches (to your file storage, automation programming, etc.) when there’s absolutely no other way.

Don’t add features to your system that have little value just because you can. Every design choice should be arrived at by critically examining your personal, real-world needs. Not your wants. Your needs. What do you need to ensure the confidentiality, integrity, and availability of your information? What do you need to more conveniently work with your information? Does your idea for that new feature fulfill a real need? If it doesn’t then I’d advise against implementing it.

Bright yellow sticky notes

Photo by gdsteam / CC BY 2.0

Plenty of Room to Grow

I’ve personally implemented all of the ideas presented in this post (in some form or another) to better organize my physical items, personal devices, and digital information. Learning to use more robust processes and actually creating a more resilient system has changed my life for the better. With that said I still have many more ways I can improve my personal organization, and I’m always open to learning new strategies even if they’re radically different from what I’m doing today.

I hope these ideas can help you get more organized especially with ‘spring cleaning’ upon us. Feel free to let me know what you think, if you agree or disagree with a recommendation I made, if you’ve personally tried any of these tactics, or if you have your own organizational tips worth sharing. Thanks for reading!

Mike Iacovacci
Mike Iacovacci is an information security professional specializing in endpoint security, intrusion investigation, and security research. His efforts have prevented serious security incidents and continue to disrupt cybercrime operations and sophisticated threat actors.