Cyberberri: cybersecurity you’ll actually use

The One Security Setting That Doesn’t Cost You Anything (AC-11)



We’ve wrapped up the Incident Response controls, and now we’re moving into Access Control—the part that focuses on preventing the wrong people from getting into your accounts and devices in the first place.

Most security controls ask you to choose: convenience or protection.

Longer passwords are more secure but harder to remember. Two-factor authentication adds friction. VPNs slow things down.

Device lock doesn’t work like that.

It costs you three seconds to unlock your device, dozens of times a day.

What you get: protection against someone gaining physical access to your unlocked screen.

What Device Lock Is (AC-11)

Your device locks after a set period of inactivity. You need a password, PIN, or biometric to unlock it. That’s it.

In NIST 800-53, this is AC-11—the first Access Control we’re covering in this series. Incident response (IR) was about what to do when things go wrong.

Access control (AC) is about preventing unauthorized access in the first place.

The Actual Concern

This isn’t about sophisticated attacks.

Device lock protects against opportunistic access—someone shoulder-surfing your screen at a coffee shop, a colleague glancing at your open laptop during a meeting, someone picking up your phone from a table.

This happens when someone has physical proximity to your device and you’re not actively guarding it.

The barrier doesn’t need to be sophisticated. It just needs to exist.

What People Get Wrong

The most common mistake isn’t refusing to use device lock—it’s using it inconsistently.

Phone locked at 2 minutes, laptop set to 30 minutes or never. Locked at work, disabled at home.

The inconsistency is the vulnerability.

Set It Up Now

Phone: Settings → Auto-Lock → 2-5 minutes

Laptop: System Settings → Lock Screen → 5-10 minutes

The exact number matters less than having it enabled everywhere.
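A scripted check of the laptop setting, as an added example that is not part of the original episode. It assumes a Linux laptop running the GNOME desktop (the text names no operating system) and applies the 10-minute upper end of the range above; the function names are hypothetical and the sample values are constructed.

```shell
#!/bin/sh
# Checks GNOME auto-lock settings against the 10-minute upper bound above.
# Assumption: GNOME desktop; evaluate_lock and to_seconds are hypothetical names.

MAX_MINUTES=10

# "uint32 300" -> "300" (gsettings prints a type prefix before the number)
to_seconds() { printf '%s\n' "${1##* }"; }

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# evaluate_lock IDLE_DELAY LOCK_ENABLED LOCK_DELAY  (raw gsettings output)
# Prints a verdict; returns 0 = pass, 1 = fail, 2 = unreadable input.
evaluate_lock() {
    idle=$(to_seconds "$1"); enabled=$2; delay=$(to_seconds "$3")
    if ! is_uint "$idle" || ! is_uint "$delay"; then
        echo "UNKNOWN: could not parse settings"; return 2
    fi
    if [ "$enabled" != "true" ]; then
        echo "FAIL: screen lock is disabled"; return 1
    fi
    # idle-delay 0 means the session never goes idle: the "never" case.
    if [ "$idle" -eq 0 ]; then
        echo "FAIL: session never goes idle, so it never locks"; return 1
    fi
    # The lock engages lock-delay seconds after the session goes idle.
    total=$((idle + delay))
    if [ "$total" -gt $((MAX_MINUTES * 60)) ]; then
        echo "FAIL: locks after $((total / 60)) min, limit is $MAX_MINUTES min"
        return 1
    fi
    echo "PASS: locks after ${total}s of inactivity"
}

if [ "${1:-}" = "--live" ]; then
    # Read the real settings from this machine.
    evaluate_lock \
        "$(gsettings get org.gnome.desktop.session idle-delay)" \
        "$(gsettings get org.gnome.desktop.screensaver lock-enabled)" \
        "$(gsettings get org.gnome.desktop.screensaver lock-delay)"
else
    # Constructed sample values, not read from a real machine.
    evaluate_lock "uint32 300" "true" "uint32 0" || true
    evaluate_lock "uint32 1800" "true" "uint32 0" || true
    evaluate_lock "uint32 0" "true" "uint32 0" || true
fi
```

Run with `--live` on the laptop itself; the exit status makes the check usable from a login script or a scheduled job.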

Why This Matters

If you’re going to implement one control from this series, pick this one.

Not because the threat is catastrophic, but because the effort-to-protection ratio is unmatched.

Thirty seconds of setup, minimal friction, real protection against common access scenarios.

For more information: cyberberri.substack.com

This podcast is also available on Apple, Spotify, and YouTube.

For Cyberberri, check out: YouTube

Coming soon: Instagram

Audio generated from the text using NotebookLM.



This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit cyberberri.substack.com

By Linda Martin - Cybersecurity Simplified