The most secure methods for protecting personal and sensitive information are constantly evolving as industry practices and bad actors continue to push each other to the next level.
However, there are several best practices to follow that minimize your risks and, by extension, the risk of any organizations that you belong to. Below we outline a few starting points which protect both individuals and businesses.
- Basic Best Practices
- Browsing and Usage Habits
- Organizational / Company Security
Basic Best Practices:
Find out whether your data has already leaked:
If you’ve been active online for a while, there’s a good chance that you’ve already been involved in some sort of data leak. A cool website built by Troy Hunt, https://haveibeenpwned.com, scrapes a variety of public sources to provide a database of compromised emails and accounts associated with breaches.
You can subscribe for notification if your email is discovered in any future breaches, hopefully giving you a better chance of mitigating any fallout.
If nothing else, check out this site to get a sense of how common data breaches are and get inspired to put in a little extra effort.
The best place to start in securing yourself and your organization is your passwords. For the points steps below, a password manager such as Last Pass is a great option that allows you to quickly create, update and manage your passwords.
If you’re an organization for which security has to be absolutely airtight, you may want to manage your passwords internally. However, in most cases, the security gained from a dedicated third party manager is greater than the risks of having all your passwords in one location.
Password Makeup: The obvious starting point for security is to ensure that your passwords are making use of as many characters as possible.
If you’ve tried to use your old go-to password from 2005 (e.g. myDogsName) you’ll notice that most sites won’t accept a simple string of letters anymore. However, simply substituting a 0 for an o and adding a “!” isn’t much of an upgrade. Massive databases of common substitutions and punctuation placements makes the password myD0gsName! only marginally more secure than the original.
Modern browser versions as well as password managers will auto generate and store complex passwords for you. When using an application like this, there’s no reason not to make your passwords as long as possible, making them exponentially more difficult to crack.
When storage of an auto-generated password isn’t an option (e.g. your password for your password manager), a good method is to create a “passphrase.” For example, YouknowmybirthdayisonJuly2(woohoo)butyoustillwon’tcrackthis!
Password Diversity: Making use of unique passwords for different accounts means that, when a breach occurs on one account, the remainder of your accounts don’t immediately become available to whoever gives it a shot.
Password Frequency: Similar to above, changing your passwords at regular intervals reduces the chances of being affected even if your account information has been compromised. If you’re working with software like we do, you can often set passwords to expire at set intervals.
Two Factor Authentication (2FA)
Wherever possible, use 2 factor authentication. Despite hackers finding sophisticated ways around 2FA, it’s still an extremely important component of online security
Nearly all major companies now support some form of two factor authentication through apps such as Google Authenticator and Authy or direct SMS.
If you can’t be bothered to use 2FA for all of your accounts, be sure to have it in place for the most crucial ones such as your email and your password manager (any accounts that share access and information with other websites and services).
If you manage an organization or network, we’d suggest making 2 factor authentication mandatory for all users.
Browsing and Usage Habits (Operational Security)
Confirm SSL Certificates
There’s really no excuse for websites that store any personal information (not to mention accept payments) to be without an SSL certificate. Up-to-date browsers are increasingly forceful about alerting you to being on websites that have insecure elements but you can ensure the connection with a browser extension such as HTTPS Everywhere by the EFF.
Skepticism of Email Links and Requests
The most common way for your accounts to be hacked is not through a superspy remotely hijacking your computer but rather through simple emails that trick you into forking over the keys to the kingdom.
When you receive an email with any request for you to login or provide information, take an extra moment to verify the domain of the sender and the domain of the link provided. Not seeing a green HTTPS padlock on any login page is a significant red flag.
Any company that takes security seriously will not ask you to provide your password via email or phone call.
In the event of any suspicion, look up publicly listed information and contact them directly.
Furthermore, look out for unusual requests from contacts within your organization or contacts list. Maybe you have a great password, but your friend doesn’t – use another channel to confirm that the request really came from your friend or coworker.
Keep Operating Systems and Applications Up-to-Date
Easily skipped over inconvenient interruptions, the updates to your browsers, software and operating system often include crucial security patches.
For most smaller organizations and businesses, the best first step is to enforce the points outlined above at at an organizational level: have minimum password requirements, use an organization-wide password manager and require 2FA for any accounts connected with your business. Wherever possible, enforce enforce enforce! It’s easy for all of us to get complacent so, wherever it’s an option, enforce these measures through software or platform settings (microsoft, G Suite).
Again, these tips are a supplement rather than a substitute for a comprehensive internet/information security plan.
Larger businesses should have systems in place for a hierarchical information access. However, it’s important to implement for smaller businesses as well, even if it’s not an explicit policy – the basic concept is to segment access so that individuals (and networks) are only interacting with the information that’s necessary for their work.
At smaller businesses and startups where one individual can wear a lot of hats, it’s rarely so black and white. However, it’s still important to take basic steps to audit access at scheduled intervals.
Don’t Share Access
This may sound obvious, but, particularly in smaller organizations, it’s very easy to make “exceptions” in the interest of expediency, particularly when clients are involved as they our in our daily workflow. In those situations, it’s helpful to be able to fall back on “I’m sorry, we’re unable to do that due to an internal policy,” as it draws a line on the conversation, even if someone thinks they have a compelling argument for sharing.
When an employee moves on, it’s an absolute must to change their passwords and review access immediately. Make sure that someone is responsible for a full audit of their access to primary and related company accounts. The more organized your password and SOPs for access management, the easier this is.
Clean Desk Policy:
For offices with access to sensitive information, communicate an explicit policy against any written passwords or credentials being left on desks where passers-by can see them.
Document and Educate
The fact is that we’re all busy and security can easily become an abstract concept that takes a back seat to the immediate task at hand. The more that your security measures are documented and communicated, the less likely they are to be considered “suggestions” by employees and coworkers.
Implementing a regular audit of password security, 2FA and access and communicating best practices for operational security in writing makes security more tangible. Making it clear that these steps are for each individual’s security can be more effective than a dry document about company assets.
The modern business needs to be alert to more than just cyber threats; ninja’s are out there and you need to take actions to defend against them.
After you’ve dug your moat, we’d recommend investing in robot alligators – regular alligators just eat bad ninjas, cyborg alligators laser them and eat them simultaneously. Any serious security professional will tell you that this is just good sense.
Ok, just kidding… get regular alligators