How strong is the password to your email? What about your computer? Where do you keep your passwords?
We don’t mean to interrogate you, but these are important questions! Security is imperative whether you’re browsing the Internet, managing passwords, or connecting to a wi-fi network.
Have you given consideration to how you and your organization can improve your security online? This checklist offers helpful pointers.
Snag the Checklist below and prevent future sleepless nights. Go through these five areas where many data breaches can happen and you’ll be on your way!
1 – Increase your password security
Nearly everyone needs better passwords and password management. For a more secure approach:
- Move your organization onto a password manager such as LastPass. It’s better at generating and storing secure passwords than your users are.
- Use something other than “admin” as a username (whether for websites or other organizational resources)
- Employ a “least privilege” setup. Always set up user accounts with the minimum privileges the users will need on an ongoing basis, and keep the number of “administrator” accounts to the fewest you need.
Additional Password Tips to share with your organization’s users:
- Using your password manager to copy and paste is inherently more secure: it means passwords cannot be collected by malware that records what users type.
- Make sure your users have the LastPass browser extension on their computers and phones as well, and set it to log them out at least daily.
- For fun (and security!), take the LastPass challenge to check your security ratings and make the corrections they suggest!
2 – Clarify your device policy
Every physical device with an on/off switch (such as phones, routers, laptops, desktops, and tablets) that contains your organization’s information or accesses your data network needs to be subject to a clear security policy. (As an added bonus: the same is true of USB drives with organizational data on them.) For a more secure approach:
- Set the “BYOD” (bring your own device) policy at your organization. Idealware has great tips on what to consider for a BYOD policy.
- Encrypt all devices that store organizational data. (Otherwise, a login password can be defeated by simply removing the drive and plugging it into another computer, where the unencrypted files can be read directly.)
- Only use backup services that encrypt backups and require a password to access backup files.
Additional Device Tips to share with your organization’s users:
- Every account on the devices they use regularly needs to have a secure password.
- Users can make a list of physical devices they own that access work information and review the security status of that device.
- What would happen if you left your work laptop at a restaurant? Or your personal laptop? Draft a plan for what users need to do if they lose control of a device.
3 – Move to HTTPS and look for HTTPS
The Internet is moving towards a preference for secure browsing (https:// instead of http://). For your organization’s security, that means securing your website presence as well as teaching your users how to spot insecure websites while browsing.
HTTPS indicates three important things about the page a user is browsing:
- The page can’t be altered in transit before the user sees it. (The page content is protected from tampering.)
- The interaction between the user and the site cannot be observed by another party. (The page interaction is private.)
- The page comes from the site you think it does. (The identity of the site owner has been confirmed by a certificate.)
For a more secure approach for your organization:
- Your organization’s website needs to use HTTPS. Your host will sell you a certificate, or you can get one directly from a certificate authority. Installing it is fairly fast.
- Your site login pages and any forms where you collect data from site users need to be on fully secured pages.
Additional Browser security for your users:
- Your staff should get used to checking the address bar for a lock symbol and/or “https://” before the URL.
- Staff can be trained to avoid visiting sites with insecure connections, especially when on unsecured networks. Visiting those sites from within your network can make your organization more susceptible to phishing and malware.
4 – Use Two-Factor Authentication (2FA)
An increasing number of cloud-based accounts are using two-factor authentication (2FA). This requires not only entering a password, but a second interaction to confirm that you are, in fact, the person you say you are. This level of security can ensure, for example, that if a hacker gets your password, they still cannot access your account from an unknown device. 2FA is essential for email and file sharing accounts.
There are some things to be aware of when setting up 2FA for your organization’s accounts:
- When setting up 2FA, use an authenticator app whenever possible. Although many services offer text (SMS) as the second layer of security, SMS can be intercepted by third parties. Google has an authenticator app, as does LastPass.
- In many circumstances you can download backup codes for account access. A backup code can be used once to confirm your identity. You can save backup codes to LastPass so that you can access the account that way.
- Sometimes you have to set up 2FA for shared accounts (such as a web hosting account) where multiple people have to access the account. Don’t set up SMS verification using your own cell number, which isn’t accessible to others on your team. Set up a shared email address such as [email protected] or [email protected] and create a protocol stored in your LastPass account so that others know how to access the verification information when it arrives.
5 – Give your staff guidelines about how they access the Internet
Hopefully your organization’s networks for accessing the web are secure. But these days, many workers have to access your organization’s work from outside your office. How they connect to the Internet can have implications for keeping your data secure and private.
For your organization’s users:
- When connecting to the Internet from a café, don’t just jump onto public wi-fi. Consider tethering instead: create a wi-fi hotspot with your phone, then connect your computer to that network.
- For workers who work frequently in coffee shops or public areas, consider setting up a Virtual Private Network (VPN). Then any connection or transmission over the public network will be encrypted.
- Treat public wi-fi as a last resort. If you need to be on public wi-fi and aren’t using a VPN, do not log on to sites unless you see “https://” in your address bar.
- Remove “known” insecure networks from your devices’ network connection history so that you don’t use an insecure network from the past.
What will be your follow-up security steps? Tell us by tweeting to @fissionstrategy! Let us know if your organization needs help with online security planning and implementation.
Kathleen Pequeño @kpequeno is Senior Account Manager at Fission. Written with Adriana Dakin @apdakin, Senior Vice President of Digital Strategy and Research.