Stolen data from the Democratic National Committee was carefully timed to be leaked during the Convention last month and consequently shared the media stage with the candidates. This latest data breach sent a chill down the spines of many organizations as they question their own information security policies.
While there is no one silver bullet to manage data security, there are several steps your organization can take to help mitigate the risk:
1. Create and Manage Strong Passwords
The most secure passwords are long, include special characters, do not repeat between accounts, and are changed often.
Here are some tips for generating secure passwords:
Generate a different and secure password for each online account
Make a random 2- to 4-word passphrase that does not include any part of your name, organization, address or other information associated with you
When generating your own password, it should contain upper- and lowercase letters, punctuation and a number, and be at least 14 characters long
Change your passwords every 3-6 months and don’t reuse them
Do not store your password list in the cloud, such as on Google Docs or Dropbox
There are several password management solutions that can help you both generate and manage secure passwords for your online accounts. LastPass offers free and premium password generation and management services. With LastPass you only need to remember one master password to access the other passwords it encrypts and stores for you. xkpasswd is another good, free tool for generating strong passwords.
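As an added illustration (not code from the original post, LastPass or xkpasswd), the Python below checks a candidate password against the rules listed above and generates a hyphen-joined passphrase within the 2-to-4-word range; the wordlist and the personal terms it screens for are constructed samples.

```python
import math
import re
import secrets

# Policy values taken from the tips above; the word range applies to passphrases.
MIN_LENGTH = 14
MIN_WORDS, MAX_WORDS = 2, 4


def check_password(password, personal_terms=()):
    """Return the list of policy violations; an empty list means the password passes.

    personal_terms holds strings tied to the user (name, organization, street) that
    must not appear anywhere in the password; the match is case-insensitive.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for label, pattern in (("lowercase letter", r"[a-z]"), ("uppercase letter", r"[A-Z]"),
                           ("digit", r"\d"), ("punctuation", r"[^\w\s]")):
        if not re.search(pattern, password):
            problems.append("missing " + label)
    lowered = password.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append("contains personal term '%s'" % term)
    return problems


def generate_passphrase(wordlist, n_words=4, personal_terms=(), rng=secrets):
    """Join n_words random words with '-', capitalize the first and append a digit and
    a punctuation mark, retrying until the result also satisfies check_password."""
    if not MIN_WORDS <= n_words <= MAX_WORDS:
        raise ValueError("passphrase must have %d to %d words" % (MIN_WORDS, MAX_WORDS))
    for _ in range(100):
        words = [rng.choice(wordlist) for _ in range(n_words)]
        words[0] = words[0].capitalize()
        phrase = "-".join(words) + rng.choice("0123456789") + rng.choice("!?.#")
        if not check_password(phrase, personal_terms):
            return phrase
    raise RuntimeError("wordlist cannot satisfy the policy")


def passphrase_entropy_bits(n_words, wordlist_size):
    """Strength of the word choices alone: log2 of the number of possible phrases."""
    return n_words * math.log2(wordlist_size)


# Constructed sample wordlist; a real generator needs a list of thousands of words.
SAMPLE_WORDS = ["harbor", "velvet", "comet", "lantern", "thistle", "meadow", "quartz", "ember"]
```

With only eight sample words, four words give 12 bits from the word choices alone, which is why a real wordlist must be far larger.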
2. Review Your Password-Protected Systems
Keep track of which systems require passwords and who has access to them. Review system security regularly and remove any unused accounts. Reset those passwords at least once a year – more often if you have high employee turnover.
3. Reduce Risk by Removing Unused Technology
Eliminate any business solutions that are no longer used. Export the data to a permanent storage solution, like a DVD, and shut down the unused system. We don’t recommend keeping technology around “just in case,” because it is another data security risk.
4. Integrate Authentication
Try to integrate the authentication of as many of your systems as possible. Several systems now support single sign-on (SSO), where one system will let you in if you have already authenticated to another one. Explore these possibilities with your IT team to reduce the number of passwords you need to enter. The fewer passwords you have, the more willing you will be to make them strong, which shrinks your data security risk profile.
5. Online Transactions
Never use your debit card at a place you don’t trust completely; use a credit card instead, because your credit card has limited liability while your debit card does not. Data security protocols for online commerce vary greatly, so it’s important to shop only from trusted sites.
6. Recognize Phishing
While most of us are now aware of the most popular phishing scams (someone you know is stuck in a European country and has lost all their credit cards), it’s becoming harder to tell a spam email from a legitimate one. Here are a few tips to help you recognize a hacker that might be phishing for your data:
If you receive an email from what looks like a trusted company (especially your bank), avoid clicking on the link. Instead, type the URL of that company directly in the browser. Banks don’t ask for personal information to be given by general URL or by email.
If a company sends you an email asking you to call them, look up their contact information online. Don’t use the phone number in the email. If it’s a criminal, you’ll be calling them and not your trusted company representative.
Review the email reply address. Once you click “reply,” you can see the email address in your reply field. If it looks suspicious, it probably isn’t safe to communicate. Phishers often cloak the email address when they email you, hoping you won’t look deeper to discover it’s a phony email.
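An added example, not part of the original post: a Python check that automates the reply-address tip above on a raw message, flagging a display name that shows a different address than the real one, a Reply-To that goes somewhere else, and a sending domain outside the ones the recipient knows the organization uses. The sample message and every domain in it are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Anything that looks like an email address hidden inside a display name.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def domain_of(address):
    """Lowercased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def in_domains(domain, trusted):
    """True if domain is one of the trusted domains or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def review_sender(raw_message, trusted_domains=()):
    """Return warnings about where a message really comes from and where replies go.
    trusted_domains optionally lists the domains the organization is known to use."""
    msg = message_from_string(raw_message)
    warnings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not from_domain:
        return ["From header has no usable address"]
    # 1. The display name shows one address while the real address is elsewhere.
    for shown in ADDRESS_RE.findall(from_name):
        if domain_of(shown) != from_domain:
            warnings.append("display name shows %s but mail comes from %s" % (shown, from_addr))
    # 2. Replying would send the message somewhere other than the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_addr = parseaddr(reply_to)[1]
        if domain_of(reply_addr) != from_domain:
            warnings.append("replies go to %s, not to %s" % (reply_addr, from_domain))
    # 3. The sending domain is not one the recipient knows the organization uses.
    if trusted_domains and not in_domains(from_domain, trusted_domains):
        warnings.append("%s is not a known domain for this organization" % from_domain)
    return warnings


# Constructed sample message; the addresses and domains are invented.
SAMPLE_PHISH = """\
From: "Example Bank support@examplebank.example" <alerts@mail-examplebank.example>
Reply-To: verify@examplebank-secure.example
Subject: Action required on your account

Please confirm your details.
"""
```

Running review_sender(SAMPLE_PHISH, trusted_domains=["examplebank.example"]) produces three warnings; a message whose From, Reply-To and display name all agree and sit in a known domain produces none.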
7. Instant Messaging
Instant messaging (IM) has become a common means to communicate, even in the workplace. When you IM with friends or colleagues, do not give out critical information through IM because it is impossible to know whether the other computer is secure.
8. Use Two-Factor Authentication
Two-factor authentication (2FA) is a form of multi-factor authentication: an extra layer of security that requires not only a username and password but also something that only that user has on them or knows, such as a device in their possession or a piece of information only they should have immediately at hand. Many services offer this and some require it. Whenever it is available, take the time to provide a second credential, such as your mobile phone number or an alternative email account, for the added protection.
9. Limit Local Administrator Rights
IT best practices dictate that employees not be given local administrative rights. With local administrative rights, the security controls used to protect a company’s systems, including password controls, anti-malware software and similar tools, can be shut off. Unapproved software could also be installed, breaking business-critical applications and causing disruption and downtime. A company can also be exposed to malware, including a number of phishing scams that deliberately run code on systems with full permissions if someone inadvertently clicks a malicious link or opens infected email content.
If you have any questions about the security of your technology, give us a call and we would be happy to tell you about the Sinu Solution and how we keep your data safe.