Joe Siegrist, CEO & Co-founder, LastPass
As the past year has shown, the evolution of technology has created a tidal wave of new security risks and concerns for businesses. Every day, more companies are seeing their names in the headlines after a breach in security. Aside from bad press, businesses that suffer from a data breach lose money and customer trust.
Don’t let the media hype deceive you. Many companies that recently suffered data breaches could have avoided the crisis if they had taken preventative steps to secure their business. Here are five tips to help lock down your organization and avoid becoming the next data breach victim.
1. Take your passwords seriously
Your employees’ bad password habits need to be broken immediately. Your employees unknowingly create a serious risk to your business when they write passwords down on Sticky Notes or in a Word document, reuse passwords across multiple accounts, share passwords liberally, or simply create weak, easily cracked passwords.
Put a system in place that promotes good practice and helps employees create and use strong passwords. Consider mandating a password manager that stores each employee's passwords and generates a unique, strong one for every account; the company then has oversight of employee password behavior. Even if you have deployed Single Sign-On, it is unlikely that every tool and service your staff uses is covered by federated SSO, and password management fills that gap.
A password manager also lets employees grant colleagues access to an account when necessary without sending the password in an email, and it gives IT a simple process to rotate passwords when employees leave, plus a kill switch to deactivate their accounts. The vault itself becomes a high-value target, so require a strong master passphrase and two-factor authentication on the manager, and check that shared passwords are actually rotated, not just revoked, when someone leaves; an account whose password the departed person still knows is not deprovisioned.
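The oversight this section describes amounts to two checks IT can run over a vault export: which passwords are weak, and which are reused (by one person across sites, or shared between people). The script below is an added example, not code from the article or from LastPass; the vault rows, field names and the tiny common-password list are constructed for the example, and the strength rules are one reasonable policy, not a standard.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault export. Field names are an assumption for this
# example, not any real product's export format.
SAMPLE_VAULT = [
    {"user": "alice", "site": "crm.example.com",  "password": "Summer2014!!"},
    {"user": "alice", "site": "mail.example.com", "password": "Summer2014!!"},
    {"user": "bob",   "site": "crm.example.com",  "password": "letmein"},
    {"user": "bob",   "site": "vpn.example.com",  "password": "T7#kq9!vLp2@wXz4Rm"},
    {"user": "carol", "site": "mail.example.com", "password": "password"},
    {"user": "dave",  "site": "vpn.example.com",  "password": "letmein"},
]

# Tiny stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "admin", "letmein", "123456", "qwerty", "welcome"}
MIN_LENGTH = 12
MIN_CLASSES = 3


def is_weak(password: str) -> bool:
    """True if the password is on the common list, shorter than MIN_LENGTH,
    or uses fewer than MIN_CLASSES character classes."""
    if password.lower() in COMMON_PASSWORDS:
        return True
    if len(password) < MIN_LENGTH:
        return True
    classes = (
        any(c.islower() for c in password)
        + any(c.isupper() for c in password)
        + any(c.isdigit() for c in password)
        + any(c in string.punctuation for c in password)
    )
    return classes < MIN_CLASSES


def fingerprint(password: str) -> str:
    """Short hash so the report can group identical passwords without
    printing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def audit(vault):
    """Return the weak entries and every group of entries that share one
    password (reuse across sites, or one password shared between people)."""
    weak = [(e["user"], e["site"]) for e in vault if is_weak(e["password"])]
    groups = defaultdict(list)
    for e in vault:
        groups[fingerprint(e["password"])].append((e["user"], e["site"]))
    reused = {fp: entries for fp, entries in groups.items() if len(entries) > 1}
    return {"weak": weak, "reused": reused}


def generate_password(length: int = 20) -> str:
    """Replacement password from the OS CSPRNG (secrets), regenerated until
    it passes the same policy the audit enforces."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_weak(candidate):
            return candidate


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for user, site in report["weak"]:
        print(f"WEAK    {user}@{site}")
    for fp, entries in report["reused"].items():
        print(f"REUSED  {fp}: " + ", ".join(f"{u}@{s}" for u, s in entries))
    print("example replacement:", generate_password())
```

On the constructed vault, the report flags bob's and dave's "letmein" and carol's "password" as weak, and two reuse groups: alice's password on both of her sites, and the same "letmein" used by bob and dave. Grouping by a hash fingerprint rather than the password itself keeps plaintext out of the report that gets mailed around.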
2. Beef up your email security
Email is often the portal to everything else, so protecting it must be taken seriously. Almost every account-recovery flow sends a reset link or code to email, so a compromised mailbox can be turned into the compromise of many other critical accounts.
If your company's email service offers two-factor authentication, encourage (or, better, require) your employees to set it up. Two-factor authentication requires your password plus a second factor to log in, generally a one-time code sent to a phone or generated by an authenticator app. If an employee's password is compromised, an attacker still needs that second factor. Codes generated by an app or a hardware token are preferable to codes sent by SMS, which can be intercepted or redirected to a phone the attacker controls.
You should also take the time to educate your employees about phishing: what it is, how to recognize it and how to report suspicious email. Phishing emails often appear to come from a trusted source, like a bank or a service provider, and use threats, urgent deadlines or dire warnings to get employees to click a link or hand over credentials on impulse. Give staff a concrete check, such as hovering over a link to see whether it really leads to the expected domain, and a single address to forward suspicious messages to.
3. Remember smartphone security
In the BYOD workplace, a hacker accessing an employee's phone can be just as bad as a hacker accessing a company laptop. Employees should always lock their phone, at a minimum with the 4-digit PIN or pattern that most phones allow, and ideally with a longer passcode, which is far more resistant to guessing. Once the lock is in place, employees should set a short inactivity timeout so that the PIN or passcode is required again after a period of idleness. This makes it less likely that someone can access the data on a lost or stolen phone.
If your employees use their smartphone as one of their primary means of communication, they should also be aware of the dangers of open Wi-Fi. You may not be able to avoid open Wi-Fi all the time, especially when traveling, but at the very least avoid doing anything sensitive while connected to it, like accessing the company cloud, unless the traffic is carried over the company VPN.
4. Utilize local disk encryption
Laptops are frequently lost or stolen, so take steps in advance to protect the data on them to prevent them from being a data breach risk. To keep data safe from prying eyes, install a full disk encryption tool on employee computers and laptops.
As the name suggests, disk encryption tools protect data by encrypting the system's entire drive, including the operating system, applications and data stored on it. The user is asked for a password, PIN or key at start-up; without it the drive contents are unreadable, and once the user has unlocked the machine, files are decrypted transparently as they are used. Full disk encryption options include Microsoft BitLocker on Windows and Apple's FileVault on OS X. Two caveats: escrow the recovery keys somewhere IT controls, or a forgotten password turns into lost data; and remember that the encryption only protects a powered-off or locked device, so a running, unlocked laptop exposes everything, which is why the screen locking in tip 5 matters. With BitLocker, requiring a PIN at boot rather than unlocking from the TPM alone gives extra protection against an attacker who has the laptop in hand.
However, it is still important to educate employees that once they send a file via email or copy it to a USB thumb drive, that copy is no longer protected by the disk encryption.
5. Lock employee computers
Locking a computer after an employee walks away from their desk may sound simple, but this basic step is critical to your security. Ensure computers are set to automatically lock when employees are away from their desk, and that they’re secured by good passwords. That means employees should not use passwords like “password” or “admin” or “letmein” to lock their computer, but rather unique passphrases. Also be sure to check their workstations for any passwords hidden under keyboards or monitors and educate them on why those passwords should not be stored around their workstation.
If you follow the above recommendations, your organization will be well on its way to improved security. And remember – a secure business is a successful business.
About the Author
Joe Siegrist is a founding developer at LastPass and has more than a decade of experience in developing and running Internet applications. An innovative software architect and entrepreneur, he is the named inventor of five key software patents. Previously, he was the Chief Technology Officer at eStara Inc., which he and his team built and ran from scratch. eStara was acquired by ATG Inc. in 2006 for $50 million. Joe holds a B.S. in Computer Science from the University of Maryland.