Digital security in a company

What does 2018 have in store when it comes to security? Nothing very promising. The year has just begun and we already have major security issues affecting Intel and AMD processors. The trend began with WannaCry in 2017, continued with the latest macOS issues and a whole bunch of other security breaches, and it will persist as our society evolves and becomes more and more digital.

This can be scary, especially for a Black Mirror fan like me. Fortunately, we already had a chance to learn something about security last year. When the Shadow Brokers claimed to have stolen spy tools from an elite NSA-linked operation, and when Netflix, Uber and Apple spend billions on security and still cannot protect their customer data well enough, the realization sets in: there is no system that cannot be compromised. This begs the question: “How can we better secure ourselves?”

Add a company to the equation…

and you will get even more potential issues. A company is a place where multiple people work with sensitive data. Obvious, right? But once you start thinking about security, this fact becomes very important.

When we want to ensure security, we try to eliminate “entry points” into the system and to protect every entry point that remains. The more people work in the company, the more entry points you have. Obviously, not all employees will follow best security practices. So here we go, boom! We have a potential security breach in place and ready to be exploited.

With that in mind, we have created an Atwix Security Doctrine and started to enforce it inside the company. What is great about it is that it is applicable to many businesses. It can also be used by anyone to increase their personal digital security. Below we share some principles that you can start implementing. It is better to act proactively than reactively. As you know, most of us do not think about quitting smoking until we face major health issues.

Where to start?

Hardware

Start with hardware. Remember, the best thing you can do to improve your security in 60 seconds is to stick a piece of tape over your laptop camera. That is pretty simple, but skipping it may cost you a sensitive data leak, which you surely would like to avoid. If you want to be fancy, go to Amazon, choose a special camera patch that you like and protect yourself.

Passwords

Always protect your computer with a password. The more secure the password, the better. Surely, your laptop password is something you use a lot, and it probably should not be a set of random symbols. Try using something you can easily memorize and recall when needed: a set of numbers taken from your credit card number, your car plate number or something else. Improvise, but make sure you use a password in the first place. It may save your data when your laptop is stolen or you simply forget it somewhere. In any case, you had better not let anybody else use it without your supervision.

For all other passwords (except one) I recommend using a password manager. 1Password and LastPass are great options with mobile support.

Atwix has developed Password.io – an open source password manager that is perfect for managing passwords inside a company. This password manager will also help you create secure passwords and make sure you (well, not exactly you) memorize them. And yes, the one password that you still need to memorize is the master password that unlocks the manager.

Important: make sure you NEVER use the same password twice. This is the most common way people’s accounts get compromised. You get compromised once, you used the same password elsewhere, boom! – your other accounts are hacked.
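The reuse problem above is easy to audit mechanically. The following is an added example, not code from the Atwix post or from Password.io: it scans a vault of constructed sample credentials for passwords used on more than one site, and checks each password against a breach corpus using the k-anonymity range lookup that the Pwned Passwords service uses (only the first five hex characters of the SHA-1 hash leave the machine; the service returns all suffixes with that prefix and the comparison happens locally). No request is sent here: `fake_range_lookup` is a stand-in for the HTTP call and returns constructed data, and the breach count it reports is made up.

```python
"""Added example (not from the Atwix post): audit a password vault for reuse and
for presence in a breach corpus, without sending any password over the wire.

The vault is constructed sample data. The breach check follows the k-anonymity
scheme of the Pwned Passwords range API: the client hashes the password with SHA-1,
sends only the first five hex characters, receives every 35-character suffix in
that range as 'SUFFIX:COUNT' lines, and compares locally. `fake_range_lookup`
replaces the network call with a constructed response.
"""
import hashlib
from collections import defaultdict

# Constructed sample vault: (site, username, password).
SAMPLE_VAULT = [
    ("mail.example",  "alice", "Tr0ub4dor&3"),
    ("crm.example",   "alice", "Tr0ub4dor&3"),                  # reused from mail.example
    ("bank.example",  "alice", "correct horse battery staple"),
    ("forum.example", "alice", "password"),                     # present in the "breach corpus"
]


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 digest into the 5-char prefix sent to the
    service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerate CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for GET /range/<prefix>. Constructed: only "password" is "breached"
    here, with a made-up count; the other line is filler so the parser has to search."""
    filler_suffix = sha1_prefix_suffix("filler-entry")[1]
    lines = [f"{filler_suffix}:1"]
    pw_prefix, pw_suffix = sha1_prefix_suffix("password")
    if prefix == pw_prefix:
        lines.append(f"{pw_suffix}:3861493")
    return "\r\n".join(lines) + "\r\n"


def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """How many times the password appears in the corpus (0 if not present)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def find_reuse(vault):
    """Group entries by password; return the site lists of every password used
    on more than one site. Grouping by a hash avoids keeping plaintext in the map."""
    by_hash = defaultdict(list)
    for site, _user, pw in vault:
        by_hash[hashlib.sha256(pw.encode("utf-8")).hexdigest()].append(site)
    return [sorted(sites) for sites in by_hash.values() if len(sites) > 1]


def audit(vault, lookup=fake_range_lookup):
    """Full report: reused passwords and sites whose password is in the corpus."""
    return {
        "reused": find_reuse(vault),
        "breached": sorted(site for site, _u, pw in vault if breach_count(pw, lookup) > 0),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_VAULT))
```

Swapping `fake_range_lookup` for a function that performs the real HTTP GET turns this into a live check, and because only the five-character prefix is transmitted, the vault's passwords never leave the machine.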

Two-Factor Authorization

Two-factor authorization is still one of the most effective ways to keep any account secure. Please enable it wherever possible and keep it enabled. Forever. We enforce two-factor authorization at Atwix by making it mandatory for all our Google accounts. Go check how you can get this done.

Side note: a security question is also a form of two-factor authorization. However, security questions should not be used, as this method has proved to be an entry point to your data through social engineering. In simple words, someone may find out the name of your dog on Instagram, yours or somebody else’s.

Social Engineering

This is a very broad topic worth a separate discussion. What you need to know is that there is a risk of getting compromised through social engineering. The more public you or your company are, the higher the risk. Watch out! Enter your passwords privately, and do not work with sensitive data in public places like cafes or airports: they have webcams all around. Also, remember that your friends and loved ones did not sign an NDA with your company – you did.

Mobile

A shout-out to Apple for creating Touch ID and making it an industry standard back in 2013 (with the iPhone 5S). We are now more secure on mobile than ever before. But still, your phone or tablet is another entry point to your work email. Remember that, and apply all the same principles to your phone as you do to your computer.

Summing up

These are simple recommendations that you and your company can follow. But what we are really trying to achieve is to convey the value of security to our employees, so that they not only apply security rules but also proactively contribute new ideas about making our company safer.

Some links to explore

Here you can check whether your account has ever been compromised.
Best password managers by Lifehacker.com.
Best passwords practices from Lifehacker.com.