Keeping Your Data and Information Safe
It is unfortunate, but we live in a world where data and security breaches have become more common than we would like. It seems that every couple of months there is news about a large retail chain that has been hacked and is now asking its users to log in and reset their passwords. If you are lucky, a simple reset is where it all ends and you move on with life. For those unfortunate enough to have had important information taken, and possibly to have become victims of identity theft, this is just the beginning of a rough road ahead.
When it comes to keeping donor information safe, all precautions need to be taken to minimize the potential of a data breach. Although it may seem like a daunting task to secure all your accounts and data, your donors will appreciate that you have a roadmap of protection in place to keep their information safe. In this article, we will go over some basic tips that can help minimize the risks of a security and/or data breach, on both a personal and organizational level.
Access to Information
One of the first questions a data administrator needs to ask is, “How many people absolutely need access to this information?” The more people with access, the higher the risk. It is always best for management to assess each situation in terms of data security. When it comes to donor data, only individuals in roles where access is essential should be given this privilege. To reduce both the risk and the number of individuals with access, consider assigning smaller tasks to individuals who already have donor data access.
It is extremely important to encourage the use of strong, secure passwords, which usually include a mix of capital and lower-case letters, numbers and a special character or two. The more complex and obscure the password, the better the protection it provides. To spare users from having to remember a password, most internet browsers will prompt them to save their login credentials. If this feature is enabled, strong physical security for those devices is strongly encouraged to avoid unauthorized access, since anyone who can unlock the device can use the saved credentials.
Secondly, using a different password for every cloud account is recommended. If this practice is not already in place, it can be implemented gradually over time. One way of producing a different password for each account is to use a pattern-based method built on the strong-password principles discussed above. What is the rationale for having different passwords for every account?
When a large data breach occurs and you rush to reset your account with a fresh, secure password, there is some initial relief. Shortly after, however, the panic can settle back in with the realization that you may have used that same email and password combination across some or all of your other accounts. Some of those accounts you will recall and be able to update right away. Others you may not remember ever having created, and those remain open to compromise. Beyond the security benefit, maintaining different passwords saves you the time and headache of having to update every account you have after a breach.
Two-factor authentication is another way of making accounts safer than a strong password alone. This method requires a user to provide two different factors, or pieces of evidence, to prove they are a valid user of the account. In most cases, the user sets this up in their cloud account by providing a cell phone number as the second factor. After successfully providing a password during login, a text message containing an authentication code is sent to the user’s cell phone. The website then prompts for the code received on the phone. Once it is entered correctly, the user is granted access to the account.
If a cell phone number is not preferred as an authentication factor, apps such as Google Authenticator can be used instead. The concept is similar, but instead of receiving a text message with a code, the user opens the app and a code is generated automatically that can be typed into the site.
Two-factor authentication can be required every time a user logs into their account, or, as most websites allow, the device or computer used to log in can be remembered. On the first login after enabling two-factor authentication, there is a check box worded “remember this computer” or similar that will need to be checked. The user will be asked for the second factor the first time only; after that, only the password will need to be entered.
Protect Your Primary Email
Your primary email is like the key to your home. You should have all the available protections enabled on this account, as it holds the keys to all your other accounts: password resets for those accounts are typically sent to it. If your primary email address were ever breached, it could lead to identity theft as well as possible financial loss, should this email be linked to your bank account.
A strong password and two-factor authentication, as discussed in this article, would be our recommended minimum level of security. Using a unique password that is not shared with any other account, and changing it at least once per year if not more often, is an extra step towards protecting your accounts from a data breach. Email providers often offer additional recovery options as well, such as a second email address or a secondary cell phone.
Password Manager Apps
Strong, unique passwords for every account can be a lot to keep track of. You may want to consider using a password manager app, which can be installed on your smartphone. Password manager apps let you keep track of the various usernames and passwords used for your different accounts while keeping that information secure. A variety of reputable companies have created such apps to keep your information safe and encrypted.
We have become dependent on technology and on the security features of these new devices. If you plan to use apps such as the password manager discussed above, it becomes even more important to use the security measures your smartphone provides. Along with a passcode, most smartphones offer biometrics such as a fingerprint scan or, on newer devices, face recognition. When using a passcode, consider the longer 6-digit code if possible, and enable the biometric features.
We have all received emails that look like they were sent from a legitimate company we have an account with. On closer inspection, however, something about the email just is not right: it is not from the company it claims to be from, but is a spam email trying to get you to log into that account through a different website so that your login information can be stolen. These are called “phishing emails”, and they are becoming more common and more sophisticated.
For example, you have been going back and forth with a client via email, and the client says they will email you some files later. Moments later, an email comes in from this person asking you to log in to your Google account to download the files that were just sent. Some of us would click on the link and log in without hesitation. The website the email links to may even look and act exactly like the real site. Instead, it takes your credentials and ships them off to the wrong hands.
Phishing emails are becoming so sophisticated, and sometimes so well timed, that they can fool even the best of us. Most of the time, if an email asks you to click on a link and provide login credentials of any kind, it is a phishing email. If it appears to be from a known source and looks legitimate, rather than clicking the link, go directly to the website and log in through its portal to address whatever the email is referring to.
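An added example, not from the original article, of one check a mail filter or a cautious reader can apply to the scenario above: compare where each link actually goes with where it claims to go and with the sender's domain. The sample email and the domain accounts-google-login.example are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: the visible link text claims to be a
# Google Drive URL while the href points somewhere else entirely.
SAMPLE_EMAIL = """<p>Hi, the files I mentioned are ready. Click
<a href="http://accounts-google-login.example/files">https://drive.google.com/files</a>
to download them, or see the <a href="https://support.google.com/">help page</a>.</p>"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url: str) -> str:
    """Lower-cased host of a URL; bare text such as 'drive.google.com' works too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def suspicious_links(html_body: str, sender_domain: str) -> list:
    """Flag links whose real destination is outside the claimed sender's domain,
    or whose visible text names a different host than the href actually goes to."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # Only treat the anchor text as a host if it looks like a URL or domain.
        shown = host_of(text) if "." in text and " " not in text else ""
        if target != sender_domain and not target.endswith("." + sender_domain):
            findings.append((href, f"destination {target} is not under {sender_domain}"))
        elif shown and shown != target:
            findings.append((href, f"text shows {shown} but link goes to {target}"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL, "google.com")` flags only the first link, which is the one the story above would have you click.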
Along with the data security measures listed above, the following are additional measures that can be taken to improve both data and physical security:
- Every time you step away from your desk, lock your machine.
- If you have an office, lock the door when you are away for an extended period, such as lunch or end of day.
- Do not share your login information with others.
- Shut down your machine at the end of each day.
- Set up your PC to automatically lock after a short period of inactivity.
- Try not to log into any account using a public computer. If you must, make sure to log out at the end of your session.
- Make sure you have a firewall, anti-virus and anti-malware protection installed on your devices before using public WiFi.
We at the Crescendo IT team like to use the term “onion layers” to describe how we protect our information. The more layers of protection you have, the better your chances of fending off an attack. A single layer on its own will not protect you from a breach, but one of the many layers protecting you may be the one that thwarts the attack. It never hurts to add an extra layer of protection, with the caution that you must be able to adequately manage and maintain all your layers to ensure your data stays safe.
This layered approach applies to every kind of system, whether it is your network, your desktop PC or laptop, or any phone or tablet. Firewalls, anti-virus and anti-malware software, authentication methods and physical security at your office or building are all examples of layers of protection. Each of those layers should be examined and monitored continually for holes and vulnerabilities that could lead to a breach. Just as hard as you work to protect your weak points, there are many people out there working to expose them.
We hope this has been a helpful article. We look forward to hearing any comments or ideas you can share on keeping your data safe.