Sometimes when you read about a website or service that has been compromised, there is the presumption that they have been hacked. However, sometimes it may be the case that a weak link in how you handle your data and passwords could have simply given a virtual 'open door' opportunity to let a stranger into your digital life.
You may feel that as long as you have a nice strong password for your login to your website, social media or email services, then you are all set to be safe and secure. This may be mostly fine when it's just you, but in a company or office environment, it will take a lot more ongoing effort and training to ensure online security standards are kept up to scratch.
Do you have someone who is in charge of managing your sensitive logins and passwords or a system in place where only authorised people are allowed to know them?
Over the years of dealing with all types of customers and companies, the most common password related issues I've come across include:
- Multiple staff members in the office all seem to know or have access to login details.
- Passwords remain the same even after previous staff members leave the company.
- Login details are emailed through while cc-ing random people.
- Accidentally leaving password details in email reply threads while emailing people who shouldn't need them.
- Never following up after work is complete to see if we have finished needing password access.
- Never being called for confirmation of who we are before sending requested passwords to us via email.
… do any of these points sound familiar? If so, it may be time to review your internal systems for handling sensitive data.
Do you keep track of who has access to which services and more importantly, a system in place to revoke access when someone no longer needs it?
For cases where you are sending login details to someone to do some work on your website, instead of sharing your personal login details, it's better for security to set them up with their own account. That way their access can be easily deleted afterwards without affecting your main login details.
Check with any service or website you log in to whether they have an optional 2-factor authentication option. These authenticators usually send a code to your phone or email so that even if someone managed to find out your username and password, they still wouldn't be able to log in unless they had access to your phone as well.
How often do you do an audit on who has access to your passwords and data? (monthly/quarterly/annually/never?)
This is actually a trick question: this is something that should be practised as an ongoing process.
Start off with one really big detailed audit to find out where all your data and passwords are, and who has access to them. When someone new needs access in the future, organise with them how long they will need access for and set a future calendar note to check if you can revoke access after an agreed amount of time has passed.
If someone requires regular ongoing access to a service, look into options for giving them their own login details instead of sharing yours, so that if there were any security issues, the server logs would show which account was involved and needs its access revoked.
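The audit, the agreed expiry date and the "who is still sharing a login" check above can be kept in a simple access register. Below is an added example (not from the original post) of such a register in Python: each grant records who has which account on which service and when that access should be reviewed, and the audit functions list grants that are past their review date or open-ended, accounts held by more than one person, and accounts still held by people who have left. The register entries, names, service names and dates are all constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    person: str               # who was given access
    service: str              # e.g. the website CMS or hosting panel
    account: str              # the login they use on that service
    granted: date             # when access was given
    expires: Optional[date]   # agreed review date; None = open-ended (flagged)


def due_for_review(grants: list[Grant], today: date) -> list[Grant]:
    """Grants whose agreed period has passed, plus any with no end date at all."""
    return [g for g in grants if g.expires is None or g.expires <= today]


def shared_accounts(grants: list[Grant]) -> dict[tuple[str, str], list[str]]:
    """(service, account) pairs that more than one person can log in with."""
    holders: dict[tuple[str, str], set[str]] = defaultdict(set)
    for g in grants:
        holders[(g.service, g.account)].add(g.person)
    return {key: sorted(people) for key, people in holders.items() if len(people) > 1}


def held_by_departed(grants: list[Grant], departed: set[str]) -> list[Grant]:
    """Grants still on the books for people who have left (offboarding check)."""
    return [g for g in grants if g.person in departed]


def audit(grants: list[Grant], today: date, departed: set[str]) -> dict:
    """Run all three checks and return the findings in one place."""
    return {
        "review": due_for_review(grants, today),
        "shared": shared_accounts(grants),
        "departed": held_by_departed(grants, departed),
    }


# Constructed sample register (not real people, services or dates).
SAMPLE_GRANTS = [
    Grant("alice", "website-cms", "admin", date(2023, 1, 10), None),
    Grant("bob", "website-cms", "admin", date(2023, 6, 1), None),
    Grant("carol-contractor", "hosting-panel", "carol", date(2024, 3, 1), date(2024, 4, 1)),
    Grant("dave", "mailing-list", "dave", date(2024, 2, 1), date(2024, 12, 31)),
]
SAMPLE_DEPARTED = {"bob"}
SAMPLE_TODAY = date(2024, 5, 15)

if __name__ == "__main__":
    findings = audit(SAMPLE_GRANTS, SAMPLE_TODAY, SAMPLE_DEPARTED)
    for g in findings["review"]:
        print(f"REVIEW   {g.person} on {g.service}/{g.account} (expires {g.expires})")
    for (service, account), people in findings["shared"].items():
        print(f"SHARED   {service}/{account} is used by {', '.join(people)}")
    for g in findings["departed"]:
        print(f"REVOKE   {g.person} has left but still holds {g.service}/{g.account}")
```

Run against the sample register, the audit flags the shared `admin` login on the CMS, the contractor whose agreed period ended in April, the two open-ended grants that were never given a review date, and the login still held by the person who has left. The calendar reminder the post recommends is simply "run this again on the next review date".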
How often do you change your passwords? (monthly/quarterly/annually/never?)
Another trick question! If in doubt, change it. Don't use the same password forever and don't use the same password for multiple services. If you've shared your password and that person or company no longer needs it then change it. There are many password manager programs available, so changing your password is a breeze.
This guide is just a small tip of the iceberg when it comes to being fully secure, and sometimes things happen that are just out of your control, but just exercising caution on these main areas will reduce your online security risk drastically.
Mark provides website technical support for Green Umbrella