A lot has changed in the last ten years about the ways that we manage information. Here are some examples:
|Our data resides on a shared drive of a server in a closet at our main office.
||Our data lives on servers in the cloud (or should).
|I have about three passwords to keep track of.
||I have about 300 passwords to keep track of.
|Scam emails are easy to recognize.
||Scam emails look like they came from my boss.
These are just a few big changes that have critical impacts on security and productivity, and we’re all playing catchup trying to adjust to them. Following are three key things that you can do to be more secure and productive by 2020.
1. Install Multi-Factor Authentication for Basic Security in the Cloud
In the old days, your critical and confidential documents and data were kept securely on servers, behind locked doors in your office. Today we store documents using cloud services like Dropbox, Box, Office 365, and Google Drive. We store sensitive constituent data in Salesforce, Mailchimp, and Classy. There’s no one key that’s going to lock the door on all of it, so instead of securing that data by protecting its location, we secure it by restricting who can access it.
As we’ll discuss below, with the sophistication of password cracking tools, passwords alone don’t protect you. They need to be supplemented with an additional identity check. Google and Microsoft both include Multi-Factor Authentication (MFA) as an option with their products, and there are options available for Dropbox, Box, and other online document storage services. Put simply, by sending you a secondary text, email, or phone call, MFA verifies that you are the person typing in your login info, and not some hacker in another town or country. It is a highly effective safety protocol.
2. Adopt Pass Phrases. It’s Time to Pass on Words
The old-school thinking on passwords was that they should be impossible to remember and changed frequently. In the last few years, the major experts on information security have changed their minds about that. They now recommend that people use relatively easy to remember pass-phrases (like “Mary had a little cow” or “Lucy in the ocean”) that are at least 15 characters in length. The new guidelines also point out that passwords need to be changed when data breaches occur; having an “every three month” policy doesn’t protect you if the breach occurs two days into the quarter.
For now, you should probably continue to comply with the old-fashioned C0nfU$1ng password rules, as many of the security standards that we are subject to (HIPAA, PCI, etc.) have not updated their requirements. But you will still be safer if you make your password longer and change it when you’re alerted to an issue.
More importantly, the time has come to use password management applications to remember those 300 passwords for you. It’s not safe to get around the issue of too many passwords by using the same one for Facebook that you use for your bank, and it’s equally insecure to save them all in unencrypted word documents or spreadsheets. LastPass and Dashlane offer popular personal and corporate products.
3. The Best Protection is Education
The tools recommended above offer a large layer of protection, but nothing will keep you 100% safe. Regardless of how many precautions you have in place, it is still very difficult to avoid a targeted and sophisticated scam. Scammers have gotten much more adept at disguising their emails and pop-ups as legitimate messages. At a minimum, you should hold semi-annual security training for all staff so that they know how to recognize phishing attempts and related scams, as this is how cyber-criminals install ransomware or redirect wire transfers to their accounts.
To help with this, a new class of software called Security Awareness Training has arisen. Applications like KnowBe4, Phishme, and Wombat do two primary things: test your users on their susceptibility to phishing scams and provide targeted training on cyber-security. The pricing of these solutions for nonprofits is very economical and typically less than any lost monies released by your organization as the result of a scam.
Today’s data is secured by longer passwords, password management tools, multiple authentication methods, and your good, educated judgment. These are some of the basic security tools for the 2020s. Next time we will dive a little deeper and talk about mobile security and policies.
As with any general statement or recommendations on IT security, they are subject to change. This article is meant to discuss general guidelines. You should verify whatever protocols you put in place with your IT team or consultant.
This blog was reprinted with permission by Marcum LLP.