Security: what is the single most useful bit of advice you could give me?
I was talking to a colleague earlier today about writing a high-value "how to" article as part of an experiment we are doing with Neil Simpson. Without hesitation the response was the title of this article, so here is my "how to" for securing your data, be it online or offline. But first, let's give this some context ...
People still use the same password for everything and don't use strong passwords (e.g. password123), something I touched on in a recent blog post: "how to remember secure passwords". Imagine having a single master key that opens all the locks in your office, home, car, gym locker, etc. Now imagine someone getting hold of your keys ..... Using the same password to access your bank account and to unlock the next level of Angry Birds would be insane, wouldn't it?
We often get clients asking us to change system passwords so that they can create user accounts using their favoured password, and we have to say "no" and then explain why. We've even had clients demanding it, and whilst a few years ago we might have given in, we no longer do.
So, how do you go about setting up and implementing a secure system for protecting your personal data? I'm not talking about GDPR or the Data Protection Bill that will be read in the autumn ... I'm talking about you taking responsibility for your own protection. So put away all the excuses; we've heard them all!
Risk-assess your data and set up protection that is appropriate to what would happen if someone managed to breach your security. When I worked for the Home Office in the early nineties I was involved in assessing the risk associated with software applications we were rolling out. The "security expert" asked what would happen if the Sun (newspaper) got hold of the data we held .... after some thought I surmised that it could topple a government. Obviously this required some serious protection!
1. Categorise where data is held, online or offline, and then determine whether data held offline is still vulnerable. OK, so you have important contract documents on your laptop and it's offline ... or is it? If you connect to public Wi-Fi hotspots, which are easily hacked, is it really offline? These days nearly everything is accessible to a third party via an internet connection, Bluetooth, etc.
2. Implement a robust password policy. This means you should never use the same password for any two sources; passwords should be a minimum of 16 characters and contain a mixture of upper and lower case letters, numbers and symbols. Work out a way to remember them (see the article on how to remember passwords) and then change them every ninety days.
3. Protect offline content using an encryption application like Pretty Good Privacy (PGP) - see http://openpgp.org/ - to keep offline files safe and secure.
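The password policy in step 2 is easy to state and easy to drift from, so here is a small checker that enforces it. This is an added example, not code from the original article: it assumes the stated policy (16 characters minimum, all four character classes, no password shared between two sources) and detects reuse by comparing a keyed hash (HMAC-SHA256 under a secret "pepper") of each password instead of keeping the passwords themselves. The pepper value, the site names and the sample passwords are constructed for the example.

```python
"""Checker for the password policy in step 2 (added example, not the author's code).

Policy assumed here: minimum 16 characters, a mixture of upper and lower case
letters, digits and symbols, and no password used for more than one source.
Reuse is detected by comparing HMAC-SHA256 fingerprints of passwords under a
secret pepper, so the register never stores a password in the clear.
"""
from __future__ import annotations

import hashlib
import hmac
import string

MIN_LENGTH = 16  # minimum length stated in the article's policy


def policy_violations(password: str) -> list[str]:
    """Return a list of reasons the password breaks the policy (empty if it passes)."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


class PasswordRegister:
    """Tracks which source (site, system) each password is used for, by fingerprint only."""

    def __init__(self, pepper: bytes) -> None:
        # The pepper is a secret key; a real deployment would keep it outside the code.
        self._pepper = pepper
        self._used: dict[str, str] = {}  # fingerprint -> source that first used it

    def fingerprint(self, password: str) -> str:
        """Keyed hash of the password; equal passwords give equal fingerprints."""
        return hmac.new(self._pepper, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def register(self, source: str, password: str) -> list[str]:
        """Check the policy and the reuse rule; record the password only if both pass."""
        problems = policy_violations(password)
        fp = self.fingerprint(password)
        other = self._used.get(fp)
        if other is not None and other != source:
            problems.append(f"already used for {other}")
        if not problems:
            self._used[fp] = source
        return problems


if __name__ == "__main__":
    # Constructed sample run: the weak example from the article and a policy-compliant one.
    register = PasswordRegister(pepper=b"example-pepper-not-for-real-use")
    for source, password in [
        ("bank", "password123"),
        ("bank", "Correct-Horse-Battery-9"),
        ("games", "Correct-Horse-Battery-9"),  # same password, different source
        ("games", "Angry-Birds-Level-42!"),
    ]:
        verdict = register.register(source, password)
        print(f"{source:6s} -> {'OK' if not verdict else ', '.join(verdict)}")
```

The reuse check is the part people usually skip: a policy that only scores strength will happily accept the same strong password for the bank and for the game. Because fingerprints are keyed, a leaked register file on its own does not let anyone recover or even test-guess the passwords without the pepper.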
Consider reviewing your business by signing up to Cyber Essentials.
Lastly, remember that most hackers still view you as the weakest link! Social hacking is still one of the main causes of data breaches, and I am constantly reminded of a story I heard years ago. An ethical hacker walked into a major bank's headquarters and placed a box beside the main reception of the building with a simple message:
Write down your user name and password; the best password wins a case of champagne!
Within eight hours over 1,000 employees had entered the competition!