This short post was partly created from our new staff security briefing, which provides new starters with the basics for protecting themselves and the information they transmit and process.
We work in one of the most exciting and fast-moving sectors, but it is also a sector that is highly susceptible to security breaches. As technology advances, so do the threats. In most companies, protection against attacks is handled by automated infrastructure and monitoring services; however, there are basic precautions that everyone can take to reduce the risk.
Sharing sensitive data
Like Morrisons, Whirlpool and various parts of the UK Government, we use Google for Business, with Gmail as our email client; it is versatile and integrates with the rest of the Google for Business ecosystem. Messages between staff never leave Google's infrastructure and are encrypted in transit. Messages to and from other providers are only protected by TLS if the other provider's mail server also supports it, and even then TLS is transport encryption only: it protects the message on the wire between mail servers, not from the providers themselves. If a message crosses an unencrypted hop and is intercepted, the attacker can read its contents. Gmail flags this case for you: a red open-padlock icon on a message means the other party's server does not support encryption in transit.
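To make the transit-encryption point concrete, here is an added example (not from the original post, and not part of any Google or FlowCrypt tooling) that reads the Received: headers of a message and reports which hops were protected by TLS. It relies on the annotations that Gmail and Postfix add to each hop they record; the message it parses is constructed for the example, and the host names and IDs in it are made up.

```python
"""Report which SMTP hops in a message's Received: headers used TLS.

Receiving mail servers annotate each hop they record. Gmail writes
"with ESMTPS ... (version=TLS1_2 cipher=... bits=...)" for a hop that used
STARTTLS and "with ESMTP" with no TLS clause for one that did not; Postfix
writes "with ESMTPS" and "(using TLSv1.2 with cipher ...)". Google-internal
hops carry "(Google Transport Security)". Absence of all of these means the
message crossed that hop in clear text.
"""
import email
import re

# Annotations that mean the hop was protected by TLS.
_TLS_PATTERNS = [
    re.compile(r"\bwith\s+E?SMTPSA?\b", re.IGNORECASE),       # ESMTPS / ESMTPSA / SMTPS
    re.compile(r"version=TLS", re.IGNORECASE),                 # Gmail: (version=TLS1_2 cipher=...)
    re.compile(r"using\s+TLSv", re.IGNORECASE),                # Postfix: (using TLSv1.2 with ...)
    re.compile(r"Google Transport Security", re.IGNORECASE),   # Gmail-internal hops
]
_FROM_BY = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)


def hop_used_tls(received: str) -> bool:
    """True if a single Received: header value carries any TLS annotation."""
    return any(p.search(received) for p in _TLS_PATTERNS)


def transit_hops(raw_message: str):
    """Return [(from_host, by_host, tls_used), ...] in delivery order, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its Received: header, so the header list is newest-first.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())            # unfold and normalise whitespace
        m = _FROM_BY.search(text)
        if not m:
            continue                               # no "from X by Y": not an SMTP transfer
        hops.append((m.group(1), m.group(2), hop_used_tls(text)))
    return hops


def cleartext_hops(raw_message: str):
    """The hops an eavesdropper on the path could have read."""
    return [(f, b) for f, b, tls in transit_hops(raw_message) if not tls]


# Constructed sample message for this example (not a real message). Oldest hop first:
#   1. the sender's laptop to their provider's server, authenticated over TLS (ESMTPSA)
#   2. the sender's provider to mx.google.com, plain ESMTP with no TLS clause: clear text
#   3. a Google-internal relay with no "from", which is not an SMTP transfer we assess
SAMPLE_MESSAGE = """\
Received: by 2002:a05:6602:1234:0:0:0:0 with SMTP id k9csp123456iog;
        Thu, 12 Jul 2018 10:00:03 -0700 (PDT)
Received: from smtp.example.net (smtp.example.net. [203.0.113.5])
        by mx.google.com with ESMTP id z3si123456plk.99.2018.07.12.10.00.02
        for <staff@example.com>;
        Thu, 12 Jul 2018 10:00:02 -0700 (PDT)
Received: from [192.0.2.10] (unknown [192.0.2.10])
        by smtp.example.net (Postfix) with ESMTPSA id 4F2A1C0B12
        for <staff@example.com>; Thu, 12 Jul 2018 18:00:01 +0100 (BST)
From: customer@example.net
To: staff@example.com
Subject: Q2 invoice
Content-Type: text/plain

Invoice attached.
"""

if __name__ == "__main__":
    for sender, receiver, tls in transit_hops(SAMPLE_MESSAGE):
        print(f"{sender} -> {receiver}: {'TLS' if tls else 'CLEAR TEXT'}")
    # prints:
    #   [192.0.2.10] -> smtp.example.net: TLS
    #   smtp.example.net -> mx.google.com: CLEAR TEXT
```

Paste a real message's raw source (Gmail: "Show original") into SAMPLE_MESSAGE to check your own mail. A clear-text hop anywhere on the path is the case the rest of this section is about: content you would not want read by a stranger must be encrypted before it is sent, not left to the transport.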
So what happens if we need to share sensitive information, such as financial data, with a customer by email? The new release of Gmail (currently in beta) adds a 'Confidential mode' feature, but at the time of writing it has not been released, and note that it restricts forwarding, copying, printing and expiry rather than encrypting the message end to end.
So, in the past, we would encrypt files by hand from the command line in Apple's Terminal. That is fine if you're tech-savvy, but we need something accessible to the entire company, so we have added the FlowCrypt extension to our company Gmail accounts. It is simple to set up and uses the OpenPGP standard for encryption. This PGP (Pretty Good Privacy) article provides more information on how PGP encryption works.
If you use Gmail as your email client then you can try it yourself by following the FlowCrypt instructions; once the extension is authorised you will be able to send encrypted emails and attachments. Be clear about what your 'passphrase' is for: it protects your own private key on your own machine, and you never share it with anyone. A recipient who also uses PGP decrypts with their own private key, so the only thing you need from them in advance is their public key. A recipient who does not use PGP can still receive a FlowCrypt message protected by a one-off password instead, and it is that password which must reach them by a channel other than email: an end-to-end encrypted messenger such as WhatsApp (Telegram only encrypts end to end in its Secret Chats), the One Time Secret service with the deletion set to 5 minutes, or, as a last resort, a phone call. Under no circumstances send the password by email, since anyone who intercepted the message could then read it too.
Routine malware cleansing
Malware such as a keylogger can be installed on your device without your knowledge through actions as simple as opening an unknown email attachment. You should run a routine malware scanner to help protect the data you process, for example by installing Malwarebytes. It scans your device every 24 hours by default (the frequency is configurable) and notifies you when malware has been found and quarantined. This What is Malware article provides more information on how malware works.
Be aware of zero-day vulnerabilities too. In layman's terms, these are exploitable weaknesses in software that the vendor does not yet know about or has not yet patched, so attackers can use them before a fix exists. You cannot install a patch that does not exist yet, so the practical defences are to apply updates as soon as they are released, which closes the window the moment a fix ships, and to limit your exposure in the meantime: don't open unexpected attachments, don't run software from unknown sources, and don't use an administrator account for day-to-day work. If you're a macOS user, this How to automatically update all your Mac apps article provides more information on how to automatically update your entire software suite. If you're a Windows user, this How to keep your Windows computer up-to-date article provides more information on updating your software suite.
Using open Wifi
Your device and data can be compromised when you connect to an open WiFi network, for example through a 'man in the middle' attack, in which the attacker sits between you and the access point and reads or alters your traffic. This Harvard Business School article provides more information on the dangers of using open WiFi.
Like other companies that take their security seriously, we stipulate that staff who need to connect to an open WiFi network with a company device or application must use the company VPN service (virtual private network). The VPN masks your IP address, but more importantly it encrypts all traffic between your device and the VPN server, so nobody on the local network can read or tamper with it. Note that the protection ends at the VPN server: the VPN provider can see your traffic, and anything beyond that point is protected only if the site you are talking to uses HTTPS.
There are plenty of consumer and enterprise VPN providers; one of the most popular is ExpressVPN. Install the application on each of your devices and log in once; after that, connect to the VPN before doing anything else on an untrusted network. This How does a VPN work article provides more information.
If you can connect through your own personal hotspot on your mobile phone's 3G or 4G network, that is the preferred option. It has its own vulnerabilities: a device such as an IMSI catcher (commonly referred to as a Stingray) gives an attacker another form of 'man in the middle' attack. However, the probability of meeting one is considerably lower than that of meeting a hostile open WiFi network. This Guide to How IMSI Catchers Work article provides more information on how Stingrays work.
Passwords and management
Passwords and the management of them can become untenable, so how do you maintain usability and security in a company with many users? For us the answer is a password manager, which lets administrators set permissions and keep separate vaults, each with its own encryption and passphrase. There are a number of options, such as LastPass, for storing your sensitive information. If you do set one up, it is worth registering it under a dedicated email address that is not publicly linked to you, which adds a small extra hurdle for an attacker, although it is no substitute for a strong, unique master passphrase and two-factor authentication on the manager account. This article titled 'Password managers and why you should use them' provides more information on the benefits.
Additionally, we conduct regular training sessions with the team to ensure they are able to recognise and report phishing emails, which usually seek to elicit password or login information from their target. Here's a case study of our last live training exercise.
One last point: if you have a spare five minutes, this article titled Realistic Password Strength may change your approach to password creation.
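As an added illustration of the point the Realistic Password Strength article makes, and of why the password manager should generate your passwords rather than you inventing them, here is example code that is not part of the original post. It measures a password scheme by its entropy in bits (length times log2 of the pool of symbols) and generates passwords and Diceware-style passphrases with Python's secrets module. The eight-word list and the 10^10 guesses-per-second cracking rate are assumptions made for the example.

```python
"""Compare the strength of password-creation schemes by entropy, and generate secrets.

Strength is the number of equally likely secrets a scheme can produce, expressed in
bits: length * log2(pool). Each extra bit doubles an attacker's work. A password
manager's random per-site passwords and a multi-word passphrase are compared with
the short "complex" passwords people typically invent.
"""
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits          # 62 symbols
PRINTABLE = ALNUM + string.punctuation                 # 94 symbols
DICEWARE_LIST_SIZE = 7776                              # 6^5 words in a standard Diceware list

# Constructed mini word list so the example runs offline. A real passphrase should
# draw from a full Diceware-style list, which is why entropy_bits takes the list
# size as a parameter rather than using len(SAMPLE_WORDS).
SAMPLE_WORDS = ["anchor", "basket", "copper", "dragon", "ember", "falcon", "garnet", "harbor"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret built from `length` independent uniform draws of `pool_size` options."""
    return length * math.log2(pool_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected brute-force time (half the keyspace on average) at a given guess rate.
    The default 1e10 guesses/s is an assumed offline rate against a fast, unsalted
    hash, used only to make the comparison tangible."""
    return (2.0 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """What a password manager generates: uniform random symbols from `secrets`, not `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, n_words: int, sep: str = "-") -> str:
    """A Diceware-style passphrase: words chosen uniformly and independently from a list."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare_schemes() -> dict:
    """Entropy in bits for a few schemes; higher is stronger."""
    return {
        "8 alphanumeric characters": entropy_bits(len(ALNUM), 8),
        "16 printable characters (manager-generated)": entropy_bits(len(PRINTABLE), 16),
        "5 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 5),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:45s} {bits:6.1f} bits  ~{years_to_crack(bits):.3g} years at 1e10 guesses/s")
    print("example password:  ", random_password(16))
    print("example passphrase:", random_passphrase(SAMPLE_WORDS, 4))
```

The arithmetic only holds if every symbol or word is chosen uniformly at random, which is exactly what people do not do when they invent passwords; that is the case for letting the manager generate them and for using a real word list with real dice or `secrets` for a passphrase you have to remember.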