I was going to email these security hygiene recommendations to a lawyer setting up a new office, but I realized that others would benefit too. These recommendations are roughly in priority order. See my other blog entries for more detail on many of these.
- Password manager: You and your employees and contractors should (really, must) use one, e.g., LastPass or 1Password. For every important account, change its password to a long (~30 characters), randomly generated one and store it in the password manager; a password generated that way is unique by construction, so no two accounts share one. Never reuse passwords.
- Second factor authentication (2FA): Enable it on all accounts where it's available. The 6-digit Google Authenticator type (called TOTP) is better than SMS/text, since a text message can be intercepted or redirected by someone who takes over your phone number, but if only SMS/text is available, use it. Google Authenticator is OK, but it's better to use Authy as it installs on all your devices and makes device recovery much easier. Whenever you enable 2FA, store the backup/recovery codes the service gives you in your password manager. Enable 2FA on your password manager but read this first: Don't get locked out of your password manager.
- Security and privacy awareness training: Ensure that you and your employees and contractors are all very aware of: how social engineering in general, phishing, vishing, business email compromise, and other attacks work, and know how to be resistant; and privacy laws and their requirements for protecting and managing personal information. Roll this out in concert with the password manager and 2FA, as they may require user training anyway.
- Email account security: Ensure all email accounts are really secure (long, random password and 2FA): if any email account gets hacked, the attacker (using password recovery mechanisms) can take over all other accounts that are tied to it.
- Data backup: Ensure your data is backed up to the cloud -- e.g., CrashPlan, Sync.com (ensure your plan has at least 180-day retention, so that you can still get a clean copy of a file weeks after it was deleted or scrambled by ransomware) -- or Backblaze -- and also backed up to an external drive. Ensure the external drive has full disk encryption, and actually restore a few files from each backup now and then to confirm it works.
- Device hardening: Ensure all devices are recent enough that they are still getting regular security updates; stop using any devices that are too old. Put strong passwords/PINs on computers and mobile devices. For Windows, make sure you have Windows 10 Pro (the Home edition lacks it) and then turn on BitLocker, which is full disk encryption; for Macs, ensure FileVault 2 is encrypting your main drive. On computers, use quality security extensions on all browsers (e.g., HTTPS Everywhere, Privacy Badger, and uBlock Origin) and set the OS firewall to block all incoming traffic. Don't plug in USB devices that have been out of your control.
- Cloud services: Be aware that most cloud services (Google Drive, OneDrive, Dropbox, iCloud, etc., many backup services, and almost all value-added services) store your data in such a way that the provider holds the keys that decrypt it, so if the service gets hacked, or an employee or a subpoena reaches into it, the attacker could get your data. But there are services that store your data more securely, using end-to-end encryption so that only you hold the key, e.g., Sync.com and CrashPlan.
- File transfer security: Email by itself is not a secure way to send personal information or sensitive information. Secure alternatives include encrypting files with 7-Zip before emailing them (use the 7z format with AES-256 and tick "Encrypt file names" so the file list is hidden too, and send the password some way other than email), using Sync.com to share folders (Team Shares) or files (set Enhanced Privacy and a password on the Link, and again send the password some way other than email), or using an end-to-end encrypted messaging service like Signal.