Security Checklist

Organizations face the ever-increasing challenge of securing their IT data and systems from cyber threats. To meet this challenge, many organizations end up with dozens of security point products that don't communicate with each other and are often incompletely or improperly configured. This reduces the effectiveness of cybersecurity controls and increases risk to the organization. To help prevent this, organizations should perform a periodic security checkup to assess their current overall cybersecurity health and the effectiveness of their cybersecurity controls.

Train employees on good security practices

An organization's employees are one of the biggest risks to its cybersecurity. In fact, human error is considered the leading cause of data breaches. By holding regular training sessions to explain how an attacker could infiltrate your company, you will increase employee awareness and thus minimize the chance of them falling prey to common pitfalls. Some things to cover include phishing emails and the dangers of USB drives and email attachments.

Lock computers when not in use

Your office may be secured, but cleaning crews and engineering and maintenance teams likely have access to your personal workspace when you're not there. Anyone with physical access to an employee computer can do a lot of harm in a very short amount of time, so locking all computers when you're away for even a short time is a great habit.

Do not share user accounts

Sharing a user account makes it hard to understand who is using the service or to identify who has performed a given action. Many actions in SOVA are logged with the user who performed them, so during an audit it's easy to determine who changed data and when. When people share user accounts, we lose this visibility. Sharing accounts also makes it much harder to recognize when an account has been taken over by an outside party, and harder to remove access to an account when employees leave the company, opening that account up to potential abuse.

Follow a formal onboarding and offboarding process

Your HR department probably handles onboarding to ensure new employees have a good understanding of the security culture that exists at your company. But what about when an employee is terminated? Are their access privileges stripped to prevent access to your company network? Again, the answer is probably yes. But what about access to SOVA? Do you check user accounts regularly and deactivate those of employees who are taking a leave of absence, or delete the accounts of employees who have been terminated?

Require 2FA for your admins

Your admins should all be using 2-factor authentication (2FA) when logging into SOVA, and this is recommended for property users as well. What is 2FA? You may have logged into secure websites like your bank or brokerage accounts and been asked to verify a code sent via SMS to your mobile phone, or you may have an app on your phone like Google Authenticator that shows a code that rotates every few seconds, which you enter into one of your secure websites. By adding 2FA to your SOVA account, you add an extra layer of security. With 2FA enabled, if a user's password gets stolen and an attacker attempts to log in with those stolen credentials, they would also need to provide a code that is only visible on the user's personal mobile device linked to the account. So unless an attacker steals your SOVA login information and also steals your phone, they would not be able to gain access to your account. As the onsite SOVA admin, you can help make sure everyone complies with this rule. Currently SOVA only supports software keys for 2FA via apps like Google Authenticator. We will add the option to use purpose-built hardware-based 2FA, like YubiKeys, in the coming year.

Read more:
  1. https://en.wikipedia.org/wiki/Multi-factor_authentication
  2. https://support.google.com/a/answer/184711
  3. https://slack.com/help/articles/212221668-Mandatory-workspace-two-factor-authentication-
  4. https://www.yubico.com/why-yubico/how-yubikey-works/
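The rotating code described above is a time-based one-time password (TOTP, RFC 6238): the phone and the server share a secret, and each derives the same six-digit code from that secret and the current 30-second time step, so an attacker holding only the password cannot produce it. The following is an added illustration, not SOVA's own code (how SOVA validates codes internally is not described on this page). It uses the RFC 6238 reference key as a constructed demo secret, generates codes the way an authenticator app does, and shows the two server-side checks a verifier should make: tolerate a small clock drift window, and never accept the same code twice. The helper names (hotp, totp, TotpVerifier) are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way an authenticator app receives it from a QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # standard TOTP time step
DIGITS = 6          # standard code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, int(unix_time // step))


class TotpVerifier:
    """Server-side check: accept a code only inside a small drift window, and only once."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret_b32 = secret_b32
        self.window = window                # steps of clock drift tolerated either side
        self.last_accepted_counter = -1     # replay guard: each time step is consumed at most once

    def verify(self, submitted: str, unix_time: Optional[float] = None) -> bool:
        now = time.time() if unix_time is None else unix_time
        counter = int(now // STEP_SECONDS)
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue  # this step (or an older one) was already used: reject replays
            expected = totp(self.secret_b32, candidate * STEP_SECONDS)
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # What the phone shows right now, and whether the server accepts it.
    code = totp(DEMO_SECRET_B32, time.time())
    verifier = TotpVerifier(DEMO_SECRET_B32)
    print(code, verifier.verify(code), verifier.verify(code))  # second attempt is a replay
```

The replay guard matters because a code intercepted by a phishing page is still valid for the rest of its 30-second step; remembering the last accepted step closes that gap without any extra state beyond one integer per user.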

Enforce a strong password policy

Passwords are the first line of protection against unauthorized access to your SOVA portal. The stronger the password, the higher the level of protection your computer has from malicious software and hackers.

To create a strong password, you should be aware of the criteria for making one. These criteria include the following:
  1. A strong password must be at least 8 characters long.
  2. It should not contain any of your personal information, specifically your real name, user name, or even your company name.
  3. It must be different from your previously used passwords.
  4. It should not contain any word spelled out completely.
  5. It should contain characters from the four primary categories: uppercase letters, lowercase letters, numbers, and special characters.

Read more:
  1. https://www.digicert.com/blog/creating-password-policy-best-practices/
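The five criteria above can be enforced mechanically at password-change time. The checker below is an added example, not SOVA's own policy code (this page does not describe how SOVA validates passwords). It reports every violated criterion rather than stopping at the first, keeps password history as salted PBKDF2 hashes rather than plaintext so that the reuse check never stores old passwords, and uses a small constructed wordlist as a stand-in for the real dictionary a deployment would load. Function names and the DEMO_WORDLIST are this example's own.

```python
import hashlib
import hmac
import os
from typing import Iterable, List, Optional

MIN_LENGTH = 8          # criterion 1 on this page
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16

# Constructed stand-in for a real dictionary; a deployment would load a large wordlist.
DEMO_WORDLIST = {"password", "welcome", "summer", "security", "dragon", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, stored as salt || digest so history never holds plaintext."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def matches_history(password: str, history: Iterable[bytes]) -> bool:
    """Criterion 3: True if the candidate equals any previously used password."""
    for record in history:
        salt, stored = record[:SALT_BYTES], record[SALT_BYTES:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, stored):
            return True
    return False


def check_password(password: str, personal_info: Iterable[str],
                   history: Iterable[bytes] = (),
                   wordlist: Iterable[str] = DEMO_WORDLIST) -> List[str]:
    """Return the list of violated criteria; an empty list means the password passes."""
    problems: List[str] = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Criterion 2: no real name, user name or company name, compared case-insensitively.
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")

    if matches_history(password, history):
        problems.append("reuses a previous password")

    # Criterion 4: no complete dictionary word spelled out inside the password.
    for word in wordlist:
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains the dictionary word '{word}'")

    # Criterion 5: all four character classes present.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))

    return problems


if __name__ == "__main__":
    # Constructed user profile and a previously used password for the reuse check.
    profile = ["Jane Doe", "jdoe", "Acme"]
    old_passwords = [hash_password("OldPa55!word")]
    for candidate in ["Summer2024", "jdoe2024!X", "OldPa55!word", "Tq9#vL2!xR"]:
        print(candidate, check_password(candidate, profile, old_passwords) or "OK")
```

The substring checks are deliberately case-insensitive: "Summer2024" fails criterion 4 even though the dictionary word is capitalised, which is the way most users try to satisfy a complexity rule without actually adding entropy.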

Maintain a list of active mobile devices

You may have anywhere from two to 50 SOVA devices in use at your business. Over the course of several years, devices break, get lost, or are no longer used as new devices come on board. You should maintain a list of active devices and let us know when a device is lost or otherwise removed from service by opening a ticket. When we receive your ticket, we will promptly decommission the devices per your request.

Consider enrolling devices in an MDM

A Mobile Device Management (MDM) system is an important tool to have in your arsenal: it allows you to track devices, limit changes to a device (like changing backgrounds, keyboards, etc.), restrict which apps can be downloaded and run on a device, and more. Your company likely already has an MDM in place for other company-owned IT assets like laptops and tablets; discuss this with your IT department. Alternatively, SOVA offers an MDM for those wishing to secure their devices. Give us a call and we can get you onboard for a nominal per-device fee.

Read more:
  1. https://en.wikipedia.org/wiki/Mobile_device_management

Encrypt your devices

Encryption stores your phone's data in an unreadable, seemingly scrambled form. When you enter your PIN, password, or pattern on the lock screen, your phone decrypts the data, making it readable. If someone doesn't know the encryption PIN or password, they can't access your data. You may think you don't have sensitive data on your SOVA phone, but you do! If your phone is stolen, a thief can access any photos you have taken on your device for incidents you were investigating. If you have stored the admin password for SOVA on your device, the thief can review your security tours to learn where your checkpoints are located.

Most newer Android phones ship with encryption already turned on by default. If this is the case for your phone, there is no way to disable encryption. But if you're using an older device that doesn't have encryption enabled out of the box, enabling it could slow the device down. If you decide to encrypt, then realize the device is running too slow and want to undo the process, your only choice is to perform a factory reset.

Read more:
  1. https://source.android.com/security/encryption

Data management and privacy

Most organizations collect, store and process a great deal of sensitive information. This includes employee data; incident reports; tour and other activity data; photos of persons of interest, lost and found items and incident media; and more. If any of this data is publicly exposed or accessible to a cybercriminal, the negative impact could be significant.

GDPR data. In SOVA we make it easy to remove sensitive information collected on persons living in the EU. This could affect you even if you are a US-based company and use our lost and found solution. When shipping lost packages back to your customers living in various European countries, you, or they, enter their shipping address. An address, in conjunction with other pieces of information, can be used to positively identify a person and should therefore be removed from SOVA as soon as it's no longer needed (e.g. once a lost item shipment has been delivered). To clean up and remove this potentially sensitive information, head over to the settings menu. Once there, choose 'Lost & Found Privacy' and any data that falls under the GDPR guidelines will be presented so you can remove it. If your company makes use of the lost & found module in SOVA, it is your responsibility to check this page regularly and remove data promptly to maintain compliance.

Personal information. You may be tempted to capture an image of a driver license for a person involved in an incident. In some states this is illegal, and in every US state it is a criminal offense to capture an image of a military ID. You are responsible for your data, and SOVA does not monitor the images you choose to upload to your web portal. Consider what data you really need to capture, and for what specific purpose it is being captured. Can you hold your thumb over portions of the driver license to mask bits of information you really don't need? Here are some guidelines for capturing images of lost and found items:
  1. Driver licenses. Mask information that is not needed. Most of the data on a driver license is likely not needed, so it's best not to save these images in SOVA at all. If you need a picture of the person, grab a screen capture from your CCTV system. Why? Because those images are captured in a public space, and generally, with some exceptions, it's okay to capture pictures of people in public spaces. Having a full driver license image in SOVA opens your company up to a claim of identity theft if someone gets hold of that image and uses it for nefarious purposes.
  2. Prescription bottles. Mask the name, at least. Better still, mask the name of the patient as well as the name of the medication. If you only want an image of a prescription bottle to prove you have it, the size, color and shape should be enough for a person to recognize it. There is no need to identify a person along with their medical condition for all the world to see (or for the would-be criminal who breaks into your data).
  3. Documents. Business documents can contain sensitive, proprietary business data. Why expose that? A picture of a stack of business papers should be taken with a sheet of paper over the top of any text, drawings, etc. to hide sensitive data. Don't copy, fold, or change the order of business papers. You can place them in a plain manila envelope for safekeeping and store them flat in a cool, dry place. Documents are generally considered valuable items, and as such your retention period is generally longer for these types of items.
  4. Images. The best practice for images is the same as for documents. Don't take a picture of a picture, since that image, when taken, was not accessible to the public (unlike CCTV camera images in your place of business).

General guidelines for storing data in SOVA

Data that cannot be stored in SOVA without consent includes:
  1. Driver license data (i.e. number, address, barcode, full name, image)
  2. Face images, unless the image is captured in an area considered available to the public

Data that cannot be stored in SOVA for HIPAA reasons includes:
  1. Images of prescription bottles, unless label data (i.e. name, what the prescription is used to treat, etc.) is obscured
  2. Images of bodily injuries, if the face is visible in the camera shot
  3. Social security numbers
  4. Images of doctor notes, X-rays, or treatment plans/diagnoses that you add to an IR narrative
  5. Specifics surrounding assault of a sexual nature. If in doubt, raise the ICC classification to prevent distribution/viewing
  6. Mental health condition or diagnosis

Other data that should never be stored in SOVA includes:
  1. Full credit card numbers (as images or as text; the last 4 digits are fine)
  2. Images of military IDs (this is a federal offense in the US)
  3. Images of minors
  4. Images depicting nudity
  5. Images of insurance cards for persons involved in a vehicle accident (identity theft)
  6. Images of business paperwork left behind in lost and found (could be proprietary)