People are, unfortunately, often one of the biggest security vulnerabilities a business can have. Burdening them with locked down computers and super-firewalled networks might be one way to “fix” it, but will lead to reduced productivity. Or worse, people will subvert the rules and work around them to get stuff done.

Staying secure involves constant learning, keeping vigilant, and thinking like a hacker. At Revert we work hard to keep your data secure by fostering that attitude of security-conscious thinking. But establishing a baseline of practical tips can be really helpful for new employees.

Here’s what we’ve come up with so far:

Authentication

  • Use a Password Manager, like 1Password. Use unique and strong passwords for every website you visit.
  • Use Two Factor Auth everywhere possible: Github, Google Apps, AWS, Dropbox, Revert, etc. We use Authy for the Revert website. Keep your recovery codes secure – a fireproof safe at home? Don’t use Authy’s browser plugin: keeping the code generator on the same machine as your password takes the second factor out of two factor (although it’s not technically 2FA to begin with, it’s 2SV, but I digress…)
  • Turn off iMessage on your laptop – otherwise the 2FA code can be delivered by SMS to the laptop as well, again taking the 2F out of 2FA.

Software

Browser

  • Install an ad blocker. uBlock and Ghostery are my combo on Chrome. This will help prevent sites from tricking you into clicking ads instead of download links, tracking, etc. Whitelist sites you trust and want to support through advertisement.
  • Make plugins click-to-play. This might be overkill, but it means no potentially malicious plugins will be loaded secretly without your approval. Whitelist sites you visit regularly.
  • Use the HTTPS Everywhere extension. Some sites offer HTTPS but don’t yet default to it. This will redirect you to their HTTPS site, making your connection more secure.

Antivirus

I use ClamXav on my Mac and have it set up to watch the Downloads folder. I don’t plug in dodgy USBs and I try not to download dodgy stuff, but if there’s something fishy ClamXav will net it. There is other free or paid antivirus/anti-malware software available.

Mac Security Settings

  • Turn the firewall ON. System Preferences > Security & Privacy > Firewall
  • Enable Stealth Mode in Firewall Options. This stops your computer from responding to “knocking at the door”.
  • Turn off all the sharing options. System Preferences > Sharing. Enable them again when you need them.
  • Turn off bluetooth when you don’t need it.
  • Make your screensaver turn on after 1 minute, or as quickly as you can bear. System Preferences > Energy Saver
  • Require the password immediately after the screensaver. System Preferences > Security & Privacy > General.
  • Enable the guest account when someone wants to use your laptop. Set up dedicated, non admin, accounts for people who might use it more regularly (family, etc). Ideally, only you ever use your laptop.
  • Avoid using Public / Free wifi. Public wifi is insecure, even with a password, even at (perhaps especially at) conferences.
  • Tether via USB or use a strong WIFI hotspot password.
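A small shell audit of the firewall and screensaver items above, added here as an example and not taken from the original post. It assumes the socketfilterfw path and its output strings (“Firewall is enabled”, “Stealth mode enabled”) and the com.apple.screensaver defaults keys askForPassword, askForPasswordDelay and idleTime; the parsing helpers take command output as arguments so they run anywhere, and the live commands only run when present.

```shell
#!/bin/sh
# Added example: audit a few of the Mac settings from the checklist.
# Parsing helpers take command output as arguments so they run offline;
# the live commands (assumed path and defaults keys) only run when they exist.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw   # assumed path

# 0 when `socketfilterfw --getglobalstate` output says the firewall is on.
firewall_enabled() {
  case "$1" in *"Firewall is enabled"*) return 0 ;; *) return 1 ;; esac
}

# 0 when `socketfilterfw --getstealthmode` output reports stealth mode on.
stealth_enabled() {
  case "$1" in *"Stealth mode enabled"*) return 0 ;; *) return 1 ;; esac
}

# 0 when askForPassword=1 and askForPasswordDelay=0 ("immediately").
lock_immediate() {
  [ "${1:-0}" = "1" ] && [ "${2:-0}" -eq 0 ]
}

# 0 when the screensaver idleTime (seconds) is set and is at most a minute.
screensaver_within_minute() {
  [ "${1:-0}" -gt 0 ] && [ "${1:-0}" -le 60 ]
}

# Runs one check and prints PASS/FAIL without aborting the script.
check() {
  label=$1; shift
  if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi
}

audit_mac() {
  [ -x "$SFW" ] || { echo "socketfilterfw not found; skipping live audit"; return 0; }
  check "firewall on"     firewall_enabled "$("$SFW" --getglobalstate)"
  check "stealth mode on" stealth_enabled  "$("$SFW" --getstealthmode)"
  ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null || true)
  delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null || true)
  check "password right after screensaver" lock_immediate "$ask" "$delay"
  idle=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || true)
  check "screensaver within 1 minute" screensaver_within_minute "$idle"
}

audit_mac
```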

Mobile Phone

  • Use a passcode (or pattern, touchID, etc).
  • Autolock your phone ASAP, e.g. after 1 minute.
  • Turn off bluetooth until you need it, and turn it off again ASAP.
  • Turn off WIFI when venturing somewhere scary, and turn on Ask to Join Networks. Otherwise your phone might auto connect to a router spoofing an SSID you’ve used before, which would be bad.
  • Find My Phone – up to you. The security risks go both ways. Personally, I use it as I’d rather be able to nuke my device if it’s lost. That means if my iCloud is hacked, my device could be wiped from under me, which is Not Great.

Well, those are my practical tips. Stay safe!

How do you encourage secure practices in your organization?