How safe are your files? How can you keep your data secure? Graham Cluley shares the story of a woman who deliberately deleted thousands of files from a firm’s Dropbox account.
Bulley was successfully prosecuted under the UK’s Computer Misuse Act after deleting thousands of important files from a company that subsequently collapsed.
It’s not hard to imagine how a company could overlook or not consider the issue of who has access to which accounts. A disgruntled employee leaves, a company forgets to remove access, and the consequences can be severe.
How can you keep your data secure?
When people leave your company, whether on good terms or bad, you should have an off-boarding procedure in place to prevent any unauthorized access to your accounts or files.
We use a checklist to make sure we don’t forget anything when someone moves on. Make a list of all the services you use, who has access, and remove access when required. You might think about your website admin area, Dropbox account, Gsuite or Google accounts, Outlook or other email accounts, web hosting accounts, FTP access, domain nameserver accounts, and any other services you use online.
Best data security access practices
When people are active in your company:
You should be operating on the principle of least privilege. This means granting the fewest people the lowest level of account access required to get the job done. The more people you give access to, and the higher their access levels, the greater the risk to your accounts and your data. By limiting access, you limit the attack surface and the number of potential entry points.
Don’t share accounts or passwords.
Each user should have his or her own login to each service the person needs to access. This makes access auditing possible and makes it easy to remove that one user once the access is no longer required.
Consider how to use a password manager.
You may want to use a company-wide password manager, or each employee may use his or her own. Think about what makes sense in your business so that you can remove access as required.
Use 2 Factor Authentication.
Many services offer 2FA, requiring the user to authenticate with a one-time code sent by text message or generated by a token in addition to the password. Enabling this adds a second barrier to your accounts even if a password is leaked or shared.
Use delegated or technical contact access points.
Some accounts allow you to authorize a user with a lower level of access. For instance, you could grant your web developer access as a technical contact, allowing her the access she requires but not permitting her to view your main account or billing information. This fits the “least privilege” principle and allows the technical contact to log into the account using his or her own 2FA codes rather than bothering you each time. And of course, it allows you to remove the user when the person no longer requires access to the account.
Audit your accounts.
On a regular basis – every six months, or every year at the very least – perform an audit. What accounts do you have on which services, and who has access? Do these people still require access? Could they have a more restricted access level?
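The off-boarding checklist above and this audit both start from the same thing: an inventory of which services grant access to whom. As an added example (not code from the original post), the script below runs a review over a constructed inventory and a constructed list of departed staff, flagging lingering access, shared logins, missing 2FA and people who hold privileged roles on several services. Service and user names are hypothetical.

```python
from datetime import date

# Constructed sample inventory (hypothetical, not from the original post):
# one row per (service, login), with the role granted and whether 2FA is on.
ACCESS_INVENTORY = [
    {"service": "Dropbox",     "user": "alice", "role": "owner",  "mfa": True},
    {"service": "Dropbox",     "user": "carol", "role": "member", "mfa": False},
    {"service": "Web hosting", "user": "admin", "role": "admin",  "mfa": False},  # shared login
    {"service": "Nameservers", "user": "bob",   "role": "admin",  "mfa": True},
    {"service": "GSuite",      "user": "bob",   "role": "admin",  "mfa": True},
]
# Logins that are not tied to one person; these defeat per-user auditing.
SHARED_LOGINS = {"admin", "root", "info"}
# Constructed HR record: who has left the company and on what date.
DEPARTED = {"carol": date(2019, 3, 1)}
PRIVILEGED_ROLES = {"admin", "owner"}


def offboarding_checklist(inventory, user):
    """Services where this user still has a login, i.e. what to revoke when they leave."""
    return sorted(row["service"] for row in inventory if row["user"] == user)


def review_access(inventory, departed, shared_logins, today):
    """Return (service, user, finding) tuples for the periodic audit."""
    findings = []
    for row in inventory:
        svc, user = row["service"], row["user"]
        if user in departed:  # off-boarding was missed: access outlived employment
            days = (today - departed[user]).days
            findings.append((svc, user, f"left {days} days ago, access still active"))
        if user in shared_logins:  # nobody can tell who used the account
            findings.append((svc, user, "shared login, no per-user accountability"))
        if not row["mfa"]:
            findings.append((svc, user, "2FA not enabled"))
    # Least-privilege prompt: one person holding admin/owner on several services.
    privileged = {}
    for row in inventory:
        if row["role"] in PRIVILEGED_ROLES:
            privileged.setdefault(row["user"], []).append(row["service"])
    for user, services in privileged.items():
        if len(services) > 1:
            findings.append(("*", user, f"privileged on {len(services)} services: {', '.join(services)}"))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCESS_INVENTORY, DEPARTED, SHARED_LOGINS, date(2019, 6, 1)):
        print("%-12s %-6s %s" % finding)
```

In practice the inventory would be exported from each service's admin console rather than typed in, but the review logic stays the same.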
Remember that the weakest link in security is often the human element. Take the time to think about how you can make your data as secure as possible.
What steps do you take to keep your company’s data and accounts secure? Let us know!