Why we’re worried about security and what we’re doing about it
From Cloudbleed to the WikiLeaks dump of the CIA’s cyber attack arsenal to WannaCry — 2017’s been a busy year for cyber security. Thanks to a slew of high profile political and news events (you know, elections and emails and hacking and stuff) and ongoing privacy concerns, cyber security is something even ‘normal’ people (read: people who don’t work in or know much about tech) are thinking about.
As a tech company creating software that people around the world use, security is naturally something we’re concerned about. But we’re growing increasingly worried so we’re tightening our security.
What we’re doing
We do a number of things to help keep our company and customer data secure. We’ve used some of these security measures for a while but some are new additions (like our VPN). Combined, the below make up D4 Software’s ‘security stack’.
Using a VPN helps keep our communications private when we’re connected to networks that are public or otherwise not our own. With remote workers it makes a lot of sense to have a VPN for them to connect to and thus help reduce the risks of ‘packet sniffing’ or ‘man in the middle’ attacks.
When possible, we also suggest people connect over personal mobile hotspots rather than connecting via public wifi such as shared wifi in coffee shops.
With personal and shared spaces, a password manager is the best way to share sensitive information for us as team. We have a single shared vault (LastPass) for company-wide accounts (e.g. social media) while we all have our own personal vaults to keep our individual accounts (e.g. email) safe.
Secrets, sensitive material, and passwords shouldn’t be in Wikis, tracking systems, or email/chat. A password manager can act as a virtual safe to hold sensitive information, not just passwords and we use it as such. For example we keep database details, secure notes, wifi passwords, and the code to our office building in our password manager.
2-step authentication is mandatory for all company email and password manager accounts. It’s not bulletproof but it’s another layer any would-be attackers need to get through.
Automated offline and offsite backups
We carry out on-site, full-disk-encrypted external hard disk backups on a regular basis. We also have off-site, encrypted-at-rest server-based backups of all our data. Nothing special but having backups means we’re less beholden to others, such as ransomware attackers.
Backups are useless if they don’t work so we also regularly check their validity.
Passwords and hard drive encryption as mandatory on all laptops, even if your own
Every laptop you’ll ever use for work purposes needs to have a firmware password and hard drive encryption. If you accidentally leave your laptop on a train then it’ll be harder to extract the data from it with a password and encrypted hard drive.
Updates happen for a reason. They’re annoying but it doesn’t take much to keep your software current. WannaCry was only possible because Windows XP machines were no longer updating and were vulnerable. That’s why our server setup guidelines stipulate that our servers automatically download and install security patches without manual input.
Take the time to update your software — but make sure you take backups of your files and database first!
Internal security policy (includes no saved sign ins on your browser)
The above is outlined in an internal security policy. Everyone knows what’s expected of them when it comes to keeping data and information safe.
There is no such thing as 100% protection
There can be no 100% protection against cybersecurity threats but we can sure as hell minimise our “attack surface area”. The world is one big connected place and it’s becoming easier for nefarious actors to take advantage. But even thinking about security and taking proactive precautions means we’re ahead of many people out there. If you’re not thinking about online security, you definitely should be.