10 best practices to protect your users’ data

(and why they’re still not sufficient)

Aloïs Jobard
The Tanker blog
Published Jan 22, 2019

Over the last ten years, data breaches have become both more frequent and more damaging. Massive leaks regularly make the headlines, and attackers target businesses of every size, in every field. As former FBI Director Robert Mueller said, “There are only two types of companies: those that have been hacked, and those that will be”.

Data source: https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

If you run any kind of online business, you are probably collecting user data, which is valuable to both your company and your users. In its simplest form it may be no more than an email address and a password, and even such basic data can do significant damage if leaked or stolen, not least because people reuse passwords across sites.

However, hackers don’t stop at passwords: credit card numbers, personal information, email addresses, business data, everything has some value, and the business impacts of such breaches can be catastrophic. To protect your users’ data, and therefore your business, here are the ten security best practices that you should follow.

Make data theft more difficult

1- Use a firewall and a VPN to protect company data

Perhaps the most obvious security practice: keep your internal network unreachable from the outside. Set up a firewall that only allows the traffic your services actually need, and require a VPN (ideally with two-factor authentication) for remote access to internal systems. Keep in mind that a firewall does nothing for the services you deliberately expose, such as your public website or API; those are covered by practices 5 to 10 below.

2- Have a strong password policy

Up to 80% of people reuse their passwords, use personal passwords for work or choose very weak ones, with “123456” and “password” still the most used passwords in 2018¹. A clear internal password policy is critical in preventing unwanted access.

Use a password manager² so that every account gets a long, unique, randomly generated password, and enable two-factor authentication³ wherever possible. Rather than forcing everyone to change passwords on a fixed schedule, which mainly produces predictable variations of the old password and is no longer recommended by NIST SP 800-63B, change a password as soon as there is any reason to believe it has been exposed, and check new passwords against lists of known breached passwords.

3- Back up your data regularly to survive ransomware attacks

A current trend in cybercrime is to get access to your business data, encrypt it and extort money from your company to get it back. This is called a ransomware attack⁴, and its impact is greatly reduced by having frequently updated backups. These backups should be encrypted, stored in a location the compromised systems cannot write to (offline or immutable copies, not just a mounted network share, which the ransomware will happily encrypt as well), and restored from regularly: a backup you have never restored is not a backup you can count on.

4- Build a cybersecurity culture

With remote work and BYOD practices becoming more prevalent, more of the burden than ever falls on employees’ security awareness. It is crucial to educate all your employees on security risks and to have well-documented security policies for them to follow.

Phishing and other forms of social engineering are common methods attackers use to gain access to data or credentials. Your employees should know how to recognise them, and just as importantly how and where to report them without fear of blame.

Secure your website or application

5- Use relevant development practices

Releasing a buggy website or app containing a security flaw can lead to disastrous attacks: cross-site scripting, SQL injection, account takeover⁵…

Sound development practices reduce the risk of shipping such vulnerabilities. Make sure all code pushed to production is reviewed and tested, and that user input is never concatenated into SQL queries, shell commands or HTML (use parameterised queries and your framework’s escaping instead). Pin dependencies with a lockfile, keep them up to date and check them for known vulnerabilities. Use tools⁶ (static analysis, dependency scanners) in your CI pipeline to detect potential vulnerabilities automatically.
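To make the SQL injection point concrete, here is an added example (not code from the original post or from Tanker) using Python’s built-in sqlite3 module against a constructed in-memory table. The vulnerable function pastes the user-supplied email into the query text; the safe one passes it as a bound parameter. The same payload returns every row from the first and nothing from the second.

```python
import sqlite3

# Constructed sample data for the demonstration; not real users.
SAMPLE_USERS = [
    ("alice@example.com", "admin"),
    ("bob@example.com", "user"),
    ("carol@example.com", "user"),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, email):
    """Deliberately vulnerable: untrusted input becomes part of the SQL text,
    so a quote in the input can change the meaning of the statement."""
    query = "SELECT email, role FROM users WHERE email = '%s'" % email
    return conn.execute(query).fetchall()


def find_user_safe(conn, email):
    """Parameterised query: the driver sends the value separately from the SQL,
    so the input is only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


# Two classic payloads: a tautology that matches every row, and a UNION that
# pulls rows out regardless of the WHERE clause (the trailing -- comments out
# the closing quote the application appends).
PAYLOADS = {
    "tautology": "x' OR '1'='1",
    "union": "x' UNION SELECT email, role FROM users --",
}


def compare(payload_name):
    """Return (rows leaked by the vulnerable query, rows from the safe query)."""
    conn = make_db()
    payload = PAYLOADS[payload_name]
    leaked = find_user_vulnerable(conn, payload)
    safe = find_user_safe(conn, payload)
    return len(leaked), len(safe)


if __name__ == "__main__":
    for name in PAYLOADS:
        leaked, safe = compare(name)
        print("%-10s vulnerable query leaked %d rows, safe query returned %d" % (name, leaked, safe))
```

The safe version still finds real users, so nothing is lost by using it: `find_user_safe(conn, "bob@example.com")` returns Bob’s row while the payloads return nothing. ORMs and query builders use bound parameters for you, but only if you let them; string formatting into `raw()`/`text()` calls reintroduces exactly this bug.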

6- Perform third-party security audits

While it remains necessary to check and test your app’s code yourself, you should not rely only on your own team to ensure your app is secure. Hire an external security company to audit your code and infrastructure on a regular basis (at least once a year, and after any major change to the architecture), and track every finding to closure rather than filing the report away.

Limit the impact of unauthorized data access

7- Don’t store plain text passwords

Storing user passwords correctly is not as easy as it looks. Too many companies store passwords as is, or use fast general-purpose hashes (MD5, SHA-1, SHA-256, with or without a salt) that an attacker with a GPU can brute-force at billions of guesses per second. Plain text passwords are gold for any attacker, because most of them will also open the user’s accounts elsewhere, and a leak of them severely erodes your users’ trust.

Hash every password you store with a dedicated, slow, salted password hashing function such as Argon2⁷ (bcrypt and scrypt are also acceptable), using a unique random salt per password and a work factor tuned to take tens of milliseconds on your hardware, or delegate the problem to a third-party authentication provider.
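As an added example (not code from the post or from Tanker) here is the shape of a correct password store in Python. The post recommends Argon2, which needs the third-party argon2-cffi package; this example uses scrypt from the standard library’s hashlib instead, which is also memory-hard, so that it runs without dependencies. The encoded format (`scrypt$N$r$p$salt$hash`) and the `needs_rehash` helper are this example’s own conventions, not a standard.

```python
import hashlib
import hmac
import os

# Work factors: memory use is 128 * r * N bytes, so N=2**14, r=8 costs 16 MiB
# per hash (well under hashlib.scrypt's default 32 MiB limit). Raise N as
# hardware gets faster; needs_rehash() lets you upgrade stored hashes at login.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Return a self-describing string: scheme, parameters, salt and digest.
    A fresh random salt per password means equal passwords get different hashes,
    which defeats precomputed (rainbow) tables and cross-user comparison."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(n), str(r), str(p), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the hash with the parameters recorded in `stored` and compare
    in constant time. Anything that is not a well-formed record is rejected,
    including a legacy plaintext value that slipped into the column."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """True if the record uses a different scheme or weaker parameters than the
    current policy. Call it right after a successful login, when you still have
    the plaintext, and store hash_password(password) to upgrade the record."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    return [int(x) for x in parts[1:4]] != [n, r, p]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("valid login:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    print("upgrade needed:", needs_rehash(record))
```

Note that the verifier never learns the salt from the user or the parameters from configuration alone: both live in the stored record, so old hashes keep verifying after you raise the work factor, and `needs_rehash` tells you when to transparently re-hash them.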

8- Manage employees’ permissions

While it might be tempting to give every employee access to everything, doing so creates a gaping hole in your security. Allowing employees to access sensitive data they do not actually need increases the damage from both insider threats and external attackers who compromise an employee’s account.

Employees should be granted access only to the information and resources necessary for their jobs, and that access should be reviewed and revoked when roles change or people leave. This is the principle of least privilege⁸.

9- Monitor network and actions

If someone is stealing your data, you should be able to detect it. Monitor your network traffic and your applications’ audit logs, and set up automatic alerts for patterns that look like exfiltration: an account reading far more records than usual, large transfers to unfamiliar destinations, logins at odd hours or from new locations.

User activity monitoring solutions record the actions taken by your employees and flag suspicious ones so that your team can investigate them quickly. Keep the logs themselves where an attacker who compromises a server cannot alter or delete them.
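As an added example (not code from the post or from any Tanker product), here is one such detection written against a constructed audit log: it parses one line per record read and alerts when a single account reads more than a threshold of distinct records inside a sliding time window, which is what a scraping employee or a stolen back-office session looks like. The log format, the accounts and the thresholds are all invented for the example; lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log in a made-up "key=value" format. Alice browses a couple
# of records, Bob pulls 60 different records in one minute, Carol exports a
# report (a different action the rule ignores), and one line is malformed.
def sample_lines():
    lines = [
        "2019-01-22T09:00:01Z user=alice action=read_record id=1042",
        "2019-01-22T09:00:07Z user=alice action=read_record id=1043",
        "2019-01-22T09:14:30Z user=bob action=read_record id=77",
    ]
    lines += ["2019-01-22T09:15:%02dZ user=bob action=read_record id=%d" % (s, 2000 + s)
              for s in range(60)]
    lines.append("2019-01-22T09:40:12Z user=carol action=export_report id=9")
    lines.append("this line is garbage and must be skipped, not crash the detector")
    return lines


LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) id=(?P<id>\S+)$")


def parse_line(line):
    """Return (timestamp, user, action, record id) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group("user"), m.group("action"), m.group("id")


def detect_bulk_reads(lines, window_seconds=300, threshold=25):
    """Alert when one account reads more than `threshold` distinct records within
    any `window_seconds` sliding window. Re-reading the same record does not
    count, so a support agent refreshing one customer page stays quiet.
    Returns one (user, window start, distinct count) tuple per burst."""
    windows = defaultdict(deque)   # user -> (timestamp, record id) pairs in the window
    alerted = set()                # users already reported for the current burst
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, action, record_id = parsed
        if action != "read_record":
            continue
        q = windows[user]
        q.append((ts, record_id))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({rid for _, rid in q})
        if distinct > threshold:
            if user not in alerted:      # one alert per burst, not per line
                alerted.add(user)
                alerts.append((user, q[0][0], distinct))
        else:
            alerted.discard(user)        # burst is over; a new one may alert again
    return alerts


if __name__ == "__main__":
    for user, start, count in detect_bulk_reads(sample_lines()):
        print("ALERT %s read %d distinct records starting %s" % (user, count, start.isoformat()))
```

The rule fires once for Bob, 26 distinct records into his burst (his 09:14:30 read falls inside the five-minute window), and never for Alice or Carol. The useful tuning knobs are the threshold per role (a billing clerk legitimately reads more than a marketer) and the window length; whatever you choose, feed the alert to a human with the account name and the record list, since the point of monitoring is a fast, informed response rather than the alert itself.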

10- Use at-rest encryption

Any data you collect should be stored encrypted. Every major cloud storage provider offers an option to encrypt all data at rest automatically; check that it is turned on. If you run your own database, use a Key Management Service⁹ to hold the master key, and encrypt the data with per-record or per-table keys that are themselves wrapped by that master key (envelope encryption), so the master key never leaves the KMS.

This prevents anyone who obtains a copy of the raw data (a stolen disk, a misplaced backup, an exposed storage bucket) from reading it without also gaining access to the master key, which should be extremely difficult. Be clear about what it does not cover: the application decrypts data transparently for anyone who can query it with its credentials, so an attacker who compromises the application or an admin account still sees plaintext.

Go further

If you have implemented all of the above, congratulations! You are among the best in class on data security and privacy.

However, all these countermeasures only make breaches and leaks harder to pull off. Insider jobs and sophisticated attacks remain possible, and an attacker who gains access to the right admin account can still siphon off all the user data stored in your database.

All hope is not lost though, as there is a way to take your servers out of the trust equation: give users back ownership of their data. By encrypting data end-to-end, with keys that live on each user’s device, you ensure that the server (and therefore anyone who compromises it) only ever holds ciphertext, and that only the user and the people they explicitly share with can decrypt it. This is in-app privacy.

At Tanker, we’ve spent the last two years creating an open-source privacy solution that integrates into your web or mobile app and secures user data at the source.

You can sign up for free and try it here: https://tanker.io.
