What you can do to improve your security measures following Data Privacy Day

The 28^th January was Data Privacy Day – an annual event to raise awareness about personal data protection and privacy. Here at The Final Step, we’re starting off the year strong by reviewing what we do on a daily basis to keep our data private, and we’re passing on some tips to you.

In this article we’ll share some excellent pointers from our technical team about things that might be overdue a review. If you haven’t considered these in some time, this is your sign to make sure your data privacy measures are up to scratch and improve your cyber security.

Be aware

Awareness is the first step in keeping your data private. In a recent in-depth article, we covered the worrying rise of phone theft made more devastating by an act called shoulder surfing, where thieves watch your enter your passcode over your shoulder before stealing your phone, giving them near unlimited access to your private data.

Awareness is key in the fight against shoulder surfing and phone theft. A lot of the advice comes down to simple precautions that you might consider common sense, but are often overlooked whilst we go about our daily business.

Keep an eye on your surroundings, use biometric security measures where possible like Touch ID and Face ID, keep your phone in your pocket in crowded public areas, and off the table when you’re at the pub or the coffee shop. There are several other damage control features you can implement if your phone is stolen – learn more about staying safe and defending against this crime.

Emre, our Security Services Engineer, has emphasised the need to have a standalone password manager. We use Keeper at TFS, as our research shows it’s one of the most secure and customisable. We don’t recommend using built in password managers like Apple Keychain, as it can be accessed with the same code you use to unlock your phone – if a criminal sees you enter your phone password, this will give them access to all your account passwords too!

Keeper, or a free alternative like BitWarden or 1Password, allows you to store logins, payment cards, personal information like passport details, photos and much more. Keeper can generate new passwords or store existing ones, but just make sure when storing your existing passwords that they are all long, unique, and don’t contain any personal information like pet names, nicknames, or streets where you grew up. If they do, change them.

Emre also highlighted the ability to share passwords with your colleagues whenever you need to and create shared folders so verified individuals can share full access to relevant logins. Something else Emre mentioned is the danger of people sharing passwords via sticky notes of keeping their login information in close proximity to their laptop. If you’re someone who does this or you know someone who does, it’s time to stop. Use a password manager to do the hard work for you rather than being an easy target for criminals.

We’ve just released a handy video tip to show you how to create and store a unique password in Keeper, so make sure you check it out if you need a helping hand or are considering getting a password manager.

Be secure

Keeper and most other password managers are capable of also storing an MFA authentication code for each of your logins. If you don’t have MFA on all possible accounts, you should get it. If you don’t have it on your most important accounts, you must get it. Having MFA to further secure your accounts is not negotiable – hackers are getting smarter and working harder, having MFA puts in another substantial line of defence.

You can store MFA codes in your password manager or you can use your phone as the authenticator, either with an app like Microsoft Authenticator, or via codes sent over text/call to confirm that it’s really you. Making sure you have MFA on every account possible shows that you take your data privacy, and your clients’ data privacy, seriously.

On top of securing your logins, you should also be securing your hardware. As our Professional Services Automation and Field Engineer, Luke makes a lot of trips to see our clients, often by train. Whilst Luke always keeps his laptop nearby, knowing that his hard drive is encrypted allows him to travel with confidence – if he did lose his laptop or it was stolen, the data on the system is protected.

With remote or hybrid working the new norm for many companies, it’s important to have encryption on your machines – hybrid employees are travelling more frequently with their machines, and remote workers have the freedom to work from almost anywhere. Losing your machine is one thing, but exposing the data on it can be incredibly damaging. Don’t tempt fate, encrypt your hard drives.

Be up to date

Something we’re all guilty of is delaying software updates. They take forever, you have to restart your device and wait for it to install, and they always seem to prompt you to update at the worst moments. Whilst software updates are understandably very inconvenient for us, they’re also inconvenient for hackers. Updating to the latest version of the software doesn’t just give you the latest user interface and fun new apps to experiment with, it also patches up weaknesses that hackers are exploiting to jeopardise your system.

So, if you’ve been waiting for a sign to update your iPhone, your laptop, your software, or anything else – just accept the damn update!

In the same vein, don’t neglect your hardware. If you’ve ever tried to update your phone or computer to the flashy new operating system but aren’t able to do so, it might be time to consider an upgrade. Eventually, all phones become obsolete and stop receiving support from the manufacturer. We’re not saying that you need to buy the latest iPhone every time they come out, but if your phone has stopped receiving major updates for some time now, it’s worth considering an upgrade. The same is true of computers, but often relates to the operating system – if you’re still a Windows XP purist, get with the times!

An honourable mention goes to hardware that’s often overlooked, such as routers. If you’re still using a router provided by your internet service provider, make sure it’s using the latest WPA3 standard of security (mandatory since mid-2020) and is protected with a strong, custom password you set yourself. If you’ve been using your router for a good few years and it’s using a lower security protocol, it might be time for an upgrade. Not only are newer, dedicated routers more secure, they also provide better signal throughout your home, and you can take it with you if you move. What’s not to love?

Be strict

Our Service Desk Engineer Greg recommends that every business follow the Principle of Least Privilege. This means that all staff members are only given the absolute minimum permissions and access needed to perform their job. Whilst this initially sounds like quite an extreme measure to take with your trustworthy employees, it’s a tried and true method of keeping your business secure.

Following this principle isn’t about trust (though it does inhibit internal bad actors from wreaking too much havoc), but is about limiting mistakes and keeping irrelevant or sensitive information away from everybody but those for whom it was intended. The Principle of Least Privilege ensures intellectual security, better system security, and ease of deployment (the fewer privileges an application requires, the easier it is to deploy within a larger environment).

Another supporting principle to this is that of Zero Trust. Where the Principle of Least Privilege relates to permissions and access, Zero Trust relates to authentication and operates impartially for all users across the environment. On your personal device you can opt for sites and software to remember your password, log you in automatically, or not require an MFA code – Zero Trust prevents this on company machines. In terms of authentication, the system treats you like you are logging in for the first time, every time.

Whilst this might sound inconvenient, we implore you to look at your IT and your business with a security first mindset. At TFS we’re very aware that it’s always about striking the right balance between security and convenience, which is why using a password manager for your passwords and MFA ensures the entire experience is as convenient as possible, making you less likely to relapse into bad habits.

Be prepared

When it comes to testing your disaster recovery plan, Senior Escalations and Systems Engineer Gabor says there’s no time like the present. It’s one thing having a plan, but it’s another thing knowing how to execute it if there’s a disaster. If you’ve never practised your disaster recovery plan, you don’t know how long it’ll take, who will carry out which tasks, and most importantly, whether there are any gaps or holes in your plan.

We at TFS recommend this is done once a year at a minimum, but ideally twice a year – failing to prepare is preparing to fail. Don’t have a recovery plan at all? Contact us to make sure you’re covered on a rainy day.

Get your data privacy up to scratch

Now is the best time to make sure your data privacy measures are up to date and assess everything you use and do regularly to see if there’s anything you need to brush up on. Whilst we’ve all been guilty in the past of reusing the same, easy-to-remember password and none of us think it could ever be us that falls victim to phone theft, take our engineers’ advice and check over the above, as data privacy breaches and cyber crimes can, and usually do, happen unsuspectingly.

Get your IT company to help you with anything you’re unsure about or might need more information on. Don’t have one? We can help. Get in touch with us today to discuss your IT support needs, and if you’re really looking to get in tip-top data privacy shape, ask us about an audit.

You can call us on 020 7572 0000, get in touch via our Contact us page or message us on our live chat from the homepage.