Over the last ten years, data breaches have become both more damaging and frequent. Massive leaks regularly make the headlines and hackers target businesses of every size, in every field. As former FBI Director Robert Mueller said, “There are only two types of companies: those that have been hacked, and those that will be”.
If you own any kind of online business, you’re probably collecting user data, which is valuable to both your company and your users. In its most simple form, it can only be an email address and a password, and even such basic data can have a significant impact if leaked or stolen.
However, hackers don’t stop at passwords: credit card numbers, personal information, email addresses, business data, everything has some value, and the business impacts of such breaches can be catastrophic. To protect your users’ data, and therefore your business, here are the ten security best practices that you should follow.
Make data theft more difficult
1- Use a firewall and a VPN to protect company data
Perhaps the most obvious of security practices: protect your internal network from external access. Set up a firewall to protect access to your data and a VPN to secure remote access.
2- Have an elaborate password policy
Up to 80% of people reuse their passwords, use personal passwords for work or use very poor passwords, with “123456” and “password” still being the most used passwords in 20181. Having an elaborate internal password policy is critical in preventing unwanted access.
Use a password manager2 and enable two-factor authentication3 wherever possible. All passwords should also periodically be changed.
3- Backup your data regularly to avoid ransomware attacks
The latest trend in cyber criminality is to get access to your business data, encrypt it and extort money from your company to get that data back. This is called a ransomware attack4, and it can easily be mitigated by having frequently updated backups. These backups should be encrypted and stored in protected locations.
4- Build a cybersecurity culture
With remote work and BYOD practices becoming more prevalent, more stress than ever is put on employees’ security awareness. It’s crucial to educate all your employees on security risks and issues and have well-documented security policies for them to follow.
Phishing or social engineering are common methods used by hackers to gain access to data or information. Your employees should know how to detect and react to them.
Secure your website or application
5- Use relevant development practices
Releasing a bugged website or app containing a security flaw can lead to pretty disastrous attacks: cross-site scripting, SQL injections, account theft5…
Using relevant development practices can reduce the risk of having such vulnerabilities. You should make sure all code pushed to production is reviewed and tested. Dependencies should be kept up to date and checked for vulnerabilities. Use tools6 to automatically detect potential vulnerabilities.
6- Perform third-party security audits
While it remains necessary to check and test your app’s code yourself, you should not only rely on your team to ensure your app is secure. Hire an external security company to perform security audits of your code and infrastructure on a regular basis (at least once a year).
Limit the impact of unauthorized data access
7- Don’t store plain text passwords
Storing user passwords is not an easy task. Too many companies store passwords as is, or use weak/out of date hashing algorithms. Plain text passwords are gold for any hacker, and would severely hinder your users’ trust.
Hash any password you store using a secure hash algorithm such as Argon27, or use a third party authentication provider.
8- Manage employees’ permissions
While it might be tempting to grant all access to every employee, it creates a gaping hole in your security. Allowing employees to access sensitive data they don’t necessarily need increases the risk of both insider threats and external hackers.
Employees should be granted access only to information and resources that are necessary for accomplishing their jobs. This is called the principle of least privilege8.
9- Monitor network and actions
If someone is stealing your data, you should be able to detect it. You should monitor your network traffic and set up automatic alerts.
User action monitoring solutions are designed to record every action taken by your employees and immediately detect and investigate suspicious user activity.
10- Use at-rest encryption
Any data you collect should be stored encrypted. Any cloud storage provider should have an option to automatically encrypt all data. Check that it’s turned on. If you have your own database, use a Key Management Service9 to secure all your data.
This will prevent any hacker who obtained this data from exploiting it without also gaining access to the master key (which should, hopefully, be extremely difficult).
Go further
If you have implemented all of the above, congratulations! You are among the best in class on data security and privacy.
However, all these countermeasures only make breaches and leaks more difficult to pull off. Insider jobs and elaborate hacks are still possible, and an attacker gaining access to the right admin account could still siphon all user data stored in your database.
All hope is not lost though, as there is a way to guarantee your users’ security and privacy: give them back the ownership of their data. By using end-to-end encryption directly on each user’s device to secure data, you can guarantee that no one can access it except its rightful owner. This is in-app privacy.
At Tanker, we’ve spent the last two years creating an open-source privacy solution that integrates into your web or mobile app and secures user data at the source.
You can sign up for free and try it here: https://tanker.io.
PS: This article was originally written by Aloïs Jobard and published on Tanker’s Medium. As you might not be on Medium yourself, we've reproduced it here to give you a chance to see it in your notifications feed.
Top comments (7)
The best way to prevent losing users' data is not having it in the first place. Businesses are overly greedy collecting data and too lazy deleting it.
On point 2:
the 'wisdom' of this age is to not rotate passwords on time but when there are indications that it is needed.
see: nakedsecurity.sophos.com/2016/08/1...
to list the do not do's
Two points here:
Please don't use an elaborate password policy. Policies like "8-16 characters, including one uppercase letter, one lowercase letter, and one number" are not useful. Instead, impose a minimum entropy of the password. Obligatory xkcd: xkcd.com/936/
Even before you get to the actual security of data, you need to first ask how you mitigate a compromise. Wikipedia needs backups to restore in case the site is erased, but doesn't need to protect the data from being viewed. A CIA system for communication with agents, on the other hand, needs a plan for extracting those agents and any handlers that may be compromised, and then rebuilding the networks that were compromised.
Before you store any data, figure out what you need to do to make all parties whole. The cost of doing that determines what level of security you need.
Completely agreed on annoying password policies, but I think it's important to balance that with helping users who manage to reliably top the bad password lists!
I'd encourage websites who want to go the extra mile to integrate with the "Pwned Passwords" API of HaveIBeenPwned.com and high-quality password strength estimators like zxcvbn instead.
Requiring periodic rotations is another bit of conventional wisdom that makes sense until you remember that you're dealing with people. Password managers, minimum entropy requirements, and 2fa give a lot more bang for your buck overall; rotations can help in certain sensitive circumstances but they're a bad general remedy. Most users already find password management painful, and asking them to do it all over from scratch every few months introduces all kinds of opportunities for doing it poorly.
Great post Dimitri 👏👏
I have came across some apps that does't do passwords but uses some alternatives to log users in.
Alternatives:
Login Links: Sends one time login link that expires after one use or after some time (Usually within couple of Hours.)
Entry Code: A 5-to-6 Digit One time code that users gets via Email or SMS and they use this code to Login to the app.
Other way is to Use Third party authentication like facebook or twitter, but in order to do that, said product must have already built trust among their users and even after that many users will not be comfortable of using their social logins.