Have you ever had that fleeting moment of panic when you realized you might have forgotten to lock your car doors? Suddenly you start thinking about the designer sunglasses in the glove compartment, your garage door opener in the console or the laptop you put under the seat. And now you have to rush out of the office, store, or restaurant to check to see if everything is still there.

You have every right to be concerned in this situation – our vehicles are an extension of our personal space. Your car contains valuables that can be compromised if someone were to gain access. Now think about your work email. Do you feel a similar concern? If not, maybe you should.

Consider the following two scenarios:

  • Someone breaks into your car. They find your registration or insurance card with your address on it and steal your garage door opener. Now they can get into your garage and possibly even your house, putting you and your possessions at serious risk.  
  • Now compare that to your primary email account. Someone hacks their way in and resets passwords to other sites you access, sends phishing emails to business associates, or asks accounting to wire money to a bank account of their choosing. Again, this is some serious risk.  

Now for the scary part.

When your car gets broken into, you immediately know (broken glass, missing items, etc.), so you can take action. If someone breaks into your email account, there is a possibility they will camp out in it for weeks or months without you knowing.

The scenario above is just one reason why IT security is so fundamental to your organization. But never fear, Ripple IT is here. And we’re going to lay out 4 steps you can take today to better secure your team.

1. Get Multi-Factor Authentication (MFA) For Your Email

As you probably know by now, traditional usernames and passwords are extremely vulnerable and can be easily stolen. Multi-Factor Authentication (MFA) verifies a user’s identity by requiring multiple credentials in addition to a username and password, such as an answer to a security question or a code sent to the user’s smartphone.

If you do not have MFA enabled on your email, drop everything and click one of the links below to get that set up NOW. We'll wait.

Once you’ve set up MFA, you’re ready to move on to the next three steps.

2. Educate Your Users

As any IT security specialist will tell you, humans are always the weakest link. User behavior can and will undermine every security measure you have in place. This is why education is so important.

Imagine if you set up the MFA solution for your email, but then your CEO’s password gets compromised. The second factor of authentication kicks in and prompts for the code only the CEO has. You are safe, right? Wrong. If the CEO has not been properly educated, they may approve the MFA notification that comes to their phone without realizing what they are doing. The result is that the attacker now has access to the CEO’s mailbox and can set up alternative places for the MFA prompt to go without anyone being the wiser. 

The example above is more common than you might imagine. It’s also a clear reason why education must be part of your security process to keep your measures airtight. The key to educating effectively is repetition and testing. See the education section in our other post for more ideas.
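The scenario above leaves a trace an administrator can look for: a new MFA method registered from a location the user has never signed in from before. The script below is an added example, not Ripple IT's code, and it runs over a constructed JSON-lines audit log; the field names (`ts`, `user`, `event`, `ip`, `method`) are an assumption, since every identity provider uses its own schema.

```python
"""Flag MFA-method registrations that come from an IP the user has no sign-in
history from. Added example with constructed data; the log schema is assumed."""
import json
from datetime import datetime, timedelta

# Constructed sample log (not real data). It replays the post's scenario: the
# CEO normally works from 203.0.113.10; late at night someone signs in with the
# stolen password from 198.51.100.77, the CEO approves the push, and a new
# phone is registered for MFA three minutes later. The CFO adds an
# authenticator app from their usual IP, which should not alert.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:00:00", "user": "ceo@example.com", "event": "signin", "ip": "203.0.113.10", "mfa": "approved"}
{"ts": "2024-03-04T09:01:00", "user": "ceo@example.com", "event": "mail_read", "ip": "203.0.113.10"}
{"ts": "2024-03-04T22:15:00", "user": "ceo@example.com", "event": "signin", "ip": "198.51.100.77", "mfa": "approved"}
{"ts": "2024-03-04T22:18:00", "user": "ceo@example.com", "event": "mfa_method_added", "ip": "198.51.100.77", "method": "phone:+1-555-0100"}
{"ts": "2024-03-04T10:30:00", "user": "cfo@example.com", "event": "signin", "ip": "203.0.113.10", "mfa": "approved"}
{"ts": "2024-03-05T08:00:00", "user": "cfo@example.com", "event": "mfa_method_added", "ip": "203.0.113.10", "method": "authenticator_app"}
"""

# Sign-ins inside this window before the change are ignored when deciding
# whether an IP is "known": the sign-in that preceded the change is exactly
# the one we distrust.
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])


def known_ips(events, user, before):
    """IPs the user successfully signed in from strictly before `before`."""
    return {e["ip"] for e in events
            if e["user"] == user and e["event"] == "signin" and e["ts"] < before}


def find_suspicious_mfa_changes(text, window=WINDOW):
    """Return (user, method, ip) for every MFA method added from an IP that has
    no sign-in history older than `window` for that user."""
    events = parse_log(text)
    alerts = []
    for event in events:
        if event["event"] != "mfa_method_added":
            continue
        history = known_ips(events, event["user"], event["ts"] - window)
        if event["ip"] not in history:
            alerts.append((event["user"], event["method"], event["ip"]))
    return alerts


if __name__ == "__main__":
    for user, method, ip in find_suspicious_mfa_changes(SAMPLE_LOG):
        print(f"ALERT: {user} registered MFA method {method!r} from unfamiliar IP {ip}")
```

On the constructed log this reports the CEO's new phone number and stays quiet about the CFO. The hour-long exclusion window is the important design choice: without it, the attacker's own sign-in at 22:15 would make 198.51.100.77 look like a familiar address by 22:18.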

3. Make IT Security Simple to Maximize Adoption

Remember the example we gave in the intro about someone breaking into your car and stealing the garage door opener? You might have been thinking to yourself, “who uses a garage door opener anymore when they’re built into cars these days?” This is a perfect example of hard-to-use technology that users avoid. For some reason many car companies make the button sequence and frequency syncing so painful, users just decide to keep the garage door opener in the car.

Make no mistake, any effective IT security solution must be simple enough for users to utilize all the time. Any circumvention of the solution and you might as well not have it.

Let’s examine the bane of most users' existence and commonly one of the weakest links in security – the complex password.

Does this scenario sound familiar? A user uses the same word for the first 6-8 characters and then adds some number (like the year or street number) on the end of the password to satisfy complex password requirements. Sometimes there is a symbol too, like the exclamation mark, which is the most popular. This same password is used for all of their systems that require “complex” passwords. 

This happens all too commonly and is far from secure. If any of those systems get compromised, then that user’s accounts on all applications are compromised. So what can you do about it? Implement a password manager. Password managers are built to securely store all of the user's passwords, make changes and additions easily, and allow for secure management of shared passwords. Typically, they integrate with all the major browsers, making password fills quick and easy. 
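The "word + number + exclamation mark" habit is easy to describe in code, which also makes it easy to reject at password-set time. The script below is an added example, not Ripple IT's code or any password manager's: it flags that pattern against a constructed word list (a real deployment would use a breached-password or dictionary list) and then shows that a randomly generated password of the kind a password manager produces passes the same check.

```python
"""Reject the 'word + digits + optional symbol' password pattern and generate a
replacement. Added example; the word list is constructed, not a real dictionary."""
import re
import secrets
import string

# Constructed stand-in for a dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "summer", "company", "ripple", "atlanta"}

# word of 4-10 letters, then 1-6 digits (a year or street number), then at
# most one trailing symbol: exactly the structure described in the post.
WEAK_PATTERN = re.compile(
    r"^(?P<word>[A-Za-z]{4,10})(?P<number>\d{1,6})(?P<symbol>[!@#$%^&*.?]?)$"
)


def matches_weak_pattern(password):
    """True when the password is a known word followed by digits and an
    optional single symbol; matching is case-insensitive on the word."""
    match = WEAK_PATTERN.match(password)
    return bool(match) and match.group("word").lower() in COMMON_WORDS


def check_password(password, min_length=14):
    """Return a list of problems; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if matches_weak_pattern(password):
        problems.append("common word followed by digits and an optional symbol")
    return problems


def generate_password(length=20):
    """Random password from letters, digits and symbols using the `secrets`
    module, the kind of value a password manager stores for the user."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*.?"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("Welcome2019!", "Summer2020", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
    fresh = generate_password()
    print(f"generated {fresh!r}: {check_password(fresh) or 'ok'}")
```

The length floor does most of the work: even a "complex" 12-character password built this way is rejected twice, once for length and once for structure, while the generated one passes. Note what this check cannot do: it has no way of knowing whether the same password is used on other systems, which is the reuse problem only a password manager really solves.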

A couple password managers we like are: 

4. Build a Plan

Now that you have patched some of the low hanging fruit, it’s time to decide where to go from here.

Security is all about risk management. In order to best serve your organization, you should build a comprehensive plan that includes protection of your users, systems, applications, and data.

We advise using the NIST framework as the guide for how you go about protecting your organization moving forward.

Basically, this framework will guide you on the following:

  • Put processes in place to identify what needs to be secured
  • Implement measures to protect what needs to be secured
  • Detect when and if there is a breach
  • Create a process for responding to a breach
  • Recover from that breach

How an IT Security Partner Can Help

Security is a commitment. The process is never over and can take up a lot of your valuable time. The best way to stay on top of this is to find an IT partner that can take the lead on keeping your organization secure. 

Most MSPs have similar security tools as part of their standard package. The most important thing for you to do when evaluating them is to make sure they cover some of the more nuanced aspects of security like strategy, user education, and simplicity.
