The Small Business Software Security Checklist

In a digital world, it's more important than ever to keep your data safe and secure. Here's a checklist for you to go through or share with your team to make sure everyone is doing the most to protect your data.

If you're utilizing any piece of software to manage your data, or your customers' data, it's crucial that you're doing everything you can to ensure that data's safety. As a small business, we don't have full suites of software managed by IT teams to log in to every day, but there is still a lot we have to do. Here is the checklist to review every 6 months or so to make sure nothing is slipping through the cracks:

Always:

1) Use a unique password for every piece of software you log in to, or better yet: use a password manager.

We hear about this often enough: big companies get hacked, and user information like passwords is exposed. There's not much you can do to stop your software company from getting hacked, but there is a lot you can do to minimize the impact it has on you. The most important thing? Never re-use passwords. Using unique passwords means that even if one of your passwords is exposed in a hack, none of your other accounts are compromised.

If you have a hard time remembering unique passwords, use a password manager. We use 1Password at Less Annoying CRM, but another good option would be LastPass. These password managers store your passwords, and can generate strong ones for you. This means you only ever need to remember two passwords: the one to log in to your computer itself, and the one to log in to your password manager.

2) Enable two-factor authentication whenever possible.

Two-factor authentication ("2FA") adds a second layer of protection to your login -- in addition to your password. With 2FA, a code is generated by an authenticator app or sent to you by email or SMS, and you enter that code on top of your password to log in to a piece of software. This enhances security because it means that someone would need more than just your password to break into your account. So if your password gets compromised somehow, a hacker still wouldn't be able to get into your account if you have 2FA enabled, because they don't have access to your phone/email/authenticator app.

If you haven't done so already, here is how to enable 2FA on your Less Annoying CRM account.

Important note: When you set up 2FA on any software, you will be provided with backup codes. These backup codes can be used in lieu of your 6-digit generated code in case you lose access to your phone/email/authenticator app, so it's vital that you store your backup codes somewhere safe (e.g. in a password manager!). Do not just close out of your backup codes without saving them!
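As an added illustration (not code from Less Annoying CRM or this article), here is how a service checks the second factor described above: the 6-digit code is computed from a secret shared only with your authenticator app (RFC 6238), and backup codes are kept only as hashes and work exactly once, which is why they must be saved when they are first shown. The class and function names are this example's own.

```python
from typing import Optional
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code for `secret` at Unix time `at` (default: now).
    The authenticator app holds this same secret (shown as base32 in the QR code)."""
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None, step: int = 30) -> bool:
    """Accept the current 30 s step or the one on either side (clock drift),
    comparing in constant time so timing does not leak which digits matched."""
    now = int(time.time() if at is None else at)
    return any(hmac.compare_digest(totp(secret, now + d * step, step).encode(), submitted.encode())
               for d in (-1, 0, 1))


class BackupCodes:
    """One-time recovery codes. `issued` is shown to the user exactly once; the
    service keeps only SHA-256 digests, so a leaked database does not reveal
    usable codes, and each digest is deleted once its code is redeemed."""

    def __init__(self, count: int = 8) -> None:
        self.issued = [secrets.token_hex(4) for _ in range(count)]   # constructed at setup
        self._digests = {self._digest(c) for c in self.issued}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def remaining(self) -> int:
        return len(self._digests)

    def redeem(self, code: str) -> bool:
        digest = self._digest(code)
        if digest not in self._digests:
            return False
        self._digests.remove(digest)   # a code never works twice
        return True


def second_factor_ok(secret: bytes, submitted: str, codes: BackupCodes, at: Optional[int] = None) -> bool:
    """The check that runs after the password: a valid TOTP code or an unused backup code."""
    return verify_totp(secret, submitted, at) or codes.redeem(submitted)
```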

3) Review your browser extensions to make sure you're not granting unnecessary access to your webpages.

Browser extensions can have more access to your webpages than you might expect. It's unlikely that all of your browser extensions need full access to all of your websites, so it's important to occasionally review the extensions you have installed to make sure you've granted them the minimum amount of access they need to function.

In Chrome, you can see the details of each extension to decide what level of access they should have.

4) Enable full-disk encryption on your computer.

Full-disk encryption means that everything stored on your computer's drive is encrypted automatically. It encrypts your files, your installed programs, and even your operating system. Full-disk encryption ensures that even if your computer gets stolen, thieves cannot read the data on it without your login password or recovery key.

Here is how to enable full-disk encryption on a Windows computer.

Here is how to enable full-disk encryption on a Mac computer.

5) Know and understand your software companies' security practices and privacy policies.

If you don't, ask! We make it as straightforward as possible to learn about how LACRM keeps your data secure, and most software companies do as well. It might seem like a chore but give those documents at least a skim so you know what is being done to protect your data.

It's important as well to know your software's privacy policy -- do you own your own data? Have you granted your software access to mine your data? Knowing all of this upfront ensures you're never surprised when something goes awry.

Never:

1) Email your passwords to anyone, or keep them written down somewhere.

No software company should ever require you to email your password to them to log in. If you accidentally email your password to someone, immediately change your password to something else. If you're using a password manager already, share passwords through that password manager. This negates the need to email or tell anyone your password.

Important note: if a software company does require you to read out your password, or emails your password to you, stop using that software. Passwords need to be stored in a one-way encrypted (hashed) form, and if someone working at a software company can see your exact password, it means that they are not doing so, which is highly insecure.

2) Set up a "default" password like "password" or "123456".

This one is a no-brainer, yet millions of accounts still use these default passwords. Take a look at 2020's list of most common passwords, as well as how easy they are to hack, here. That little bit of convenience from using easy-to-hack passwords might feel like it's saving you a lot of time, but it's not worth compromising your and your clients' personal and private data to shave off those few seconds.

3) Rely on email or SMS authentication if an authentication app is available.

If you have two-factor authentication turned on, that's already doing more than half the work for you. But to really make your 2FA even more secure, you should make sure you are setting it up with an authentication app like Google Authenticator or Authy. Why?

Email is less secure than using an app because if someone breaks into your email account, they'll have access to every 2FA code sent there and can reset your passwords on any software program, which almost guarantees you lose those accounts entirely.

SMS authentication is less secure than using an app because it is very easy for a hacker to receive your SMS messages if they know your phone number (they can just go to a mobile phone store and pretend to be you!).

4) Leave your "stay logged in" option set for longer than a week.

Many pieces of software have an option for you to "stay logged in" -- it's convenient, it's fast, and it's useful if you're sitting in front of the computer for most of your day. But it becomes a problem if you set your software to stay logged in always (i.e. until you log out), or for weeks or months at a time. The reason to not do this is simple: if you leave your computer logged in and unattended, anyone can access your software accounts.

A safe compromise would be to keep yourself logged in for a week at most. Setting your "stay logged in" option to just 10 minutes would be better still, especially for software that you're not logging in to all the time (e.g. your password manager).

5) Re-use the same password! (Just don't do it).

If there is only one thing you take away from this article, this should be it. The easiest way to protect your accounts is to use a unique password for every single piece of software you log in to. Sure, it might feel like a chore, but with how often we hear about data breaches (just search for your email address here to see how often your own information has been leaked in a breach), this is the simplest way to protect your data.
