Cybersecurity is everyone's responsibility. Here we share some of the best practices, standards and guidelines to safeguard both your company and your personal data.
Password managers are a great way to reinforce the strength of your account security. They make it practical to have a unique login for every site or application you hold credentials for, and they let you make those passwords very long and random (e.g. a password like “e82X@c4!$Gsk101#S3ndu8(38s”, which is 26 characters long, completely random, and practically impossible for an attacker to guess).
Password managers ensure that you never have to remember these passwords, which also makes rotating them easier. Remember just one strong passphrase to authenticate to your password manager (and enable MFA!) and let the password manager take care of the rest for you.
Multi-Factor Authentication (or MFA) helps secure accounts by requiring a unique code, generated at the time of login, that typically comes from a smartphone or other physical token. It is becoming more widely supported across applications. Authenticator apps such as Authy, Google Authenticator, or FreeOTP can be linked with many services like Google, Facebook, Amazon, bank accounts, and more.
MFA greatly helps secure accounts because the second code must be present at the time of authentication, so even if someone gets hold of your password, they typically won’t be able to log in without that second factor. While there are ways to bypass it, most attackers won’t have the technical ability to get around MFA when it's properly set up. Strong passphrases are still highly recommended, but MFA adds an additional layer to authentication that helps guard accounts against weaker passwords. A layered approach to authentication like this does a great deal to improve account security and takes very little effort to set up and configure.
More and more companies are moving to Single Sign On (SSO) solutions, and for good reason. SSO bridges the gap users typically face between security and convenience. When your IT department links multiple applications to an SSO solution, only one strong passphrase is needed to authenticate you to all of them. IT can then monitor that single point of authentication to help ensure no one but you is accessing your accounts. This relieves users of the pressure to maintain long, strong, unique passphrases for the many applications they need to access daily for their work.
Users can secure their account even further by employing multi-factor authentication or password managers. Single Sign On applications are not without their weaknesses; they are still web applications, and with that comes all the security issues web applications face. However, if your company is choosing a well-known provider, chances are they have internal security teams dedicated to hardening their application. Many of them could even have a bug-bounty program, which rewards security researchers from around the globe for reporting vulnerabilities to their team. Despite their potential weaknesses, SSO applications are generally recommended among security professionals since they make it easier for users while still offering improved security through authentication and account change monitoring.
Most users are not compromised through an advanced hack targeting their company’s networks or computers. Instead, social engineering threats like phishing scams are the most prevalent for harvesting user credentials or other information. Often these general emails are unsuccessful, but emails that are specifically crafted to target an organization or users of a specific service (like eBay, Facebook, Google, Amazon, etc.) can be quite effective.
User training on spotting phishing emails can help, but a well-crafted scam email can look innocuous at first glance even to seasoned veterans. While people are often more concerned with which antivirus products are the best on the market, phishing scams are still making off with their account information. It doesn’t matter how up to date your computer is, what kind of antivirus product you have, or that you have a dedicated security team at your organization if you willingly hand over your credentials to attackers. How can you help secure yourself? By ensuring your authentication methods are secure and that you understand what phishing attacks look like.
The SEC OCIE guidelines are vague in many areas, subtly suggesting some things and forcefully recommending others (with the caveat that security may be different for each firm). One thing that they do not mince words on, though, is the need to vet vendors. They clearly state that a company does not abdicate its need to ensure that its data is secure just because it moves the data to the cloud.
How can you verify that data kept on servers that you don’t control is safe? You obviously can’t. At the same time, both as a good practice and to satisfy the SEC (and other governmental, compliance, and regulatory agencies), it is important to conduct due diligence on vendors.
What’s involved in this process? In theory, it is actually quite easy. Just start asking questions. Ask the vendor, check their website, Google them. Ask in-depth questions and follow up when the questions yield information that is different than you’d expect. If you are already using a vendor, look at how they are performing. Basically, you want to do a miniature Risk Assessment on each vendor that holds your data or has access to your systems.
Some vendors will cooperate quickly, providing all the necessary information immediately. Others will provide the same information slowly, and still others won’t even bother calling back. Some (like Microsoft) really don’t care. The trick is to find out everything possible anyway. It often takes a little detective work: how data is backed up, what a company’s reputation is, whether they’ve had any incidents, how good their security really is (all of these can be discerned). It is just a matter of, as the title suggests, being diligent.
Cobaltix Compliance is happy to do this work for clients or to guide them if they would like to do it themselves.