We all want to abide by security best practices, but who decides what is best? If something is best for one firm, is it best for all? Too often we do not take the time to analyze what we are protecting to ensure we are protecting it as well as we can. There are, however, some basic techniques that can be deployed in nearly all organizations. I’m calling these recommendations “minimum practices.” Here are six to consider.
1. Multi-factor authentication
Multi-factor authentication (MFA) is a must-have protection; every firm needs to determine how and where to deploy it. Some say a best practice is not using text messages or other phone-based authentication techniques that could potentially be hacked. I’d argue that the goal is not perfection. Rather, it’s to be secure enough that the attacker passes you by and goes on to the next victim.
SMS attacks require that the attacker target your firm. Spoofing a specific phone number takes planning and time. For most firms this targeting is not realistic. Any sort of second authentication method, not just the most secure, is a plus.