3 Secure Ways To Communicate Passwords (And Why It Matters)
By Rob Wiltbank
In software development, it’s inevitable that you’ll want to outsource some work. Especially as you grow. You might need a pesky plugin altered, or you need help with an enterprise-level software integration. At some point, you’ll need to supply access to an off-site contractor. What’s the safest way to do that?
Let me tell you a quick story about an agency I’d contracted to help with the deployment of an application. This was a significant project, and we had contractors with us from the start. One morning, I logged into my computer to find an email from one of the contractors that included an image. The image was a screen capture of a server address and an admin-level username & password. These days, I hope it’s universally understood that there are three things you never send in an unencrypted email:
- Credit card information.
- Social security numbers.
I immediately called him on the phone. He was mortified about what had happened. But what concerned me the most was what he had said during the conversation. “I just forwarded it along as it was from my team member.” Which meant it had circulated around his office before I’d ever gotten it.
Implications of a Password Incident
The information security industry has established criteria that help determine a security issue’s severity, which include:
- Was there an actual security breach because of the leaked credentials?
- Who has possession of the information?
Knowing this information helps shape the path to contain and remediate the incident. In my case, our two companies contained the information between us. We were fortunate. The potential business implications of a significant security breach are nightmares. Had there been a legitimate breach, it would have exposed sensitive client and employee data. It would have revealed financial information. It could have led to theft of social security numbers. And, depending on your industry, this could have made local or national news.
Remediating a Security Incident
Your first step will always be to put together your IT team. The sooner you can communicate the issue, the better your outcome will be. Too often, people will (understandably) be reactive. Take a moment to recount where you stand, and make sure all the key players are at the table. Then, you can put together an effective plan to move forward. This would generally include:
- Block access to the compromised system, change passwords, and begin an audit of the server logs.
- Notify the contractor. If they have a security team, have them work with your IT department to effect any needed changes. If they are at fault, they will probably not charge you for this work.
- Clean up the trail. Mail doesn’t just live in your inbox. The message lives on email servers in your environment and the contractor’s. Make sure to delete the email from all email clients and servers on both sides.
- Develop a plan with the contractor for future communications that involve passwords.
- If you’re not comfortable having the person who sent the email on the project, ask to have them replaced. This may cause delays in the timeline, but it’s worth it. You have to be comfortable with the people who have access to your most sensitive business data.
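The log audit from the first remediation step could start like this. This is an added example, not from the original article. It assumes OpenSSH-style auth log lines, a known time the credentials were exposed, and a set of source IPs you expect; the log lines, account name, year and addresses are constructed.

```python
import re
from datetime import datetime

# Constructed sample sshd auth-log lines (not from the original article).
SAMPLE_LOG = """\
Mar  3 08:02:11 web01 sshd[1901]: Accepted password for admin from 198.51.100.10 port 50211 ssh2
Mar  3 09:40:27 web01 sshd[2210]: Failed password for admin from 203.0.113.45 port 51120 ssh2
Mar  3 09:41:03 web01 sshd[2214]: Accepted password for admin from 203.0.113.45 port 51122 ssh2
Mar  3 10:05:48 web01 sshd[2302]: Accepted password for deploy from 198.51.100.10 port 50330 ssh2
Mar  3 11:15:30 web01 sshd[2410]: Accepted password for admin from 198.51.100.10 port 50412 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def audit(log_text, account, exposed_at, known_ips, year):
    """Return (timestamp, result, ip, verdict) for every login attempt on
    `account` at or after `exposed_at`. Syslog lines carry no year, so the
    caller supplies it."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] != account:
            continue  # not an sshd auth line, or a different account
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ts < exposed_at:
            continue  # before the credentials were exposed
        if m["ip"] in known_ips:
            verdict = "expected-source"
        elif m["result"] == "Accepted":
            verdict = "INVESTIGATE: login from unknown source"
        else:
            verdict = "failed attempt from unknown source"
        findings.append((ts, m["result"], m["ip"], verdict))
    return findings

if __name__ == "__main__":
    exposed = datetime(2024, 3, 3, 9, 0, 0)  # assumed time the email was sent
    expected = {"198.51.100.10"}             # assumed office address
    for ts, result, ip, verdict in audit(SAMPLE_LOG, "admin", exposed, expected, 2024):
        print(ts.isoformat(), result, ip, verdict)
```

A successful login from an address outside the expected set after the exposure time is the case to escalate; changing the password does not end sessions that are already open.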
How to Send Passwords Safely
Advance planning could have prevented this incident. It’s important to lay out the ground rules before the job starts. When it comes to the secure communication of passwords, you have a few options.
- Communicate passwords verbally, either in person or over the phone.
- Communicate passwords through encrypted emails. There are some great open source tools for encrypting your email. It requires a little initial setup and configuration, but it’s worth it for long-term relationships. Check out tools like
The post 3 Secure Ways To Communicate Passwords (And Why It Matters) appeared first on GetResponse Blog – Email Marketing Tips.