Healthy habits

Using an information system in the present day might be complex and dangerous for non-expert people. It is important as an organization to keep in mind that people are not supposed to be IT scientists to work on a computer. Just as being allowed to drive a car does not mean being able to identify an upcoming failure by reading a warning code on the dashboard, being an employee of an organization using computers does not mean being able to use those computers safely and efficiently. Training is needed for that.

At Bravas we consider that it is part of our job to help educate end users to keep them secure and confident in their work. You will find here some advice to help everyone to reduce the risk and improve their efficiency.

Digital Life Management

Nowadays, everything is digital, both in personal and professional life. You sign your mortgage within an app on your phone, you ask for your vacations on a website. Your whole personal and professional life is managed through a virtual proxy of your identity.

Being in control of that identity is important, and to do so, you need to clearly define a boundary between the two.

Your professional identity is managed by your organization and represented by your corporate e-mail address. This identity is legally owned by your organization, which, within the limits of local law, can under some circumstances access elements related to this identity. Its lifetime is directly linked to your time at the company: when you leave, this identity becomes unavailable.

Hence, it is important for you to manage a second, personal identity. This personal identity must be hosted on something not related to your organization, like an Apple, Google or Microsoft account: something that will age with you and will let you keep access to your personal identity over time, regardless of where you work or study.

If you are reading this documentation, your professional identity is secured by Bravas, a strong security framework that allows your organization to secure your professional identity without passwords.

But you still need to manage your personal identity in a healthy manner. Our recommendation is to follow your account provider's procedures to enable passwordless authentication capabilities such as a FIDO2 key. Your online personal identity will then be linked to physical tokens, like two YubiKeys: one on your keychain for daily use and one in your safe box as backup access.

Keep in mind that protecting your personal identity matters both for yourself and for your organization: a hacked personal e-mail address can lead to a phishing campaign against your co-workers.

This dual identity can also lead to dual devices. Just like you have a house and an office, a phone number at work and at home, you may want a smartphone for work and a smartphone for your personal life.

Nowadays, a smartphone can have multiple lines and can even split work and personal content to ensure data isolation between the two. But keep in mind that the owner of the hardware will have the final word. Having your personal life on your professional phone means the company can wipe your personal data without notice.

Conversely, allowing people to have work-related content on a personal device means the organization cannot enforce some security restrictions on it.

This does not mean that you have to buy the most expensive hardware for your personal life. Sometimes a tablet is enough for your daily home use. You can even ask your organization to sell you some of its used hardware.

Being up-to-date

The software industry is vulnerable; it always has been and always will be. Software is made by humans, under time and budget constraints, and without the advanced testing requirements or enforced safety methods that Western countries impose on the nuclear or aviation industries.

But unlike those industries, the software industry is agile, moves fast, and releases often.

All the software you use ships initially with limited features and with bugs, and is frequently updated to improve the situation.

This is why it is important to always stay up to date. And if the operating system you use is no longer maintained by its vendor, you must move to the next one.

Stay up to date in both your personal and professional life to ensure the safety of all your operations and finances.

Avoid passwords or use a password manager

Within your organization, every single service you provide to your stakeholders must be protected by federated authentication with Bravas.

If your software vendor does not offer federated authentication today, that vendor is out of date and represents a major risk to your continuity of operations. Do not work with a provider that does not offer federated authentication.

In your personal life, rely as much as possible on the Sign in with Apple / Google / Microsoft options to consolidate all your access and online security into a single account that is highly protected by widely trusted actors.

If you are forced to use a solution with passwords, use a password manager such as the one built into your Apple, Google or Microsoft account, or a third-party solution like 1Password. A password manager ensures that each third-party service relying on a weak authentication mechanism gets a unique password that is not used elsewhere and is not easy to guess.

Device Security

All modern security frameworks, such as the one your organization uses with Bravas, or the one used for personal accounts by Apple, Google or Microsoft, are based on the physical security of your devices.

This means that every one of your devices must have a local passcode that is unique to that device and not known by anyone else.

Being able to unlock any of your devices today has more impact than holding a power of attorney over your belongings.

Only you must be able to unlock your devices, not your significant others, not your co-workers, not your boss, only you.

And of course, your devices must not be left unattended. Always know where your devices are, and if you have to leave them unsupervised, make sure they are locked.

Encryption of your corporate endpoints is enforced by Bravas. Make sure to enable encryption on your personal devices too. The same goes for external storage: if possible, avoid it and rely on cloud-based data hosting. If you have to use external storage, make sure it is encrypted and have processes in place so that you do not lose it.

Taking care of your device's security also means taking care of what you connect to it. A USB socket provides both data exchange and electrical power. Never trust a shared socket that exposes USB directly: you never know whether it is just a power line or whether there is a computer behind it to dump your data.

Maybe you were told as a child never to accept candy from strangers. The same goes for adults and USB keys: never connect your devices to something coming from an unknown source. A marketing USB key, or a USB key with your company logo found in the street, is usually an attack vector.