2023-03-21

Key security measures for a small organization

A small non-profit recently asked me for recommendations for improving their password security.  They wrote:

Do you make recommendations on password security software for businesses?  We are looking to increase our security and password protection, but are getting so many different opinions on best options.  Last Pass was popular and has been recommended in the past, but apparently has had some security breaches as well.

 My reply was as follows.  (This would apply equally to a for-profit organization.)

Bitwarden and 1Password are the password managers I tend to suggest.  Because of the LastPass data breach I no longer suggest LastPass.  Organizations should typically use the Teams version of their chosen password manager so that the service can be managed for the organization.

 For a bit more background you can see my blog post on the LastPass breach:

The big LastPass data breach and what to do about it (gsharratt.com)

This is a good article with more info: 

The 2 Best Password Managers of 2023 | Reviews by Wirecutter (nytimes.com)

Two-factor authentication (2FA) is the other critical part of security for account credentials.  My blog post has more info, including lots of info on Authy:

Set up two-factor authentication (2FA) - another nice COVID-19 project (gsharratt.com)

A core third leg of security is device security, including strong passwords/PINs for all devices and full-disk encryption (FDE) for all computers, so that no data is compromised if computers are stolen or lost.  If you have Macs they likely already have FDE, but if you have Windows PCs they would need BitLocker in order to support FDE.   Search for “BitLocker” in this blog post:

Core security advice for general users [aka security hygiene] (gsharratt.com)

Hopefully you have an IT person or an IT managed service provider, and they can help you set up FDE for all computers.  They might possibly also be able to help you set up a password manager and 2FA.

This blog post contains an overview of other security controls that you could consider:

Security hygiene for a small professional office (gsharratt.com)

Note that the above are just generic suggestions that are typically suited to small organizations, since I know little about your organization and so can’t give advice.