Practical Steps for Securing Your Mass Notification System

Considering the number of notable data breaches over the past year, it’s no wonder cybersecurity is a top focus area for IT and business resilience professionals around the globe. And when it comes to an enterprise-level mass notification service, a high level of attention and scrutiny is most certainly justified.


Whatever their purpose (emergency notification, IT alerting or routine communications), notification services use employee contact data as the basis for communicating through a variety of devices and channels. While it’s unlikely an organization will have ultra-sensitive information, such as social security numbers, residing directly in a notification database, it’s nevertheless imperative that corporate personal data and any integrated software solutions are well protected.

Wondering how you can enhance your organization’s notification data security? Here are a few practical tips for your consideration.

Expand password requirements. Increase security by specifying strong organizational requirements for creating and using notification service passwords. Set a minimum password length for your users, and require a mix of upper-case letters, lower-case letters and symbols. Set a password expiration timeframe, and prevent the re-use of previous passwords. Enable automatic lockout after a specific number of invalid login attempts.
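The paragraph above lists the controls as policy; the following is an added example (written for this article, not code from any notification vendor) showing how those controls fit together in an account model: a complexity check, salted PBKDF2 storage, a reuse check against remembered hashes, an expiry check and automatic lockout. The thresholds (12 characters, 5 attempts, 90 days, 5 remembered passwords) are assumed values for illustration, not figures from the article.

```python
"""Password-policy and account-lockout checks of the kind the article lists.

Illustrative example added here; not code from any notification vendor.
The thresholds below (12 characters, 5 attempts, 90-day expiry, 5 remembered
passwords) are assumed values chosen for the example, not figures from the
article. Passwords are stored as salted PBKDF2 hashes, and reuse is detected
by re-hashing the candidate with each remembered salt.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

MIN_LENGTH = 12            # assumed policy values
MAX_FAILED_ATTEMPTS = 5
EXPIRY_DAYS = 90
HISTORY_SIZE = 5           # current password plus the previous four
PBKDF2_ROUNDS = 100_000


def check_complexity(password: str) -> List[str]:
    """Return the policy rules the password violates; an empty list means OK."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbol")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    changed_at: datetime                    # when the current password was set
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    failed_attempts: int = 0
    locked: bool = False

    def matches(self, password: str) -> bool:
        salt, digest = self.history[-1]
        return hmac.compare_digest(hash_password(password, salt), digest)


def create_account(username: str, password: str, now: datetime) -> Account:
    problems = check_complexity(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(username, now, [(salt, hash_password(password, salt))])


def change_password(acct: Account, new_password: str, now: datetime) -> List[str]:
    """Apply the new password if it passes the complexity and reuse checks."""
    problems = check_complexity(new_password)
    for salt, digest in acct.history:
        if hmac.compare_digest(hash_password(new_password, salt), digest):
            problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
            break
    if problems:
        return problems
    salt = os.urandom(16)
    acct.history.append((salt, hash_password(new_password, salt)))
    acct.history = acct.history[-HISTORY_SIZE:]   # forget anything older than the window
    acct.changed_at = now
    return []


def login(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'expired', 'invalid' or 'locked'."""
    if acct.locked:
        return "locked"
    if not acct.matches(password):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True       # auto-lockout; an administrator must clear it
            return "locked"
        return "invalid"
    acct.failed_attempts = 0
    if now - acct.changed_at > timedelta(days=EXPIRY_DAYS):
        return "expired"             # correct password, but a change is required
    return "ok"
```

The reuse check re-hashes the candidate with each remembered salt rather than storing plaintext history, and the expiry check runs only after a successful match so that an expired account still counts failed attempts toward lockout.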

Utilize two-factor authentication. With two-factor authentication, users are required to validate themselves in two distinct ways in order to log in to the service. Along with the standard username and password, users must enter a number that is generated automatically every few seconds by a unique hardware security token (which is also synchronized with the notification service).
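The token described above is, in practice, a time-based one-time password (TOTP, RFC 6238): both sides hold the same secret and derive the code from the current time step, which is what keeps the token and the service "synchronized" without any network connection between them. The following is an added example (not code from any notification vendor) of the code derivation and a server-side check that tolerates a step of clock drift and accepts each code only once. The secret is the RFC 6238 test-vector secret and the timestamps are constructed test values.

```python
"""Time-based one-time passwords (TOTP, RFC 6238) as used by hardware tokens.

Illustrative example added here; not code from any notification vendor. The
article describes a token whose number changes every few seconds and stays in
step with the service: TOTP achieves that by giving both sides the same secret
and deriving the code from the current 30-second time step, so no network
round trip is needed. The shared secret used in the tests is the RFC 6238
test secret and the timestamps are constructed test values.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6
SKEW_STEPS = 1      # accept one step either side to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Code valid for the time step containing unix_time."""
    return hotp(secret, int(unix_time) // STEP_SECONDS, digits)


class TotpVerifier:
    """Server-side check: accepts each time step at most once (no replay)."""

    def __init__(self, secret: bytes, skew_steps: int = SKEW_STEPS):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        step = int(unix_time) // STEP_SECONDS
        for candidate in range(step - self.skew_steps, step + self.skew_steps + 1):
            if candidate <= self.last_accepted_step:
                continue           # already consumed, or older than the last login
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False
```

Two details matter on the service side: the comparison is constant-time, and the verifier remembers the last accepted step so a captured code cannot be replayed within its validity window.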

Use digital certificates for email. With email notifications, recipients may be hesitant to open an alert that arrives from a third-party address. With digital certificates in place, notification emails use the company’s authenticated primary domain, and alert recipients can be certain the email originated from within the organization.

Restrict message access with PIN codes. Beyond securing a user’s login information, it is also important to control the delivery of certain phone-delivered messages, ensuring that the intended person is the actual recipient. To ensure messages aren’t delivered inappropriately, require PIN codes for access to incoming voice calls. Contacts without assigned PIN codes are unable to listen to playback of phone alerts.

Deploy single login. With single login, a notification service user can be logged in to only one account at a time from any given browser with a given set of credentials. As such, credentials cannot be shared by multiple users or used across multiple sessions.

Utilize Single Sign-On (SSO). With Single Sign-On, users can access the notification service using their enterprise credentials. While benefits include reducing password reset management costs and improving the user experience, this measure can also support enforcement of strong password standards.

Ensure data is encrypted both at rest and in transit. Many service providers encrypt data as it travels the internet between endpoints (in transit). However, few take this a step further by encrypting the data residing on their servers (at rest). Make sure your vendor provides at-rest data encryption for maximum security.

None of the measures above is difficult to implement. They just require willingness, a few policy decisions and, of course, the right enterprise-class notification vendor offering a broad set of security capabilities.