Cybersecurity is top of mind for IT and business resilience professionals all over the world. And, since mass notification systems rely on employee contact data, it’s crucial these systems are scrutinized like any other system that holds personal data. While it’s unlikely an organization will have ultra-sensitive information (such as social security or credit card numbers) residing directly in a notification database, the names, phone numbers, email addresses and home addresses it does hold are personal data, and it’s imperative they are well protected.
Here are seven tips for ensuring your emergency notification service remains in your full control.
Expand requirements for passwords. Strong requirements can be established for creating and using notification service passwords. Set a minimum password length for your users, and require a mix of upper case, lower case, and symbols. Prevent the re-use of previous passwords, and, if your policy calls for it, set a password expiration timeframe (note that current NIST guidance in SP 800-63B no longer recommends forced periodic expiry, so treat it as a policy decision rather than a security gain in itself). Enable automatic lockout after a set number of invalid login attempts so that password guessing is stopped early.
Utilize two-factor authentication. With two-factor authentication, users must authenticate in two distinct ways in order to log in to the service. Along with the standard username and password, users must enter a one-time code generated by a hardware security token (or authenticator app) that holds a secret seed shared with the notification service; with time-based tokens the code changes on a fixed schedule, typically every 30 seconds, so the token's clock must stay synchronized with the service within a small tolerance.
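The time-based code described above is what RFC 6238 (TOTP, built on RFC 4226 HOTP) specifies, and it is the scheme most hardware tokens and authenticator apps implement. The following is an added example of the server side of that check, not code from the original article or from any notification vendor. It uses only the Python standard library; the seed string, 30-second step, 6-digit codes and one-step drift window are assumptions chosen to match common token defaults, and the RFC 6238 test secret is used so the output can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed: most tokens rotate every 30 s
DIGITS = 6          # assumed: 6-digit display


def secret_from_base32(seed: str) -> bytes:
    """Decode the base32 seed provisioned into a token (spaces/padding optional)."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, last_counter: int = -1,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS):
    """Return the time-step counter the submitted code matches, or None.

    `window` is the number of steps of clock drift tolerated on either side of the
    server's current step (the "synchronization" the article mentions).
    Any step at or before `last_counter` (the last step the user already used) is
    refused, so a captured code cannot be replayed within its validity window.
    All candidates are compared with compare_digest and without an early return so
    timing does not reveal which step, if any, matched.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = int(at_time) // step
    matched = None
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:          # already consumed: replay attempt
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            matched = counter
    return matched


# Constructed demo: the RFC 6238 reference secret ("12345678901234567890") in base32.
DEMO_SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    print(totp(DEMO_SECRET, 59))              # RFC 6238 vector 94287082, last 6 digits
    print(verify_totp(DEMO_SECRET, totp(DEMO_SECRET, 59), 89))   # accepted: one step of drift
    print(verify_totp(DEMO_SECRET, totp(DEMO_SECRET, 59), 89, last_counter=1))  # replay refused
```

The caller is expected to persist the returned counter as the user's `last_counter`; a service that skips that step accepts the same code twice within the drift window, which defeats the "one-time" property the second factor is supposed to provide.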
Use digital certificates for email. With email notifications, recipients may be hesitant to open an alert that arrives from a third-party vendor's address rather than from the company. With domain authentication in place (digital certificates or signing keys configured for the company's authenticated primary domain), notification emails are sent from that domain, and both alert recipients and their mail filters can verify that the email was authorized by the organization rather than spoofed by someone else.
Restrict message access with PIN codes. Beyond securing a user’s login information, it is also important to control the delivery of certain phone-delivered messages, ensuring the intended person, not whoever answers the phone or retrieves the voicemail, is the actual information recipient. To ensure messages aren’t delivered inappropriately, require a PIN code before playing back sensitive incoming voice calls. Contacts without an assigned PIN code are unable to listen to playback of phone alerts.
Deploy single login. With single login, a given set of credentials can hold only one active session at a time: a notification service user can be logged in to only one account from any given browser, and a second login with the same credentials either is refused or ends the first session. As such, credentials cannot be shared among multiple users or used across multiple concurrent sessions.
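The password controls from the first tip (length and character-class rules, re-use prevention, expiry, lockout after repeated failures) and the single-login rule above are all enforced at the same place, the service's login path, so the following added example shows them together. It is illustrative code written for this page, not the article's or any vendor's implementation. It uses only the Python standard library; the policy constants, the choice to end the earlier session on a new login (rather than refuse the new one), the in-memory storage and the injectable `at` timestamps are assumptions made so the behaviour can be exercised offline.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field

# Assumed policy values; adjust to your organization's standard.
MIN_LENGTH = 12
HISTORY_SIZE = 5            # previous passwords that may not be re-used
MAX_AGE_DAYS = 90           # expiry, if your policy requires it
LOCKOUT_THRESHOLD = 5       # consecutive failures before auto-lockout
DAY = 86_400
ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 work factor (OWASP guidance)


def password_policy_violations(password: str) -> list:
    """Return the list of rules the candidate password breaks (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def hash_password(password: str) -> bytes:
    """Salted PBKDF2 hash; the 16-byte salt is stored in front of the digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    password_hash: bytes
    changed_at: int
    history: list = field(default_factory=list)   # older hashes, newest last
    failed_attempts: int = 0
    locked: bool = False
    session: str = None                            # the single active session token


class AuthService:
    def __init__(self):
        self.accounts = {}      # username -> Account
        self.sessions = {}      # session token -> username

    def create_account(self, username: str, password: str, at: int) -> list:
        problems = password_policy_violations(password)
        if not problems:
            self.accounts[username] = Account(username, hash_password(password), at)
        return problems

    def change_password(self, username: str, new_password: str, at: int) -> list:
        acct = self.accounts[username]
        problems = password_policy_violations(new_password)
        if any(check_password(new_password, h) for h in acct.history + [acct.password_hash]):
            problems.append(f"re-uses one of the last {HISTORY_SIZE + 1} passwords")
        if not problems:
            acct.history = (acct.history + [acct.password_hash])[-HISTORY_SIZE:]
            acct.password_hash = hash_password(new_password)
            acct.changed_at = at
        return problems

    def login(self, username: str, password: str, at: int):
        """Return (status, session_token); the token is None unless status is 'ok'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "bad_credentials", None
        if acct.locked:
            return "locked", None
        if not check_password(password, acct.password_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked = True              # auto-lockout; an admin unlock is needed
                return "locked", None
            return "bad_credentials", None
        acct.failed_attempts = 0
        if at - acct.changed_at > MAX_AGE_DAYS * DAY:
            return "password_expired", None
        if acct.session is not None:            # single login: end the earlier session
            self.sessions.pop(acct.session, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        acct.session = token
        return "ok", token

    def session_user(self, token: str):
        """Username owning a live session token, or None if it was revoked or never issued."""
        return self.sessions.get(token)
```

Two design points worth noting: the lockout counter is only reset by a successful login, so an attacker cannot keep the counter low by interleaving guesses, and the expiry check happens after the password is verified, so an expired account does not leak whether the password was right to someone who does not know it.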
Utilize Single Sign-On (SSO). With Single Sign-On, users access the notification service with their enterprise credentials instead of a separate vendor password. Along with reducing password reset costs and improving the user experience, this means the enterprise directory's password standards, multi-factor requirements and account deprovisioning apply to the notification service automatically, so a departed employee loses access when their enterprise account is disabled.
Ensure data is encrypted both at rest and in transit. Most service providers encrypt data as it travels the internet between points (in transit, typically with TLS). Fewer take this a step further by encrypting the data residing on their servers (at rest). Make sure your vendor provides at-rest encryption, and ask what it covers and who holds the keys: contact data in backups, logs and exports is no less sensitive than the live database, and encryption managed entirely by the vendor protects against a lost disk, not against a compromised vendor account.
None of the measures above are difficult to implement. They just require the willingness, a few policy decisions and, of course, an enterprise-class notification vendor that offers a wide breadth of security capabilities.