Security

As part of working at Human Made you are going to come into contact with a lot of important, confidential information, from the password to a client’s FTP account to the SSH key that grants you elevated access to production servers. It’s very important that you take steps to keep such information secure.

This applies to all employees, contractors, consultants, temporaries, and other workers at Human Made and covers the use of all your devices.

Any employee found to have violated our security rules may be subject to disciplinary action, up to and including termination of employment. Take this seriously.

We have a security checklist which you should run through with another human. This could be your trial buddy, or you can ping John who’ll be happy to help you out with security.

Your Computer 

  • Set your computer to require a password to wake up from sleep, that way if you close the lid and step away for a few minutes someone can’t steal it and get access to all the secrets. You may use biometric scanners to unlock your device, such as a fingerprint scanner or FaceID.
  • Automatically lock your computer after a short period of idle time (10 mins maximum).
  • Run a virus scanner on any files you are sent (Gmail does this for you automatically).
  • Enable full disk encryption.
  • Enable device tracking on your computer where available:
    • macOS: Settings > iCloud > Find My Mac. Check on icloud.com to verify.
  • Enable operating system anti-malware:
    • macOS: Keep “Install system data files and security updates” turned on. Verify in System Preferences > Software Update > Advanced.
    • Windows: Enable Windows Defender (Also called Windows Security in newer versions)
  • Keep System Integrity Protection Enabled on macOS
  • Use a strong password with your SSH (proxy) key. Do not use passwordless keys. (Ignore this if you are using VPN and not the Human Made proxy, or are not using either.)
    • You can test your SSH password by running ssh-keygen -y on the command line. If you are not prompted for a password, you need to add one, which you can do with ssh-keygen -p. Your public key will remain the same, so remote servers/proxy access does not need to be updated.
    • You should also use strong algorithms, with RSA 2048 at a minimum; higher numbers are better, and 4096 should be used for any new keys generated. (ed25519 is also OK.) Check the algorithm of your existing keys.
  • Never share your private key with anyone, or copy it to a remote server. If you need access from another server with your key, use SSH agent forwarding.
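Added example (not Human Made’s own tooling) that applies the two SSH key rules above to key files offline, without shelling out to ssh-keygen: the cipher name in an OpenSSH private key header is “none” when no passphrase is set, and the key type and RSA modulus size can be read from the matching public key line. The key material below is constructed inside the block and is not a real key.

```python
import base64
import struct

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def private_key_has_passphrase(pem_text):
    """True if the private key is encrypted (new OpenSSH or legacy PEM format)."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem_text:
        body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, _ = _read_string(blob, len(magic))  # "none" means no passphrase
        return cipher != b"none"
    return "Proc-Type: 4,ENCRYPTED" in pem_text  # legacy PEM marks encryption here

def public_key_info(pub_line):
    """Return (key_type, bits) from a .pub / authorized_keys line."""
    blob = base64.b64decode(pub_line.split()[1])
    ktype, off = _read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent, not needed here
        n, _ = _read_string(blob, off)     # modulus as an mpint
        return ktype.decode(), int.from_bytes(n, "big").bit_length()
    if ktype == b"ssh-ed25519":
        return ktype.decode(), 256
    return ktype.decode(), None

def meets_policy(pem_text, pub_line):
    """Handbook rule: passphrase set, and RSA of at least 2048 bits or ed25519."""
    ktype, bits = public_key_info(pub_line)
    strong = ktype == "ssh-ed25519" or (ktype == "ssh-rsa" and (bits or 0) >= 2048)
    return private_key_has_passphrase(pem_text) and strong

# Constructed sample inputs (not real keys): the checks above only read the headers.
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b
def _mpint(n):  # extra leading byte keeps the value positive when the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def _fake_private(cipher):
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(blob).decode()
def _fake_rsa_pub(bits):
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"
ENCRYPTED_KEY, PLAINTEXT_KEY = _fake_private(b"aes256-ctr"), _fake_private(b"none")
RSA4096_PUB, RSA1024_PUB = _fake_rsa_pub(4096), _fake_rsa_pub(1024)
```

To check a real key pair, read ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub into the two functions; a True from meets_policy means the key satisfies both rules above.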

Your Phone 

  • Require at least a 6-digit pin to unlock your phone. You may use biometric scanners to unlock your device, such as a fingerprint scanner or FaceID.
  • Enable device tracking on your phone where available:
    • iOS: Settings > iCloud > Find My iPhone. Check on icloud.com to verify.
    • Android: Settings > Google > Security > Remotely locate this device. Check on Android Device Manager to verify.
  • Encrypt your work phone:
    • iOS: Set a passcode. Under Settings > Touch ID & Passcode, “Data protection is enabled” should be shown at the bottom of the screen.
    • Android: Settings > Security > Encrypt phone. This should show “Encrypted” if enabled.

Strong Passwords & 2-factor authentication 

  • Enable 2-factor authentication for:
    • Amazon AWS
    • Backblaze
    • Bob
    • Dropbox
    • Facebook
    • GitHub
    • Google (Gmail)
    • Humanmade.com
    • Slack
    • Salesforce
    • Trello
    • Twitter
    • WordPress.com
    • Xero
    • Zoom – If you store sensitive data in your Zoom account (i.e. record to Zoom Cloud and/or use the audio transcribe feature)
    • Any other services you use that support two-factor authentication
  • Use Twilio Authy, 1Password or Google Authenticator for two-factor authentication.
  • Use a password manager like 1Password for your passwords. You can expense your password manager. Human Made has its own 1Password account. Never write your passwords down outside of your password manager.
  • Use the Human Made 1Password account to log into shared accounts and services.
    • Avoid sharing accounts where possible. Use private vaults with individual members added instead.
    • If you’re using the Authy app, you can additionally protect access to it with a PIN or a fingerprint.
  • Use strong, long passwords (16+ chars) made up of random letters, numbers and symbols. 1Password can generate these.
  • Always use a separate password for each service. This reduces the chance of wider compromises in the event your password is discovered.
  • If you are using GitHub on the command line, create a unique access token.
  • Treat any P2 uploads (e.g. images, videos) as potentially externally accessible and use Google Drive or Dropbox to share files internally for truly private stuff.
  • When using Wi-Fi, you must follow the wireless security guide.

Online Services with sharing functionality 

When using online services such as Dropbox, Google Drive, Microsoft One Drive and other similar tools, please make sure to check sharing settings to ensure you’re sharing to the right people.

For example, when using Google Drive, make sure you’re setting sharing to “Anyone in Human Made can access” and not “Anyone with the link can access”.

Google Docs, Google Sheets 

When starting a new Google Doc or Google Sheet, it is best to start from the intended resting folder within the correct Team Drive. This way the documents inherit the default, secured permissions from the Team Drive.

Never start company documents from your private Google account.

Browser extensions 

Some browser extensions have access to everything on the website you are using. Make sure that you only install highly rated and trusted official extensions, and carry out due diligence by searching for any news of past or current security breaches. In addition, you can configure extensions to only run on the websites they need to, or only when you click on their icon.

Important: extensions that operate on text, such as Grammarly, can send everything you type on a web page to a service that you do not control. If they are running when you use websites such as Gmail, Slack, GitHub, Small Improvements, Workable or anything else work-related, you could be sending sensitive data to a third party not covered by our privacy policy. These extensions should be switched off for work-related websites and are otherwise generally discouraged.

Screenshots 

If you use a screenshot app that uploads to the cloud, make sure it’s one that obfuscates the link by appending / prepending random data to the filename. For example, Dropshare can be configured with the Random Suffix option.

Use private rooms when necessary 

When you’re working in public (such as a co-working space, cafe or the airport; list not exhaustive), do have an idea of whether your discussions or meetings are going to cover confidential issues. If so, look for a private room or setting to have those discussions.

When in doubt 

Ask for advice in #company-tech-support.

Revoking access 

When an employee leaves Human Made, access rights to all systems will be removed. This includes wiping company devices (phones and laptops).

Security Officer 

As CTO, Joe Hoyle is our security officer. You can contact him directly about security-related matters and use his name if you ever need to tell a client or contact who our security officer is.

5 comments

  1. The link to ‘encrypting backups’ doesn’t go anywhere. What do we mean by backups? Are we recommending or mandating local physical backups?