Security & Data Protection
The increasing number of data breaches has an impact on our data and on our clients' data. While we're pretty good at how we use and store data, we should also give clients suggestions on what they should do with theirs. The risk of a data breach is significant: it can destroy customer trust, drive churn, and, most importantly, damage the end user's life in some way, from money stolen from credit cards to identity theft and ransoms.
Here are Harvey's fundamentals
- All passwords you use for work are stored in 1Password. This includes your personal logins that are connected to work in some way. For example: your personal email is linked to Facebook; if someone hacks your email they can get into your Facebook and take control of our clients' ads, pages, etc. They can then also log in to other platforms using Facebook's sign-in button.
- You don't use the same password across critical apps (sensitive apps are email, Facebook, Google, 1Password, your computer, and anything else that could cause serious harm if someone got control of it).
- We use 2FA (two-factor authentication) on any sensitive apps, for example Google, Klaviyo, Shopify, HubSpot and Webflow.
- Length of password is more important than complexity. Make your passwords as long as possible; I aim for 22-26 characters when using 1Password. For memorable passwords, like your 1Password master password, make it long. It can be words if that helps. Mine is 5 words with a character between each one, some capitals and a number: super easy to remember, but hard to 'crack'.
- Personally Identifiable Information (PII) is sensitive (e.g. phone, email, name, address, date of birth), so we don't send large files of PII over email (email is very insecure). And if we store that data in our systems we make sure we revisit the access settings. (Typeform survey data would only just be considered PII: while it does include emails and names, it doesn't have much else. Even so, we should secure it.)
- Be diligent when logging into core systems, and be aware of scams. Some of the biggest breaches come from a person accidentally giving their login details to a hacker via a fake website, an SMS, a fake login page or keystroke-tracking software (which can be hidden inside other dodgy apps).
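The password-length point above, worked through as numbers. This is an added example and not part of Harvey's handbook: it estimates how many bits of guessing work a random password or a random multi-word passphrase gives, and how long exhausting that space would take at an assumed offline cracking rate. The word-list size (7776, the classic diceware list) and the guess rate (1e10 per second) are assumptions chosen for illustration, not figures from the page.

```python
import math

# Constructed assumptions (not from the handbook): size of a diceware-style
# word list, and an order-of-magnitude offline cracking rate for a leaked hash.
DICEWARE_WORDS = 7776          # 6^5 words, the classic diceware list size
GUESSES_PER_SECOND = 1e10      # hypothetical offline GPU rate


def random_password_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password whose every character is drawn uniformly
    from a charset of charset_size symbols (what a password manager generates)."""
    return length * math.log2(charset_size)


def passphrase_bits(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy in bits of a passphrase of word_count words chosen uniformly at
    random from a list. Words you pick yourself (a quote, a pet's name) give
    fewer bits than this; the estimate assumes genuinely random choice."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every possibility at the given rate (the attacker
    expects to succeed after about half that, but the order of magnitude is
    what matters)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare() -> list:
    """Return (description, bits, years) for a few password shapes, from a short
    'complex' password up to the 22-26 character generated passwords and the
    5-word memorable passphrase described in the handbook."""
    cases = [
        ("8 chars, letters+digits+symbols (94)", random_password_bits(94, 8)),
        ("12 chars, letters+digits (62)", random_password_bits(62, 12)),
        ("22 chars, letters+digits+symbols (94)", random_password_bits(94, 22)),
        ("26 chars, letters+digits+symbols (94)", random_password_bits(94, 26)),
        ("5 random diceware words", passphrase_bits(5)),
        # Separators only add entropy if they are chosen at random; here we
        # assume each of the 4 separators is one of 10 symbols picked randomly.
        ("5 random words + 4 random separators", passphrase_bits(5) + 4 * math.log2(10)),
    ]
    return [(name, bits, years_to_exhaust(bits)) for name, bits in cases]


if __name__ == "__main__":
    for name, bits, years in compare():
        print(f"{name:40s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

Reading the output: an 8-character password from the full keyboard charset gives about 52 bits and falls to an offline attack in well under a year, while five random words give about 65 bits and a 22-character generated password over 140 bits. Adding length multiplies the search space on every character; adding symbol classes to a short password barely moves it.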
For our clients
Our clients generally won't be following best practice, and we should make them aware of some fundamentals. It's important to note that they are very unlikely to be targeted, as they are smaller, lower impact and lower value, but it can happen and could be devastating.
When relevant we should explain the above in slightly simpler, layperson terms. If you see them doing anything risky, please let them know.
Record your security and tools
Submit your status for each tool through this form in Airtable: https://airtable.com/shrbsxV9px2ra35vg
If a tool / app isn't listed there, use this form to add one (you guess the security level): https://airtable.com/shr5eILMzWNsmMrnP
Do this within 24 hrs of first creating any sensitive account.
This definition table explains the security 'levels' (see image).
