Recently, one of our TouchPoint clients sent us an article about a significant compromise and data exposure of over 300K customer records from another company in their industry. They were interested to learn more about how we handle data security here at Never Settle – specifically with our cloud-based SaaS apps like TouchPoint – although these general principles apply to everything we build.
In addition to our normal security best practices that we train and require from all our developers, we ran TouchPoint through a rigorous security audit and vulnerability assessment conducted by the industry trusted Synopsys as part of our QuickBooks Online certification process. There were no issues discovered as serious as the ones highlighted by the 300K+ data breach example, but we did address all issues found in the audit, which was a prerequisite to being accepted in the QuickBooks Online App Marketplace. Check out our certified QuickBooks Online App entry for TouchPoint.
When App Security is built properly, the biggest potential weak link in stored data will usually be the weakest privileged user password(s). We enforce basic secure password requirements, but even those requirements can’t fully eliminate the risk associated with weaker user passwords. As a matter of your own company policies, it is always a positive thing to encourage stronger passwords in general. Tools like LastPass can help individual users have unique, stronger passwords without having to remember them.
If you have or use Never Settle developed SaaS tools or other cloud-based services, we’d be happy to work with you on conducting periodic security assessments to provide an additional layer of peace of mind regarding your data and your customer’s data. We can evaluate data and apps hosted across any platform. This service would include things like trying to crack user passwords with the same methods an attacker would use to see if there are any weak passwords in use on active user accounts. And we can sculpt this service and cost to your needs. The types of validations and tests we could run for you can range from simple to complex depending on the level of confidence you’re looking for. We can put together monthly, quarterly, annual or even on-demand plans (for times when there’s maybe more employee turnover than normal).
There are also other general considerations you can take into account to keep your business tools, apps, and data more secure. For example, we highly recommend really tight user account management processes. When employees depart, it’s critical to close / disable all their accounts so that they no longer have access.This sounds like (duh!) common sense, but there might be implications you haven’t thought about related to the way that multiple services can be used to provide sign-on access to each other. As a case in-point, do any of your employees use a personal Facebook account to authenticate into any company resources? And, even after their company accounts are disabled, is it possible they still have access through Facebook authentication to company assets? As the interconnected nature of the personal and company online resources we use daily deepens, so does the complexity of the implications on data and application security.