$3.92 million. That’s the global average cost of a data breach in 2019, according to the Ponemon Institute.
So it’s no surprise that companies invest heavily in cybersecurity. In the 5 years between 2017 and 2021, global spending on cybersecurity products is slated to exceed $1 trillion—and this trend is only expected to continue on its upward trajectory.
If you’re storing company information in RFPIO to streamline your RFP responses, I have good news: RFPIO has state-of-the-art security controls to protect your data. Even so, there are still extra things you can do to further protect your information.
Here are 10 things you can do to further strengthen security in RFPIO:
1. Use SSO: A Sweet Security Option
SSO stands for Single Sign-On, but it is also a sweet security option. RFPIO uses the most widely adopted industry standard, SAML 2.0.
With SSO, RFPIO users log in with the credentials they already have. That means they don’t have to remember (yet another) separate user ID and password—and Admins don’t have to take on the responsibility of managing user credentials.
SSO isn’t just convenient. It’s also safer. When you use SSO, passwords aren’t stored in the browser and there’s a lower risk of a lost or forgotten password. This closes security gaps that attackers can take advantage of to gain unauthorized access to the application.
Additionally, SSO allows Admins to manage user activity in real time, which gives you the extra visibility you need for a tightly run security program.
2. Automate user management with SCIM
SCIM stands for System for Cross-Domain Identity Management. Luckily, it’s nowhere near as complicated as the 13-syllable name would have you believe.
In a nutshell, SCIM simplifies user management. If SCIM is enabled, users are added or deleted automatically. It’s as easy as that.
On the one hand, SCIM makes life much easier for Admins. No more manually adding and deleting user accounts.
But it’s also important from a security viewpoint. With SCIM, user accounts are automatically deleted as soon as employees leave your organization, meaning former employees won’t have access to sensitive company information after they’ve left.
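To make the offboarding point concrete, here is an added example (not RFPIO’s SCIM endpoint or code) of the application side of a SCIM 2.0 integration: an in-memory user store that handles the three messages an identity provider sends over a user’s lifetime (create, PATCH `active: false`, delete), with an access check that only lets active accounts in. The resource and PatchOp schema URNs are the ones defined in RFC 7643/7644; the store, the `may_log_in` check and the sample user are constructed for this example.

```python
"""Toy SCIM 2.0 user store (constructed example; not RFPIO's SCIM implementation)."""
import json
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimUserStore:
    """In-memory stand-in for the application side of a SCIM integration."""

    def __init__(self):
        self.users = {}  # id -> SCIM user resource

    def create_user(self, body: str) -> dict:
        """POST /Users: provision an account from the IdP's JSON payload."""
        res = json.loads(body)
        if SCIM_USER not in res.get("schemas", []):
            raise ValueError("not a SCIM User resource")
        user_id = str(uuid.uuid4())
        user = {
            "schemas": [SCIM_USER],
            "id": user_id,
            "userName": res["userName"],
            "active": bool(res.get("active", True)),
        }
        self.users[user_id] = user
        return user

    def patch_user(self, user_id: str, body: str) -> dict:
        """PATCH /Users/{id}: apply a PatchOp (IdPs use this to deactivate a leaver)."""
        msg = json.loads(body)
        if SCIM_PATCH not in msg.get("schemas", []):
            raise ValueError("not a SCIM PatchOp message")
        user = self.users[user_id]
        for op in msg["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError("only 'replace' is handled in this example")
            if "path" in op:
                # {"op": "replace", "path": "active", "value": false}
                user[op["path"]] = op["value"]
            else:
                # {"op": "replace", "value": {"active": false}}
                user.update(op["value"])
        return user

    def delete_user(self, user_id: str) -> None:
        """DELETE /Users/{id}: remove the account entirely."""
        del self.users[user_id]

    def may_log_in(self, user_name: str) -> bool:
        """Access check: only an existing *and* active account may authenticate."""
        for user in self.users.values():
            if user["userName"] == user_name:
                return user["active"]
        return False


def offboarding_demo() -> dict:
    """Walk one constructed account through provision -> deactivate -> delete."""
    store = ScimUserStore()
    created = store.create_user(json.dumps({
        "schemas": [SCIM_USER], "userName": "jdoe@example.com", "active": True}))
    after_create = store.may_log_in("jdoe@example.com")
    store.patch_user(created["id"], json.dumps({
        "schemas": [SCIM_PATCH],
        "Operations": [{"op": "replace", "value": {"active": False}}]}))
    after_deactivate = store.may_log_in("jdoe@example.com")
    store.delete_user(created["id"])
    after_delete = store.may_log_in("jdoe@example.com")
    return {"after_create": after_create,
            "after_deactivate": after_deactivate,
            "after_delete": after_delete}


if __name__ == "__main__":
    print(offboarding_demo())
```

The point to notice is that the login check reads `active` on every attempt, so the moment the identity provider pushes the deactivation the account is locked, before any human gets around to deleting it.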
3. In lieu of SSO, use 2-factor authentication
If your organization doesn’t use SSO, I would recommend you set up 2-factor authentication as an additional layer of security.
If you’ve ever had a code sent to your email or phone, that is 2-factor authentication. After a user enters their username and password, 2-factor authentication prompts the user to enter a valid key or code.
2-factor authentication prevents an unauthorized person from accessing information. Even if an attacker learns the login credentials, they will not be able to produce the code for 2-factor authentication.
RFPIO supports 2-factor authentication through Google Authenticator and Duo Mobile.
4. Manage access with User Roles
With User Roles (default) and Custom Roles (customized), you can determine what users can see and do, and ensure users only have access to the data that’s relevant to them. This is key for security. When you reduce the number of people with access to sensitive data, you minimize the risk of leaks.
RFPIO’s out-of-the-box user roles include Super Admin, Admin, Manager, Team Member, and Project Requester. With Custom Roles (available as an add-on, or included with the enterprise package), you can create your own roles that make sense for your company. For example, Content Owner, Reseller Partner, or Project Contributor, but really it can be whatever you want. The world of custom roles is your oyster.
Read our Help Center article to learn more about specific permission levels for the out-of-the-box user roles (RFPIO customers only).
5. Control visibility with collections
Collections are another, more granular way to manage access to sensitive data.
While User Roles control access to projects and organization settings, Collections control access to content.
When you assign a piece of content to a collection, you can restrict visibility to that collection, either at a user group level (e.g. the sales team) or on an individual level. You can get as granular as you’d like.
For example, you may choose to have a “security” collection and limit visibility to just the InfoSec team. Or maybe you want a “financials” collection, and want to restrict access to just the finance team and upper management. Here’s a blog with more detail on using collections to organize your content (or scroll to the bottom to watch the webinar).
6. Get really granular with permissions
If you want to get really in the weeds with visibility, you can set privacy settings at the individual object level (e.g. a Q&A pair). Rather than assigning it to a collection, you can set privacy settings to control who can view or edit a specific piece of content.
If there’s a Q&A pair you really only want upper management to have access to, you can do that.
You can also adjust view and edit permissions separately. For example, maybe there’s a question about a product feature that you really only want the product team to be able to edit, but you still want to give your marketing team access to view it.
7. Keep up with your audits
With RFPIO, all activities are tracked and logged at various levels (e.g. task level, content level).
Every so often, I’d suggest pulling the Activity Report, which tracks all user activity within the application—including permission changes, user creation, and user deactivation.
For example, you may notice that an individual user’s permissions have been changed to give broader access to data that may not be relevant to their role. In response, you can reach out to the person who made the change for more information—and, if necessary, revert their permission levels to a level appropriate to their role.
You can also pull the User Login Activity Report. This report includes information about:
- Who accessed the account,
- When it was accessed,
- Where it was accessed from (e.g. IP address), and
- How they logged in (e.g. SSO, username + password, etc.)
Using the User Login Activity Report, Admins can see when a user logged in at odd hours, like on the weekend or very late at night. This could be an indication of unauthorized access that could lead to a data breach.
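The review described above does not have to be done by eye. Here is an added example (not RFPIO’s code; the column names and the sample rows are constructed, and the real report export may be laid out differently) that reads a small login-activity export with the four fields the article lists and flags the logins an Admin would want to look at: weekend or after-hours logins, a user appearing from an IP address not seen for them before, and logins that bypassed SSO. The business-hours range is an assumption to adjust for your organization.

```python
"""Review of constructed User Login Activity records (added example; not RFPIO's format)."""
import csv
import io
from datetime import datetime

# Constructed sample export. Column names are assumptions for this example.
SAMPLE_REPORT = """\
user,timestamp,ip,method
alice@example.com,2019-11-04T09:12:00,203.0.113.10,SSO
alice@example.com,2019-11-05T10:03:00,203.0.113.10,SSO
bob@example.com,2019-11-05T14:47:00,203.0.113.22,SSO
alice@example.com,2019-11-09T02:41:00,198.51.100.77,password
bob@example.com,2019-11-06T23:30:00,203.0.113.22,SSO
"""

# 07:00-19:59 local time counts as business hours; an assumption for the example.
BUSINESS_HOURS = range(7, 20)


def parse_report(text: str) -> list:
    """Parse the CSV export, turning the timestamp column into datetime objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_logins(rows: list) -> list:
    """Return (user, timestamp, reasons) for every login worth a second look.

    Rows are processed in time order so "new IP address" means new relative to
    that user's earlier logins in the same export.
    """
    seen_ips = {}
    findings = []
    for row in sorted(rows, key=lambda r: r["timestamp"]):
        ts = row["timestamp"]
        reasons = []
        if ts.weekday() >= 5:  # Saturday = 5, Sunday = 6
            reasons.append("weekend")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        known = seen_ips.setdefault(row["user"], set())
        if known and row["ip"] not in known:
            reasons.append("new IP address")
        known.add(row["ip"])
        if row["method"] != "SSO":
            reasons.append("non-SSO login")
        if reasons:
            findings.append((row["user"], ts.isoformat(), reasons))
    return findings


def review_sample() -> list:
    """Run the review over the constructed export."""
    return review_logins(parse_report(SAMPLE_REPORT))


if __name__ == "__main__":
    for user, when, reasons in review_sample():
        print(f"{when}  {user}: {', '.join(reasons)}")
```

A single reason (Bob working late on a Wednesday) is usually just a conversation; several reasons stacking on one login, as with the Saturday 02:41 password login from an address Alice has never used, is the pattern the article is warning about and the one to follow up first.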
8. Set up “session timeout”
Avoid the risk of internal attacks by setting up session timeouts that automatically log you out of the application. This is most relevant for organizations working in an office setting.
Here’s the scenario: The VP of Sales leaves their desk for a meeting. Scooby-Doo walks over to the VP of Sales’ desk and downloads a bunch of sensitive financial information from RFPIO, and uses it to wreak havoc. Classic Scooby move.
To prevent this kind of situation from happening, you should set up “session timeout”. The default timeout is 20 minutes, but you can adjust it according to your needs.
9. Bring Your Own Key (BYOK)
Set up an additional layer of security with BYOK. RFPIO already encrypts data with our own mechanism, but if you want that added boost… you should consider BYOK.
Basically, BYOK gives you the ability to provide your own encryption key to protect your data—on top of the encryption that RFPIO already uses. This is an added measure against unauthorized access to data.
If you’re an RFPIO customer, learn more about BYOK in the Help Center.
10. Securely share information through Linked Companies
Share company information with partners (e.g. resellers) in such a way that they can only see and use it—but don’t have edit access. This essentially turns your RFPIO Answer Library into an internal knowledge base that your reseller partners can use to respond to RFPs or answer any other questions that may come up during the sales cycle.
You can set this up using Linked Companies. Learn more about how to set up and use Linked Companies in the Help Center (RFPIO customers only).