The Human Side of Data Security
As of April 2023, LeagueSpot secures over 71,000 accounts for users that are primarily in the high school and college age ranges, and in some communities are as young as 8 years old. We view it as our primary objective to protect all personal data from unauthorized access, and the responsibility is even greater when kids are involved.
I have written before about how much effort we put into securing our platform with best practice technical architecture and policies. But while technology is relatively predictable and the most effective security procedures are well known and documented, we also need to talk about the more error-prone side of security: the person between the keyboard and the chair. According to a Cisco white paper, phishing and social engineering attacks account for 90% of data breaches.
Every platform requires human administrators and moderators who have elevated access to user data. In order to keep your data safe, our LeagueSpot security philosophies are tailored to address this specific reality. Please feel free to borrow any of these for your own business.
Hire and train trustworthy people
Every one of our employees must pass a background check prior to gaining access to any of our systems. It is extremely important to us that we avoid placing people with criminal backgrounds in positions of power, especially in youth communities.
We train all of our employees how to handle sensitive information, and they receive cybersecurity training that teaches them how to identify social engineering attacks that could compromise their accounts. To formalize the responsibility of protecting user data, we also require that anybody with an elevated role has signed a confidentiality agreement.
Secure their company-managed accounts
All accounts that can access user data are managed by LeagueSpot, which means we have the right to revoke access at any time - such as when an employee leaves the company or their account becomes compromised.
We have a complex password policy which also requires that the most secure system account passwords be changed frequently. To elevate password complexity, LeagueSpot pays for password managers for all employees, allowing them to create extremely secure passwords without forcing them to be written down or forgotten.
We also assume that passwords may be compromised, which we address by requiring multi-factor authentication on all of our systems. This ensures that even if an attacker does steal a password, they are still extremely unlikely to be able to access systems without a second form of authentication.
Minimize their access scope
Security policies aren’t perfect, so we have to plan for the case where - in an extremely unlikely event - an account becomes compromised by an attacker. The best mitigation tactic is to reduce the amount of information that any given account can access. We do this by implementing the principle of least privilege: limiting the number of administrator accounts in our systems, and scoping all other accounts to the minimum information that they require to do their jobs. If an account were to be compromised, the attacker would then only gain access to a small portion of sensitive data instead of all of it.
We take our role as the guardians of your data seriously. With the increasing number of data breaches and cyber attacks, it is important for individuals and organizations to take proactive steps to secure their data. By following best practices like those listed above, we can work together to protect sensitive data from potential threats.
Humans are often considered the weakest link in cybersecurity, making them prime targets as attack vectors for cybercriminals. To mitigate this risk, organizations should hire the right people, provide cybersecurity awareness training, implement strong password and MFA policies, and have access controls in place that reduce the impact of breaches if they occur.
If you have any questions or want to talk about securing your data, please reach out at firstname.lastname@example.org.