TABLE OF CONTENTS
- Password best practices
- Physical security
- Mobile devices
- Acceptable Wi-Fi use
- Confidential information
- File storage
- Multi-factor authentication
- Single sign-on (SSO)
- Detecting and reporting phishing attacks
- Least privilege approach to access
- Encryption enabled on computers
- Running up-to-date software
- Web browsers
- Reporting risk incidents and/or security breaches
Introduction
This article provides a user guide of best practices for maintaining a strong security posture while engaging in work on behalf of B Lab. This article also contains information outlined in our computer policy.
Please keep in mind that this article is not exhaustive; the Operational Technology team is happy to answer questions and provide support to teams for any information not covered by this article. Please reach out to us with any questions by opening a new ticket - ticket responses are added to the FAQs section below on a regular basis.
Acceptable use
Work for B Lab should be done on B Lab computers, if possible. If you are using a personal device to conduct B Lab work, take care to ensure that you are logged into B Lab accounts (e.g. not saving files to a personal Google Drive).
B Lab Global understands that from time to time staff may need to check their personal email or conduct limited personal business on B Lab devices. As a best practice, we recommend limiting personal use on B Lab devices to mitigate potential risk and vulnerabilities.
Password best practices
All computers must be secured with a login password. This password must not be shared with anyone else. If you need help with setting a strong password, please submit a ticket.
When available, fingerprint or facial recognition technology can be used as an alternative to passwords to secure computers. Regardless of which option you choose, computers must be "locked" when not in use so that a password or biometric login is required to access the device.
Additionally, we recommend adjusting the device’s settings so that your computer is set to lock after 15 minutes of inactivity.
Physical security
While any hardware containing B Lab information is in your possession (either owned by B Lab or personally), you are responsible for the security of its contents along with the maintenance of its condition. Devices shouldn’t be left in unlocked cars or in public places while unattended. Providing device access to another individual, either deliberately or through failure to secure its access, is prohibited.
Additionally, we recommend limiting the use of removable media devices (e.g. USB drives) unless necessary for the performance of your assigned duties. For more information on using removable media devices, see the File Storage section.
In the event that a B Lab computer is lost or stolen, it is your responsibility to notify the Operational Technology team as soon as possible at one of the phone numbers listed below. Due to the severity of the issue, you should attempt to confirm that one of the people listed below has received your message. This is particularly important if the device is lost outside of regular working hours, when an email or Slack message might not be seen immediately.
Contact info:
Alex Sherman - (856) 390-1057
Paige Onouye - (302) 276-8233
While you do not need to notify B Lab in the case of a lost or stolen personal device, you should immediately change passwords to any system (e.g. Slack, Gmail, Asana) that was accessed via an app or browser on this device to prevent potential security breaches.
Mobile devices
If you have installed business platforms (e.g. Slack, Google Workspace) on your mobile device, we recommend following the aforementioned password best practices to ensure your personal information and B Lab data are protected.
We recommend enabling a phone tracking tool (e.g. Find My iPhone for iOS devices or GPS Phone Tracker for Android) or any device-tracking app to help users locate their devices in the event that they are lost or stolen. You should immediately change passwords to any system (e.g. Slack, Gmail, Asana) that was accessed via an app or browser on your phone to prevent potential security breaches.
Acceptable Wi-Fi use
As a globally distributed network of remote-first workers, we understand there may be occasions where individuals choose to work from public locations. It is important to note that publicly available Wi-Fi networks are inherently insecure and caution should be taken when connecting to them and conducting activities on behalf of B Lab.
At home, you should use a secure, personal Wi-Fi network with a strong password, defined by a minimum of 8 characters containing at least one special character. If you don’t have the option of connecting to a secure network, consider using your mobile data or hotspot as an alternative, since these connections are more secure than a public network.
Below are additional tips for increasing your Wi-Fi security posture:
- Pay attention to warnings and alerts on browsers - We recommend using Google Chrome as your primary browser as it has built-in safe browsing technology and automatically stays updated
- Log out of accounts immediately after use
- Read through the agreement with the company providing the free Wi-Fi to ensure you aren’t sharing all your information with them in exchange for the use of the network
- Check your settings and be sure your computer or phone isn’t automatically connecting to the nearest Wi-Fi network.
Confidential information
Each individual is responsible for safeguarding the confidential information obtained during their work on behalf of B Lab Global. The definition of “Confidential Information” is further detailed in the nondisclosure agreement you signed when you began your work with B Lab, and includes all Confidential Information of B Lab Global, the companies with which it works, and the B Global Network.
Individuals must take all actions reasonably necessary to protect confidential information in their possession or to which they are granted access, and to prevent the unauthorized access of confidential information by others. Any breach of confidentiality obligations will not be tolerated and legal action may be taken by B Lab Global.
File storage
Work-related files should not be stored locally on computers (such as on the desktop, documents folder, etc.). In cases where your work requires downloading items to your desktop, you must immediately hard delete these files once they are no longer needed. After deleting the files, open the trash can and select “Empty trash” to permanently delete the files.
If working offline, you should install the Google Drive desktop application so that saved files are backed up and synced as soon as the computer is reconnected to the internet.
B Lab reserves the right to retrieve and review any message or file composed, sent, or received while using a B-Lab-issued computer. Storing personal information on a B Lab computer is done at your risk. B Lab is not responsible for any loss of personal data due to hardware failure, misuse, misplacement, loss, or theft of B Lab property. Additionally, B Lab data should not be stored on removable devices (e.g., USB drives).
Multi-factor authentication
Use of 2-factor authentication is required whenever available (based on the security policies of the individual platform) and will be required for Google Workspace and Salesforce.
For more information on 2-factor authentication and how to enroll with Google, see this Freshdesk article.
Single sign-on (SSO)
SSO lets users access the applications, websites, and data they are permitted to use by logging in with one set of credentials. When possible, you should authenticate to websites with your Google Workspace account. This delegates authentication for those websites to Google, which is more secure and has 2-Step Verification enabled. Most of B Lab’s internal platforms support logging in with your Google account (e.g. Slack, Freshdesk, Salesforce).
Detecting and reporting phishing attacks
As a remote-first workplace operating primarily through digital platforms, phishing attacks via email, pop-ups, links, or other means are a primary threat that users must stay vigilant of.
Below are some tips for detecting and navigating a phishing attack:
- Check the domain of the sender - Is it misspelled, or does it look otherwise suspicious? Is it sent from a public domain (e.g. ‘@gmail.com’)? Are there inconsistencies between the email address, domain name, and links?
- Be aware of messages that create a sense of urgency or call to action (e.g. “You must submit now”), particularly regarding personal data or financial information
- Do not click attachments or hyperlinks in unsolicited emails, especially from an unknown sender
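As an added example (not part of the B Lab guide), the following Python script applies the first two tips above to a constructed email: it flags a sender on a public webmail domain or on a look-alike of the organisation's domain, links whose domain does not match the sender's, and urgency wording. The organisation domain, public-domain list and urgency phrases are assumed placeholders, not B Lab's values.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed placeholders for this example: the organisation's own mail domain,
# a short list of public webmail domains, and a few urgency phrases.
ORG_DOMAIN = "example.org"
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_PHRASES = ("must submit now", "within 24 hours", "account will be suspended")

# Constructed sample message, not a real email.
SAMPLE_EMAIL = """\
From: "IT Support" <it-support@examp1e.org>
To: staff@example.org
Subject: Action required: verify your password
Content-Type: text/plain

Your mailbox is over quota. You must submit now to keep access:
https://example.org.login-verify.net/reset
"""

def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])

def looks_like(domain: str, target: str) -> bool:
    """Digit-for-letter swaps (1 -> l, 0 -> o) that make a domain resemble target."""
    normalised = domain.translate(str.maketrans("10", "lo"))
    return domain != target and normalised == target

def phishing_indicators(raw: str) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode(errors="replace")
    findings = []
    if sender_domain in PUBLIC_DOMAINS:
        findings.append(f"sender uses public mail domain {sender_domain}")
    if looks_like(sender_domain, ORG_DOMAIN):
        findings.append(f"sender domain {sender_domain} resembles {ORG_DOMAIN}")
    for url in re.findall(r"""https?://[^\s<>"']+""", body):
        host = urlparse(url).hostname or ""
        if registrable(host) != registrable(sender_domain):
            findings.append(f"link host {host} does not match sender domain {sender_domain}")
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency wording: '{phrase}'")
    return findings
```

Running `phishing_indicators(SAMPLE_EMAIL)` yields three findings: a look-alike sender domain, a link pointing at an unrelated domain, and urgency wording.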
Our Operational Technology team needs to know of scams, breaches, and malware so they can better protect our infrastructure. If you experience a perceived attack or receive suspicious looking emails, we advise you to report the email as phishing in Gmail and log a Freshdesk ticket.
Least privilege approach to access
The Operational Technology team employs the principle of least privilege, an information security concept whereby users are given the minimum levels of access/permissions needed to perform their assigned duties.
If you or your team requires expanded access to a digital platform, you must submit a ticket with your request and provide additional context explaining the need for greater access.
Encryption enabled on computers
All B Lab computers should have either BitLocker (Windows) or FileVault (Mac) enabled. These encryption tools prevent files from being read off the hard drive in the event that the computer is lost or stolen. If you notice that BitLocker or FileVault is not enabled on your computer, please notify a member of the Operational Technology team.
Additionally, the Operational Technology team runs periodic reports of B Lab computers to highlight any machines that are not encrypted. In the event that your computer is flagged, a member of the team will schedule time to enable the relevant encryption software.
If you are using a personal computer, we recommend enabling either BitLocker (Windows) or FileVault (Mac) to keep your files safe. There is no cost associated with either system. You can find more information about BitLocker on this Microsoft support page and for FileVault on this Apple support page.
Running up-to-date software
Outdated software presents three primary problems for individuals and organizations: security vulnerabilities, program instability, and poor compatibility with other applications. Software updates often contain security patches and new security features, both of which are important to install in a timely manner.
As a best practice, we recommend ensuring your computer, browsers (incl. plug-ins), and antivirus software are routinely updated. Applications should also be updated, but pose a smaller security risk if an update is delayed. Generally, you can check on the status of your software through the settings feature for each platform. Some software (e.g. Chrome) is able to run updates in the background automatically. We recommend you enable automatic updates, when possible, to ensure your software stays up-to-date in a timely manner.
For more information on how to ensure your computer is up-to-date, see this Apple support page for Mac users or this Microsoft support page for Windows PC users.
While you have the ability to install applications on your device(s), it is important to understand the malware and data security risks that can accompany third-party software. If you are at all unsure about the legitimacy or security of an application you want to install, you should submit a ticket to have the software reviewed by the Operational Technology team before downloading it or signing up. B Lab is not responsible for troubleshooting the functionality of any unsupported software, whether free or paid. If a third-party application interferes with any of B Lab’s supported internal tech platforms, the user is required to uninstall it, with the assistance of internal IT if necessary.
Web browsers
Generally, web addresses that begin with https:// provide an encrypted connection to the website. Addresses that begin with http:// are not encrypted, and the data exchanged can be intercepted by third parties. We recommend only accessing HTTPS sites.
However, simply having “https” in the web address does not mean a website is legitimate. You should use your discretion when operating web browsers, particularly when downloading files or software from the internet or handling confidential data. We recommend complying with browser alerts/warnings cautioning users against accessing potentially harmful or unsafe websites.
As a best practice, B Lab supports using Google Chrome for web browsing and accessing internal platforms. In addition, it is important that Chrome is kept up-to-date. Instructions for updating or checking for Chrome updates are available here.
Reporting risk incidents and/or security breaches
In the event of a risk incident and/or security breach, you should submit a ticket with all pertinent information and contact a member of the Operational Technology team via Slack immediately (Alex Sherman, John Vitelli, or Paige Onouye).
If a serious breach, such as a lost computer or a compromised password, occurs outside of regular working hours, it is your responsibility to contact a member of the Operational Technology team and confirm that they have received the message and are aware of the issue as soon as possible.
Contact Info:
Alex Sherman - (856) 390-1057
Paige Onouye - (302) 276-8233