$3.92 million. That’s the global average cost of a data breach in 2019, according to Ponemon Institute.
So it’s no wonder that companies invest heavily in cybersecurity. In the five years between 2017 and 2021, global spending on cybersecurity products is slated to exceed $1 trillion—and this trend is only expected to continue on its upward trajectory.
If you’re storing company information in RFPIO to streamline your RFP responses, I have good news: RFPIO has state-of-the-art security controls to protect your data. Even so, there are still extra things you can do to further protect your information.
Here are 10 things you can do to further strengthen security in RFPIO:
1. Use SSO: A Sweet Security Option
SSO stands for Single Sign-On, but it is also a super sweet security option. RFPIO uses the most widely accepted industry standard, SAML 2.0.
With SSO, RFPIO users use the credentials they already have to sign in. That means they don’t have to remember (yet another) separate user ID and password—and Admins don’t have to take on the responsibility of managing user credentials.
SSO isn’t just convenient. It’s also more secure. When you use SSO, passwords aren’t stored in the browser and there’s a lower risk of a lost or forgotten password. This prevents security gaps that hackers will exploit to gain unauthorized access to the application.
Additionally, SSO allows Admins to manage user activities in real-time, which gives you the extra visibility you need for a tightly run security program.
2. Automate user management with SCIM
SCIM stands for System for Cross-Domain Identity Management. Luckily, it is not as complicated as the 13-syllable name would have you believe.
In a nutshell, SCIM simplifies user management. If SCIM is enabled, users can be added or deleted automatically. It’s as easy as that.
On the one hand, SCIM makes life much easier for Admins. No more manually adding and deleting user accounts.
But it’s also important from a security perspective. With SCIM, user accounts are automatically deleted as soon as employees leave your organization, which means employees won’t have access to sensitive company information after they’ve left.
SCIM provisioning runs through your SSO identity provider, and OneLogin and Microsoft Azure both support it. If your identity provider supports it, I highly recommend implementing SCIM—both for the added convenience and peace of mind.
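To make the leaver-deprovisioning point concrete, here is an added example (not RFPIO's code, and not the exact payloads OneLogin or Azure send) of a minimal in-memory SCIM 2.0 user endpoint. The schema URNs and the `Operations` structure are from RFC 7643/7644; the store class, field names and the sample request bodies are constructed for this illustration. It handles both ways a provider can express "deactivate this user" (a `path: "active"` replace and a whole-object replace), tolerates boolean values sent as strings, enforces `userName` uniqueness, and exposes a `can_sign_in` check so you can see access disappear the moment the identity provider reports the leaver.

```python
import json

# Real SCIM 2.0 identifiers (RFC 7643 / RFC 7644).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _as_bool(value):
    """SCIM booleans should be JSON true/false, but some providers send "True"/"False" strings."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")


class ScimUserStore:
    """Constructed, in-memory stand-in for an application's SCIM /Users resource."""

    def __init__(self):
        self.users = {}
        self._next_id = 1

    def create_user(self, body: dict) -> dict:
        """POST /Users: provision an account when the IdP assigns the app to a user."""
        if USER_SCHEMA not in body.get("schemas", []):
            raise ValueError("unsupported schema")
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            raise ValueError("userName already exists")  # a real server answers 409
        uid = str(self._next_id)
        self._next_id += 1
        user = {
            "id": uid,
            "userName": body["userName"],
            "externalId": body.get("externalId"),
            "active": _as_bool(body.get("active", True)),
        }
        self.users[uid] = user
        return user

    def patch_user(self, uid: str, body: dict) -> dict:
        """PATCH /Users/{id}: the IdP flips active=false when the employee leaves."""
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ValueError("unsupported schema")
        user = self.users[uid]  # KeyError here maps to 404 in a real server
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                continue
            path, value = op.get("path"), op.get("value")
            if path == "active":
                user["active"] = _as_bool(value)
            elif path is None and isinstance(value, dict) and "active" in value:
                user["active"] = _as_bool(value["active"])  # whole-object style replace
        return user

    def delete_user(self, uid: str) -> None:
        """DELETE /Users/{id}: hard removal when the IdP deletes the user."""
        del self.users[uid]

    def can_sign_in(self, user_name: str) -> bool:
        """What the login path should check: the account exists AND is active."""
        return any(u["userName"].lower() == user_name.lower() and u["active"]
                   for u in self.users.values())


# Constructed sample traffic, shaped like what an IdP would send.
CREATE_ALICE = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@example.com", "externalId": "idp-0001", "active": true
}""")

DEACTIVATE_WHOLE_OBJECT = json.loads("""{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{"op": "Replace", "value": {"active": "False"}}]
}""")

REACTIVATE_BY_PATH = json.loads("""{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{"op": "replace", "path": "active", "value": true}]
}""")


def demo():
    """Walk a user through provision -> deactivate -> reactivate -> delete."""
    store = ScimUserStore()
    alice = store.create_user(CREATE_ALICE)
    states = [store.can_sign_in("alice@example.com")]
    store.patch_user(alice["id"], DEACTIVATE_WHOLE_OBJECT)
    states.append(store.can_sign_in("alice@example.com"))
    store.patch_user(alice["id"], REACTIVATE_BY_PATH)
    states.append(store.can_sign_in("alice@example.com"))
    store.delete_user(alice["id"])
    states.append(store.can_sign_in("alice@example.com"))
    return states  # [True, False, True, False]


if __name__ == "__main__":
    print(demo())
```

The important design choice is that `can_sign_in` consults the SCIM-managed `active` flag on every login rather than a cached "provisioned" bit, so deactivation from the identity provider takes effect immediately.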
3. In lieu of SSO, use 2-factor authentication
If your organization doesn’t use SSO, I would recommend you set up 2-factor authentication as an additional layer of security.
If you’ve ever had a code sent to your email or phone, that’s 2-factor authentication. After a user enters their username and password, 2-factor authentication prompts users to enter a valid key or code.
2-factor authentication prevents an unauthorized person from accessing data. Even if a cyber attacker learns the login credentials, they will not be able to access the code for 2-factor authentication.
RFPIO supports 2-factor authentication through Google Authenticator and Duo Mobile.
4. Control access with User Roles
With User Roles (default) and Custom Roles (customized), you can define what users can see and do, and ensure users only have access to the data that’s relevant to them. This is key for security. When you reduce the number of people with access to sensitive data, you minimize the risk of leaks.
RFPIO’s out-of-the-box user roles include Super Admin, Admin, Manager, Team Member, and Project Requester. With Custom Roles (available as an add-on, or included with the enterprise package), you can create your own roles that make sense for your organization. For example, Content Owner, Reseller Partner, or Project Contributor, but really it can be whatever you want. The world of custom roles is your oyster.
Read our Help Center article to learn more about specific permission levels for the out-of-the-box user roles (RFPIO customers only).
5. Control visibility with collections
Collections is another, more granular way to control access to sensitive data.
While User Roles control access to projects and organization settings, Collections control access to content.
When you assign a piece of content to a collection, you can restrict visibility to that collection, either by a user group level (e.g. the sales team) or on an individual level. You can get as granular as you’d like.
For example, you may choose to have a “security” collection and restrict visibility to just the InfoSec team. Or maybe you want a “financials” collection, and want to restrict access to just the finance team and upper management. Here’s a blog with more detail on using collections to organize your content (or scroll to the bottom to watch the webinar).
6. Get really granular with permissions
If you want to get really in the weeds with visibility, you can set privacy settings at the individual object level (e.g. a Q&A pair). Rather than assigning it to a collection, you can set privacy settings to control who can view or edit a specific piece of content.
If there’s a Q&A pair you really only want upper management to have access to, you can do that.
You can also adjust view and edit permissions. For example, maybe there’s a question about a product feature that you really only want the product team to be able to edit, but still want to give your marketing team access to view.
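The three layers described in sections 4 to 6 (role permissions, collection visibility, and object-level view/edit overrides) compose into a single authorization decision. The following is an added example of that composition, not RFPIO's own permission model: the permission strings attached to each role, the `Collection` and `ContentItem` classes and the sample users are all constructed assumptions, and the page does not say which permissions each built-in role actually grants. The rule the example enforces is the one the text implies: a request must pass the role check, then the collection check, then any object-level override, and editing is never allowed where viewing is not.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Assumed permission sets per built-in role; the role names are from the page,
# the permissions attached to them are not.
ROLE_PERMS = {
    "Project Requester": {"project:request"},
    "Team Member": {"project:request", "content:view", "content:edit"},
    "Manager": {"project:request", "project:manage", "content:view", "content:edit"},
    "Admin": {"project:request", "project:manage", "content:view", "content:edit",
              "users:manage"},
    "Super Admin": {"project:request", "project:manage", "content:view", "content:edit",
                    "users:manage", "org:settings"},
}


@dataclass
class User:
    email: str
    role: str
    groups: Set[str] = field(default_factory=set)


@dataclass
class Collection:
    """A collection is unrestricted unless it names allowed groups or users."""
    name: str
    allowed_groups: Set[str] = field(default_factory=set)
    allowed_users: Set[str] = field(default_factory=set)

    def visible_to(self, user: User) -> bool:
        if not self.allowed_groups and not self.allowed_users:
            return True
        return user.email in self.allowed_users or bool(user.groups & self.allowed_groups)


@dataclass
class ContentItem:
    """A Q&A pair. None means 'inherit from role + collection'; a set is an explicit allow-list."""
    title: str
    collection: Collection
    view_allow: Optional[Set[str]] = None
    edit_allow: Optional[Set[str]] = None


def can(user: User, action: str, item: ContentItem) -> bool:
    """Role, then collection, then object-level override. Any layer can deny."""
    if f"content:{action}" not in ROLE_PERMS.get(user.role, set()):
        return False
    if not item.collection.visible_to(user):
        return False
    if item.view_allow is not None and user.email not in item.view_allow:
        return False  # cannot view, so cannot edit either
    if action == "edit" and item.edit_allow is not None and user.email not in item.edit_allow:
        return False
    return True


# Constructed sample data mirroring the text's "financials" and product-feature examples.
finance = Collection("financials", allowed_groups={"finance"}, allowed_users={"cfo@example.com"})
general = Collection("general")
revenue_qa = ContentItem("FY revenue breakdown", finance)
roadmap_qa = ContentItem("Feature roadmap", general, edit_allow={"pm@example.com"})

cfo = User("cfo@example.com", "Manager")
sales_rep = User("rep@example.com", "Team Member", {"sales"})
pm = User("pm@example.com", "Team Member", {"product"})
requester = User("req@example.com", "Project Requester")


def demo():
    """Return the decision matrix for the sample users and items."""
    return {
        "cfo views revenue": can(cfo, "view", revenue_qa),          # True via allowed_users
        "sales views revenue": can(sales_rep, "view", revenue_qa),  # False: collection restricted
        "sales views roadmap": can(sales_rep, "view", roadmap_qa),  # True
        "sales edits roadmap": can(sales_rep, "edit", roadmap_qa),  # False: edit override
        "pm edits roadmap": can(pm, "edit", roadmap_qa),            # True
        "requester views roadmap": can(requester, "view", roadmap_qa),  # False: role lacks view
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```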
7. Keep up with your audits
With RFPIO, all activities are tracked and logged at different levels (e.g. project level, content level).
Every so often, I’d recommend pulling the Activity Report, which monitors all user activity within the application—including permission changes, user creation, and user deactivation.
For example, you might notice that an individual user’s permissions have been changed to give them broader access to data that may not be relevant to their role. In response, you can reach out to the person who made the change for more information—and, if necessary, reverse their permission levels to a level more appropriate to their role.
You can also pull the User Login Activity Report. This log includes information about:
- Who accessed the account,
- When it was accessed,
- Where it was accessed (e.g. IP address), and
- How they logged in (e.g. SSO, username + password, etc.)
Using the User Login Activity Report, Admins can see if the user logged in at odd hours, like on the weekend or very late at night. This could be an indication of unauthorized access that could lead to a data breach.
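The review the text describes (odd-hour logins, permission changes that broaden access) can be scripted rather than eyeballed. The following is an added example that runs that logic over two small constructed CSV extracts; it is not RFPIO's report format, and the column names, the business-hours boundaries (06:00 to 22:00 on weekdays) and the relative rank of the built-in roles are all assumptions made for the illustration. It also flags a login from an IP address not previously seen for that user in the extract and, optionally, any non-SSO login for organizations that expect everyone to come in through SSO.

```python
import csv
import io
from datetime import datetime

# Constructed sample exports (not RFPIO's actual report columns).
LOGIN_REPORT = """user,timestamp,ip,method
alice@example.com,2024-03-04T09:12:00,203.0.113.10,SSO
alice@example.com,2024-03-09T23:45:00,198.51.100.7,password
bob@example.com,2024-03-05T14:02:00,203.0.113.11,SSO
bob@example.com,2024-03-06T03:10:00,203.0.113.11,SSO
"""

ACTIVITY_REPORT = """timestamp,actor,action,target,old_value,new_value
2024-03-05T10:00:00,admin@example.com,role_change,carol@example.com,Team Member,Admin
2024-03-05T10:05:00,admin@example.com,role_change,dave@example.com,Manager,Team Member
2024-03-06T03:15:00,bob@example.com,user_created,eve@example.com,,Team Member
"""

# Assumed ordering of the page's built-in roles from least to most privileged.
ROLE_RANK = {"Project Requester": 0, "Team Member": 1, "Manager": 2, "Admin": 3, "Super Admin": 4}


def off_hours_reasons(ts: datetime, day_start: int = 6, day_end: int = 22) -> list:
    """Return why a timestamp is outside business hours (empty list if it is not)."""
    reasons = []
    if ts.weekday() >= 5:
        reasons.append("weekend")
    if ts.hour >= day_end or ts.hour < day_start:
        reasons.append("outside business hours")
    return reasons


def flag_logins(report: str, require_sso: bool = True) -> list:
    """Flag off-hours logins, first-seen IPs per user, and (optionally) non-SSO logins."""
    findings, seen_ips = [], {}
    for row in csv.DictReader(io.StringIO(report)):
        ts = datetime.fromisoformat(row["timestamp"])
        reasons = off_hours_reasons(ts)
        ips = seen_ips.setdefault(row["user"], set())
        if ips and row["ip"] not in ips:
            reasons.append(f"new IP {row['ip']} for user")
        ips.add(row["ip"])
        if require_sso and row["method"] != "SSO":
            reasons.append(f"non-SSO login ({row['method']})")
        if reasons:
            findings.append({"user": row["user"], "timestamp": row["timestamp"], "reasons": reasons})
    return findings


def flag_activity(report: str) -> list:
    """Flag role changes that broaden access and admin actions performed off-hours."""
    findings = []
    for row in csv.DictReader(io.StringIO(report)):
        ts = datetime.fromisoformat(row["timestamp"])
        reasons = off_hours_reasons(ts)
        if row["action"] == "role_change":
            old = ROLE_RANK.get(row["old_value"], -1)
            new = ROLE_RANK.get(row["new_value"], -1)
            if new > old:
                reasons.append(f"role broadened {row['old_value']} -> {row['new_value']}")
        if reasons:
            findings.append({"actor": row["actor"], "action": row["action"],
                             "target": row["target"], "timestamp": row["timestamp"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_logins(LOGIN_REPORT) + flag_activity(ACTIVITY_REPORT):
        print(f)
```

On the sample data this surfaces alice's Saturday-night password login from a new address, bob's 03:10 login, carol's promotion from Team Member to Admin, and a user created by bob at 03:15; dave's move from Manager to Team Member is a narrowing and is left alone.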
8. Set up “session timeout”
Avoid the risk of internal attacks by setting up session timeouts that automatically log you out of the application. This is most relevant for organizations working in an office setting.
Here’s the scenario: The VP of Sales leaves their desk for a meeting. Scooby-Doo walks over to the VP of Sales’ desk and downloads a bunch of sensitive financial information from RFPIO, and uses it to wreak havoc. Classic Scooby move.
To prevent this kind of situation from happening, you should set up “session timeout”. The default timeout is 20 minutes, but you can adjust according to your needs.
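An idle session timeout is enforced on the server, not just in the browser: every request checks how long the session has been inactive before it is honoured, and sessions that never send another request are swept out anyway. The following is an added example of that mechanism using the page's 20-minute default; it is not RFPIO's implementation. The `SessionStore` class and the additional absolute lifetime cap of 12 hours (which the page does not mention) are assumptions made for the illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional


class SessionStore:
    """Constructed in-memory session store with idle timeout (page default: 20 minutes)
    and an assumed absolute lifetime cap so a continuously-used session still ends."""

    def __init__(self, idle_timeout=timedelta(minutes=20), max_lifetime=timedelta(hours=12)):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._sessions: Dict[str, dict] = {}

    def create(self, session_id: str, user: str, now: datetime) -> None:
        self._sessions[session_id] = {"user": user, "created": now, "last_seen": now}

    def _expired(self, s: dict, now: datetime) -> bool:
        return (now - s["last_seen"] > self.idle_timeout
                or now - s["created"] > self.max_lifetime)

    def touch(self, session_id: str, now: datetime) -> Optional[str]:
        """Call on every request: returns the user if the session is still valid,
        otherwise destroys it and returns None (the caller must re-authenticate)."""
        s = self._sessions.get(session_id)
        if s is None:
            return None
        if self._expired(s, now):
            self._sessions.pop(session_id, None)
            return None
        s["last_seen"] = now  # activity resets the idle clock
        return s["user"]

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)

    def sweep(self, now: datetime) -> int:
        """Background eviction for sessions whose client simply walked away."""
        expired = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)

    def active_count(self) -> int:
        return len(self._sessions)


def demo():
    """The VP of Sales scenario: 15 minutes idle is fine, 21 minutes idle is not."""
    t0 = datetime(2024, 3, 4, 9, 0)
    store = SessionStore()
    store.create("vp-session", "vp.sales@example.com", t0)
    a = store.touch("vp-session", t0 + timedelta(minutes=10))   # user
    b = store.touch("vp-session", t0 + timedelta(minutes=25))   # 15 min idle: still user
    c = store.touch("vp-session", t0 + timedelta(minutes=46))   # 21 min idle: None
    return a, b, c


if __name__ == "__main__":
    print(demo())
```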
9. Bring Your Own Key (BYOK)
Set up an extra layer of security with BYOK. RFPIO already encrypts data with our own mechanism, but if you want that added boost… you should consider BYOK.
Basically, BYOK gives you the ability to provide your own encryption key to protect your data—on top of the encryption that RFPIO already uses. This is an added measure for fighting unauthorized access to data.
If you’re an RFPIO customer, learn more about BYOK in the Help Center.
10. Securely share information via Linked Companies
Share company information with partners (e.g. resellers) in such a way that they can only view and use it—but don’t have edit access. This essentially transforms your RFPIO Answer Library into an internal knowledge base that your reseller partners can use to respond to RFPs or answer any other questions that may come up during the sales cycle.
You can set this up using Linked Companies. Learn more about how to set up and use Linked Companies in the Help Center (RFPIO customers only).