Charles McColgan, CTO at TeleSign, says:

There have been hacks from some very high profile companies that made front-page news recently. Though each hacks is different, there are common best practices to learn.

1. Suggest that your users provide a unique password  

Users should have a random and different password for each site they use. The problem with a stolen password is that frequently the user has leveraged the same password across several accounts.

2. Leverage your user’s phone as a second factor

If two-step verification is set-up, then it wouldn’t matter if passwords were compromised, because the hacker would need to know the password and have physical possession of the authentication devices – in most cases the end users phone. 

3. Verify users when they exhibit unusual behavior

During sign-in, users can establish their phone as a trusted device. When the user logs in from a new device or engages in unusual behavior or behavior that patterns fraudulent activity, a secondary authentication occurrence should be triggered.

4. Collect a phone number for important alerts

Attaching a verifiable phone number to an account enables you to streamlining password resets and secure communication to your user base if there is ever a system-wide data breach.

5. Communicate, communicate, communicate

Companies that have been hacked need to quickly tell users that a breach occurred, how it occurred, and what the user needs to do. Be transparent about what data was compromised and what you are doing to fix the problem. Give your users peace of mind by explaining how you protect their password, credit card information, and other important details.

Just as companies buy insurance to cover fire or flood loss related to their buildings, organizations have to insure their most valuable asset: their data. And the best ways to protect data is following best practices and learn from the companies that have been hacked.