Security is of paramount importance at Parallel given the sensitive nature of the information we handle. This section contains some of our high-level guidelines for helping ensure the safety and security of our confidential information. This list is not complete; it represents only a small subset of the guidelines found in our Security Policy.
- Use a separate password for every service (for instance, your Gmail password should be different from your Slack password), so that one leaked password cannot be replayed against your other accounts.
- Use your password manager's password generator to create long, random passwords rather than inventing them yourself.
- Don't share passwords (with co-workers, friends, strangers, or any other people, living or dead). Every person should have their own account on every service, so that access can be audited and revoked individually.
Use multi-factor authentication (also called two-factor authentication, or 2FA) for every service that offers it. Note that 2FA is mandatory for most Parallel services.
- Always prefer a time-based one-time password (TOTP, a code that changes every 30 seconds) over a code sent by text message. SMS 2FA is vulnerable to SIM swapping, where an attacker convinces your carrier to move your phone number to their SIM and then receives your codes. A TOTP code is computed on your device from a secret shared when you enrolled, so it never travels over the phone network. Where a service supports a hardware security key (FIDO2/WebAuthn), that is stronger still, because it also resists phishing.
- Use an app like Google Authenticator or Authy to generate your time-based one-time passwords.
- Some services let you download "backup codes" that you can use instead of a time-based code if you lose your phone (or access to your authenticator app). Each backup code typically works only once. Store them somewhere safe, such as in your password manager, and not on the phone they are meant to replace.
While browser extensions are easy to install and try out, only install extensions from sources you trust: an extension can run with access to every page you visit, including your logged-in sessions. Here are a few extensions we do recommend:
- HTTPS Everywhere - ensures that you connect to sites over encrypted HTTPS wherever they support it. (The EFF has since retired this extension; current versions of Chrome and Firefox provide an equivalent HTTPS-only mode in their settings.)
- Privacy Badger - A tool from the EFF, Privacy Badger automatically learns to block invisible trackers.
- uBlock Origin - blocks ads and the tracking scripts they load.
Turn off browser autofill for addresses and payment methods, since autofilled data can be captured by form fields a site hides from view:
- Apple Safari - go to settings (Safari ➡️ Preferences in the menu), choose AutoFill and uncheck all checkboxes.
- Google Chrome - go to the Autofill settings and disable address autofill and saved payment methods.
- Mozilla Firefox - go to the Privacy & Security preferences and scroll down to Forms and Autofill.
Here are some general guidelines for email:
- If you get an email that looks suspicious, forward the email to our IT support at firstname.lastname@example.org.
- An email can be suspicious even if it's from someone you know, for instance if it carries an unexpected link or attachment; a compromised or spoofed account looks exactly like the real sender.
- Don’t be afraid to reach out to anyone directly to ask if they sent something you weren’t expecting (for instance, reach out on Slack).
- When in doubt, reach out to email@example.com.
All Company hardware should have the Company’s device profile installed to enable remote lock/wipe in case your laptop is stolen. Your device should also:
- Have full hard drive encryption enabled (for macOS, use FileVault).
- Set your screensaver to lock your computer (and require a password to unlock) after a short period of inactivity.
- Never leave your phone or laptop unattended in a public place (for instance, at a coffee shop). Even a minute alone with an unlocked machine is enough for someone to copy data, install malware, or walk off with the device.
- Ensure all of the important files on your devices are backed up in one of our tools. All computers eventually die, act as though yours could expire any day.
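The disk-encryption and screen-lock requirements above can be checked from the command line on macOS. The script below is an added illustration, not Parallel's device tooling. It assumes `fdesetup status` prints "FileVault is On." or "FileVault is Off." on its first line, that `sysadminctl -screenLock status` reports "screenLock delay is immediate", "screenLock delay is N seconds" or "screenLock is off" (that output format is an assumption of this example), and that `defaults -currentHost read com.apple.screensaver idleTime` prints the idle seconds before the screensaver starts, with 0 meaning never. The thresholds are example policy values, not numbers from the page.

```python
"""macOS laptop posture check, written as an illustration for this page."""
import re
import subprocess

MAX_LOCK_DELAY = 60      # example policy: require password within a minute of the screensaver
MAX_IDLE_SECONDS = 600   # example policy: screensaver after at most 10 minutes idle


def run(argv: list[str]) -> str:
    """Run a command and return stdout+stderr; empty string if the tool is absent (non-macOS)."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout + proc.stderr


def filevault_on(status_output: str) -> bool:
    """`fdesetup status` may print extra lines (e.g. encryption progress); only line 1 matters."""
    first_line = status_output.strip().splitlines()[:1]
    return first_line == ["FileVault is On."]


def screen_lock_ok(status_output: str, max_delay: int = MAX_LOCK_DELAY) -> bool:
    """Password must be required immediately or within max_delay seconds of the screensaver.
    Unknown or empty output fails closed (assumed output format, see lead-in)."""
    text = status_output.strip()
    if not text or "is off" in text:
        return False
    if "delay is immediate" in text:
        return True
    match = re.search(r"delay is (\d+) seconds", text)
    return bool(match) and int(match.group(1)) <= max_delay


def idle_ok(idle_output: str, max_idle: int = MAX_IDLE_SECONDS) -> bool:
    """Screensaver must start after a positive, short idle period; 0 means 'never'."""
    text = idle_output.strip()
    if not text.isdigit():
        return False            # unreadable key: fail closed
    idle = int(text)
    return 0 < idle <= max_idle


def posture() -> dict[str, bool]:
    """Collect all checks; any False means the laptop does not meet the example policy."""
    return {
        "filevault": filevault_on(run(["fdesetup", "status"])),
        "screen_lock": screen_lock_ok(run(["sysadminctl", "-screenLock", "status"])),
        "screensaver_idle": idle_ok(run(
            ["defaults", "-currentHost", "read", "com.apple.screensaver", "idleTime"])),
    }


if __name__ == "__main__":
    results = posture()
    for check, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
    raise SystemExit(0 if all(results.values()) else 1)
```

Every parser fails closed on empty or unexpected output, so a laptop where the tool is missing or the format has changed shows up as non-compliant rather than silently passing; that is the safe default for a check that is meant to gate access to sensitive data.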
Be familiar with the general approaches used in social engineering, and know that you could be targeted because of your access to highly sensitive personal information. You should understand the vectors used: vishing (voice calls), phishing (email), and smishing (text messages).
If you have a company-issued laptop, do not allow any other person to use it for any reason. Someone could unwittingly visit a website carrying malvertising, or one that exploits a browser vulnerability. That risk is reduced (though not eliminated) if you are careful to visit only work-related sites, which can only be assured if you are the only person using the company equipment issued to you.
In general, we operate with a Zero Trust stance: we assume that our internal networks could be compromised and secure individual resources (accounts, devices, and services) rather than the network perimeter. Given the nature of our remote workforce and our use of cloud services, we cannot assume that resources are located within an enterprise-owned network boundary.