Security to start with
We work in cybersecurity and we hold ourselves to a high standard. These rules apply to everyone from day one.
MFA — mandatory
Turn on multi-factor authentication on all company accounts (M365/Entra, GitHub, Azure). Use an authenticator app, not SMS, wherever possible.
Did you know: our own ZEUS console also requires 2FA via email — we look after the security of our own product too.
Passwords and secrets
- Long, unique passwords from a password manager — never the same one in multiple places.
- Zero secrets in the code. Keys, tokens, passwords → Key Vault / GitHub Secrets.
- We scan repositories for leaked secrets (gitleaks). A leaked secret is rotated immediately and reported; deleting the commit is not enough, because the value is already in history.
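The kind of check gitleaks runs, shown here as an added example that is not ProfessNet's gitleaks configuration and not part of the original page: a small scanner that walks source lines, matches a few assumed token patterns, and flags long quoted literals whose Shannon entropy looks like a random key. The patterns, the threshold, the `# secret-scan:allow` marker and the sample lines are all constructed for this example; the GitHub-style token below is a fake built to fit the pattern.

```python
import math
import re
from typing import Dict, List, Set, Tuple

Finding = Tuple[int, str, str]  # (line number, rule name, masked value)

# Assumed patterns for this example, not gitleaks's real rule set.
PATTERNS = {
    # classic GitHub personal access token: "ghp_" + 36 alphanumerics
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # "password = '...'" style assignments with a literal of 8+ chars
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# Any quoted literal of 20+ base64/hex-ish characters is an entropy candidate.
QUOTED_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0      # bits per character; random keys sit around 4.5-6
ALLOW_MARKER = "# secret-scan:allow"  # our own inline allowlist convention


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical character distribution of s."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Never echo the full secret into a report; keep a short prefix only."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_lines(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        if ALLOW_MARKER in line:          # explicitly accepted test fixture
            continue
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(m.lastindex or 0)   # last group = the value
                findings.append((no, name, mask(value)))
        for m in QUOTED_LITERAL.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((no, "high_entropy_literal", mask(value)))
    return findings


def rules_by_line(lines: List[str]) -> Dict[int, Set[str]]:
    """Convenience view: which rules fired on which line."""
    out: Dict[int, Set[str]] = {}
    for no, rule, _ in scan_lines(lines):
        out.setdefault(no, set()).add(rule)
    return out


# Constructed sample input (not real code or real credentials).
SAMPLE_LINES = [
    'DB_HOST = "db.internal.example"',                             # clean
    'GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"',  # fake PAT
    'password = "correct-horse-battery"',                          # literal password
    'SIGNING_KEY = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"',            # random-looking key
    'token = os.environ["API_TOKEN"]',                             # correct: from env/secret store
    'TEST_FIXTURE = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"  ' + ALLOW_MARKER,
]

if __name__ == "__main__":
    for no, rule, shown in scan_lines(SAMPLE_LINES):
        print(f"line {no}: {rule}: {shown}")
```

The entropy rule is what catches keys no regex knows about, and it is also the noisy one: hashes, UUIDs and base64 test data trip it, which is why an explicit allow marker (gitleaks has its own equivalent) matters more than lowering the threshold. Run a scanner like this in a pre-commit hook and in CI; a hit in CI means the value is already in history and must be rotated regardless of how fast the commit is reverted.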
Phishing
The most common attack vector. The rules:
- Don't click "urgent" links from unknown addresses.
- Check the sender's domain (profesnet.pl ≠ professnet.pl).
- In doubt? Report to IT: better once too often than too rarely.
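What "check the sender's domain" looks like when a mail filter does it for you, as an added example that is not part of the original page and not ProfessNet's tooling: normalise the domain (lowercase, strip non-ASCII homoglyphs, map a few common confusables), then treat anything within a small edit distance of the company domain, or carrying it as a prefix label, as a lookalike. The trusted domain, the confusables map and the sample addresses are assumptions made for this example; it goes a little beyond the page's single typo case by also catching digit-for-letter and Cyrillic-letter substitutions and "professnet.pl.evil..." prefix tricks.

```python
import unicodedata
from typing import Set

TRUSTED_DOMAINS: Set[str] = {"professnet.pl"}   # assumed legitimate domain
# Tiny confusables map for the example; real filters use the Unicode confusables table.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
MAX_DISTANCE = 2   # edit distance still counted as "looks like ours"


def sender_domain(address: str) -> str:
    """Extract the domain from 'user@dom' or 'Display Name <user@dom>'."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    if "@" not in addr:
        raise ValueError(f"not an e-mail address: {address!r}")
    return addr.rsplit("@", 1)[1]


def normalize(domain: str) -> str:
    """Lowercase, drop non-ASCII (Cyrillic/accented homoglyphs), fold confusables."""
    d = domain.lower().strip().rstrip(".")
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(address: str) -> str:
    """'trusted' = exactly ours or a subdomain; 'lookalike' = suspiciously close; else 'external'."""
    raw = sender_domain(address).lower().rstrip(".")
    if raw in TRUSTED_DOMAINS or any(raw.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    folded = normalize(raw)
    for t in TRUSTED_DOMAINS:
        if folded == t:                      # homoglyph / confusable substitution
            return "lookalike"
        if t in folded:                      # "professnet.pl.evil.example" prefix trick
            return "lookalike"
        if levenshtein(folded, t) <= MAX_DISTANCE:   # typo-squat like profesnet.pl
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample senders for the example.
    for addr in ["it@professnet.pl", "it@profesnet.pl", "it@pr0fessnet.pl",
                 "Jan <jan@professnet.pl.evil.example>", "newsletter@example.com"]:
        print(f"{addr:45} -> {classify(addr)}")
```

The edit-distance rule is deliberately tight (2) because on short domains a looser bound matches half the internet; the suffix check is the only thing allowed to say "trusted", and it looks at the raw domain, not the folded one, so a homoglyph can never promote a sender. None of this replaces SPF/DKIM/DMARC on the receiving side; it is the lookalike check those standards do not perform.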
Client data — sacred
- We work with least privilege: read-only access by default, write access only when the task requires it.
- Client data does not leave the client's environment without a clear basis.
- Don't copy production data to a laptop or to private tools.
What to do in an incident
- Don't hide it. Report it immediately (your buddy / IT / security).
- Don't "fix it quietly" — you might destroy traces needed for analysis.
- Write down what happened and when.
The ProfessNet standard: a reported bug is a good bug. A "no blame" culture — what counts is a fast reaction, not finding someone to blame.
Security is a habit, not a one-off lesson. In the next part — the plan for your first week.