Your company's security checklist

The list below contains general security recommendations (not unique to Duda) that you should enforce within your organization. Although cybersecurity measures are frequently adapted to counter ever-evolving threats, these guidelines remain consistent year after year. As you read through, think about the security practices at your company and identify areas for improvement.
Best practices for strong security
Use strong, unique passwords or use biometric authentication
Creating strong, unique passwords is the first line of defense against unauthorized access to your accounts. This is crucial in preventing a variety of attacks, such as brute-force or credential stuffing.
- Whenever possible, enable fingerprint scanning or facial recognition as an additional layer of security for easy, but secure, access to company devices
For Duda account owners:
Duda does not currently enforce password rotation; however, we strongly recommend that you update your passwords every three months to further enhance your account's security.
Use Two-Step Verification (2SV) or Two-Factor Authentication (2FA) when available
We strongly encourage teams to either use Google SSO for login, as it leverages Google's robust security infrastructure, or enable 2-Step Verification (2SV) directly within the Duda platform. Both options provide an extra layer of protection, ensuring your account remains secure even if your password is compromised.
Keep software and browsers up to date
Always keep your team's operating systems, web browsers, and software applications up to date with the latest security patches and features. Outdated software can have vulnerabilities that hackers may exploit. This is why Duda only supports the latest versions of browsers.
(See our System Requirements article.)
Use antivirus and anti-malware software
Make sure your teams have reliable antivirus and anti-malware software installed and kept up to date to maintain a secure environment.
Did you know?
Infostealer malware attacks (malware designed to steal PII and other sensitive data) are on the rise. Businesses and individuals need to be cautious. Here are several articles containing information to help you protect yourself and your organization:
- Muncaster, P. (2025, April 16). They're coming for your data: What are infostealers and how do I stay safe? welivesecurity.
- Poireault, K. (2024, December 13). What you need to know about infostealers. Infosecurity Europe.
- Gosher, D. (2025, February 19). Stealer malware exposed: The key suspect in identity credential theft. Bitsight.
- Klappholz, S. (2025, March 11). A "significant increase" in infostealer malware attacks left 3.9 billion credentials exposed to cyber criminals last year – and experts worry this is a ticking time bomb for enterprises. IT Pro.
Be cautious when using 3rd-party APIs and external code
When using 3rd-party APIs, research the API provider's security track record.
In addition:
- Read the API documentation carefully to understand what data is collected, stored, and shared
- Rotate API keys regularly and store them securely (never hardcode them in your codebase!)
- Regularly review API permissions and revoke access when it's no longer needed
Securing company-provided devices
Locking and encrypting your company's devices ensures that even if they are lost or stolen, unauthorized users cannot access sensitive information. To do this:
- Enable device encryption: Most modern operating systems, like Windows, macOS, iOS, and Android, offer built-in encryption. Turn on full disk encryption (e.g., BitLocker for Windows, FileVault for macOS, or Android/Apple's native encryption features) to protect your data even if a device is compromised.
- Company-approved devices only: Only company-provisioned devices should be permitted on the company network and its cloud platforms. While employees can use personal phones to access certain collaboration and reporting tools, only company laptops should be permitted for work.
- Enable automatic locking: Set your devices to lock after a short period of inactivity to minimize the chance of someone accessing them if you forget to lock them manually.
- External storage restrictions: The use of external storage devices should be prohibited unless explicitly approved by your security/IT professional.
- Data security on devices: Devices must never be left unattended in public spaces, especially while traveling. Ask your team to report any lost or stolen devices immediately.
Require regular security training
Training your employees about cyber threats is crucial. Human error is one of the biggest security risks businesses face. Even the most advanced security systems can’t protect against mistakes like clicking on phishing emails, using weak passwords, or mishandling sensitive data.
Regular training helps employees recognize threats, follow best practices, and respond appropriately to potential attacks. By fostering a security-first mindset, you create a stronger defense against cybercriminals and reduce the risk of data breaches, financial loss, and reputational damage.
Be cautious with public Wi-Fi
Public Wi-Fi networks are less secure than private networks. If an employee routinely needs to work from hotels or coffee shops, using a VPN can offer additional security.
Back up your data
Regular backups ensure that your important files are safe, even if your device is compromised or lost. Keep in mind, however, that backups are a protective (recovery) measure rather than a preventive one.
For Duda sites, Duda automatically creates up to 50 backups of your sites, ensuring that you can restore your site to a previous version if needed. Additionally, site owners have the ability to create their own backups at any time. For more information on how to manage backups in Duda, visit this article on site backups.
Bottom line
To ensure solid security practices within your organization:
- Enforce strong and unique passwords and promote biometric authentication
- Mandate and manage Multi-Factor Authentication (MFA) across all available platforms (including your Duda account, your email provider, and other cloud services)
- Maintain up-to-date software and systems
- Secure company-provided devices and manage external access
- Conduct regular security awareness training
A key theme throughout this course is that security is a shared responsibility. That responsibility includes your clients! On the next page, check out a resource you can brand with your logo and distribute to your clients.