Security

MCC holds personal information about our clients, our staff, and our work. Keeping that information safe is part of every staff member's job, regardless of role. This page covers what you need to know — multi-factor authentication, password hygiene, recognising phishing, what to report, and a high-level summary of how MCC protects data. It is written for everyone, not just developers, and assumes no technical background.

1. Why security matters at MCC

Clients trust us with site addresses, contact details, contracts, photos, scheduling information, and in some cases financial records. That trust is part of how we win work and keep accounts. A security failure — even a small one — can erode it quickly.

Security is also part of everyday work. A compromised email account can be used to send convincing scams to clients in MCC's name. A lost laptop or phone that's still signed in can expose client details and create real problems for everyone involved. Good habits — strong unique passwords, watching for suspicious messages, locking screens when you step away — protect MCC's reputation and your own.

You don't have to be a security expert. The handful of habits described below cover most of what matters.

2. Multi-factor authentication (MFA)

Multi-factor authentication means signing in with two things rather than one — your password, plus a one-time code from your phone or a security app. Even if someone steals your password, they can't get in without the second factor.

You are required to have MFA enabled on your @matthewscleaningco.com.au login. When you sign in from a new device or location, Google will ask for a second factor. The most common method is a prompt on your phone or a code from the Google Authenticator app. Systematic enforcement of MFA across all accounts is being completed as part of an ongoing security review — if your account isn't set up yet, Glenn will be in touch.

If you lose your phone, your security app, or otherwise can't get to your MFA codes, contact Glenn (see Section 5) straight away so he can help you regain access without creating a security hole. Do not turn MFA off on your own, even temporarily.

3. Strong passwords

A strong password is long, unique, and not used anywhere else. The single most important rule: don't reuse passwords across accounts. If one site is breached, attackers will try the same password on every other site you use.

Use a password manager to make this practical. A password manager (e.g. 1Password, Bitwarden, Apple Keychain, Google Password Manager) generates long random passwords for every site and remembers them for you. You only need to remember one master password. Without a password manager, almost no-one ends up with unique passwords everywhere — it's just not realistic to remember dozens.

Never share your password with anyone, including IT staff or Glenn. If someone needs access to your account, they get their own account.

4. Recognising phishing

Phishing is when someone sends a message — usually email, sometimes a text — trying to trick you into giving up a password, clicking a malicious link, or sending money. Phishing is the most common way accounts are compromised, and the messages can look very convincing.

Common signs to watch for:

  • Urgency. "Your account will be closed in 24 hours unless you click this link." Real businesses don't operate this way.
  • Unfamiliar sender, or a familiar name on a strange address. A message that looks like it's from a supplier or colleague, but the email address is slightly off (e.g. glenn@matt-cleaning.co instead of @matthewscleaningco.com.au).
  • Suspicious links. Hover over a link before clicking — the real destination shows in your browser's bottom-left corner. If it doesn't match the visible text, treat it as suspicious.
  • Requests for credentials. No legitimate company will ever ask for your password by email. Ever.
  • Unexpected attachments. Especially .zip, .exe, .html, or anything that asks you to "enable macros".

If a message feels off — even if you can't say why — stop and check before clicking anything. The cost of pausing for 30 seconds is nothing; the cost of getting caught is enormous. If in doubt, forward the message to Glenn (see Section 5) and wait for confirmation before acting.

5. Reporting suspected security issues

If you spot anything that feels wrong, report it. The earlier we know, the easier the fix.

Contact: Glenn Murray — glenn@matthewscleaningco.com.au

Things worth reporting include:

  • A suspicious email, text, or call (even if you didn't click anything).
  • A lost or stolen laptop, phone, or any device you use for work.
  • Suspecting your password has been compromised, or noticing unfamiliar account activity.
  • Anyone asking you to share credentials or bypass a security step.
  • Anything that feels wrong, even if you can't explain why.

You will never get in trouble for reporting something that turns out to be nothing. Reporting is always the right call.

6. How we protect data

MCC protects client and staff data through a layered set of controls:

  • Identity and access. Google Workspace single sign-on with MFA on every account (rollout completing as part of an ongoing security review). Access to sensitive systems is granted explicitly per role.
  • Encrypted connections. All access to MCC's systems happens over encrypted channels (HTTPS), so data is protected in transit.
  • Access controls in the BMS. Staff see only what their role needs.

For the specifics of how we collect, store, use, and disclose personal information — including individuals' rights and how to make a privacy request — see MCC's public privacy policy at https://matthewscleaningco.com.au/privacy-policy/.