“There are risks and costs to a program of action — but they are far less than the long range cost of comfortable inaction.”
Keeping up with the latest security requirements in the digital world is an often overlooked task in our busy schedules. Recently we’ve seen an influx of security breaches, server outages and large-scale attacks like WannaCry and Petya.
Let’s discuss a few of the basic preventative steps you can take to secure your own digital assets as well as your company’s here in the last few months of 2017.
At Black Label, one of our main service offerings is website design and development, and whether we’re working with small or large-scale clients, we take security measures very seriously.
WHY WE USE WORDPRESS AND WPENGINE
In 2017, 28% of the entire internet is run by WordPress and the security team behind WordPress works round the clock to make sure that WordPress’ core files are secure. Updates are released on a regular basis and since WordPress was initially released, over 2,450 security vulnerabilities have been quickly patched.
In order to stay up to speed, updates to WordPress’ core files must be applied regularly (or, preferably, automatically). We host the majority of our personal and client websites with WPEngine because they do a top-notch job of keeping us aware of security concerns and provide automatic updates to all of our installs.
Aside from using WordPress and WPEngine, a few more general rules apply to any CMS and hosting platform you have chosen:
USERNAMES/PASSWORDS, PLUGIN LEGITIMACY & SSL
One of the simplest things you can do as a website user or administrator is to make sure you’re not using a generic username. Hacker bots often try a few thousand passwords against the default WordPress username “admin.” By simply creating a username other than “admin” you’re already one step ahead of malicious entities that may try to break into your site. If your password is also a unique string of capital and lowercase letters, numbers, and special characters, that’s even better.
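The bot behaviour described above shows up in failed-login records as one source address hammering the stock “admin” account. The following is an added example (not code from the original post or from WordPress) that flags such sources; the log line format, the threshold, the addresses and the user list are all constructed for the demo:

```python
# Added example (not from the original post): flag password-guessing
# against the stock "admin" WordPress user in failed-login log lines.
# Log format is constructed/hypothetical (e.g. what a login-logging
# plugin might write): "<timestamp> wp_login_failed user=<name> ip=<addr>".
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) wp_login_failed user=(?P<user>\S+) ip=(?P<ip>[\d.]+)$"
)

# Constructed sample: one bot hammering "admin", one user's typo.
SAMPLE_LOG = """\
2017-09-14T10:00:01Z wp_login_failed user=admin ip=203.0.113.7
2017-09-14T10:00:02Z wp_login_failed user=admin ip=203.0.113.7
2017-09-14T10:00:03Z wp_login_failed user=admin ip=203.0.113.7
2017-09-14T10:00:04Z wp_login_failed user=administrator ip=203.0.113.7
2017-09-14T10:15:40Z wp_login_failed user=jane.doe ip=198.51.100.23
this line is not a login record and is ignored
"""

def parse_failures(log_text):
    """Yield (user, ip) for every well-formed failed-login record."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("user"), m.group("ip")

def find_brute_force(log_text, threshold=3, existing_users=()):
    """Report sources with >= threshold failures. existing_users is the
    site's real account list, so noise aimed at a non-existent "admin"
    is told apart from guessing against an account that actually exists."""
    per_ip = Counter()
    tried_by_ip = defaultdict(set)
    for user, ip in parse_failures(log_text):
        per_ip[ip] += 1
        tried_by_ip[ip].add(user)
    report = {}
    for ip, n in per_ip.items():
        if n >= threshold:
            tried = tried_by_ip[ip]
            report[ip] = {
                "attempts": n,
                "users": sorted(tried),
                "targets_admin": "admin" in tried,
                "hits_real_user": bool(tried & set(existing_users)),
            }
    return report
```

Running `find_brute_force(SAMPLE_LOG, existing_users=["jane.doe"])` reports only 203.0.113.7, with `targets_admin` set and `hits_real_user` clear, which is exactly the case a renamed admin account turns into harmless noise.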
Another step you can take is to make sure the plugins you’re using on your site are legitimate and have been updated regularly. If a plugin hasn’t been updated in over a year, has unknown compatibility with the latest version of WP, and its ratings are low…it’s time to look for another option.
Installing an SSL certificate on your site is another step you can take to make your site more secure for you and your site’s visitors. SSL certificates authenticate the identity of your website and encrypt information sent between your visitors’ browsers and the server.
As announced last September, Chrome has begun marking non-secure (HTTP) pages containing password and credit card input fields as “Not Secure” in the URL bar. Coming this October, Chrome will begin marking non-secure pages where users type any data at all into a form input. If you’d like more info or need help installing an SSL certificate on your site, contact us.
DOMAIN AND HOSTING INFO
If you are working with an agency, freelancers or subcontractors, you should always keep control of your own domain and hosting accounts and grant access to third parties (not the other way around). Too often we see clients reaching out to old contacts in an attempt to regain control of their domain, at the mercy of the other party who set up the account on their behalf. Always make sure that the main account owner and email address on your domain and hosting accounts lead to your company and not to a third-party developer, agency or contractor.
Password Protection: Storage and Sharing
Aside from the importance of creating unique passwords, let’s also discuss personal password management and protection.
It should be understood at this point that keeping a document with all of your usernames and passwords on your hard drive or in your email account is definitely a bad idea. At Black Label we use 1Password, a password manager that encrypts your password data and serves it up seamlessly on your desktop, mobile device or favorite browser extension. We also recommend Team Password, a locally developed password manager that has amazing rates for larger teams.
When sharing a password with a coworker or business partner, we again want to stress the importance of using unique passwords for the various applications and services you subscribe to. If for some reason the person you share a password with turns out to be not-so-trustworthy, or has an infected computer, you won’t have given them access to all your other online accounts. That way, if a shared password is compromised, it won’t lead to the compromise of all your data.
Social Media Security
Social media accounts are often shared between employees and with vendors, so it is important to know your options and never over-share your account info.
Oftentimes as a vendor we are haphazardly added as “admins,” which definitely makes our life much easier but really gives us more access than we need. It is usually possible to share user access and set roles in a social media account rather than handing off the admin username and password itself.
Facebook and Instagram allow you to easily connect accounts, share permissions and add page roles to other users. Here’s more info about those page roles and what they do.
KNOW YOUR SOCIAL IMPRINT
It’s important to know what data from your social accounts is publicly available and what users see when they search for your company. Plan a quarterly task to audit this information: search Google and look within your social media accounts to find out what users see, whether or not they already follow your account. Become familiar with the privacy settings on each of your social media accounts and hide/show information as needed.
Employee Security Training
It’s important that a focus on security be shared by all of your employees and not just your account managers and tech departments.
As with WordPress, it is very important that you keep your software, accounts and web browsers as up to date as possible. Not only does that help us at Black Label as web developers, but it also ensures your software and data are protected. And remember that an investment now in up-to-date software can prevent a larger bill if your data is compromised in the future.
EMAIL – WHAT NOT TO OPEN
Email phishing scams are getting more and more inventive every day, so it’s important to make sure you and your employees are aware of common tactics and methods.
First and foremost, never respond to any email with an account password or private data unless you are positively sure you know the sender and their email address is legitimate. Look carefully at the sender’s email address and display name, and if any red flags arise, delete the email or mark it as spam.
Also, never open attachments or click links within an email unless you know the sender and their email address. This sounds like common knowledge, but it’s important that we are always on the lookout for email fraud and pay close attention to the details when navigating our inboxes.
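The “look carefully at the address and name” advice can be turned into a checklist a mail filter or a help-desk script applies to the From: and Reply-To: header values. The following is an added example (not code from the original post); the trusted company domain and every address in it are constructed for the demo:

```python
# Added example (not from the original post): a checker for the advice
# above to look carefully at the sender's address and display name. It
# parses From:/Reply-To: header values and returns the red flags found.
# TRUSTED_DOMAINS and every address used with it are constructed.
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"blacklabel.example"}  # hypothetical company domain

def _domain(addr):
    """Lower-cased domain part of an address, or "" if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def _is_lookalike(dom, trusted):
    """True if dom imitates a trusted domain (digit-for-letter swaps such
    as 0/o and 1/l, or the trusted name embedded in a longer domain)
    without being that domain or one of its subdomains."""
    if dom == trusted or dom.endswith("." + trusted):
        return False
    def strip(s):
        return re.sub(r"[^a-z0-9]", "", s.translate(str.maketrans("01", "ol")))
    return strip(trusted) in strip(dom)

def sender_red_flags(from_header, reply_to_header="", trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags for one message."""
    flags = []
    name, addr = parseaddr(from_header)
    dom = _domain(addr)
    if not dom:
        return ["From address is missing or malformed"]
    # Display name that itself looks like an address from another domain.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != dom:
        flags.append(f"display name shows @{m.group(1).lower()}, mail is from @{dom}")
    # Non-ASCII characters in the domain can hide homograph look-alikes.
    if not dom.isascii():
        flags.append(f"sender domain {dom!r} contains non-ASCII characters")
    for t in trusted:
        if _is_lookalike(dom, t):
            flags.append(f"sender domain {dom} imitates trusted domain {t}")
    # Replies silently routed to a different domain than the sender's.
    reply_dom = _domain(parseaddr(reply_to_header)[1])
    if reply_dom and reply_dom != dom:
        flags.append(f"Reply-To goes to @{reply_dom}, not @{dom}")
    return flags
```

An empty list means none of the listed red flags was found, not that the message is safe; the attachment and link advice above still applies.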
Break It Down
Try to stay in the loop with current security news and educate yourself on the latest security events and issues. By taking a few of the simple steps we’ve outlined above you can make sure your data, your company’s data and your customers are secure. And if all of these tasks feel overwhelming, break it down and plan ahead to work on securing one area a week or a month.
As a sponsor of the Waterfront Tech Series, we would also like to point you to their upcoming event “Episode 2: Privacy, Fraud, and Breaches…Oh My!” where multiple speakers will be discussing security, fraud, privacy issues, hacks, and breaches that affect every single one of us.