Why would you listen to me about business security and business protection?
At the moment we all need all the help we can get.
I need help in marketing, sales, management and many more areas, actually too many to mention.
Most people on the other hand are really good in these spaces.
Like you I have expertise and mine is security.
This expertise was born from a love for all things computer and digital more than 35 years ago.
I cut my teeth on mainframes, 10 kg disks and programming in Fortran.
I then transitioned into the spaces occupied by Amiga (blast from the past), Windows and Apple.
When I left the navy, my civilian studies earned me a large number of vendor certificates.
That got me jobs in ISPs, networking, managed services and security.
Like everyone else, I thought I knew it all.
In 2008 I was hacked and I discovered that my intimate knowledge of these systems only just saved me from losing a substantial amount of money.
It made me realize that with all of my knowledge when it comes to security and protecting my assets, I was a babe in the woods.
If I was an easy target, then the rest of the cyber and digital users were just plain easy.
So I dived into this space and 4 years later I was quite an accomplished hacker and I wrote the book “Business security basics”.
Working at times for 24, 48 or 72 hours straight, which drove my wife mad, I gained an intimate knowledge of what they could do, how they could do it and why we need to learn all we can about it.
In 2014 I wrote another book, “Cybercrime a clear and present danger”. We developed (and continue to develop) business security systems and requirements that move organisations from easy target (sitting ducks) to a lot better protected (moving targets).
The next book, “From sitting duck to moving target”, should be released next year.
I realized that everyone needs help in this space.
So here is an easy way to learn what you need to do to protect your organisation.
At no cost, except for an hour of your time, let me show you what you need to do for your business to protect it from today’s cybercriminals.
Sign up for the FREE 60 minute Friday webinar happening tomorrow at 10:30.
If you have been following the introduction of these EU data protection regulations, then you already know how big an issue this is going to be. You would also realise that you may not have the time, money or expertise to implement a protection plan.
You may know about them but have thought they have nothing to do with you or your organisation.
You would be wrong.
These regulations are going to have a profound effect on businesses and organisations not just in the European Union but in Australia and all over the world.
Strict protection and compliance is the name of the game, but for most SMEs in Australia, where “she’ll be right” is the foremost thought when it comes to compliance, there are going to be some serious issues.
The regulations require that EU personal data collected by any organisation is governed with the same controls and compliance obligations as if it were held by an EU organisation.
But I am not in the EU, you say.
The regulations apply to anyone in the EU whose personal data is in your database, regardless of where your organisation is based.
With the internet making every organisation global, how do you stop it from happening to you?
You could geofence your website, but there are always ways around that if someone wants to purchase your product, and if their data still ends up in your systems the obligation comes with it.
This is a major issue.
The impact – get hacked, pay huge fine, go out of business!
I have been harping on about compliance and business security for the last 13 years.
This is what you need.
Get a framework!
Any framework will do, but I recommend the NIST Cybersecurity Framework.
Frameworks are not easy to implement, manage and control, but the work has to be done to protect every organisation from a cyber event.
Some of the questions you need to ask are:
Who do I know who can help with a framework?
How much will compliance cost?
How much would a breach cost?
How complex is the job of implementation?
What risks do we have to mitigate, remove or remediate?
What answers did you get?
For your next step talk to me.
Roger Smith is funny, scary, on point and is focused on one thing – increasing everyone’s awareness and understanding of the problems and issues associated with the digital world.
He is the winner of the worldwide 2018 Cybersecurity Educator of the Year award and was runner-up in 2017.
He is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercrime, Cybersecurity and the hacking techniques used by the digital criminal.
He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI. He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.
One of the worst situations you can be in is an acrimonious separation of an IT person from an organisation.
A bad separation, just like a bad divorce, can have a significant impact.
Large organisations have systems, policies, procedures and processes in place that protect the organisation, when they are used, of course. If followed, they protect the organisation well.
SMEs, on the other hand, have different problems.
We have come across smaller organisations that still have old staff members on the books with full administrator access to everything that is still being done in the organisation.
The problems this creates can be huge.
They have access to privileged accounts: accounts that can do anything in the organisation's digital world.
Just a few ideas of what they can do!
They can steal your trade secrets and take them / sell them to your opposition.
They can steal your client list and use them for a number of bad things – competition, blackmail, sabotage.
They can cause software issues, lockouts and shutdowns.
They can lock legitimate users, or all users, out of the organisation.
In most cases the IT person is there because they know computers. They were allocated the role when they joined and you may even have paid for some education and training packages to make them better.
This just puts them in the position of holding the keys to the kingdom.
If you are going to remove an IT person from your organisation, the best thing you can do is outsource your IT, for a short time or indefinitely. They have the expertise to protect your organisation and they are under contract to ensure your systems are safe. Whoever takes over, the first job is to disable the departing person's accounts and rotate every shared or privileged credential they ever knew, because outsourcing by itself does not take the keys back.
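The audit that follows is an added example, not code from the original page or from the author's toolbox. It runs over a constructed directory export and a constructed HR roster (all usernames, group names and dates are made up for the example) and flags the three situations the passage above describes: a departed person's admin account still enabled, a privileged account nobody has used for months, and a shared or service credential that a leaver once held and that therefore has to be rotated. A real export from Active Directory, Google Workspace or a cloud IAM listing would be loaded into the same `Account` shape.

```python
"""Offboarding audit for privileged accounts (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Groups whose members can do "anything in the organisation's digital world".
# Assumed names; substitute the groups that matter in your own directory.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Firewall Admins",
    "WordPress Administrators", "Backup Operators",
}


@dataclass
class Account:
    username: str
    owner: Optional[str]            # HR identity; None for shared/service accounts
    enabled: bool
    groups: Set[str]
    last_login: Optional[date]      # None = never logged in, or no record
    known_to: Set[str] = field(default_factory=set)  # people who have held the password


def is_privileged(acct: Account) -> bool:
    return bool(acct.groups & PRIVILEGED_GROUPS)


def audit_privileged_access(accounts: List[Account], current_staff: Set[str],
                            today: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for privileged accounts that need action.

    departed-still-enabled         owner is no longer on the HR roster
    stale-privileged               enabled admin account unused for > stale_days
    credential-known-to-departed   a leaver has held this password: rotate it
    """
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not is_privileged(acct):
            continue
        if acct.enabled and acct.owner is not None and acct.owner not in current_staff:
            findings.append((acct.username, "departed-still-enabled"))
        if acct.enabled and (acct.last_login is None
                             or (today - acct.last_login).days > stale_days):
            findings.append((acct.username, "stale-privileged"))
        leavers = acct.known_to - current_staff
        if leavers:
            findings.append((acct.username,
                             "credential-known-to-departed:" + ",".join(sorted(leavers))))
    return findings


# Constructed sample data: carol has left, but her admin account and the
# shared passwords she knew were never dealt with.
AUDIT_DATE = date(2018, 6, 1)
CURRENT_STAFF = {"alice", "bob"}
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", True, {"Domain Admins"}, date(2018, 5, 30)),
    Account("bob", "bob", True, {"Staff"}, date(2018, 5, 31)),
    Account("carol", "carol", True, {"Domain Admins", "Firewall Admins"}, date(2017, 11, 2)),
    Account("svc-backup", None, True, {"Backup Operators"}, date(2018, 5, 31),
            known_to={"alice", "carol"}),
    Account("wpadmin", None, True, {"WordPress Administrators"}, None,
            known_to={"carol"}),
]

if __name__ == "__main__":
    for user, finding in audit_privileged_access(SAMPLE_ACCOUNTS, CURRENT_STAFF, AUDIT_DATE):
        print(f"{user:12s} {finding}")
```

Run against the constructed data it reports nothing for alice or bob, two findings for carol (still enabled, and unused for over 200 days), and a rotation finding for each shared credential she knew; the `wpadmin` account is also flagged as stale because it has no login record at all. The point of the `known_to` field is that disabling a leaver's own account is not enough: every password they were ever told has to change too.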
We just threw it together on WordPress because it looked OK, pretty cool eh, what do you think?
These are some of the reasons and responses most organisations give about their websites. They do not consider the website an important component of their business security.
All of these implied reasons are BULL.
The damage that a compromised website can do to your reputation, your brand, your customers, your staff and your organisation in general can be devastating.
How can it have such an impact?
In today’s world everything is automated.
From building cars to assembling modem routers, it is all automated, created by robots or done with no human intervention.
Just set and forget!
In this world a bored teen with minimal parental supervision, access to the internet and a computer, tablet or smart device can download any number of automated systems that can and will target any website, just because it is attached to the internet.
Bored teenagers and hackers alike don’t even break a sweat: download, copy, paste, hack!
It’s just that easy!
Automated systems target everyone!
That is why a million-plus sites were hacked or defaced by exploits in the last 12 to 18 months.
Once again: attached to the digital world = target!
WordPress security can be very easy as well as exceedingly difficult.
Like any required expertise, anyone can do it but it takes an expert to actually secure a website properly.
Just one bad plugin or update and your site is theirs!
What about Google?
If your website is infected and starts delivering malware to your visitors, then you will get blocked by search engines for hosting a fake store, an attack site or a phishing site.
This will have a significant impact on your site, especially if you are spending money on SEO.
Search, especially Google, drives most of your visitors, so a blacklisting shows up directly in your search engine optimisation (SEO) results.
I spoke about reputation in general, how about Brand in particular?
The impact on your reputation, brand and ability to create revenue can be significant.
Your site, your reputation, your brand, your rankings and your domain value can be destroyed literally overnight, and in a lot of cases you will not even notice at first.
The drop in traffic can easily be mistaken for a change in Google’s algorithm.
How big an impact would a significant drop in search visitors have on your organisation?
In fact the drop in visitors is the result of your site being blacklisted.
Anyone going to your site will get the Google warning page: proceed past this point at your own risk. How many people will click through against that message? Very few.
It is going to cost you days and thousands of dollars to restore, de-blacklist and re-rank.
So that cheap and cheerful website that you put up is now having a significant impact on your organisation.
Significant impact on your cash flow!
Significant impact on your revenue!
Let’s now take it further.
If your website keeps getting hacked it will cause significant problems for the hosting company, as well as for all of the other organisations with websites hosted on the same platform. Same platform, same internet address.
They will literally ask you to take your website elsewhere, because you are having a significant impact on their revenue and profits.
WordPress security – what can you do?
All of these problems start with the assumption that putting up a WordPress website is easy and can be done by anyone. Here are a number of precautions you can take to reduce the risk.
Update, update, update
Like everything digital in today’s world, updates are one of the keys to protecting the website. Updates to the WordPress core are critical, but updates to plug-ins, widgets and themes are just as important.
Updates remove the known weaknesses where the automated systems can get a foothold on your site.
Visit your site regularly
We have known organisations who have not touched their website in two or three years. This is bad for two reasons. If you are not visiting your site regularly then you are not helping your marketing: you are not putting up, in the words of Tim Read, “interesting and helpful content”.
Google does not like this.
If you are not visiting it regularly you are not getting a feel for what your visitors are seeing, and you are not being prompted to update all of those important components.
Use top quality plug-ins, themes and widgets
Free is OK, but if you pay for plug-ins, themes and widgets there is a good chance they will be better for your website.
This includes not only better functionality but also better security and support.
Use 2-factor authentication or a CAPTCHA
With some of the tools available, your website can be scanned and its usernames discovered.
A username is one of the two things (the other being the password) that the wannabe hackers need to compromise your website.
Using 2-factor authentication and/or a CAPTCHA adds another layer to the login process.
This makes it much harder to access your website using automated systems.
Enforce complex passwords
I know they are hard, but complex passwords are very important when it comes to fighting all those automated systems.
All passwords should have three properties: complexity (numbers, letters, symbols and capitals), length (more than 8 characters, and 10 or more is better) and uniqueness (a different password for every website you visit or system you have access to).
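The precautions above reduce the attack surface; the other half is noticing when the automated systems are working on your site. The script below is an added example, not code from the original page or the author's toolbox. It parses constructed Apache/nginx-style access log lines (the IP addresses, timestamps and thresholds are assumptions for the example) and flags the three behaviours those tools show: username discovery through WordPress's `/?author=N` redirects and the `/wp-json/wp/v2/users` REST endpoint, and bursts of POSTs to `wp-login.php` or `xmlrpc.php` from one address. It also demonstrates why 2-factor authentication matters: once the scanner has the usernames, the only thing left to guess is the password.

```python
"""Spot automated WordPress attacks in a web server access log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r'^/\?author=(\d+)$')     # WordPress author-ID probe
USERS_ENDPOINT = "/wp-json/wp/v2/users"         # REST endpoint that lists users
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # password-guessing targets


def parse_line(line: str) -> Optional[dict]:
    """Return the fields we need from one log line, or None if it is not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect(lines: List[str], author_threshold: int = 3, login_threshold: int = 5,
           login_window: timedelta = timedelta(minutes=1)) -> Dict[str, List[str]]:
    """Return {ip: [labels]} for addresses showing automated attack behaviour."""
    authors = defaultdict(set)       # ip -> distinct author IDs probed
    rest_users = set()               # ips that hit the users endpoint
    login_posts = defaultdict(list)  # ip -> timestamps of login POSTs

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, bare = rec["path"], rec["path"].split("?")[0]
        m = AUTHOR_RE.match(path)
        if m:
            authors[rec["ip"]].add(int(m.group(1)))
        elif bare == USERS_ENDPOINT:
            rest_users.add(rec["ip"])
        elif rec["method"] == "POST" and bare in LOGIN_PATHS:
            login_posts[rec["ip"]].append(rec["ts"])

    findings = defaultdict(list)
    for ip, ids in authors.items():
        if len(ids) >= author_threshold:
            findings[ip].append("author-enumeration")
    for ip in rest_users:
        findings[ip].append("rest-user-enumeration")
    for ip, stamps in login_posts.items():
        stamps.sort()
        # sliding window: do login_threshold POSTs fall inside login_window?
        for i in range(len(stamps) - login_threshold + 1):
            if stamps[i + login_threshold - 1] - stamps[i] <= login_window:
                findings[ip].append("login-brute-force")
                break
    return {ip: sorted(labels) for ip, labels in findings.items()}


# Constructed sample log: one scanner (203.0.113.5) and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2018:12:00:01 +1000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2018:12:00:01 +1000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2018:12:00:02 +1000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2018:12:00:02 +1000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2018:12:00:10 +1000] "POST /wp-login.php HTTP/1.1" 200 1043 "-" "python-requests/2.18"
203.0.113.5 - - [10/Jun/2018:12:00:12 +1000] "POST /wp-login.php HTTP/1.1" 200 1043 "-" "python-requests/2.18"
203.0.113.5 - - [10/Jun/2018:12:00:14 +1000] "POST /wp-login.php HTTP/1.1" 200 1043 "-" "python-requests/2.18"
203.0.113.5 - - [10/Jun/2018:12:00:16 +1000] "POST /wp-login.php HTTP/1.1" 200 1043 "-" "python-requests/2.18"
203.0.113.5 - - [10/Jun/2018:12:00:18 +1000] "POST /xmlrpc.php HTTP/1.1" 200 388 "-" "python-requests/2.18"
203.0.113.5 - - [10/Jun/2018:12:00:20 +1000] "POST /wp-login.php HTTP/1.1" 200 1043 "-" "python-requests/2.18"
198.51.100.7 - - [10/Jun/2018:12:03:00 +1000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2018:12:05:12 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, labels in detect(SAMPLE_LOG).items():
        print(ip, ", ".join(labels))
```

On the constructed log the scanner is flagged for all three behaviours while the ordinary visitor, who logged in once, is not. Feed it `tail -f` output or a day's log and the same three labels are what you would block at the firewall or rate-limit in the web server; a CAPTCHA or 2-factor prompt on `wp-login.php` is what turns the brute-force finding from a breach into noise.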
Now hopefully you understand why protecting your website with the right attitude is good business sense.
The bad guys are out there and they are looking for every opportunity to ruin your organisation, your reputation and your ability to make money.
It is no longer a case of hoping for the best when it comes to business security.
Business security demystified
Changes to the way we do business, how business is conducted, how fast transactions are done and the insidious implications of social media have made the last five years a huge challenge for most businesses, no matter their size.
From the multinationals who rely on their advertising spend to get customers, through to the small and medium businesses and the mom and pop organisations who are challenging them in most areas of today’s business world, all have huge if not insurmountable business problems.
No longer can we rely on “that’s how we have always done X”.
In today’s world that is old thinking, old strategy and in most cases a good way to disillusion your clients and go out of business.
With all of this happening we also have the problem of protection.
These are just a few of our inward and outward facing security problems.
We are often told that security is a business problem but all of the onus to fix it falls to the ICT department. This is no longer the way to do it.
Business security is a whole-of-business phenomenon. Everyone from the head of the board to the warehouse cleaner needs to be involved, and involved from the nuts and bolts through to the strategy.
Today’s world is all about data, and protecting that data from anyone and everyone who does not have permission to use it, see it or interact with it. With everything in today’s world being digital, in most cases we cannot see the problems this creates.
Today’s business security is all about common sense, seeing the wood for the trees and making sure that you are reducing risk at every opportunity.
Business security is all about risk!
Business security comes down to risk, defining the risk and then mitigating it for your organisation.
Every organisation is different and every organisation will mitigate the risk differently but all organisations need to start looking at the problem of risk.
Want to see what I am talking about? Go here and do our quick and nasty trial survey: 7 of the 98 standard NIST questions. Let’s see what your business maturity level is.
This has been hacked! X number of records have been stolen! Another bank ATM system has been compromised!
Yada yada yada. What’s the use?
You can invest millions in cybersecurity and still get hacked.
We now seem to not care.
We are getting reckless.
Reckless to a stage where the old adages are coming back. If in fact they ever went away.
It will not happen to me!
But it will! If you do not focus on protection it will happen to you. It will happen to you because of what the bad guys are capable of. The bad guys know more about the intricacies of programming than some of the engineers who created the program in the first place.
In today’s digital world a bored teenager, with access to the internet, a computer, an aptitude for mischief and minimal parental supervision can literally RUIN your life.
That is not a good thing! But it happens, happens all the time.
I am too small to be a target!
Actually no one is too small to be a target. Everyone who has a device that connects to the internet is a cybersecurity target.
Your mobile phone, your smart device, your laptop or your computer are all connected to a network that eventually connects to the internet.
The moment that you connect to the internet you are a target. You are a target of all of those automated systems created by the bored teenagers.
The moment you open an email, do a search for a product or service, create a website or any of the tens of thousands of things we do on the internet – you are immediately a target.
I have nothing worth stealing!
Ask that of the millions of people, offices and organisations who have been compromised by the cryptovirus also known as ransomware. When you are confronted with the reality that you can no longer access your data, you suddenly realize how valuable that information really is!
Most of the people targeted have some level of protection, some type of security because they realised they had something worth stealing. Even then it happened!
What makes you any different, especially if you have no protection, or only minimal protection?
Education is the key.
The reason that people like me harp on about cybersecurity is we see the problems. We see the impact and more importantly we see the solution.
The solution is not investing millions of dollars in technology, although technology IS needed. It is not legislation, which makes it harder to do business, although that is also needed. It is wholly and solely about education.
Education has a drastic impact on the frequency, occurrence and severity of being compromised.
At the moment the bad guys do not have to work very hard to get users to click on a link or open an attachment (Social Engineering 101: the easiest way to target anyone).
We have been conditioned to do it.
Click, double click or swipe is normal everyday activity when using a digital device. There is no thought, it is conditioning. We have to break this conditioning because in most cases that is what the bad guys rely on.
The only way to break this is education. Try this course:
The onboarding business security course (http://business-security.com.au/login/)
Relying on one person’s understanding of digital crime is a recipe for disaster.
You can be the most knowledgeable person on the planet in your chosen field but you cannot be the most knowledgeable person on everything – that is impossible.
When it comes to the digital world, the individual facets of the world are daunting.
There is no single entity who has all of the answers. In a huge number of places we no longer understand the questions to ask.
We all work in some realm where we either consider ourselves exceptional, or other people consider us exceptional in our knowledge and understanding.
Most people realise this and accept input from others who are experts in their own fields. This collaboration makes everyone involved better.
We have seen those exceptional people do the absolute dumbest things when it comes to digital protection and cybersecurity.
In most cases it comes down to EGO.
To quote Skyhooks and my friend Shirl, “ego is such a dirty word”. This is where one of the largest problems lies when it comes to digital security.
Our egos get in the way.
Our egos do not allow us to be wrong, do not allow for others to have input into our problems or in some cases accept input from people who do actually know more about the problem than we do.
The EGO of security
One of the biggest problems with keeping ego in check is the misuse of secrecy.
Using my ego to implement security means that others who may have a deeper understanding of the problem, or a better solution, are kept out of the development because I have deemed it secret.
To develop a complete digital security strategy we need to leave our egos at the door. We have to listen to anyone and everyone with an idea concerning protection and implement the best ideas from that process.
When that happens we will see an improvement in digital security. We will see an increase in collaboration and maybe, just maybe, we will be able to beat the digital criminal at their own game.
Google! How many times have we said or heard someone else say:
“Why don’t you Google it?”
“Google told me that….”
“I can fix this problem—I read an article about it on Google!”
These lines are often spoken by someone who tried to save time, money or effort by reading an article instead of consulting an expert. And whether it’s a broken computer, a backed-up sink or the weird-looking bald patch your dog has suddenly developed, when people put their faith in Google there’s usually an unspoken postscript: “I tried to do it the way Google said, and it didn’t work.”
I have been working in IT security for 30 years. I’ve come to see that computer technology is one of the areas where people are most likely to turn to the internet for help. I am not knocking Google—my team uses it regularly to resolve complex and confusing issues with technology.
We also understand that 99.9% of the articles are CRAP.
Well, maybe that was phrased a little too harshly. How about this—80% are CRAP.
Your search for a solution can put you in touch with a lot of people claiming to be “experts.” Some of them even are experts, and may have put a few good ideas into writing. Those search results do not equate to the huge number of hours that a professional will have spent in their chosen profession.
Google does not show me how to fight a civil action in court, but a high-paid lawyer will.
Google does not make your tax records easier to understand, but a good accountant will.
Google does not make changing that engine part any more understandable, but a mechanic does.
With around 20% of all Google searches being for new content, there is no Google search you can do that will capture every exact specific of your court case, tax documents or computer problem.
What Google does is make you realise that you do not know everything. It helps you understand that a professional, often the person who wrote the article, is better qualified to do it.
When the sink backs up or the car starts making a funny noise, go ahead and Google. Yes, you can muddle through, and maybe get the right outcome!
But if that first “easy” solution doesn’t work, don’t keep trying more. The cost in time and money of continually tinkering with high-priced possessions is more than what you’d pay to get your problem solved once and for all.
If you want it done right, Google it, find an article about it—and then talk to the person who wrote the article.
Business technology changes every two years. Moore’s Law, popularly summarised in business as computing power doubling every couple of years while its price falls, is well known, and even when we stay with the same provider everyone is constantly looking for the best new product: the technological advances that provide better results, change our perception of business or improve the bottom line. We are always looking for better equipment, better tools, better technology and anything that will help us grow the business.
Technology that provides better results can change the perception of a business and improve the bottom line, and that slight advantage can be critical in today’s business world. Unfortunately, we tend to forget that there are digital criminals in our midst waiting for the right moment to strike. These people are prepared to use the best and latest technology available to compromise the technology of others and to attack anyone who is connected to the digital world. As criminals, they steal, bribe, sneak and compromise anyone or anything in order to get their hands on new technology.
Once the cyber criminals have access to that technology, they dismantle it and break it down so they can gain a better understanding of how it works. They also study the manufacturer so they can build “hacks” that reach the information or data of others. They work out what the technology can do, not just what the manufacturer thinks it can do; while you may not recognise it now, there is a clear distinction between those two.
As an example, if a piece of software is used by a large proportion of digital users, the thieves get hold of its SDK (software development kit), take it apart, see how it functions, see what has been overlooked and work out how to use it for their own nefarious ends. After that hands-on research, they can readily discover ways to compromise the program.
We Can Make A Difference
By incorporating the fundamentals of high quality digital security, we can stop these thieves in their tracks. The fundamentals are passwords, patching, firewalls, anti-virus and backups, plus a healthy dose of paranoia. However much the technology changes, those basics give you a platform from which to work. With the continuing technological advances, we have to find better ways to improve digital security, and by mastering the fundamentals first you can start to think outside the box and discover other solutions and more effective answers to challenge these criminal masterminds.
The fundamentals are the basis for your protection from those criminals who lurk in cyberspace just waiting to catch you with your guard down. As users of technology, we need to take a stand and work to find the right security solutions to protect our equipment, our data and all of our information. By staying up to date on the advances and the latest digital security options available, you take a step in the right direction toward blocking out the digital thieves who are waiting to disrupt your business.
Website Security and how to make your website more secure
[Start of transcript]
Just waiting for the last couple of stragglers to come along. We’ll get stuck into it exactly at 12 mid-day, and it should only take about 20-25 minutes to get through this, but it will also give you a bit of feedback on what’s happening, what you can do and how you can do it.
Good afternoon. Today’s Lunch and Learn is part of a series on digital security, but we’re not really looking at digital security from a vendor point of view, we’re looking at a digital security component that is designed to protect your business, and why you need to protect that component of it.
So today’s Lunch and Learn is “Why is my website a target of hackers?” And we’re just going to go through what the bad guys are doing, why we have websites, how they target your website, how they get in, what their end game is, and how do you stop it from happening to you, and then we can have a conclusion and questions and answers after that.
Why do YOU have a website?
Well, for most of us, it’s to get information out to the public. We have a product or a service that we want people to know about, so we have a website that tells everybody what we do. It can be either static or dynamic; it doesn’t really matter. It’s just information.
Or, we could be running an e-commerce site, and that e-commerce site would generate revenue for the business. And in some cases, there are a lot of businesses that are purely based on e-commerce, so it’s very important that their website is really, really secure.
E-learning and education
Another component is e-learning and education, which is now on the rise, because it’s a lot easier and more efficient and effective to deliver learning to the general public over the digital world.
And then of course, we’ve got the blogging. And everybody, if they have a website now, is being told that they need to create content that goes on that site, and the best way to do that is to talk about either your products or your services in such a way that people will interact with what you’re talking about.
Blogging websites have been broken down into a number of CMS, which is content management systems, so that you can have total control over what you do. And we’re finding that WordPress, Joomla and Drupal are probably 70% of what people are using in the digital world as a blogging platform.
Who is targeting your website?
So, who and why are they targeting your website? Well, there’s three distinct, I suppose, animals that are out there, that are targeting your website.
There’s the script kiddies. Now, the script kiddies are people who are anywhere between 9 years old and 25 years old. They’re the up-and-comers. They’re thinking this is a lot of fun, and they use automated systems that they’ve downloaded from the cybercrime gangs. And those systems can be free, or they can cost a lot of money. One of the better ones is a Russian component that you can buy for 4,000 euros. And that will give you the capability to start up your own business as a hacker.
We then have the hacktivists. Now, the hacktivists are the people who actually annoy the crap out of you. You’ve done something in your business and they didn’t like it, so they’re now in a position to be able to try and access your website. They’ll deface it. They may or may not steal information, but their whole role is to bring presence to what they don’t like about you.
And then, we’ve got the black hat hacker, the true blue person who wants to steal information or steal money from you. And they are the ones who are probably 0.001% of the all-encompassing class of digital criminal. And these are the people who live and breathe breaking into your website.
What do they want?
Well, we all know they want money, and they’ll go out of their way to steal either information or they’ll steal money from you if they can.
But they’re also after your intellectual property. Your intellectual property which is really important for how you do business and intellectual property that you keep on your website that is under lock and key either through an e-commerce gateway or other ways of controlling access to the system. So in other words, if you’ve got a PDF up there that you want to sell, your intellectual property is that you are selling that PDF as part of your business.
But one of the main things, and people do not realize is, that the bad guys want to steal access, or gain access to your website so they can infect visitors who are coming to your website. So they can upload malware to your website so that everybody who access your website has the complexity of being infected when they leave. And that is one of the reasons why the websites that we have are big targets for the cybercriminals.
How do they get in?
So, how do they get in? Well, they get in a number of ways.
Unpatched systems is one. If you’re running things like WordPress or Joomla, or Drupal, you will be constantly told that you need to update certain components of the website, because new components have been released to patch areas where you may have a vulnerability.
We also have insecure practices. Now, an insecure practice is when you install a website from initially when you set up your website and it comes up and goes, “What do you want to use as the administrator password?” And a lot of people will put in admin/admin.
Those automated systems that are run by the script kiddies are actually looking for websites that have admin/admin as username and password. That is an insecure practice that we really need to stamp out. If you’re going to build a website, you have to think along the lines of: it has to be secure from the moment you put it together.
And those insecure practices: you may have put in admin and admin as username and password. You’re quite happy with the way the website’s going. You’ve now got an e-commerce site that is based on that website, with the username and password of admin and admin, and that is not a really good place to be, because that is what the bad guys are targeting.
And as I said, the digital criminal is no longer someone who we think is going to be relatively stupid, because they are very good at building our trust. They are very good at targeting us individually or as a group, and they go out of their way to make sure that along the way we are trusting them. Their trust comes down to social media, comes down to emails that we may have received from them. All of this is building trust within you and them.
The last thing that will allow them to get in is a technology failure. Again, this is something that we keep an eye on, because the underlying system that your website is built on is built on technology.
A technology failure might also mean we haven’t closed a port on the firewall that goes to the website, or we’ve got problems with the technology, or we’re being targeted by a DDoS attack. Because they know that if a DDoS attack is targeting your e-commerce site, then it’s not going to be able to deliver money to you.
What is their end game?
So what is the digital criminal’s end game? Their end game is to get as much out of you as they can.
So they are there to steal everything. And when I say they steal everything, they literally do go out of their way to steal everything. So they want your database. They want your access to your PayPal system. They want to be able to steal whatever they can from you. And if you’ve got things behind payment gateways and firewalls, and all that sort of stuff, they want to get at that. And that is why they go out of their way to target your website.
Compromise your visitors
But most importantly, they want to compromise your visitors. If you’re getting a lot of traffic, let’s say 20,000-30,000 unique visitors a week, and they compromise your website, then every one of those 20,000 visitors that comes to your website leaves infected. And that is why they go out of their way to make sure that they are targeting websites.
A compromised website can damage:
If you get compromised and your website is hacked through a script kiddie, that is not so devastating as other ways, but if you get hacked by a hacktivist or a full-blown hacker, then you are going to have damage that you are not going to understand how to fix.
For one, it will damage your reputation. And in the digital world, reputation is everything. Although we may think that yes, we’ve been hacked and we know, we’ve fixed the problem and we’re going to go back after the general public again with the same product and the same line, we’ll find that our reputation is now tarnished. Because it’s been tarnished, the chances are that fewer people will now come to you.
But another thing a compromised website will do is impact cash flow, especially if you’re in an e-learning situation or an e-commerce situation, because that website is what allows you to do business.
So if you get a compromised website and all the cash that you’re making is suddenly not going to your coffers but going to the bad guys, then you have a serious cash flow problem. Then you have something that you really need to do something about.
In addition to cash flow, it will impact your productivity. And I’m talking about whether you can build the widgets that you are selling on your website, and the productivity component of it is again another impact on your business.
What can you do to stop it happening to you?
So what do we do to stop it, and how do we stop it happening to us?
Patch it all
Well, one of the things we have to do is patch it. WordPress comes out with an update probably once every two or three weeks, and it will come up on your website saying you need to install the newest update.
It gets pretty annoying, because it knows that if you don’t patch it then your system and your website are vulnerable. So you need to update your systems as often as required. But that also means you have to update your plugins and your widgets, and everything else that goes with either WordPress, or Joomla, or whatever other system.
And if you’ve got a system that has been made by someone else, there better be a security component to it. Because if it’s been built on something that only one or two people have access to or have an understanding of, you still need to make sure that it’s not vulnerable to being hacked.
Process and policies
You also need to put in policies and procedures, and processes. How often do you visit your website? How often do you visit not only the front end but the back end? How often do you actually go to the home page of your website?
If you do go to your home page of your website, are you taking notice of things that aren’t working, aren’t doing what they are supposed to be doing, or that information is stale and old, and needs to be updated?
That also means the policies and procedures that you put in place for people who are actually updating the website themselves. If they’re installing a widget on a WordPress site, have you got specific criteria for why it’s being installed?
Those specific criteria might include that it’s got to have more than 4 ½ stars before you’re allowed to use it, it’s got to have been around for more than a year, and it’s got to have more than 10,000 users. Now those criteria would make it very hard for someone to compromise your system through a plugin.
Complicated username and password
As I said, when you set up a WordPress site, it asks you for a username and password for the administrator. The best thing you can do is not only use a complicated password, but use a complicated username. For instance, admin_joeblow_123. And then you need to remember the password and the username, because otherwise you won’t get into your system.
Restrict or manage comments and users
Most people have blogs, and if they’re blogging they are looking for comments or input from other people. The bad guys also know this, and there are times when you’ll get a lot of crap coming through your website, because you’ve got comments enabled but people don’t have to log in with a username and password.
And that’s a restriction that you need to put in place if you’re going to accept comments. If you’re going to accept comments, the reason why you need a username and password is so that you go to the second step of not having the automated systems putting information into your comments on blogs.
And also, your users have usernames and passwords, and you can enforce complicated passwords on them as well, just to be on the safe side. If they’re adding a comment or if they’re blogging individually on your website, those people also need to have a decent username and password.
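The two controls just described (require a login before anyone can comment, and enforce a decent password on those users) can be pinned in code rather than left to a settings checkbox. The following WordPress must-use plugin is an added example written for this page, not code from the talk or from WordPress itself; it assumes a standard WordPress install and uses the core `pre_option_*`, `user_profile_update_errors` and `registration_errors` hooks. The prefix `hcac_` and the 14-character minimum are choices made for this example.

```php
<?php
/**
 * Plugin Name: Harden Comments And Credentials (added example)
 * Description: Requires login to comment, holds comments for moderation,
 *              rejects weak passwords and blocks the "admin" username.
 * Save as wp-content/mu-plugins/harden-comments.php so it loads on every request
 * and cannot be deactivated from the dashboard.
 */

// Only registered, logged-in users may comment. This pins the
// "Users must be registered and logged in to comment" option to on,
// so nobody can quietly switch it back off in Settings > Discussion.
add_filter( 'pre_option_comment_registration', '__return_true' );

// Hold every comment for moderation, so automated junk never shows publicly.
add_filter( 'pre_option_comment_moderation', '__return_true' );

// Minimal password policy: length, mixed character classes, not containing the username.
function hcac_password_is_weak( $password, $username ) {
    if ( strlen( $password ) < 14 ) {
        return true;
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        return true;
    }
    // "admin"/"admin" style pairs: the username must never appear inside the password.
    return ( $username !== '' && stripos( $password, $username ) !== false );
}

// Enforce the policy whenever a user is created or edits a profile in wp-admin.
// $user->user_pass is only present when a new password was typed into the form.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass )
         && hcac_password_is_weak( $user->user_pass, (string) $user->user_login ) ) {
        $errors->add( 'weak_password',
            'Password must be 14+ characters, use 3 character classes and not contain the username.' );
    }
}, 10, 3 );

// Refuse the default "admin" username at self-registration time.
add_filter( 'registration_errors', function ( $errors, $sanitized_user_login ) {
    if ( 'admin' === strtolower( $sanitized_user_login ) ) {
        $errors->add( 'reserved_username', 'That username is not allowed.' );
    }
    return $errors;
}, 10, 2 );
```

The password check only runs on the wp-admin profile forms; an existing account created with a weak password before the plugin was installed keeps it until the password is next changed, so review those accounts by hand.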
Wherever possible, try to make sure that the data is encrypted. Because if it’s encrypted, then if someone does break in and steal, for instance, your database of users and commenters, that information is very hard to get out of that database. On top of that, if you’re encrypting the information, whether it’s coming or going, there’s no chance of it being eavesdropped on and picked up.
But locking down your system goes beyond encryption as well. So, two-factor authentication. With two-factor authentication, you use a username, a password and something else. To me, that is a lot more secure if you’re going to have a very productive website that is going to do things for you.
Use a web gateway
The last component that you can do for your website is to use a thing called a web gateway. Now, your web gateway literally is a gateway on the internet that captures all the traffic coming to your website. There are companies that actually sell the product of a web gateway. We’re not one of them, but what we have found is a web gateway cuts down probably 99% of people targeting your website. Everything else is still functional, but the bad guys have a lot of trouble getting past that gateway to get to your website itself.
So in conclusion, the bad guys are out there. Don’t get me wrong. They are out there. And they want access to your website to not only steal from you, but to also target your visitors. So make sure you protect your website the same way you protect any other digital system, because if you do that, you are not only protecting your business, you are also protecting your clients, the people who are coming to your website.
So that’s the conclusion. My name is Roger Smith. I am an Amazon #1 author on cybercrime and digital security. I am also the CEO of R&I ICT Consulting Services, and I am a speaker on the digital world and how normal users need to be aware of the dangers and how they can take appropriate action.