A Complete Primer on Digital Security for Website Owners
by Phill Clapham, ForeFront developer
Introduction
Since its creation and introduction to the public, the Internet has always presented a unique security challenge to anyone who uses it. Many of the things we need to do to protect ourselves online are counter-intuitive to how we do business and interact with one another in the physical world. As such, it is important to familiarize yourself with the basics of digital security. This is especially important for anyone who does business online – once your business is online, you are responsible for not only your own security, but that of your business as a whole, as well as your site’s users and other online properties.
Digital security has become particularly important over the past month, due to the Russian invasion of Ukraine. While it has largely escaped the headlines, there has been a massive cyberwar brewing online for weeks now, and the websites of businesses just like yours have been in the crosshairs due to their value for many types of cyber-warfare and crime.
While security experts have been hard at work ensuring that websites remain operational and safe, there has never been a more important time for everyone to take responsibility for their own digital security.
The Core of Digital Security
At its most basic level, digital security largely comes down to common sense and stopping to think before taking any action online. While there is a lot more to the gritty details – and we will cover these in the upcoming points – each one ultimately comes down to being mindful whenever we interact with any sort of online or networked technology.
What Is Digital Security, Exactly?
In short, digital security encompasses the security aspect of every single interaction you have with any technology that is connected to the Internet or to any other public network. This is a wider definition than you would get in a textbook, but it is important because any technology that can communicate with another piece of technology is a potential target for today’s clever cybercriminals. Today’s cybercriminals are always at least a few steps ahead of law enforcement’s and private industry’s ability to respond to them, and as a result, the only reliable method for battling the cybercrime of today and the future is a well-informed, proactive approach at the individual level.
Protecting Yourself
A proper approach to digital security starts with first protecting yourself, then working outward from there to ensure your website and other online properties are safe and using security best practices.
Social Engineering
I cannot emphasize this next point enough: Securing your business online and protecting your website and customers are pointless unless you first protect yourself. A good many revenue-losing digital attacks on businesses are caused by what is known as social engineering. Social engineering can best be viewed as seeking to manipulate people so they allow an attacker into a system, as opposed to hacking or brute-forcing one’s way in.
This approach is perhaps the most difficult to defend against, because there is no one set of hard and fast rules to catch it. This is where common sense and being mindful online come into play. Here are some guidelines to keep in mind:
- Email is the No. 1 method attackers use to attempt social engineering on their targets. As such, you should treat every email as suspicious, even if it appears to come from someone you know. Treat every attachment in every email as particularly worrisome. Verify you know the sender and that they intended to send you an attachment before you even consider opening it.
- You will hear the term “phishing” in the news; this is the name for the most common type of emailed social engineering attack. A phishing email is typically an email that outwardly appears to come from a trustworthy source, which attempts to convince you to enter your login information or personal details somewhere you shouldn’t. The biggest defense against this is simple awareness. Ask yourself if the sender has a valid reason for asking for your information – and even if they do, ensure you are sending that info in the most secure way possible.
- Always be wary of links in emails. If you have any doubts at all about a link in an email, it is best to navigate to that link separately via a browser rather than clicking through.
- We live in an age of more online scams than ever, and the rise of Web3 and cryptocurrencies has massively increased their number. The biggest thing to remember: If it sounds too good to be true, it is. This is a truth that will never change.
- Finally, no matter what communication channel it is, always remain mindful. Make sure you know exactly who you are talking to, and that they have a right and need to whatever data they are requesting. Never be afraid to challenge or question any request made of you or your data.
Your Devices
Once you have armed yourself against the psychological aspects of cybercrime, the next component is the digital one, at the heart of which are the many devices we use throughout our day. Let’s lay out some general guidelines before we get into specific guidance for different devices.
Passwords and Site Logins:
- Double-check every single password you use. Try to use a unique password for every login, and make them as difficult to guess as possible. Avoid using any words or numbers related to your life, as social media has made these trivial to guess. Do not share your passwords with anyone (except for a qualified developer who you know and trust, and even then only as needed), and change them often.
- Watch what personal information you share on social media. Many people share more than enough to give sophisticated attackers the information they need to guess passwords and answer verification questions.
- Use multi-factor authentication for every service that offers it.
- Set up and learn how to use a proper password manager on all your devices if you have trouble remembering so many passwords.
Your Phone and Mobile Devices:
Your phone is likely the nerve center of your entire life. It is vitally important that you take steps to protect it:
- Set a strong passcode and be mindful about allowing your phone out of your sight. It only takes moments for an attacker to install tracking and keylogging apps on an unattended device.
- Don’t assume you are too unimportant to be a target. Everyone is a target. Even if you truly have no data or assets worth stealing, your device is still a valuable asset for any attacker to leverage. On top of that, everyone is a target for other types of malware: ransomware, spyware, adware, etc. Always, always, always assume you are a worthy target.
- Keep your device up to date. There are serious bugs discovered every day, especially for Android devices, and as such, it is important to keep your device updated regularly.
- While both Android and Apple devices are great in their own ways, both require their own approach to security, so it is important you familiarize yourself with the security best practices for your preferred device. That being said, my personal feeling is that Apple devices have better overall security.
- Even more important than the phone itself are the apps on it. If possible, set up your preferred app store for auto-updating, or check for updates regularly. Keep in mind, especially if you have an Android phone, that malicious apps are regularly found on Google Play, so be especially careful about the apps you install and the permissions you give those apps.
- Be especially careful with free apps. They are the No. 1 source of malicious infections on mobile devices.
- Be careful about using your phone’s wifi when away from home. Only run it when you are consciously connecting to a known network in public, or at least set it up to only allow connections you can confirm. A common attack used in public spaces is to run a powerful ghost network close to a freeway, and have it look for phones driving by with the wifi on and no connection confirmation. Then, the malicious actor can connect to those devices and brute force attack them looking for known vulnerabilities (and there are always a few). Another common attack is to set up a network right beside a public one, such as a library or coffee shop, with the same or similar name, and try to lure devices onto it.
- The same goes for your mobile device’s bluetooth. Only keep it on when you are directly using it.
- Fortunately, many of today’s websites take measures to minimize the amount of data that can be accessed by attacks like this, but these efforts are far from foolproof. If you are away from home, it is best to just assume that any connection you make with a digital device outside of your normal cellular connection is totally compromised, and anything you type can be fully read by anybody around you.
- Limit your usage of virtual assistants that are always listening: Siri, Cortana, Bixby, Alexa, etc.
Your Computer:
The next line of defense is your larger systems, such as laptops and desktop computers. The advice for these is much the same as that for mobile devices. Keep everything updated. Be mindful of what you do and what networks you connect to. Beyond that, there is some specific guidance to follow for these systems:
- If you use Windows devices, you must use security tools on your system. Fortunately, Windows provides its own best-in-class software for this. Make sure all of the Windows security tools are activated and set to auto update. Pay attention to the results, and be sure to act at the first sign of an issue.
- With Windows especially, but ultimately all systems, be mindful of any and all software you install, especially free software. Free almost always means that you are the product, and the company is likely doing something unethical with the data it harvests from you.
- As with mobile devices, never assume you are not a target. Again, every system is valuable to today’s cybercriminals, so everyone needs to take steps to protect themselves.
- Keep backups of all important data and files.
Other Devices:
While they are easy to forget about, many other devices around us are potential targets for cyberattacks. These include, but are not limited to, printers, scanners, smart speakers, smart hubs and network connected speakers. Take full stock of the devices you have in your home and office, and make sure they are fully updated on a regular basis and set up in the most secure way possible. When in doubt, there are local IT services that can help you manage and secure your devices, and we at ForeFront Web can provide some services and recommendations as well.
Again, the most important factors here are mindfulness and awareness. Take stock of the devices in your life and be aware of the threats they can pose and how to mitigate them.
General Advice:
- Look into using a VPN. While they are not as necessary as they used to be, and usually it is safer to use your own cell connection or your phone’s hotspot while out and about, they can still be useful in some situations. We will cover VPNs and when using them is a good idea in more detail in a later post.
- Avoid the “secure enough” mentality. As previously mentioned, cybercriminals have a substantial lead over law enforcement and private companies, and nearly every device in common use has one or more paths that allow a sufficiently clever attacker total access if it is not protected.
- Stay vigilant.
Protecting Your Business
Training
The foremost principle to protecting your business online is training. You have to have someone – either on staff, a consultant or a third party service – whose job is to constantly learn about emerging threats and security best practices, then provide ongoing training and support to your staff.
It is also vital that employees be trained on the basic principles covered in this guide, and that these principles are reiterated to staff on a regular basis.
It is also crucial that you, as a business owner, lead your employees by example and practice good security principles yourself. Not only does this set a good example, it also acknowledges that, ultimately, the consequences of any security lapse fall on your shoulders.
Protecting Your Business Online
Protecting your business from cyberattacks starts with training yourself and your employees on good practices and using common sense online. But once you have this aspect covered, there are several specific areas to address. While covering everything you can and should do in the digital space is outside the scope of this article, let’s look at the most important things you should know and actions you should take.
Your Software and Hardware
Just as protecting your business is pointless unless you are first defending yourself, it is also pointless to protect your online properties unless you have first secured the tools you use to get online.
As noted above, it is vital that you take stock of what devices your business uses and understand how to secure them.
While this can be a daunting task for small businesses, we recommend reaching out to local IT companies for these services. ForeFront can also provide you with a security audit that includes recommendations for how to handle this, and we will cover what this entails later in the article.
From there, the advice contained in Protecting Yourself is just as applicable to your organization as it is to yourself. In short, the most important thing to do is make sure the devices you use and the software running on them are regularly updated and set up in the most secure way possible.
Your Domain Name and DNS
Perhaps one of the most overlooked aspects of business security is protecting your domain name. Here are some guidelines to keep in mind:
- Do not lose track of where you bought your domain name. Keep the account information for your registrar at hand and know when your domain name expires.
- Make use of any and all privacy tools your registrar offers. Most offer the ability to hide your registration information in WHOIS searches and replace it with theirs. Make use of this service.
- Make use of any domain transfer locks your registrar provides.
- Avoid buying domain names from Network Solutions. We hate to call out another company, but their service is consistently so bad that we have no choice. If you have a domain name with Network Solutions, we suggest transferring your domain to another registrar upon your next renewal. Reach out to us for help with this, as doing so can be tricky but worthwhile.
- Make sure to set up backup payment methods and contact information with your registrar. Do not risk losing your domain name over a missed email or payment.
- Register as many variations of your domain name as you can think of and afford, and point them to your valid domain. Not only is this good SEO practice, it ensures an attacker can’t use variations of your domain name to fool visitors.
- Avoid managing your DNS with your registrar; use a service such as Cloudflare when possible.
- When possible, allow a knowledgeable company such as ForeFront to manage your domain’s DNS for you.
Your Email
The email attached to your domain name is one of your most important branding tools, but it is also one of the most important things you must work to protect. While many dangers are specific to email, the most important to know about is spoofing: an attacker sends emails that appear to come from your domain. There are multiple ways to do this, but the most common takes advantage of gaps in how a domain’s email authentication is set up. To protect yourself, make sure your domain’s DNS is configured correctly for your email provider by publishing SPF, DKIM and DMARC records. Talk to our team at ForeFront about our security audit services, and we can take care of this for you.
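As an added illustration of what “set up correctly” means for those three records (this is example code written for this primer, not a ForeFront tool or part of the original article), the script below audits SPF, DKIM and DMARC TXT records for the specific weak settings that let spoofed mail through: an SPF record ending in `+all`, `?all` or `~all` or exceeding the 10-lookup limit, a DMARC policy of `p=none` or with no reporting address, and a DKIM key that is revoked or too short. The domain names, the `_spf.mailprovider.example` include and the `p=` key material are constructed placeholders; the key strings are runs of `A` chosen only to decode to the byte lengths of a 1024-bit and a 2048-bit RSA key.

```python
"""Audit SPF, DKIM and DMARC TXT records for the settings that let spoofed
mail through. Runs offline against constructed sample records; in practice
you would paste in the TXT records from your own DNS zone."""
import base64
import re

# RFC 7208 allows at most 10 terms that trigger DNS lookups per SPF check.
SPF_LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record):
    """Return findings for one SPF TXT record ('' means no record published)."""
    if not record:
        return ["no SPF record: any host may claim to send mail for this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1; receivers will ignore it"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_term.startswith("+") or all_term.lower() == "all":
        findings.append("'+all' authorises every host on the Internet")
    elif all_term.startswith("?"):
        findings.append("'?all' is neutral: unlisted senders are not rejected")
    elif all_term.startswith("~"):
        findings.append("'~all' is a softfail; use '-all' once you trust the record")
    # Count mechanisms/modifiers that cost a DNS lookup (a, mx, include:, ...).
    lookups = sum(
        1 for t in terms[1:]
        if re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] in SPF_LOOKUP_TERMS
    )
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceeds {SPF_LOOKUP_LIMIT}; receivers return permerror")
    return findings


def audit_dmarc(record):
    """Return findings for the _dmarc.<domain> TXT record."""
    if not record:
        return ["no DMARC record: SPF and DKIM results are never enforced"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1; receivers will ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("p= tag missing or invalid; the record is unusable")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


def audit_dkim(record):
    """Return findings for a <selector>._domainkey.<domain> TXT record."""
    if not record:
        return ["no DKIM record at this selector: signatures cannot be verified"]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["v= tag present but not DKIM1"]
    key_b64 = re.sub(r"\s+", "", tags.get("p", ""))  # TXT chunking may add whitespace
    if not key_b64:
        return ["empty p= tag: the key is revoked, signed mail will fail"]
    try:
        der = base64.b64decode(key_b64, validate=True)
    except ValueError:
        return ["p= is not valid base64"]
    findings = []
    # Heuristic (assumes RSA): an RSA-2048 SubjectPublicKeyInfo is 294 DER bytes
    # and RSA-1024 is 162, so anything well under 250 is a weak key.
    if tags.get("k", "rsa").lower() == "rsa" and len(der) < 250:
        findings.append(f"RSA key is only {len(der)} DER bytes: likely under 2048 bits")
    return findings


# Constructed sample records for a hypothetical domain, not taken from any real zone.
WEAK = {
    "spf": "v=spf1 a mx include:_spf.mailprovider.example +all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 216,  # placeholder sized like a 1024-bit key
}
HARDENED = {
    "spf": "v=spf1 include:_spf.mailprovider.example -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,  # placeholder sized like a 2048-bit key
}


def audit_domain(records):
    """Audit all three records; an empty dict means nothing needs fixing."""
    result = {}
    for name, fn in (("spf", audit_spf), ("dmarc", audit_dmarc), ("dkim", audit_dkim)):
        findings = fn(records.get(name, ""))
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_domain(records))
```

The weak set reports `+all`, `p=none` with no `rua=`, and a short DKIM key; the hardened set reports nothing. Moving from `~all`/`p=none` to `-all`/`p=reject` is the step most businesses never take, and it is the one that actually stops spoofed mail from being delivered.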
Here are some further guidelines to follow:
- Make sure you are making use of any and all spam filtering tools your email provider offers.
- Make sure to provide ongoing training to your employees about email security, constantly reiterating the importance and principles of digital security and best practices.
- Set an official email policy of revealing as little private and sensitive data as possible in all outgoing emails.
Your Website and Hosting
Your site is not just the public face of your company. It is the No. 1 thing that will be targeted by attackers day to day. The good news is that most of the responsibility for this falls on the shoulders of your site host. That said, there are still guidelines you should follow:
- Passwords. As previously stated, every single password needs to be strong and unique. Use a password manager if you start to get overwhelmed by the number of passwords you need to keep track of. An amazing number of site hacks happen from cracked passwords, and most cracked passwords are discovered because people are using the same password across multiple sites. This means attackers can compromise small, relatively unattended sites; get passwords from them; then use those passwords to gain easy access to what would normally be high-security sites.
- Unless you are technically inclined, it is best to allow a knowledgeable company such as ForeFront to manage your hosting for you, as we are best suited for handling the ever-growing assortment of threats aimed at today’s websites.
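The password advice under Passwords and Site Logins and the reuse chain described above (a low-value site is cracked, and the same password then opens a high-value one) are the kind of thing you can check for yourself. The script below is an added example, not code from the original article or a ForeFront tool: it takes a list of site/password pairs such as a password-manager export and flags reuse across sites, passwords shorter than 12 characters or using fewer than three character classes, and passwords built from personal details of the sort social media gives away. The sample entries, site names and personal tokens are all constructed.

```python
"""Audit site logins for the password habits the article warns about: reuse
across sites, short or single-class passwords, and passwords built from
personal details. Runs offline on a constructed sample; in practice feed it
a password-manager export and delete the export afterwards."""
from collections import defaultdict

MIN_LENGTH = 12


def _char_classes(password):
    """Count how many of lower/upper/digit/symbol appear in the password."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))


def audit_credentials(entries, personal_tokens=()):
    """entries: iterable of (site, password). Returns {site: [findings]}."""
    entries = list(entries)
    sites_by_password = defaultdict(set)
    for site, password in entries:
        sites_by_password[password].add(site)
    report = {}
    for site, password in entries:
        findings = []
        others = sorted(sites_by_password[password] - {site})
        if others:
            findings.append("reused on " + ", ".join(others))
        if len(password) < MIN_LENGTH:
            findings.append(f"only {len(password)} characters (want {MIN_LENGTH}+)")
        classes = _char_classes(password)
        if classes < 3:
            findings.append(f"uses only {classes} character class(es)")
        # Personal tokens: pet names, birth years, street names, etc.
        hits = [t for t in personal_tokens if len(t) >= 3 and t.lower() in password.lower()]
        if hits:
            findings.append("contains personal details: " + ", ".join(hits))
        report[site] = findings
    return report


def sites_needing_change(report):
    """Sites with at least one finding, most findings first, then by name."""
    return sorted((s for s, f in report.items() if f), key=lambda s: (-len(report[s]), s))


# Constructed sample export (site, password); none of these are real accounts.
SAMPLE_ENTRIES = [
    ("registrar.example", "Fluffy2012!"),  # pet name + birth year
    ("forum.example", "Fluffy2012!"),      # same password on a low-value site
    ("bank.example", "Fluffy2012!"),       # ...and on a high-value one
    ("hosting.example", "correct-horse-battery-staple-77"),
    ("webmail.example", "xQ7!vR2#pL9@mZ4w"),
]
SAMPLE_PERSONAL = ("fluffy", "2012")  # details visible on a social media profile


if __name__ == "__main__":
    report = audit_credentials(SAMPLE_ENTRIES, SAMPLE_PERSONAL)
    for site in sites_needing_change(report):
        print(site)
        for finding in report[site]:
            print("  -", finding)
```

On the sample, the three sites sharing `Fluffy2012!` each get three findings (reuse, length, personal details) while the two unique, long passwords get none. The point of the reuse finding is the one made above: the registrar and bank logins are only as safe as the forum that shares their password.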
Your Social Media
Don’t overlook your personal and professional use of social media when it comes to security as well. Here are some guidelines to keep in mind:
- On your personal accounts, make it a point to share as little sensitive information as possible. This includes things such as your current location and pictures of your children. While there is nothing inherently wrong with posting personal items on social media, if you do, you should make full use of the privacy tools offered by that service, and you should be careful about what audience you allow to view your most sensitive content.
- Many of the same rules apply for your organization’s social media. Think carefully about what data might be contained or hidden in your public posts, and work to minimize the release of anything sensitive.
- Make a point of claiming your company’s brand on as many social media channels and sites as possible, even if you don’t intend to use them right now. Protect yourself from your branding or variations thereof being used against your customers.
Protecting Your Customers
If you have implemented everything we’ve discussed above and taken steps to protect yourself, your business, your business tools and your online properties, then the protection of your customers is the natural result of your efforts. The biggest remaining thing to keep in mind is to try to minimize the amount of personal data you collect from your customers as much as possible, especially via your website.
Get Help & Security Audits
We all need help sometimes, particularly when it comes to digital security – and especially given how bad the online security situation has become. Because of this, ForeFront is pleased to announce we are now offering security services and audits for our clients. We offer multiple levels of service, from a basic two-hour tune-up to a complete digital security audit of your business. Services include:
- Complete hosting security audit
- Complete site security audit
- Complete email audit
- Complete DNS audit
- Complete hardware and software security audit
- Complete business process and workflow security audit
- Complete social media security audits
- Security training, policy and workflow development and audits
- Complete top-to-bottom digital security audits
Phill Clapham is an elite developer at ForeFront Web, and is our troubleshooting “jack of all trades”. We’re pretty convinced there’s nothing he can’t fix!