October is a time for crisp autumn weather, changing leaves, apple cider, and spooky ghost stories. Appropriately enough, October is also Cybersecurity Awareness month! Imarc has had the pleasure of working with a variety of security-focused clients, giving us some great insight into the mindset of cybersecurity vendors and consumers alike. Grab your fuzzy blanket and a s'more, it’s story time!
Dr. Jekyll and Mr. HTTPS
Security warnings and expired SSL (Secure Sockets Layer) certificates make your site look quite terrifying to passersby – and for good reason. As we said in the Summer of 2017 and again this past Spring, HTTPS is no longer a nice-to-have, but a necessity. Without the encryption provided by a valid SSL certificate, you’ll be introducing visitors to these brutish warnings:
Even worse, you’ll show that you haven’t followed the absolute basics of internet security. Why does the encryption involved with HTTPS matter? It protects user data from being snatched up by scary internet monsters, as well as validates that the address being visited is who they say they are… and not the alter ego of a vengeful mad scientist.
Big changes have swept through the realm of internet privacy this year thanks to the EU’s General Data Protection Regulation (GDPR). The practitioners of internet magicks across most major marketing platforms have been hard at work to comply, offering new support for opting out and purging data from users who wish to unsubscribe from data collection.
Imarc’s cybersecurity clients have been varied in their decisions of which tools and methodologies to depend on, but one thing is clear: GDPR is the guiding force for online data tracking and management both in and outside of the European Union.
Most of the challenges we’ve seen with GDPR have stemmed from understanding which actions are necessary to maintain compliance, and which sites are expected to comply. Need a rundown of what’s been going on? Check out our April blog post, GDPR: What Digital Marketers Need to Know
As spellbinding as GDPR can be, it’s opened up conversations on general privacy policies across the internet. Consumers are more cautious about what they are sharing, how, and with whom. The best solutions tend to be the simplest – transparency regarding data collection and privacy protections is no exception. Many recent requests from our cybersecurity clients are regarding the safety of both company and client data. Take a look at Imarc’s take on privacy, and give us a scream if you’d like some help in revamping how you manage your own data.
Night of the Living DDOS
DDOS (distributed denial of service) attacks are a nightmare in which a system is bombarded with so many requests it collapses. For our cybersecurity clients, it’s a very real threat that can cost revenue and prevent legitimate site traffic from reaching its intended destination. Our clients strategize, mitigate, and prevent these attacks with a variety of tools, but two services stand out as favorites in confronting the horde:
Cloudflare is a major network service provider that’s been widely used by websites and web applications in the last decade. Of the services it provides, the features our clients most often cite for requesting or purchasing Cloudflare services are:
Upstream Caching Layer (which speeds up your website monstrously)
Hiding the Origin IP Server Address
You can read more about DDoS and Cloudflare’s solutions on their website.
Armor is a hosting service favored by our security-concerned and compliance-conscious clients for its built-in VPN capabilities, Regulatory Compliance, and DDoS mitigation. While it’s not the only hosting service to provide DDoS protections, it’s frequently requested by clients that require a high level of security customization in addition to having specific HIPAA, GDPR, and PCI compliance needs.
Rise of the 2FA
Two-Factor Authentication (2FA) is rapidly spreading across the internet, particularly with social media accounts and other commonly targeted access points. Here at Imarc, we’ve seen 2FA come up in requirements for both visitor and administrator logins.
By adding an extra layer of security that requires verification from an additional secured source (whether it be an SMS message, telephone call, or a physical device/token), a site becomes more resistant to breaches resulting from stolen credentials. Cursing your lack of 2-factor? Check out the security settings on your favorite apps to get started!
Attack of the Social Engineers
Not too long ago, one of my supervisors told me an eerie tale from his earlier days at Imarc. It was the story of a stubborn client that was insisting on keeping visitor passwords visible to all administrators for their website. He couldn’t seem to get this client to understand why this was a bad idea. Running out of options, he convinced the client to sit in with him as he made a phone call.
Pretending to be a subscriber to the client’s services, he claimed to have forgotten his password. With very little vetting, and using only that subscriber’s name, he was able to gain access to the account via an internal representative. If he had been a real threat, he then could have changed the login himself, accessed more information about the subscriber, and made purchases as that person. Following that call, the client immediately removed the ability for passwords to be seen by administrators.
What my supervisor had demonstrated is known as Social Engineering – the practice of gaining access to a system by manipulating the people associated with it. No matter how robust or secure a system is, its most vulnerable point is its human elements. The best way to protect user data and privacy is to keep it out of the direct access of other people. For websites this involves:
Compartmentalizing logins between individuals and systems
Thorough verification procedures (via 2-factor authentication or security questions)
Only displaying relevant user data
Limiting access to user data
The best way to defeat social engineering attempts is to keep staff informed and remain wary. My recommendation: KnowBe4 Security Awareness
When it comes to your security, it can be a scary world out there on the web. Whether your website needs an updated SSL certificate or a full security overhaul we’re here to help! Drop us a line, and let’s talk!