Here are five security principles you need to rethink in the new year.
Stop me if you’ve heard this lede before: the internet is evolving and so too is cybercrime. I know, right? That’s like, every single cyber security article you’ve ever read. Ever.
But here’s the thing, it’s kind of true. Whereas once cyber criminals were relegated to a niche part of our Hollywood collective consciousness, now hacking and cybercrime is at the forefront of our attention span. We’ve had high a number of hacks against the private sector. And despite the protestations of the current administration, pretty much anyone that knows their elbow from their rear end can tell you that Russia hacked the United States’ 2016 elections.
It’s a lot to swallow, and it’s not going anywhere anytime soon. Just as in the years previous, cyber security continues to be a game of cat and mouse. Pretty soon they’ll be AI-powered cat and mice. The stakes just keep rising.
So what are some steps you can take to stay safe in 2018? Here are five website security myths that need to be left in 2017:
5.) Small Business Owners Are at Less of a Risk of Being Hacked
No. While you can certainly filter some evidence to say that statistically a small business has a lower chance of being hacked than a major corporation, that’s misleading. Small businesses are at an even greater risk when it comes to hacking. That comes down to resources.
But let’s start from a numbers standpoint, more than half – 62% – of all cyber attacks launched are aimed at SMBs per IBM. Per Symantec, while 90% of major corporations have been targeted. 74% of SMBs have too. And then there’s this damning statistic from the National Cyber Security Alliance, 60% or 3 out of every 5 small businesses that suffer a cyber attack end up shuttering within six months of the incident.
Hackers know that while larger companies could make more lucrative targets, they’re also more well guarded and easier to get caught hacking. Smaller companies may lack those same resources making them steadier targets. Don’t fool yourself into think you’re too small to get hacked. You’re not.
4.) Your Employees Can’t Impact Your Network or Website Security
While I feel like this myth has been thoroughly debunked, apparently some companies still don’t realize that their employees are actually one of the biggest threats to their network and website safety. That’s not said in a malicious way about your employees, either. It’s just that people are
stup—prone to occasional bouts of carelessness.
Part of this stems from a misperception on the employee level that enough has been done from a company standpoint already. If it’s gotten through your company’s firewall and spam filters, it’s probably safe, right? Plus it says it came from my co-worker, so I’m just going to click… Chalk it up to simple ignorance or poor training, but many employees don’t even realize that they could imperil their company with something as meaningless as clicking the wrong attachment.
But make no mistake about it, your employees are a huge threat. Just this past weekend, the state of Florida had to disclose a breach of over 30,000 Medicaid records after someone at the Agency for Health Care Administration accidentally fell for a phishing email. This sort of thing happens all the time. Don’t assume your employees understand the intricacies of web security on their own, train them, talk to them about it regularly. And be realistic about what you can and can’t reasonably expect of employees from a security standpoint.
3.) A Firewall and Antivirus Software is Enough
Sadly, those days are over. We’re entering an era of comprehensive web security as a service. You’re already seeing a number of major players like Venafi and Comodo move into that space and it’s hard to argue with the new technology’s benefits. For starters, the cost of staffing an effective in-house security team, for companies of all sizes, is staggering. We’re talking purchasing hardware, hiring and training staff and then maintaining everything on your own.
SaaS products are helping companies and organizations avoid those costs by essentially out-sourcing everything. That’s because nowadays you need more than just a simple firewall and some antivirus software. You need 24/7 monitoring, malware detection and removal, it’s probably smart to have a good CDN for better security and performance, plus you’ll need to have a Systems Incident and Events Management team for any major crises.
Just go back and reread that last sentence or so. I admit it’s a run-on, but that’s done for the effect. That’s all the stuff you’d need to pay for on your own to have sufficient security in-house. Or you could pay pennies on the dollar and outsource it to a reputable security company. In 2018, a Firewall and Antivirus Software is no longer enough, it’s time to invest in security-as-a-service.
2.) Your Password is Strong Enough
How is it that the internet can convene and decide on a set of standards for something as trivial as the proper order of ingredients on a burger emoji, but establishing consistent standards for good password hygiene eludes us? If you do some research on passwords you’ll read a whole bunch of random advice that all seems to contradict itself.
Let’s start with what not to do: don’t pick something easy and use it for all of your accounts. Yes, I know that’s so much simpler. And who wants to remember a bunch of different passwords for a bunch of different accounts? Here’s what I’ll say, understanding that I’m not going to convince a lot of you to use different passwords, make sure the one you do use is substantially difficult to guess. And not just by a person, but by a brute force attacker. I go for long random strings of numbers, letters and symbols. Avoid words all together.
And remember, if you’re reusing passwords, anyone that steals yours has access to all the other accounts that also use that password. For companies, the better solution is just to use a password generator like LastPass to protect your site.
Also, don’t stop at just a password. Always enable two-factor authentication. I’m not going to lie to you, 2FA adds additional steps and can even be considered… annoying. But it’s also an extremely important layer of protection that you can no longer afford not to make use of.
1.) If you don’t store customers’ credit card info, you don’t need an SSL/TLS Certificate
I have literally written a book’s worth of material on this exact subject. And I mean literally. Grammar.ly sends me a report every week that tells me just how many thousands of words I’ve devoted to this subject. Thousands upon thousands of words. The creative writer inside of me is dying in the most agonizing fashion.
But let’s talk about SSL.
Yes, it’s true that SSL was once a product designed more for e-commerce and websites that collected personal information. That’s because an SSL Certificate is essentially a piece of software that you install on a web server to protect communication. Once installed and configured properly, the certificate enforces secure HTTPS connections that prevent the data being transmitted within from being stolen or manipulated.
You could see why this sort of thing would be important for financial transactions and medical records and that sort of thing. Well, the browsers – led by Google and Mozilla – have determined that HTTPS should be the new standard for the internet. Or, to put it another way, all connections made between websites and the people that view them should be encrypted—they should all be secure.
It makes sense, but it’s also going to cause a fairly massive shift on the internet. As of right now the research varies on how much of the internet is encrypted, but suffice it to say a sizeable chunk of the internet is not currently using an SSL certificate. And that’s going to become a problem sometime around March or April when Google Chrome begins to mark any website still making HTTP connections as “Not Secure.”
And nothing is going to crater your website’s business like a highly visible browser security warning that says your website is “Not Secure.”
So in 2018, regardless of what kind of personal information you’re storing and processing, you need to add an SSL/TLS Certificate to your website.