Security is a big deal. Your organization needs to constantly work on new ways to strengthen security. No matter how big or how small your organization, if it uses a computer or has a website, it’s a target. Hackers range from “script kiddies” breaking in and vandalizing your site for the fun of it, to those who have set up bots to do the work for them, while they sit back and watch the credit card information come rolling in.
The size of your organization doesn’t matter. Don’t think that because you have a small organization, you’re immune to attackers. Though it seems obvious a bank or other financial institution needs tighter security than a blog about shopping, if you are online, you are a target.
Why would anyone target my organization?
“Low-hanging fruit.” A hacker will go after the attainable. Though defacing your site specifically may not be his goal, if he can break into your site and turn it into a spambot, he’s achieved his objective. The hack may not even be evident on your website, but in the background, it could be sending thousands of undesirable emails out, which could in turn get your website’s IP blacklisted for spam, and cause you trouble when you try to send legitimate emails to your subscribers.
Or the hacker might have filled your site with search terms for prescription drugs (“pharma hacks”), and link them up to disreputable sites. That can cause your search engine rankings to drop. You end up lower and lower on Google, and Google decides your site is too low-quality to rank high for anything, and you can no longer reach your audience.
And of course, the most well-known reason: if you do collect payment information, the hacker may well attempt to obtain your visitors’ credit card information in order to use it or sell it to a third party.
How can I protect my organization?
You should be aware of these basic steps:
- Personal computer firewall & anti-virus.
First things first. Protect your own home and work computer by using a firewall and anti-virus software. Windows comes with Windows Defender and a built-in firewall, and you can use anti-virus programs like Norton, McAfee, or Avast, among others, to protect your computer from incoming viruses.
- Website protection.
If your organization has a website, make sure the software running it stays up to date. Use the latest version available of the software and don’t put off security updates.
- Shift the responsibility.
Becoming PCI compliant in order to take credit card or other personally identifying information on your own website is a daunting step. We recommend you use a third party payment processor. Taking payments and keeping information safe is their domain of expertise. Let them handle it, and keep the credit card numbers off of your website.
Ok. We are doing all of that. So let’s get to the point.
What is the weakest link in our security?
In most cases, that would be… you. Yes, you, your coworkers, your boss, your employees.
Computer programs are set up to recognize viruses and hacks. Email programs usually recognize incoming spam and can flag it as such. Your website, we hope, has some form of security, like a firewall, to ward off attackers. But sometimes, a phishing email may make it through all the software filters. That’s where we must rely on human intelligence to recognize the scam.
How can we strengthen security?
Education is key. Stay up to date on the latest scams going around. Strengthen security by educating your employees, your coworkers, even your boss.
- Don’t click on a link in an unsolicited email. Period.
If you are not expecting an email from someone, and they send you a link asking you to “check this out,” think twice. It could be that their email was hacked, and someone is sending out malicious links, which, once you click, can deploy a virus onto your computer. Smart phishing campaigns may even target a particular person in your organization, and may attach documents that appear legitimate – a Word document or an Excel file, for example. But those documents may contain macros – bits of code that will execute when the file is opened, in order to infect your computer.
- Don’t send sensitive information by email.
Use a program like Noteshred to send sensitive information over an encrypted connection.
- Learn to recognize phishing email.
- Do you know the sender?
- Did you expect this email from the sender?
- Was the sender supposed to send you an attachment or a link?
- Is the email written in the sender’s usual tone?
- Does the email contain spelling or grammatical mistakes, unusual for this sender?
- Is the email specific? If the language is vague – a job hunter not specifying the job he is looking for, or someone claiming to want to buy “the item” you put up for sale – it’s highly likely to be a phishing email.
- If you’re not sure about the answers to these questions, contact your IT department. If your small organization doesn’t have an IT department or designated person to handle these issues, pick up the phone and verify with the sender.
- Take a look at this example of a phishing scam email, or this example of a phishing website scam.
- Use a Virtual Private Network (VPN) when you’re using the internet over public wifi.
This prevents people from “eavesdropping” on information you send and receive over the internet. CyberGhost is an easy-to-use option, with free and paid versions, if your organization doesn’t have an internal set-up for this.
- Strengthen security by setting up SSL for your organization’s website.
Setting up SSL means your website starts with “https://” instead of “http://”, and you’ll see a padlock or other indication of security when you visit the site. This is one more way to protect your website’s visitors, and it means if they log in to your website, their password will be sent over an encrypted channel. What’s more, Google is starting to rank search results based on whether or not they have SSL, so by adding it, you’ll be doing yourself a favor as far as search engine rankings as well.
- Another idea to consider is having a specialist come in and give a short seminar for your organization, to show people the basics about how to recognize phishing scams or other scams they might fall prey to.
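As an added example that is not part of the original post, here is a small defender-side triage script that applies three of the checklist questions above to a raw email (is the reply quietly routed to a different domain than the apparent sender, does an attachment have a macro-capable Office extension, does a link's visible text name one site while the real href goes elsewhere). The message it scans is constructed for the example; the domains, filename and function names are assumptions, not values from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Office extensions that can carry executable macros (the "Word or Excel file with macros" case).
MACRO_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")

def triage(raw_email: str) -> list[str]:
    # Returns human-readable warnings for one raw RFC 822 message.
    msg = message_from_string(raw_email)
    warnings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    # Replies silently routed to a different domain than the sender shown in From.
    if reply_addr and reply_addr.split("@")[-1].lower() != from_addr.split("@")[-1].lower():
        warnings.append(f"Reply-To domain differs from From: {reply_addr}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and "." + filename.rsplit(".", 1)[-1].lower() in MACRO_EXTENSIONS:
            warnings.append(f"attachment can carry macros: {filename}")
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
            for href, text in LINK_RE.findall(html):
                shown = HOST_LIKE.match(re.sub(r"<[^>]+>", "", text).strip())
                real = urlparse(href).hostname
                # Visible text names one host while the actual link points to another.
                if shown and real and shown.group(1).lower().removeprefix("www.") != real.lower().removeprefix("www."):
                    warnings.append(f"link text shows {shown.group(1)} but points to {real}")
    return warnings

# Constructed sample message (not a real email) that trips all three checks.
SAMPLE_EMAIL = """\
From: Accounts Payable <billing@example.com>
Reply-To: billing@example.net
Subject: Invoice attached - please check this out
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review at <a href="http://example.net/portal">www.example.com/portal</a></p>
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="invoice_4471.xlsm"

--b1--
"""
```

Running `triage(SAMPLE_EMAIL)` yields three warnings; a plain-text message from a single address with no attachments yields none. The checks are heuristics that support the human questions in the list, not a replacement for them.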
Don’t be the weak link in your security chain. Strengthen security: stay up to date, and learn to recognize scams.