The Security Checklist for Online Businesses

Cybersecurity is not just a technology problem. A system is only as strong as its weakest link. To have an effective cybersecurity programme, you need a comprehensive security policy for all employees that covers both online and offline behaviour, and leaders who instil a security-conscious culture.

One of the more recent scams is the “VP imposter scam,” a smaller-scale version of CEO fraud. An employee receives an email that appears to come from a VP. The VP is supposedly in a customer meeting offsite and needs gift cards purchased immediately; the employee is told to buy the cards right away and email photos of the backs of the cards before the meeting ends. It sounds urgent, so the employee complies. Unfortunately, the “VP” was an imposter using a spoofed address on a look-alike domain. Once the photos were sent, the cards were drained and the imposter cut contact. The employee only realised he had been scammed when the VP did not reimburse the purchase, which triggered an IT investigation.

Technology alone will not stop this, because a message like this carries no malware or malicious link and often passes spam and other email filters: it is a targeted phishing message, sent from a domain the filter has no reason to distrust. A security policy can stop it, for example by requiring that any unusual payment request be verified through a second channel before anyone acts on it, and your company needs both to function properly.
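The scam above relies on a look-alike domain. A mail filter will not flag the message's content, but the sender's domain can be compared with the company's own domains mechanically, and that check is a cheap supplement to the policy. The following is an added example and not code from the original article: it assumes the company's trusted domain is acme-corp.com, uses a small table of confusable characters plus edit distance, and every address in it is constructed. It extracts the registrable domain crudely (last two labels); a production check would consult the Public Suffix List.

```python
"""Flag From: addresses whose domain imitates a trusted company domain.

Added example, not from the original article. TRUSTED_DOMAINS and all
sample addresses below are constructed for illustration.
"""
import re

# Confusable substitutions commonly used in look-alike domains. Assumption:
# a representative subset, not an exhaustive homoglyph table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

TRUSTED_DOMAINS = ["acme-corp.com"]  # constructed; substitute your own domains


def normalize_label(label):
    """Fold confusable sequences so 'acrne-c0rp' compares equal to 'acme-corp'."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Levenshtein distance; a small distance indicates typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable-domain extraction: the last two labels. Assumption:
    a production check would use the Public Suffix List instead."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return 'internal', 'lookalike', 'external' or 'invalid' for a From: address."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid"
    host = m.group(1).lower().strip(".")
    for t in trusted:
        t = t.lower()
        if host == t or host.endswith("." + t):
            return "internal"   # the domain itself or a genuine subdomain of it
        if host.startswith(t + "."):
            return "lookalike"  # trusted name used as a leading label of another domain
    sender_name = normalize_label(registrable(host).split(".")[0])
    for t in trusted:
        trusted_name = normalize_label(registrable(t).split(".")[0])
        if edit_distance(sender_name, trusted_name) <= max_distance:
            return "lookalike"  # same or near-identical name on a domain we do not own
    return "external"


if __name__ == "__main__":
    # Constructed sample senders, including the patterns from the VP scam.
    for sample in ["vp@acme-corp.com", "vp@acrne-corp.com", "vp@acme-c0rp.com",
                   "vp@acme-corp.co", "vp@acme-corp.com.mail-portal.example",
                   "bob@partner-supplies.example"]:
        print(f"{sample:45} {classify_sender(sample)}")
```

A "lookalike" verdict is a reason to hold the message for review or to tag it visibly for the recipient; an "external" verdict is not a clean bill of health, since a compromised partner mailbox is external and legitimate-looking at the same time, which is why the policy's verification step still applies to every unusual request.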

What Makes a Good Security Policy?

There are several things that make a good security policy:

  • Make everyone understand the stakes – anyone can be compromised, from the CEO down to the most junior employee, and your vendors as well. A reported Booking.com hack turned out to be phishing messages that compromised a partner's own back end.
  • Define the chain of command clearly – a VP should only be able to give instructions to his or her direct staff, not to a random employee. Any request that bypasses the chain of command must be verified before it is acted on.
  • Define clear areas of control for each department – this can range from “regular users may not install new programs; only IT can” to “only the CFO can edit transactions.”
  • Define the risk in each job and how to manage it – different jobs carry different levels of risk, and that level determines how much training and how much technology is needed to manage it.
  • Plan for the worst case before it happens – if a scammer does get through, how do you proceed? This has to be planned properly ahead of time.

For any organisation or individual, it is extremely important to keep your data secure from many different threats, ranging from hackers stealing your passwords to malware that steals copies of your financial information, forcibly displays pop-ups or advertisements, or opens programs or web pages without any user input.

One of the most obvious and most neglected threats is that some people use only the most basic security software, and many never update it; they install it and let it run in the background. Security software that is never updated cannot recognise newer threats, and it becomes less effective the longer it goes without updates. If you cannot keep up with this yourself, have your cyber security managed for you by professionals.

In addition to outdated security software, some organisations have been known to transmit data over channels that encrypt it poorly or not at all, leaving it open to be read and stolen by anyone who could get access to the data stream.

Access control, or authorisation, limits which visitors may reach which areas of a website through checks on each request. Sometimes, however, access control is broken, and users gain access to areas of your website containing sensitive information that they have no clearance for. If this has ever happened to your website, you know the stress and headache it causes, and you have wondered how to protect yourself better. Luckily, we are here to help.

Why Does Broken Access Control Happen?

The first thing to look at when resolving broken access control is what causes it in the first place. The first place developers fail is in underestimating what it takes to implement access control reliably. To break access control, all an attacker needs to do is figure out the access control scheme and then find a way around it. This often starts with a simple request for an area of the website that should not be permitted: for instance, changing an identifier in a URL to request another user's record. If the server returns it, the attacker has found a flaw in the scheme and can exploit it. Once in, the attacker can do a lot of damage, such as deleting content or even taking control of your website. As you can see, the effects of broken access control can be severe, and the importance of knowing how to resolve it cannot be overstressed.

How Can I be Sure I am Protected?

So how can you be sure you are protected? First and foremost, evaluate the access control requirements for your application and document them in your policy. The policy should state who has access to what, and what each kind of user should be able to see and do on your website. Then test from multiple accounts, of different roles and different customers, trying to reach every protected area and record from each one, to be sure the checks cannot be bypassed.
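The failure described under "Why Does Broken Access Control Happen?" (an attacker requesting an object the scheme never meant to give them) and the cure described just above (write the policy down, then test it from several accounts) in code, as an added example that is not from the original article. The roles, departments, accounts and documents are constructed for illustration, the policy is a simple role-based one over a single object type, and the "store" is an in-memory dictionary standing in for a database-backed endpoint.

```python
"""Object-level authorization: a vulnerable fetch, a fixed fetch, and a
multi-account audit that tells them apart.

Added example, not from the original article. Users, documents and the
policy below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str         # 'admin', 'editor' or 'viewer'
    department: str


@dataclass
class Document:
    doc_id: int
    owner: str
    department: str
    body: str


# The written policy: which role may perform which action, and on what scope.
# 'any' = every document, 'department' = same department, 'own' = documents
# the user owns, None = never. Anything not listed is denied by default.
POLICY = {
    "admin":  {"read": "any",        "edit": "any", "delete": "any"},
    "editor": {"read": "department", "edit": "own", "delete": None},
    "viewer": {"read": "department", "edit": None,  "delete": None},
}


class AuthorizationError(Exception):
    pass


def is_allowed(user, action, doc):
    """Decide one (user, action, document) triple from POLICY. Deny by default."""
    scope = POLICY.get(user.role, {}).get(action)
    if scope == "any":
        return True
    if scope == "department":
        return doc.department == user.department
    if scope == "own":
        return doc.owner == user.name
    return False


class DocumentStore:
    def __init__(self, docs):
        self._docs = {d.doc_id: d for d in docs}

    def get_document_vulnerable(self, user, doc_id):
        """Broken pattern: being logged in is treated as being authorised, so
        any user who guesses a doc_id gets that document."""
        return self._docs[doc_id]

    def get_document(self, user, doc_id, action="read"):
        """Fixed pattern: the policy is checked against the specific object."""
        doc = self._docs.get(doc_id)
        if doc is None or not is_allowed(user, action, doc):
            # One error for both "missing" and "forbidden" so the response
            # does not reveal which identifiers exist.
            raise AuthorizationError(f"{user.name} may not {action} document {doc_id}")
        return doc


def outcome_of(fetch, user, doc_id):
    """'allowed' if fetch(user, doc_id) returns, 'denied' if it refuses."""
    try:
        fetch(user, doc_id)
        return "allowed"
    except AuthorizationError:
        return "denied"


def audit(fetch, users, docs, expected):
    """The 'test from multiple accounts' step: try every account against every
    document and return the combinations whose outcome disagrees with the
    expectation table derived from the written policy."""
    return [(u.name, d.doc_id, outcome_of(fetch, u, d.doc_id))
            for u in users for d in docs
            if outcome_of(fetch, u, d.doc_id) != expected[(u.name, d.doc_id)]]


# Constructed accounts and documents.
USERS = [User("alice", "admin", "finance"),
         User("bob", "editor", "finance"),
         User("carol", "viewer", "sales")]
DOCS = [Document(1, "bob", "finance", "Q3 forecast"),
        Document(2, "carol", "sales", "Pipeline notes"),
        Document(3, "alice", "finance", "Payroll export")]
STORE = DocumentStore(DOCS)

# Expected read outcomes, written out by hand from POLICY: this is the
# "who can see what" table a policy document should contain.
EXPECTED_READ = {
    ("alice", 1): "allowed", ("alice", 2): "allowed", ("alice", 3): "allowed",
    ("bob", 1): "allowed",   ("bob", 2): "denied",    ("bob", 3): "allowed",
    ("carol", 1): "denied",  ("carol", 2): "allowed", ("carol", 3): "denied",
}

if __name__ == "__main__":
    print("vulnerable:", audit(STORE.get_document_vulnerable, USERS, DOCS, EXPECTED_READ))
    print("fixed:     ", audit(STORE.get_document, USERS, DOCS, EXPECTED_READ))
```

Run against the vulnerable fetch, the audit lists every cross-department read the policy forbids; run against the fixed fetch, it lists nothing. The expectation table is deliberately written by hand rather than generated from `POLICY`, so that a mistake in the enforcement code and a mistake in the policy data do not cancel each other out; keeping that table under version control beside the policy document is what makes the "numerous tests from multiple accounts" repeatable.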

Conclusion

Finally, it is always wise to watch for social engineering techniques being used against your security. These threats are less obvious than most, but they are another thing to keep an eye on. They are far less technical and more personal: they rely on manipulating people into sharing their credentials or other data rather than on hacking your systems. The VP imposter scam described above is exactly this kind of attack, and the policy and training described earlier are the defence against it.