We at ShipCompliant take the issue of cybersecurity incredibly seriously. Protecting our clients’ information and their privacy is our number one priority, which is why we test our system for weaknesses daily. With recent hacks in the wine industry, we’ve received questions from our clients wondering what they can do to protect themselves and their customers. We thought it would be best to go directly to the source of much of our cybersecurity, so we invited Zack Sanders of Rarefied to share some of his best practices that could be applicable to wineries. We hope you find this post helpful, and let us know of any questions you may have!
High-profile cyber attacks have become increasingly common recently – with organizations like Sony, Home Depot, Ashley Madison, and the US OPM all succumbing in markedly different ways to individuals or groups of people with a variety of motivations. Despite these different motivations, the one thing these organizations all do have in common is that they were specifically targeted by attackers.
Because of this distinction, most small and medium-sized businesses with innocuous missions assume that because they are not high profile, they are largely immune to attack. While that may be true from a political or “hacktivist” point of view, these businesses are still prime targets of opportunity. Botnets and other malicious software packages constantly scan the Internet for easily exploitable vulnerabilities, without caring who owns the system. When the software finds one, it phones home to the attacker, who then probes the target further by hand.
Because nearly every business these days has an online presence, there is almost always something to gain by pulling off an attack on a vulnerable target – customer names, emails, passwords, credit card numbers, etc. In addition, this type of data is often less secured in smaller businesses because there is usually no in-house security expertise to enforce best practices.
But, there are things you can do to protect yourself. Here are ten easy steps you can take that will provide measurable value in securing your data:
1) Do not store credit card data
Utilize services that are already PCI compliant like Google Checkout, PayPal, Authorize.net, etc. (PCI compliant means the systems hold to the Payment Card Industry Data Security Standard.) Let the payment provider’s hosted form or tokenization handle the card number so it never touches your own servers or database. Not storing this data adds a level of protection for your clients and for you, and it keeps most of the PCI burden on the provider rather than on your winery.
2) Hash passwords in databases
If you have a website that users log into, make sure that your web developers are properly hashing passwords in the database, not storing them in plain text and not “encrypting” them with a key that lives on the same server. A password should be run through a slow, salted, one-way hash (bcrypt, scrypt, Argon2 or PBKDF2) so that if the database is compromised, the attacker gets only hashes that cannot be reversed into the original passwords.
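As an added example (not code from the original post or from Rarefied), the following Python uses only the standard library to show the difference between a password store an attacker can read and one that is hashed correctly. The storage format string, the iteration count, and the function names are assumptions for illustration; PBKDF2-HMAC-SHA256 is chosen because it ships with Python, and bcrypt, scrypt or Argon2 would be equally good choices with a third-party library.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for this example; tune it so one hash takes
# tens of milliseconds on your hardware (OWASP's current guidance for
# PBKDF2-HMAC-SHA256 is 600,000). Higher is slower for attackers too.
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex).

    A fresh random salt per user means two users with the same password get
    different records, and precomputed (rainbow) tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time.

    Any malformed record is rejected rather than raising, so a corrupted row
    cannot crash the login path.
    """
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker setting than we want today.

    Call this after a successful login and re-hash with the new cost, so old
    accounts are upgraded transparently as users sign in.
    """
    try:
        algo, iters, _salt, _hash = stored.split("$")
    except ValueError:
        return True
    return algo != "pbkdf2_sha256" or int(iters) < target_iterations


def what_a_breach_reveals(users: dict) -> dict:
    """Simulate an attacker dumping the users table.

    `users` is a constructed sample mapping username -> stored record. For a
    plaintext store the attacker gets passwords outright; for the hashed store
    they get salted PBKDF2 records and must brute-force each one separately.
    """
    leaked = {}
    for name, record in users.items():
        leaked[name] = "hash only" if record.startswith("pbkdf2_sha256$") else record
    return leaked


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    plaintext_store = {"alice": "Merlot2015!", "bob": "Merlot2015!"}
    hashed_store = {u: hash_password(p) for u, p in plaintext_store.items()}

    print(what_a_breach_reveals(plaintext_store))   # passwords in the clear
    print(what_a_breach_reveals(hashed_store))      # nothing usable directly
    print(hashed_store["alice"] != hashed_store["bob"])  # salts differ
    print(verify_password("Merlot2015!", hashed_store["alice"]))  # True
    print(verify_password("merlot2015!", hashed_store["alice"]))  # False
```

The record carries its own salt and iteration count, so the cost can be raised later without breaking existing logins, and `verify_password` tolerates a garbage record instead of raising on the login path.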
3) Make sure login or shopping cart transactions are done over HTTPS
Encrypting sensitive data in transit is an important part of ensuring a secure experience for your users. Without HTTPS, a password or card number typed into your site is readable by anyone on the path between the customer’s browser and your server, including on public Wi-Fi. Check that the login and checkout pages, and the forms that submit them, all load over HTTPS with no warnings in the browser.
4) Take advantage of the cloud
While utilizing the cloud for data storage, hosting, etc. introduces vulnerabilities different from those that exist on your own server, your overall risk and cost with the cloud are still much less. Systems set up and maintained locally can quickly be hacked if they are not updated and monitored frequently, and a reputable provider patches and monitors the underlying platform for you. You remain responsible for your own accounts, passwords and access settings on that platform.
5) Have a “joiners and leavers” policy
Insider threats and disgruntled employees are an increasingly common origin of attacks these days. Make sure that access is only granted to those that need it, keep a list of which systems each person can reach, and ensure a plan exists for quickly removing that access the day someone leaves or changes roles.
6) Have a backup and disaster recovery plan
Ensure that critical data is backed up in case something happens to the production version. Also, be certain that the backup is stored securely and in a different location from the production system, and that you periodically test restoring from it; a backup you have never restored is not yet a backup.
7) Keep software, operating systems and antivirus up to date
Vulnerabilities in out-of-date versions of software and operating systems are routinely published on the Internet, and the automated scanners mentioned above look for exactly those versions. Diligent patching should be a cornerstone of your organization no matter how large or small.
8) Use strong passwords
The more critical the login, the stronger the password should be. Don’t use the same password for your QuickBooks account that you use when signing up for a guest account to try a new product; when the small site is breached, that password will be tried against your important accounts. A password manager makes it practical to use a long, unique password everywhere.
9) Protect your email
This is the linchpin of your individual security profile. Your email account is the most important account to protect because almost all passwords for any other service can be reset through email. Use a unique password for this account that you don’t use anywhere else and take advantage of two-factor authentication if possible. (Two-factor authentication is pretty much how it sounds: logging in requires something you know plus something you have. An everyday example is a bank requiring both your ATM card and your PIN.)
10) Good security is awareness
Attacks can come from anywhere. They can be internal or external, technology based or human based, sophisticated or basic. The key to strong security is layering and awareness. Layering means you don’t rely on a single product or service to make you secure; you employ multiple, complementary layers so that if one is breached, the others are there to back it up. Awareness means that everyone from the CEO to the cleaning crew knows the basics of what to do and not do, such as not opening unexpected attachments or sharing passwords. It’s not just the IT person’s concern anymore.
Zack Sanders is the co-founder of Rarefied, located in the Denver area. Rarefied Inc. focuses exclusively on ethical hacking as a service. They safely conduct targeted attacks on IT infrastructure in order to discover security issues before they are exploited by a malicious hacker. Contact them today for information on web application security assessments and network penetration testing services: firstname.lastname@example.org.