[BreachExchange] Hackers won't take a holiday this Christmas so neither can your cyber protection systems

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 19 18:43:34 EST 2016


http://www.independent.ie/business/technology/hackers-wont-take-a-holiday-this-christmas-so-neither-can-your-cyber-protection-systems-35304122.html

It is important that companies, both large and small, are vigilant about
the security of their data.

Even Santa Claus needs to be conscious of data security. He gets names,
addresses and personal letters from all over the world. Just like any other
business, he needs to make sure the elves are protecting that data - so
here are my Christmas data tips for the man in red, and for your business:

1. The biggest threat will come in the form of emails. Phishing emails will
try to get you to enter sensitive information like your credit card number
and PayPal or banking details.

Unscrupulous cybercriminals will try to pull on the Christmas heartstrings,
and may use well known charitable campaigns to try to draw you in. It is
important that all staff are aware of the threat.

2. As well as knowing what threats look like, staff should know that they
should never share their passwords internally or via email, and passwords
should be changed on a regular basis, ideally every 30 days.

3. It is a business' responsibility to keep customer information safe.
Longer, more complex passwords will make it harder for criminals to breach
your system. Use symbols instead of letters like this example $@nt@C!@u$,
and make your customers do the same.

4. If you use a payment processor like Stripe or PayPal, customer credit
card data is not stored on your website, removing one significant headache.

You will still have customer address data for deliveries, email addresses
and perhaps a password.

It's crucial you keep this database of customer details safe and secure, by
ensuring your website is on a reputable, secure web hosting company.

5. Make sure you use a reputable payment processor that has verification
systems for addresses and cards to reduce fraud attempts. It's one extra
step a hacker will need to get through in order to access the system. Don't
be tempted by low commission rates. Use a familiar, proven name to get your
website trading online.

6. Set up system alerts for suspicious activity. Many shopping cart systems
have built-in features to monitor events like multiple orders placed by the
same person using different credit cards, phone numbers that are from
markedly different areas than the billing address and orders where the
recipient name is different than the card holder name.

7. Website security isn't reliant on a single solution, but on layers of
security that keep unwanted visitors at bay. If you're hosting your own
website on a server, install a firewall. If you have a shopping cart, make
sure users need to log in with a validated email address and use CAPTCHA on
forms and orders to minimise the number of automated or 'bot' requests made
to your website.

8. Employees should know the basics of web security, like the fact they
should never email or text sensitive data or reveal private customer
information in chat sessions. Staff training in data protection is vital.

9. Monitor your site regularly and make sure whoever is hosting it does
too. You can't be there all the time so use automated tools and analytics,
the equivalent of having security cameras in your shop. Make sure whoever
is hosting your website monitors for malware, ransomware, viruses and other
harmful software as well as unwelcome visitors.

10. Make sure you or whoever is hosting your site has a disaster recovery
plan.

11. Customers will look for https in their browser bar and a padlock icon
when shopping. That way they will know the website and their details are
encrypted and secure. Advise customers not to make purchases over a public
wi-fi system, as they can be prone to electronic eavesdropping.

12. Everyone expects to receive emails wishing them all the best for the
festive season but have a look at the email address of the sender before
you open any email. If something doesn't look right, it isn't.

All in all, just be vigilant. Yes, it is the season of goodwill but don't
extend that goodwill to cybercriminals by inviting hackers into your
network.
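
Tip 6, as an added example that is not part of the original article: a small Python check for the three signals it names, run over constructed orders. The field names, the calling-code table, the card-count threshold and the use of country as the "area" are assumptions for illustration.

```python
from collections import defaultdict

# Assumed, deliberately tiny table of phone calling codes to countries.
DIAL_PREFIX = {"+353": "IE", "+44": "GB", "+1": "US"}
MAX_CARDS_PER_CUSTOMER = 2  # assumed threshold; tune against your own order history


def _norm(name):
    """Case- and whitespace-insensitive form of a name for comparison."""
    return " ".join(name.lower().split())


def _phone_country(phone):
    """Country for a phone number, or None when the prefix is not in the table."""
    for prefix in sorted(DIAL_PREFIX, key=len, reverse=True):
        if phone.startswith(prefix):
            return DIAL_PREFIX[prefix]
    return None


def review_orders(orders):
    """Return {order_id: [reasons]} for orders matching any of the three signals."""
    cards = defaultdict(set)
    for o in orders:  # first pass: distinct card tokens seen per customer
        cards[o["email"].lower()].add(o["card_token"])
    alerts = defaultdict(list)
    for o in orders:
        if len(cards[o["email"].lower()]) > MAX_CARDS_PER_CUSTOMER:
            alerts[o["id"]].append("many_cards")
        country = _phone_country(o["phone"])
        if country is not None and country != o["billing_country"]:
            alerts[o["id"]].append("phone_region_mismatch")
        if _norm(o["recipient"]) != _norm(o["cardholder"]):
            alerts[o["id"]].append("recipient_not_cardholder")
    return dict(alerts)


def _order(id, email, card_token, phone, billing_country, recipient, cardholder):
    return dict(id=id, email=email, card_token=card_token, phone=phone,
                billing_country=billing_country, recipient=recipient, cardholder=cardholder)


# Constructed sample orders (not real data); card_token stands for a processor token.
SAMPLE = [
    _order(1, "a@example.com", "tok_1", "+35312345678", "IE", "Ann Byrne", "ann  byrne"),
    _order(2, "b@example.com", "tok_2", "+35387654321", "IE", "Bob Daly", "Bob Daly"),
    _order(3, "B@example.com", "tok_3", "+447700900123", "IE", "Bob Daly", "Bob Daly"),
    _order(4, "b@example.com", "tok_4", "+35387654321", "IE", "Cara Egan", "Bob Daly"),
    _order(5, "c@example.com", "tok_5", "+61400000000", "AU", "Dee Fox", "Dee Fox"),
]
```

A gift order legitimately has a recipient other than the cardholder, so these reasons are prompts for manual review rather than grounds for automatic rejection.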