Protect Yourself & your Website from Getting Hacked
I’ve had a few clients recently suffer attacks on their identity that involved their website, their merchant account and their email. With the various recent data breaches (Equifax, Yahoo, Target, Uber and more), there is a very good possibility that much of our information is already floating around somewhere on the ‘dark web’, but not all is lost. There are some practical ways to protect ourselves against the most common scams that many of us get hit with on a daily basis. Here are some basic principles for managing your online data, email and website, which are essential to running your business safely and securely.
1. Don’t ever open an email if you don’t recognize the sender. Most of us get emails on a regular basis from friends, family members, clients and brands we follow, but we may also receive new client inquiries or leads. If you feel that the email is more than likely legitimate and the subject line does not look ‘sales pitchy’ or ‘scammy’, open it in a safe environment, like directly via your email server or on a non-essential device. If the email is threatening, DELETE IT, and if the sender is asking you to click on anything for more information, DON’T DO IT! This is how ransomware, viruses and hacking software get loaded onto your computer or device.
2. Don’t click on any links in an email even if you know the sender! Scammers are becoming more and more proficient at imitating legitimate brands and sending emails that look like they come directly from the IRS, the Post Office, Federal Express, Google, PayPal, etc. Those fraudulent emails usually contain a link that they are urging you to click. DO NOT CLICK THOSE LINKS! If you are unsure about the content or information in the email, go directly to the organization’s website (not via the email, but by typing it into a web browser), or call the organization (again, not with the contact information provided in the email, but with the contact information listed on their official website). Then ask their customer service representative to verify the email’s content. Nine times out of ten, these organizations will not contact you via email, at least not for the first point of contact.
3. Do not give out any information about yourself on any cold call. I get nearly a dozen scam or sales calls a day as a business, and at least 30-50 emails (my spam filter gets rid of most of them). As I get dozens of phone calls each week from new clients or existing ones, I have to answer, but I quickly discern the purpose of any call from a phone number I do not recognize. If they can’t tell me how they heard about me, what they need from me or what business they’re from, I do not hesitate to end the call without a word. I’m especially alert when it’s an out-of-state phone number, as my business is local and advertised locally, but scammers have even overcome that hurdle by masking their number and appearing to be calling from a local or familiar number (see the recent Rossen Report on this scam). Be wary, be alert and be ready to hang up. The same goes for emails: do not provide any information via an email reply or link; just delete it.
4. Never give anyone remote access to your device unless you know them or personally hired them. CASE STUDY: I had a client who received a call from “Microsoft” saying their computer had been hacked, so they should give the caller remote access to their computer to ‘fix’ the problem. Feeling nervous and unsure, the client did in fact give them access to their computer, and minutes later their computer data was compromised and stolen. First of all, Microsoft or any other PC brand is not going to call to warn you of a possible breach. If you suspected a breach or any other computer issue, you’d be calling them, not vice versa. So NEVER give anyone remote access to any of your devices to repair or troubleshoot them unless you personally know the person or their company, and have initiated the relationship via a contract for their professional services.
5. Make passwords strong and change them regularly! It takes work not only to be creative when it comes to password generation, but also to maintain, update and store passwords securely. The importance of secure passwords, especially when it comes to your online presence, cannot be stressed enough. I’ve seen websites hacked, domains stolen and hosting accounts tweaked by unauthorized persons. So if you give your passwords out to employees, partners or contractors, make sure you change them when those relationships end. Here are some additional points of assistance when it comes to passwords:
   - The more complicated, the better. As a rule of thumb, passwords should be 12-15 characters in length, have no words or names in them, and be a combination of uppercase and lowercase letters, numbers and symbols. Don’t use children’s names, pets’ names, your or your family’s birthdays or any full words, and especially not “password”. This goes for your website administrative access, hosting and domain account access, email, bank accounts, online ecommerce accounts, and any other site where you need a username/password to log in. There are several great Strong Password Generator sites out there that can help you if you need inspiration.
   - Separate Users = Separate Logins. If you use WordPress or any other content management system for your business website, make sure you give everyone editing or managing your website a SEPARATE username/password. This should be done for several reasons. First, you can track what that person is doing when they’re logged in: what pages they’re updating, what content they’re publishing and what media they’ve uploaded to your site. Second, if you and your staff have separate access, you can all be working at the same time without one person being kicked out. And third, when that person leaves your company, you can simply delete their profile so they instantly lose access to your website, without having to change or update your own login.
   - Update Regularly. Update your passwords regularly (every 3 to 6 months at a minimum) and don’t record your passwords in any file or location that can be easily stolen. There are helpful apps to maintain and securely store your passwords, like 1Password, Zoho, Dashlane, Sticky Password, Keeper, Password Boss and more.
6. Get Professional Monitoring. Since the recent data breaches have been a popular topic on news media outlets, there has been an explosion of identity theft protection services. Although none of these services can actually prevent your identity from being stolen, they can monitor various outlets to alert you to suspicious activity that may or may not have led to identity theft. These services usually monitor some or all of the following: credit card activity, financial and bank accounts, personal information including driver’s license number, social security number, addresses and emails, public records, medical records and health insurance accounts. Some popular services include LifeLock, ID Shield, Identity Force, IDwatchdog and more. Many provide apps so you can have 24-7 access to your monitoring service and receive alerts on your phone. Again, these services can’t prevent your identity from being shared on the ‘dark web’, but there is a sense of security in signing up for one of these paid monthly subscriptions; as they say, ‘knowledge is power’.
7. Keep your Anti-Virus Software up to date. Install and use anti-virus software to alert you about potentially dangerous downloads and block suspicious web traffic. Be diligent about regularly checking for software updates, as new viruses and vulnerabilities arise daily that the software will need to guard against. Research and find software that will protect your devices against ransomware, viruses, spyware, malware and other online threats. Use a firewall on your home or office network that is password protected as well (see #5 on choosing a network password).
8. Be especially careful when you’re on a shared computer or public wifi network. When you’re sitting at your favorite cafe with your laptop or mobile device, you may not be aware of who is watching you within the space (shoulder surfing) or online (man-in-the-middle attacks). Public networks carry a variety of vulnerabilities because the information transmitted is generally unencrypted, so it’s not just the wifi hotspot that’s public but your data too. So make sure the sites you visit are on an HTTPS address, where there is some level of encryption, or just be very careful what you do while using public wifi. For example, avoid online activities where you need to enter personal information, such as online banking, shopping online with a credit card, or submitting any confidential data. There are a lot of scams out there, including fake access points (APs) that cybercriminals use to steal any transmitted data, so make sure you are connected to the correct wifi network by asking the staff of the cafe, hotel or restaurant.
9. Back up your data externally and DAILY! The most common mistake many people make is not backing up their data (pictures, documents, advertising and marketing materials, client files, financial records) to the cloud or to a physical external source (both are recommended) daily. That way, if you are attacked or your computer system dies a permanent death, you will know that all your data is protected elsewhere. If your essential data is stored elsewhere, this will also protect you if you are hit by a ransomware attack (a type of malicious software designed to block access to a computer system and its files until a sum of money is paid).
10. If you get hacked, don’t panic. The worst thing you can do in the moment is to lose your head and make matters worse. First, isolate your PC or laptop so you ‘quarantine’ the virus from other connected systems or hardware. Pull the network cable out of your PC and turn off the Wi-Fi connection. If you have a laptop, there is often a switch to turn the Wi-Fi off. Turn your computer off and remove your hard drive (get professional help if needed). Getting your PC off the network will prevent the hacker from doing further damage. Then have your IT professional scan for and remove any malware or viruses, back up your data from the removed drive to a clean drive, and start over in rebuilding your system.
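As an added example that is not part of the original post, the script below turns the password rules in point 5 (12-15 characters, mixed case, digits and symbols, no names, birthdays, full words or “password”) into a checker, plus a generator that draws random characters from the secrets module until the checker is satisfied. The blocklist of words is constructed and deliberately short; a real check would load a full dictionary and the user's own names and dates.

```python
import re
import secrets
import string

# Rules from point 5 above: 12-15 characters, upper + lower + digit + symbol,
# no names, pet names, birthdays or full words, and never "password".
MIN_LEN, MAX_LEN = 12, 15
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"

# Constructed, deliberately short blocklist (assumption: a real deployment
# would load a full dictionary plus the user's own names instead).
BLOCKED_WORDS = {"password", "welcome", "summer", "admin", "letmein"}


def problems(pw, personal=()):
    """Return the list of rules the password breaks; an empty list means it passes.

    `personal` is an optional iterable of the user's names, pet names, etc.
    """
    issues = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        issues.append(f"length {len(pw)} not in {MIN_LEN}-{MAX_LEN}")
    if not any(c.isupper() for c in pw):
        issues.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        issues.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        issues.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        issues.append("no symbol")
    low = pw.lower()
    for word in sorted(BLOCKED_WORDS | {p.lower() for p in personal}):
        if word in low:
            issues.append(f"contains blocked word {word!r}")
    # A run of four or more digits usually means a year or a date (1987, 0512).
    if re.search(r"\d{4,}", pw):
        issues.append("contains a 4+ digit run (date-like)")
    return issues


def generate(length=14):
    """Build a random password that passes problems(), using a CSPRNG (secrets)."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not problems(pw):  # retry the rare draw that misses a class or hits a word
            return pw


if __name__ == "__main__":
    for candidate in ["Password123!", "Fluffy2015!!x", "xK7#pQ2mLz9$vB"]:
        print(candidate, "->", problems(candidate) or "ok")
    print("generated:", generate())
```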
In this crazy world, where business owners and entrepreneurs rely so heavily on their data and digital files, it’s imperative to take time out of our busy schedules to prevent and prepare for further security breaches and malicious online activity. As Benjamin Franklin stated, “an ounce of prevention is worth a pound of cure,” which is as true today as it was in his day. Stay smart, alert, cautious and ready for whatever comes next.