Are You Secure?
Security has been a hot topic this past year – more so than usual. These days it’s more than just running basic anti-virus software because our digital exposure is much more pervasive and beyond our control. Hackers are getting more sophisticated and attacking from more angles now — like the recent Wi-Fi router hack. And they are coming from everywhere — RUSSIA?! So, how secure are you really? There’s no way to know for sure because there’s a lot you don’t control — like hacks to other services and businesses that have your information (e.g. the Experian hack).
However, there are things you can do to protect yourself. This article isn’t going to comprehensively go through every way you can protect yourself and your business, but just a few that have been on my mind lately.
Security of Your Website
Firstly, if you have a website, you should be aware of a subtle but big change Google is making to Chrome (If you don’t have a website, hit us up and we’ll build one for you!). I just spent an afternoon making sure my websites and all my clients’ websites are ready for this change. You should too!
Chrome will show “Not secure” in the address bar for websites loaded with HTTP. Here’s what that means visually:
It’s not enough to have an SSL certificate that allows your website to load with HTTPS. If your website is loaded over HTTP, it will still say “Not secure”. You will want to automatically redirect your website so it always loads with HTTPS. Most of the time when you install the SSL certificate, this will happen automatically. If it doesn’t, you may need to change the default URL of your website.
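One way to check the redirect described above, as an added example that is not part of the original article: it classifies what a server answers to a plain-HTTP request. The function names, the verdict labels and the example.com sample answers are assumptions made for the illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
PERMANENT_CODES = {301, 308}

def classify_http_response(request_url, status, location):
    """Judge a server's answer to a plain-HTTP request. Returns (verdict, detail)."""
    if status not in REDIRECT_CODES:
        return ("not-redirected", f"status {status}: the page is served over HTTP")
    if not location:
        return ("broken-redirect", "redirect status without a Location header")
    origin = urlsplit(request_url)
    target = urlsplit(urljoin(request_url, location))  # Location may be relative
    if target.scheme != "https":
        return ("not-redirected", f"redirect stays on {target.scheme}://")
    if target.hostname != origin.hostname:
        return ("https-other-host", f"goes to {target.hostname}; confirm that is intended")
    if status in PERMANENT_CODES:
        return ("ok-permanent", "permanent redirect to HTTPS on the same host")
    return ("ok-temporary", "redirects to HTTPS, but only with a temporary status")

def check_site(host, timeout=5):
    """Ask the live site for / over plain HTTP (port 80) without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify_http_response(f"http://{host}/", resp.status,
                                      resp.getheader("Location"))
    finally:
        conn.close()

# Constructed sample answers (status, Location) for the placeholder host example.com.
SAMPLES = [
    (200, None),
    (301, "https://example.com/"),
    (302, "https://example.com/"),
    (301, "/home"),
    (301, "https://www.example.com/"),
]

def classify_samples():
    return [classify_http_response("http://example.com/", s, loc)[0] for s, loc in SAMPLES]

if __name__ == "__main__":
    for (status, loc), verdict in zip(SAMPLES, classify_samples()):
        print(status, loc, "->", verdict)
```

Call `check_site()` with your own domain name to test the live site; any verdict other than `ok-permanent` is worth a look in your hosting settings.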
What is an SSL Certificate?
Backing things up a moment… let’s briefly get into what an SSL certificate is. The Internet is basically just computers talking to one another. Your computer (the client) talks to other computers (the servers) to find out what to show for a website and how to show it. With HTTP sites, that communication happens in plain text, meaning if someone (a hacker) wanted, they could snoop in on that conversation and see everything. For just browsing websites, that’s probably OK. This is definitely not OK if a website wants your credit card information (e.g. to complete an online purchase).
An SSL certificate protects the communication between your computer and the others it’s talking to. This is done over the Secure Sockets Layer (SSL) protocol. The company issuing the SSL certificate (a Certificate Authority, or CA) ensures that the communication is secure. At a minimum, the CA will verify the server is who it says it is (domain verification). Then your computer and the computer with the website information agree on a secret language (encryption key) to send messages back and forth. (Here’s a good website for the technical details of a very common CA: https://letsencrypt.org/how-it-works/) For payment transactions, you’ll want even more security, so do your research on the type of SSL certificate and the Certificate Authority you ultimately choose.
SiteLock
SiteLock is a cloud service that scans your website routinely to check for a variety of things — domain verification, malware scan, virus scan, etc. Basically, it’s continually checking to make sure your website does not get hijacked. If it’s important to you, SiteLock can give your clients trust and peace of mind while they browse your website. If you have this set up, you can display a SiteLock badge on your website that shows your website is authentic. Unlike an SSL certificate, it doesn’t secure the actual transmission of data but is an indicator that your website is coming from who it says it is and is free from malware, viruses, etc. The badge is also date-stamped with the last time a scan was run.
If your website is information-only, maybe SiteLock isn’t as important with respect to establishing trust with your customers/clients. But it is a layer of protection on something you don’t always have control over — the server hosting your website. You may be running anti-virus software on your own computers, but unless you’re hosting your website from your own computer, there’s no way to know for sure whether the computers that host your website have the same level of protection.
Keep in mind, though, that SiteLock has many levels of packages you can pay for — one is just to scan and let you know of issues, but it won’t do anything about them. If you want the issues fixed, you’ll need to pay for a higher package.
Bottom Line
If you run a business, avoid your website being labeled “Not secure” by Chrome with a simple SSL certificate. Your web hosting service provider may offer a free SSL certificate (Let’s Encrypt is a popular one). If you plan to take sensitive information from your website users, you will need a private, more secure SSL certificate.
If you are browsing online, Chrome is making it a lot easier to identify what’s secure and what’s not secure. Check for that green lock icon before you send any sensitive information over the Internet.
Security of Your Computer
Securing your website assures your clients that there’s some level of protection for the information they send through your website.
However, protecting your work (and personal) computer is equally if not more important. This is especially true if you need to share sensitive information with your clients.
Here are some basic tips:
- Passwords – Use secure passwords and unique ones for each account. I use LastPass. It has a free version and a premium one for more features. It’s a password vault that uses local encryption. Your master password is stored on your computer and not their servers — so if you lose it, they can’t recover it for you. You only ever have to remember one password (the master) and LastPass will store the rest and auto-fill login forms for you. So you can generate new passwords every time you create a new online account. Don’t share your password. If you need to get passwords from your client, do it over the phone and not via email.
- Log Off – Don’t just close the window or let it sit and log you out automatically. Log out after you’re done doing what you need to do so your browser isn’t sitting open to a signed in account.
- Clear cache & cookies – Periodically clear the data your browser collects and stores. If you don’t want the browser to store it at all, browse in “Incognito mode” (that’s what Chrome calls theirs, other browsers will have something similar).
- Anti-virus Software – Run reliable anti-virus software on your machine. I personally use BitDefender – it can run on multiple devices, including your smartphone. It not only does regular virus scans and proactively blocks anything suspicious but also monitors web activity to protect you from suspicious web behavior. There are lots of anti-virus products to choose from, and every year they vie to be the best. Choose what you think is best for you.
- Check for Updates Often – Always keep your software and firmware updated. I’ve always been good at checking Windows Updates and Office Updates manually (even with the auto-update feature on). But now I’m extending my checks to my Wi-Fi router firmware given the recent router hack. When new security threats are uncovered, a slew of people work hard to tighten up those security holes. But the only way you benefit is if you keep all your software and hardware up to date!
- Back-ups – Perform regular back-ups of your machine to an external hard drive. If your computer is virus-ridden, dies abruptly, etc., you won’t lose all your work. I have a NAS (Network Attached Storage) set up with file back-up happening automatically all the time. My NAS also lets me set up my own cloud service similar to Dropbox or Google Drive. But it’s my own private cloud. So if you’re paranoid about keeping sensitive information on a third-party cloud network, here’s another solution.