Website Security Refresher
At Our-Hometown, the security of our customers’ websites and data is one of our top priorities. While there are no new specific security threats to warn you about, we thought it would be a good idea to pass along some general tips for internet security in the COVID-age.
1. Use Two-Factor Authentication
Two-Factor Authentication is probably the single most powerful tool you have to protect against criminals trying to access any of your online accounts.
Two-factor authentication adds an extra step to the login process requiring a user to enter a special verification code that is dispatched to the account owner via SMS/text message or e-mail before logging in. These verification codes are only active for a limited time before they expire and can no longer be used to verify the login.
This is incredibly useful because even if an attacker has somehow obtained your username and password, they still will not be able to access your account unless they enter the special verification code.
Equally important, if you receive a verification code that you did not request, you can be sure that somebody has attempted to access your account. This would be a good time to create a new password and re-secure all of your online accounts.
One thing to note is that Two-Factor Authentication works best when used with SMS Text Messaging. Many websites and services will allow you to have the special verification code sent to an e-mail address instead of a phone number. However, consider a scenario where the attacker already has access to your e-mail account: they would then have access to the verification codes as well. We highly recommend using SMS Text Messaging for all Two-Factor Authentication purposes.
2. Use Strong Passwords
Outside of large-scale attacks where hundreds or thousands of people are targeted at once, the majority of “hacks” are the result of a criminal gaining access to an account that utilized a weak password.
You’d be surprised how many people out there still want to use the word “password” as their password!
Fortunately, most websites these days have at least some standards in place that will require users to use at least a medium-strength password. For example, we require all staff accounts to use a high-strength password. You’ve probably seen this all over the internet, where you’re asked to include a certain number of letters, numbers and special symbols in your passwords.
You should always use a high-strength password. While the standards may vary from site to site, most will alert you when your password is too simple or will provide a meter gauging your password’s strength as you type it.
It used to be recommended that people change their passwords every “X” months or years, but data has actually shown that the majority of people end up using weaker variations of the same password so that they don’t forget it, which ultimately reduces the strength of the password. As a result, this practice is no longer recommended.
3. Don’t Share Accounts/Logins
With the two most obvious tips out of the way, we wanted to shift our attention to some issues that may have been overlooked over the past couple of years as publishers frantically searched for solutions to all of the obstacles presented by the COVID-19 pandemic.
With many employees forced to start working remotely with little-to-no notice, it would not be shocking to learn that some liberties were taken to meet deadlines and ensure a smooth publishing process. Depending on your newspaper’s workflow, this could include things like sharing account login information for certain websites.
Take a few hours one afternoon to touch base with your team members and make sure that everybody is using their own credentials to log in to whatever services they need, rather than using any universal/shared accounts. If anyone has been sharing accounts, be sure to have them update their passwords.
4. Adjust Former Employee Accounts
The COVID-19 pandemic put many newspapers into a tough position financially and forced them to make some difficult decisions, which may have included letting go of some valued employees.
Make sure that those former employees who are no longer with the newspaper aren’t able to access anything that they shouldn’t have access to. This could include a staff account on your website or an email account in your system. Depending on the level of access the staff member had, this could also include things like having access to your financial reports, subscriber data or other sensitive information.
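The checks from tips 3 and 4 can be run as a small script over an account list and a login log. This is an added example, not part of any Our-Hometown tool; the roster, accounts, addresses, timestamps and the 30-minute window are constructed sample data and assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; every name, address and timestamp is made up.
CURRENT_STAFF = {"alice", "bob"}
ACCOUNTS = {  # username -> account is still enabled
    "alice": True, "bob": True, "carol": True, "dave": False, "newsroom": True,
}
LOGINS = [  # (username, source IP, ISO timestamp)
    ("alice", "198.51.100.7", "2022-03-01T09:00:00"),
    ("newsroom", "198.51.100.7", "2022-03-01T09:05:00"),
    ("newsroom", "203.0.113.20", "2022-03-01T09:12:00"),
    ("bob", "203.0.113.20", "2022-03-01T10:00:00"),
    ("bob", "203.0.113.20", "2022-03-02T10:00:00"),
    ("carol", "192.0.2.44", "2022-03-02T11:30:00"),
]
SHARE_WINDOW = timedelta(minutes=30)  # assumed threshold for "at the same time"


def orphaned_accounts(accounts, staff):
    """Enabled accounts with no matching person on the current roster."""
    return sorted(u for u, enabled in accounts.items() if enabled and u not in staff)


def possibly_shared(logins, window=SHARE_WINDOW):
    """Accounts used from two different addresses within `window` of each other."""
    by_user = {}
    for user, ip, stamp in logins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(stamp), ip))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                flagged.add(user)
    return sorted(flagged)


def recent_use(logins, usernames):
    """Last login time for each listed account, to show which are still in use."""
    last = {}
    for user, _ip, stamp in logins:
        if user in usernames:
            last[user] = max(last.get(user, stamp), stamp)
    return last


if __name__ == "__main__":
    orphans = orphaned_accounts(ACCOUNTS, CURRENT_STAFF)
    print(orphans, recent_use(LOGINS, set(orphans)), possibly_shared(LOGINS))
```

The shared-login check is a heuristic: one person switching networks can trigger it, so treat a flag as a prompt to ask the team, not as proof.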
5. Manage Screen Share/Remote Access Software
Using Remote Access Software is another practice that became exponentially more popular during the COVID-19 pandemic, as it allows workers to connect to their work computers from home and access all of the files and data they would normally use at the office.
It’s a big win for technology, but it also opens the door for some potential security threats.
Every remote access program works a little differently, but you’re essentially opening up your office computer to outside connections. A well-educated attacker can take advantage of this and utilize that connection to take over control of your office computer.
But that’s not the worst part. Once they have control of your office computer, they can do a lot more damage. For example, if your passwords are saved in your browser at work, then a hacker controlling that computer would be able to log in to pretty much any of your accounts: Facebook, YouTube, Email, PayPal, Stripe, whatever.
Two-Factor Authentication may or may not be useful in this scenario because the computer being used to access your account (your office PC) may be considered a “trusted device.”
If you’ve utilized some Remote Access software during the pandemic but have since returned to the office and don’t use it anymore, we recommend uninstalling that software.
If you continue to use Remote Access software, take precautions and refer to their documentation for information on their security standards.
We also recommend running scans for viruses, malware, spyware and other malicious content regularly.
If you have any questions about the above or want to submit your own tip, send us an email at email@example.com at any time!