Security & You

You Are on The Front Line

Right now, small to medium businesses are under attack and are the primary target of international hackers and enemy nations. Wow! That sounds pretty fantastic and out there, I know. But it is very real. You may be scratching your head as to why hackers would be targeting small companies. The fact is that there is more money to be made across a high volume of small businesses than can be gained from "big fish," and the truth is that most small businesses are less protected from these threats because of that very type of thinking. Consider reading this article by techradar.com, "SMBs are being hit with more malware attacks than ever, and many can't keep up".

Compromised websites can be used to attack website visitors. Access to your Facebook and Google accounts gives attackers access to your advertising platforms, where they can use advertisements to send users to malicious domains posing as your business, and you'll be footing the bill. If hackers get into your payment or ecommerce systems, they can drain your accounts and intercept incoming payments and the accompanying payment information.

Website Security

One of the many reasons we host our clients' websites ourselves, on Google Cloud virtual machines, goes back a few years. At the time we relied on shared hosting providers, with a mix of websites hosted by us and some hosted by our clients, and one of our clients was hacked. A page was altered to collect emails and send them to the attacker. The compromised site was a client-hosted website on a shared hosting platform for WordPress, using the hosting platform's security software. We work almost daily on each website we manage, so we found this pretty quickly, but it was unacceptable and could not happen again.

We now manage the hosting environments for all managed websites from the server operating system and up. This way, we have complete control over the server and software, allowing us to use more comprehensive security software on the operating system rather than relying on plugins. The difference is that WordPress security plugins depend on the final layer of software that makes up your website, which is written in a scripting language called PHP. Once a system is compromised, the PHP can be altered to allow the attacker to hide without detection. Our security software runs on the operating system instead. Most hackers focus on penetrating WordPress and its PHP scripts, and altering PHP scripts cannot override the server software, meaning attackers cannot hide from detection, and attacks on the WordPress system are detected and blocked.
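The idea in the paragraph above, shown as an added example rather than the software this page describes: a file-integrity check that runs as its own operating-system process, outside PHP, and compares the site's scripts with a trusted baseline. The function names, the `.php` filter and the constructed sample files are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root, suffix=".php"):
    """Map each script's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffix):
                path = os.path.join(folder, name)
                with open(path, "rb") as handle:
                    digest = hashlib.sha256(handle.read()).hexdigest()
                digests[os.path.relpath(path, root)] = digest
    return digests


def compare(baseline, current):
    """Report scripts that changed, appeared or vanished since the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed sample site: one page is altered and one script appears."""
    with tempfile.TemporaryDirectory() as site:
        def write(name, body):
            with open(os.path.join(site, name), "w") as handle:
                handle.write(body)

        write("index.php", "<?php echo 'home';")
        write("contact.php", "<?php echo 'contact form';")
        # Assumption: in practice the baseline is stored where the web
        # server's account cannot write, so altered PHP cannot rewrite it.
        baseline = snapshot(site)
        write("contact.php", "<?php echo 'contact form'; /* altered */")
        write("cache.php", "<?php /* unexpected new file */")
        return compare(baseline, snapshot(site))


if __name__ == "__main__":
    print(demo())
```

Because the comparison runs outside the web application, a change to any PHP file shows up in the report even if the site's own plugins have been tampered with.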

Protect Yourself

We require clients to use two-factor authentication on their WordPress website, and we recommend that you do so on every account that offers it. Unfortunately, not all websites and services support two-factor authentication, so in those instances we advise using close to the maximum number of characters allowed for your password, so that at the very least any high-volume attempts to guess your password can be detected, which is a common practice for many older websites.

Securing your documentation is another point that needs to be made. We often send or scan images of documents with account numbers or other personal information that can be used to hack accounts and services. These documents can be read, copied, and downloaded by anyone with simple access to your device. Even the simplest of attacks can lead to this information escaping your control. To prevent this type of vulnerability, remove the documents from your device once you have finished using them. If you need to maintain digital copies, keeping them on a thumb drive in a secure location is best. Make a second thumb drive as a backup if you do not have the original paper copy.

Facebook Phishing Attacks

Facebook phishing attempts are becoming increasingly aggressive. These messages may appear to be sent from legitimate pages, informing you of community standards violations, copyright infringement, and warnings that your page is being shut down. However, clicking on the links in these messages prompts you to provide personal information such as your login or credit card details. To check your page's status and confirm there are no violations, navigate to Facebook Page Health.

It's important to note that Facebook will never message you about violations. If you receive one of these messages, do not respond. Instead, report the sender, ban the page, and mark the message as spam. Marking phishing messages as spam is crucial to ensure that your response time for customer messages is not affected. Meta is aware of these phishing attempts, and hopefully, they will be addressed soon.

Web Developer & SEO Specialist