It’s hard for all of us to be an expert in IT infrastructure and security. I’m so thankful to have a team that focuses on security best practices and takes care of the issues for me. While I don’t know their “secret sauce” I do know that they’re quietly working in the background making sure our network is safe and buttoned up from any sort of intrusion or data breach. They’re kind of like that warm, fuzzy blanket keeping Segpay and our merchants safe. This month as we enter cooler weather and a typically busier time of year, I wanted to give the gift of their knowledge as a way to provide some best practices of keeping online merchants safe and secure all year long.
Fight Back Attacks
Attacks can happen at any time, so you must be ready all the time. Remember several years ago when a group calling itself “Fancy Bear” was knocking financial institutions offline with Distributed Denial of Service (DDoS) attacks, floods of bot-driven malicious traffic, and sending out ransom letters demanding Bitcoin payments? They came after us and several other gateway players in our space. This forced us to investigate solutions to fight back and protect our endpoints, the public-facing servers and APIs that are the ways into a company’s system. There are multiple, highly effective solutions out there to combat this problem. We use Cloudflare to hide our origin IPs, act as a firewall for our web applications (a WAF), and provide DDoS protection. One caveat our team stresses: hiding behind a proxy only works if the origin servers themselves refuse traffic that did not come through it, otherwise an attacker who discovers the real IP (from old DNS records, certificates, or a misconfigured subdomain) simply goes around the shield. We’ve recently added ThreatX to our arsenal, which adds redundancy to our security posture while also allowing us to custom-craft traffic rules to ward off the card-runners and card cleaners who plague our industry (bots that push large numbers of stolen card numbers through a checkout to see which ones are still live, usually as a stream of small-value authorizations that mostly decline). This same solution can be implemented at the merchant level to alert merchants to a potential DDoS or card-testing run. Having tools in place can make a big difference and provide you with an extra layer of security.
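The “custom-crafted traffic rules” above are what a WAF vendor expresses in its own rule language. As an added illustration (not Segpay’s or ThreatX’s code), here is the same card-testing logic written out in Python and run over a constructed authorization log: a source IP is flagged when, inside a short sliding window, it makes many attempts that mostly decline across several different issuer BINs. The log format, field names, thresholds and IP addresses are all assumptions chosen for the example.

```python
"""Flag card-testing ("card-runner") traffic in a payment gateway's auth log.

Added illustration, not Segpay's or ThreatX's code. The log format, field
names and thresholds below are assumptions; a real WAF rule would be
expressed in the vendor's own rule language.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one authorization attempt per line.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2024-11-04T10:00:00Z ip=203.0.113.7 amount=1.00 bin=411111 result=declined
2024-11-04T10:00:02Z ip=203.0.113.7 amount=1.00 bin=424242 result=declined
2024-11-04T10:00:03Z ip=198.51.100.20 amount=49.99 bin=411111 result=approved
2024-11-04T10:00:04Z ip=203.0.113.7 amount=1.00 bin=510510 result=declined
2024-11-04T10:00:05Z ip=203.0.113.7 amount=1.00 bin=371449 result=approved
2024-11-04T10:00:06Z ip=203.0.113.7 amount=1.00 bin=601111 result=declined
2024-11-04T10:00:07Z ip=203.0.113.7 amount=1.00 bin=353011 result=declined
2024-11-04T10:03:00Z ip=198.51.100.20 amount=19.99 bin=411111 result=declined
2024-11-04T10:09:00Z ip=198.51.100.21 amount=5.00 bin=411111 result=declined
"""

WINDOW = timedelta(seconds=60)   # sliding window per source IP (assumed)
MIN_ATTEMPTS = 5                 # attempts inside the window before judging
MIN_DECLINE_RATIO = 0.6          # card testers see mostly declines
MIN_DISTINCT_BINS = 3            # one real shopper rarely rotates issuers


def parse_line(line):
    """Turn 'ts key=value key=value ...' into a dict with typed ts/amount."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    rec["amount"] = float(rec["amount"])
    return rec


def flag_card_testers(log_text):
    """Return {ip: reason} for IPs whose recent attempts look like card testing."""
    recent = defaultdict(deque)   # ip -> records seen within WINDOW
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        q = recent[rec["ip"]]
        q.append(rec)
        # Drop records that have fallen out of the sliding window.
        while q and rec["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()
        if len(q) < MIN_ATTEMPTS:
            continue
        declines = sum(1 for r in q if r["result"] == "declined")
        bins = {r["bin"] for r in q}
        if declines / len(q) >= MIN_DECLINE_RATIO and len(bins) >= MIN_DISTINCT_BINS:
            # Later lines refine the reason; the last one wins.
            flagged[rec["ip"]] = (
                f"{len(q)} auths in {WINDOW.seconds}s, "
                f"{declines} declined, {len(bins)} distinct BINs"
            )
    return flagged


if __name__ == "__main__":
    for ip, why in flag_card_testers(SAMPLE_LOG).items():
        print(f"BLOCK {ip}: {why}")
```

In the sample, 203.0.113.7 is flagged after its fifth attempt while the legitimate shopper on 198.51.100.20, whose two attempts are minutes apart, is never judged at all. The thresholds are the part to tune against your own traffic; a rule that only counts declines will miss testers who mix in approvals, which is why the distinct-BIN signal is included.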
Lock it Down
Keeping data safe is one of the big reasons why locking down your company’s computers is important. For processors like us that are registered Financial Institutions in Europe, we are regulated much like a large acquirer, making it even more important that our data is kept safe. It is important for merchants to protect their data too. One suggested way to do so is encrypting the hard drives of your company’s computers (BitLocker on Windows, FileVault on macOS). With full-disk encryption, if someone steals a computer, the data on it stays protected as long as the machine was powered off or locked and the recovery keys are stored somewhere safe. Another option is a USB lockdown, which blocks removable storage and makes it much harder for a disgruntled employee to walk out with sensitive company data. Here’s a tip a lot of people don’t like but one that could be very beneficial: remove admin rights on all company laptops. Without local admin, employees cannot install unapproved software, and malware that arrives through a bad link or download runs with the user’s limited privileges instead of owning the whole machine, which is what lets it spread across a network. It also keeps employees focused on their jobs rather than on what they can download. Our IT team also suggests randomizing the local administrator account password on every company machine, so that no two machines share one (Microsoft’s Local Administrator Password Solution, LAPS, does exactly this and stores the passwords in Active Directory). This way, if one machine is compromised, the attacker cannot reuse its admin password to move laterally onto every other machine, and it limits what malware can do even if it recovers the local admin password. Lastly, adding 2FA (two-factor) or MFA (multi-factor) authentication across your company sharply reduces the risk from compromised passwords. It does not remove it entirely: SMS codes can be intercepted and push prompts can be approved by a tired user, so prefer app-based or hardware-key factors where you can.
No Phishing Zone
Phishing is one of my favorite scams; the messages can be so creative and convincing, too. From time to time, I’ve had employees say they received an email spoofed from me requesting that they go out and purchase gift cards immediately. In case you didn’t know, spoofing is a type of attack in which the “from” address of an email message is forged. Once we see this happening, our IT team is quickly notified. I tell everyone to make sure that the emails are truly from me and my email address. Sometimes it is from my address, and sometimes, it isn’t. Spoofing someone’s email is totally possible, and unless your domain publishes SPF and DKIM records, bad actors can forge your own company domain in the From header. To protect against this, our experts suggest implementing an email protection solution such as Proofpoint. Proofpoint filters inbound email attacks and provides business continuity in the event of an email outage. On top of this, publishing a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy will help prevent email spoofing and phishing. DMARC builds on SPF and DKIM: it tells receiving mail servers what to do with a message that claims to be from your domain but fails both checks, and sends you reports about who is sending as you. The policy only blocks anything once it is set to p=quarantine or p=reject; a p=none record is monitoring only and still lets the spoofed mail through, so treat p=none as the starting point, not the finish line. We’ve seen DMARC minimize these types of attacks. Another helpful idea is enabling user submissions in Outlook (the Report Message add-in). This allows employees to report spam or phishing emails to Microsoft and to your own IT team for analysis. If you’re not an Outlook user, Gmail and other email providers have similar reporting features.
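Because the difference between a DMARC record that reports and one that enforces is easy to miss, here is a small checker, added here as an example and not Segpay’s or Proofpoint’s code, that parses a DMARC TXT record and says whether it is monitor-only, partially enforcing, or enforcing. The record strings and domain names are constructed; a real check would first look up the TXT record at `_dmarc.<your-domain>` in DNS.

```python
"""Parse a DMARC TXT record and report whether it actually enforces.

Added example, not Segpay's or Proofpoint's code. The records below are
constructed; in practice you would fetch the TXT record at _dmarc.<domain>.
"""

POLICIES = ("none", "quarantine", "reject")

# RFC 7489 defaults for tags that are absent from the record.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}

# Constructed sample records for three imaginary domains.
RECORDS = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.org",
}


def parse_dmarc(record):
    """Return the tag dict (with defaults filled in) or raise ValueError."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"bad tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    # The version tag must come first and must be exactly DMARC1.
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= policy")
    return {**DEFAULTS, **tags}


def is_valid_dmarc(record):
    """True if the record parses as a syntactically valid DMARC policy."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def assess_dmarc(record):
    """Classify as 'monitor-only', 'partial' or 'enforcing', with notes."""
    t = parse_dmarc(record)
    pct = int(t["pct"])
    subdomain_policy = t.get("sp", t["p"])   # sp= defaults to p=
    notes = []
    if t["p"] == "none":
        notes.append("p=none only reports; spoofed mail is still delivered")
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail is policed")
    if subdomain_policy == "none" and t["p"] != "none":
        notes.append("sp=none leaves every subdomain spoofable")
    if "rua" not in t:
        notes.append("no rua= address: you will never see aggregate reports")

    if t["p"] == "none":
        level = "monitor-only"
    elif pct < 100 or subdomain_policy == "none":
        level = "partial"
    else:
        level = "enforcing"
    return level, notes


if __name__ == "__main__":
    for domain, record in RECORDS.items():
        level, notes = assess_dmarc(record)
        print(f"{domain}: {level}")
        for note in notes:
            print(f"  - {note}")
```

Of the three constructed records only example.org actually enforces; example.net looks strict at a glance but pct=25 and sp=none leave most of the door open, which is exactly the kind of half-finished rollout that still lets a gift-card scam through.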
Company Wide Compliance
It’s good to get your whole company involved in compliance. Make it a company-wide effort so the heavy lifting of the annual PCI audit and the monthly compliance tasks falls on the entire staff, not just the IT team. At Segpay, we all go through the annual PCI training. Here are some suggestions to share with your new hires, so they get a good start while also keeping company information safe:
- Lock your computer while you are away from your desk.
- Use a secure, encrypted solution to store your credentials, such as KeePass or Roboform.
- Do not store passwords in a spreadsheet, OneNote, Notepad, or any other unencrypted format.
- Do not write passwords down on paper.
- When you must send credentials, separate the username and password and send them over two different mediums. For example, you can send the username via email and the password via Microsoft Teams, so that someone who compromises one channel does not get both halves.
- Delete the credentials after sending. For example, in Teams and Skype, you can click the three dots to the right of your message and select “delete/remove”.
- Never provide your password to anyone asking for it.
- Beware of phishing e-mails trying to steal your personal information or credentials. If you are not expecting an email from someone and are not sure about it, ask your IT department for assistance.
In addition to all these tips, it’s important for your programming team to repeat secure coding training each year and keep their certifications current. Annual developer training is also a PCI DSS requirement, so it is part of passing the annual PCI audit. Many banks have joined in and now require all merchants to complete a PCI Self-Assessment Questionnaire (SAQ); which SAQ applies depends on how your business handles card data, and a merchant that fully outsources its payment page to a processor qualifies for a far shorter one than a merchant that touches card numbers itself. Taking the time to complete an SAQ is helpful because it is a useful tool for making your organization and your program more secure, and the good news is it doesn’t take long. It’s also a nice thing to have in place now that so many banks require it. Keeping all these security tools up to date can seem like a lot of work. This work is so worth it. It provides you with the confidence to relax under your network security blanket.