In Part I, I went over some of the key security issues that can catch business operators out. These included Online Identity Theft, "Phishing" and Passwords. This Part II article continues the discussion with more IT security principles: protecting your domain names, cryptocurrency blackmail scams, viruses and some other general ways to fortify your business against breaches.
Domain Name Theft
A domain name is a key asset of your business.
Losing control of your domain name to a third party is a very serious issue. At the very least you will lose access to your emails. Worst case scenario - you will lose your entire operations if your business model is built around the digital space.
There is a big security risk to losing your domain. The new registrant can easily bind your domain to an email server, create new email accounts that match the ones you had before and start receiving emails meant for you and your staff. This means that a third party may gain access to sensitive and private information. They will also gain the ability to recover passwords for digital services bound to your emails. It's a complete disaster to say the least.
Unfortunately, recovery options and remedies for a lost domain name are not good.
There are 2 common types of domain names in play for businesses operating in Australia - local domain names administered by a not-for-profit agency known as auDA (.au Domain Administration Ltd) and generic top-level domains. The former covers Australia-specific domain names (such as .com.au, .net.au, .org.au, .id.au, etc.) and the latter covers a very wide range of generic domain names (including .com, .net, .org, etc.).
Australia has a decent regulatory framework that describes how .au domain names are handled. This isn't to say that the recovery of a lost Australian domain name isn't a costly and complex legal matter. The theft of a generic top-level domain is a much more serious issue than the theft of an .au domain name, as the latter requires an Australian legal entity to register and own it. This means that a typical .com.au domain is bound to an Australian legal entity such as a Trademark, a Trust, an ACN, an ABN - i.e. your .au domain name can't be taken out of Australia, and as such, there is a formal dispute process that can be carried out. On the other hand, a top-level .com or .net domain is not as heavily bound by restrictions and regulations - as such, the recovery process is a dead end in most cases.
An important note is that the eligibility criteria for Australian domain names are rather lax. Once your .au domain name is transferred to another owner, they will likely be an eligible entity and you will need to seek legal advice to find the best way forward.
In either case, it's best to avoid this situation altogether and take steps to secure your domain name against theft:
1. The first step is to ensure that the login details to your domain name registrar (the company to which you pay your domain name registration fees and where your domain name is administered) are in good order. This means selecting a strong unique password and ensuring that these details are kept private. Do not give these details to anyone - even your web developer! If your web developer needs to change settings on your domain (e.g. updating name servers to move web/email hosting), ask them for instructions and carry out these actions on your account yourself.
2. The second step is to ensure that your domain name has correct registrant information on record - specifically the entry "Registrant Contact Email". This particular entry allows the recovery of a special code known as a "domain name password", which will allow a third party to transfer the domain to another registrar. You can look up this record online at "whois.auda.org.au" for any Australian domain. Make sure you do not have a defunct email in your domain name records.
3. The third step is specific to generic top-level domains such as .com and .net. These types of domain names offer an additional feature in that they can be "locked" - this limits the ability of a third party to carry out an unauthorised transfer of the domain from one registrar to another. You simply need to log in to your Registrar's control panel and find a feature called "Enable Domain Lock" or similar.
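As an added example (not part of the original article), the checks in steps 2 and 3 can be scripted against saved WHOIS output. The sample records are constructed, the field labels are assumptions about your registry's layout, and `audit_domain` and `trusted_emails` are hypothetical names; `clientTransferProhibited` is the EPP status that a registrar-level transfer lock sets.

```python
# Constructed sample WHOIS records (not real lookups), in "Key: value" layout.
SAMPLE_COM = """Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Email: owner@example.com
"""
SAMPLE_AU = """Domain Name: example.com.au
Status: serverRenewProhibited
Registrant Contact Email: former.staff@old-isp.example
"""

TRANSFER_LOCK = "clienttransferprohibited"  # EPP status set by a registrar lock


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists, keys lower-cased."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def audit_domain(whois_text, trusted_emails):
    """Return findings for steps 2 and 3; an empty list means nothing to fix."""
    rec = parse_whois(whois_text)
    findings = []
    domain = (rec.get("domain name") or ["?"])[0].lower()

    # Step 2: the registrant email must be a mailbox you still control.
    # Both label spellings are assumed; adjust to what your registry prints.
    emails = rec.get("registrant contact email", []) + rec.get("registrant email", [])
    trusted = {e.lower() for e in trusted_emails}
    if not emails:
        findings.append(f"{domain}: no registrant email visible, check the registrar panel")
    for email in emails:
        if email.lower() not in trusted:
            findings.append(f"{domain}: registrant email {email} is not a known live mailbox")

    # Step 3: generic TLDs only, look for the transfer lock status.
    if not domain.endswith(".au"):
        statuses = rec.get("domain status", []) + rec.get("status", [])
        if not any(s.lower().startswith(TRANSFER_LOCK) for s in statuses):
            findings.append(f"{domain}: transfer lock not set")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_COM, SAMPLE_AU):
        print(audit_domain(sample, ["owner@example.com"]) or "OK")
```

Run it on a schedule against the output of your usual WHOIS lookup, so that a changed contact email or a removed lock is noticed before a transfer completes.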
Cryptocurrency Blackmail Scams
Cryptocurrency blackmail scams involve emails that claim that your data has been accessed and that sensitive personal materials have been stolen and are about to be made public. These emails are generally sent out en masse. They are genuine attempts to scam uninformed users out of their money.
The demand usually involves a request to pay the scammer a ransom in cryptocurrency such as Bitcoin. Please note that cryptocurrency transactions are very secure and non-reversible - if you do fall for this scam, you have virtually no recourse. There are no fail-safes such as chargebacks when it comes to most cryptocurrency transactions.
Sometimes these scammers manage to acquire old stolen passwords for specific online services, and use these as proof that they have indeed compromised your systems. This tactic does not indicate that they have full access to your systems - however, it means they managed to steal a piece of your personal information from a compromised database somewhere. This is why it is key to have good password management, and to create strong and unique passwords for all your accounts.
If you do receive these emails, be sure to double-check the integrity and security of your IT systems. These types of emails are often filtered out by the more advanced SPAM filters used by cloud email hosting providers. If you are using a non-generic private email, there is a chance that you have never seen one of these scam attempts before.
Viruses
Viruses are not quite the problem they used to be. Modern Operating Systems and Web Browsers are much more secure by design and it is unlikely that corporate employees will be carrying out dangerous tasks such as downloading and installing third party software. Most viruses nowadays seem to arrive as attachments through mass email - they are usually dealt with by the more sophisticated SPAM filters.
However, prevention is the best cure and steps still need to be taken to avoid problems down the track. There is plenty of client-side anti-virus software available - both free of charge and on paid subscription. If you are running an office with many workstations, it is best to ensure that every computer has up-to-date anti-virus software. Anti-virus software is cheap insurance against malfunctioning workstations, lost and compromised data, and hours of lost productivity.
An excellent way to prevent virus-related issues is to limit what your employees can and cannot do on your systems. This brings me to the next topic ...
Minimise your employees as an IT security risk
Limiting what your employees can and cannot do on your systems is an excellent way to prevent security breaches.
Here are some of the things you can do:
1. Disable USB ports on your company workstations. This will prevent your employees from plugging in USB drives and introducing unauthorised and unchecked files into your system. This also doubles as a measure to prevent IP theft.
2. Is all your work carried out online through a web browser and you have no proprietary business-specific software? Consider using an alternative Operating System with better inherent security features.
3. Grant your employees the minimum operating system and software privileges necessary to do their work.
4. Limit Internet access. While it is necessary to have unrestricted full access to the Internet for some job descriptions, such as Business Development Managers, there are jobs where it is simply not necessary for your employees to browse the Internet at all. This is a great way to improve productivity as well.
If you are interested in discussing how to make your business work online, please get in touch with us. We have plenty of experience running a variety of online projects and have the necessary technical expertise to build a custom digital solution for your business.