Ask Us Anything: Securing Your Business For the New Normal

Community Manager

Maintaining solid privacy practices to secure customer and lead data is a fundamental way to grow your business while building trust and goodwill.


As companies shift to adjust to new business realities, security remains an important topic to address internally and a key part of assessing the tools and processes your business uses.


With that in mind, we’ll be focusing on Security the week of August 24th as part of Adapt 2020, an educational series designed to help you navigate strategic shifts in today’s environment.


To make sure we can offer the best content possible, we’d like to know:

  • What questions do you have about best practices for securing your online business processes?
  • What training would you like to implement internally to ensure your colleagues are following best practices?
  • What resources would you like HubSpot to share so that you feel prepared to tackle security?


We’ll be gathering your questions to share out in Adapt 2020 training and content later this month. 


HubSpot Employee

Hi all, I'm the product manager for HubSpot's Login Security team. I'm looking forward to answering your questions on this!

Occasional Contributor

Can you tell us more about 2FA? I feel like I should know everything about that at this point, but an overview would be great! 


Also, what advice do you have for someone looking to create a secure website? What are the best practices we should be using from day one? Also, what are the most common mistakes "security rookies" make? 


Thanks for putting this together!

HubSpot Employee

@Carolyn_M those are great questions!

I think the way you feel about 2FA is probably the way a lot of people feel, honestly. It's mentioned pretty often, across plenty of different websites, so you always feel like you should know all about it (and maybe you assume everyone else knows, but you're out of the loop and feel bad asking someone a "basic" question). It's ubiquitous, but also a bit esoteric.

So, two-factor authentication (or multi-factor authentication) is using multiple "factors" to log into an account you own. For a long time, most website logins functioned on a single factor: passwords. You'd put in your email or username, like "ryan@hubspot.com", and you'd put in your password, "password123" (well, hopefully it wasn't that...), and you'd be passed into your account. MFA is adding another factor, and ideally it's both something you know (a password, the first factor) and something you have (your phone, or iPad, or a security key; the second factor). This means that a bad actor trying to get into your account needs two things to break in, instead of just one. It vastly reduces the chances of someone getting in when they shouldn't, especially because it's very unlikely that the person will have both your password and a physical device you own.

Bad actors can successfully snag a password to an account via phishing, but they can't easily wander over and grab your phone off of your desk. 2FA is also more secure than other additional knowledge challenges. In the past, you might have needed to enter your password and, say, your mother's maiden name to access secure accounts. That seems like a good check, but it's actually just two challenges of the same knowledge type: two things you know. And with the advent of social media, a savvy bad guy can often get the answers to common security questions from your Facebook or Instagram profiles, so two knowledge checks aren't very secure. A knowledge check in combination with a device check is really hard for most bad folks to work around. And most of them are playing a volume game: your account is one of a few hundred thousand they're going to try to break into today, so if yours is much more difficult than others, it's also safer.

I hope that was a helpful overview! To your other questions: a more secure website is a big thing right now. Website security is a bit out of my wheelhouse, but things like setting a content security policy and a minimum TLS version for your website can be very helpful. You can do these things with HubSpot CMS!

For common mistakes that security rookies make, I think the biggest thing is that most people think that security is really scary and complicated. It can be overwhelming to figure out where to start with keeping yourself safe. And, like with anything, when you try to start learning, it's easy to realize how much you don't know. That's overwhelming, so it's then easy to bury your head in the sand and not actually take the first steps. So, I think the most important general advice I can give is:

  1. Doing the basics is usually really easy, and keeps you much, much safer than doing nothing. Those basics are: use 2FA everywhere it's available to you, use a password manager to create and store unique passwords, and make sure that your employees are doing the same.
  2. Be suspicious. It's more important to be suspicious of things than it is to be informed about them, I think. I'm pretty informed about the latest in scams and security issues around the web, but the bad folks are always innovating and trying to come up with a hot new way to get at your data. A healthy skepticism of anything that doesn't look or feel right goes a long way to keeping you safe.
  3. Be careful of where you store sensitive data. This means don't write your password down on a post-it, but it also means don't share your password or HubSpot API key or other sensitive info anywhere that is accessible to lots of people.

I hope those tips were helpful!

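The password-plus-device idea in the reply above, as an added example that is not part of the original thread or of HubSpot's own login code: a minimal RFC 6238 TOTP second factor sitting beside a password check, so you can see what "something you have" actually proves at login time. The account, the password and the login function are constructed for this demo; a real service would use a purpose-built password hash and keep the TOTP secret encrypted at rest.

```python
"""Added example, not part of the thread or of HubSpot's login code:
a minimal RFC 6238 TOTP second factor beside a password check, showing
what "something you have" proves. The secret is shared once, at
enrolment, between the server and the authenticator app on the phone;
a phished password alone never produces a valid code. The account and
password below are constructed for the demo; a real service would use
a purpose-built password hash and keep the secret encrypted at rest.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6


def new_secret() -> str:
    """160-bit random secret, base32-encoded as an enrolment QR code carries it."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (what the phone displays)."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current step plus or minus `window` steps of clock skew.
    Each candidate is compared in constant time so timing leaks nothing."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    now = int(time.time()) if at is None else at
    counter = now // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2 stands in for a slow password hash in this demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enrol(password: str) -> dict:
    """Server-side record created at sign-up: salted password hash plus TOTP secret."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": new_secret()}


def login(user: dict, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated, so a wrong password
    and a wrong code take the same time and neither can be probed alone."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at=at)
    return pw_ok and code_ok


if __name__ == "__main__":
    ryan = enrol("password123")              # constructed account (same joke password as the post)
    phone_code = totp(ryan["totp_secret"])   # what the authenticator app shows right now
    print("password + live code:", login(ryan, "password123", phone_code))
    print("phished password, guessed code:", login(ryan, "password123", "000000"))
    print("stolen phone, wrong password:", login(ryan, "hunter2", phone_code))
```

Run as a script it prints the three cases from the reply: password plus the live code succeeds, a phished password with a guessed code fails, and the right code with the wrong password fails. The one-step window absorbs clock drift between phone and server; widening it buys fewer support tickets at the cost of more codes being valid at once.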
Regular Visitor

What can we do to prevent phishing attacks? I feel like we get a new sketchy email in our team inbox every day.

HubSpot Employee

@VanessaR that's a great question as well. Phishing is a big risk right now for every business: during the pandemic, there's been a massive uptick in fraudulent email activity, and phishing can be an extremely lucrative enterprise.

For some context, it's important to understand who phishers are and why they want your information. I think there's still a common public perception that cybercrime is done by some nerd, or group of nerds, in a basement, trying to attack you or your business specifically. I'm allowed to say this because I'm a nerd who lives in a garden-level apartment, by the way, so don't feel like I'm unfairly attacking my own people here.

That's not really who the phishers are these days. It's a big venue for organized crime, and it's usually a lot more like an office job or work-from-home gig than you'd expect. These folks might work a regular 9-5 cadence, but their jobs are stealing data. Another big component to avoiding phishing is to understand that phishing is usually a volume game. As I mentioned above, phishers are usually working off of a large dataset of known information: they have, say, a list of 100k emails lying around. They want to send phish to all of those email addresses. Ideally, they'll do this from a trusted source, like a business email address you recognize, and in some way that they know makes you more likely to click on the message. Maybe they send an email titled "Your Invoice" where the goal is to get you to say "I wasn't expecting an invoice!" so you want to figure out what this is about immediately. They're betting that sense of urgency means you'll click the phish and enter a username or password before realizing that the email isn't legitimate.

So, if you think about phishing being both a volume-based thing and a very profitable thing, the best advice I can give about avoiding phishing boils down to a few points:

  1. Many phishers are not going to send sophisticated, incredibly believable emails. It's a volume game, so they won't spend a ton of time painstakingly crafting a message. So, read the email carefully before clicking--does it contain typos, odd characters, or other inconsistencies? Did you expect to receive it?
  2. As I mentioned above, be suspicious. A phisher wants to prey on your sense of urgency. Slow down. Nothing happening in your inbox should be so urgent that vetting its legitimacy will ruin you. Many phishers use this kind of tactic to convince you to act rashly. The same tactic is present in all of those phone scams where someone asks you to, say, call a number immediately to pay a debt or be arrested. If you're not sure something is legitimate, reach out through another communication channel to verify.
  3. Make sure that even if a phisher gets your credentials, that's not enough. Enable 2FA on all of your online accounts. As I mentioned, I think I'm pretty good at spotting phishy emails! I can't tell you that if I got a thousand of them, I wouldn't be fooled by one. So, make sure that even if a phisher gets your password, that's not enough information to get into your accounts. If they get your password but still need your 2FA code, you're much safer than otherwise. Don't give out your 2FA or other access code or password to anyone, even folks who claim to work for the business that called or emailed you.
  4. Consider sending around some resources to your team on how to identify phishing, too. There are plenty on the web, and they'll teach team members how to be suspicious of the right things.
  5. Use a password manager to create strong passwords, and don't reuse passwords across multiple websites. This way, even if a phisher gets your, say, Yahoo.com password, they can't then use that password to log into HubSpot or Gmail or Outlook. This will limit the blast radius if you fall victim to phishing.
  6. Enter your team email on haveibeenpwned.com. You can get alerts if the email address shows up in a public password breach. If it does, don't panic! Just make sure you change the passwords for the service associated with that email address, especially if the password was shared across multiple sites.

Hope this was some helpful information!

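The tells the reply above lists (odd characters, inconsistencies between what a mail shows and where it points, manufactured urgency), as an added example that is not part of the original thread or of any HubSpot feature: a small triage pass over incoming mail in Python that turns those tells into checks a team inbox could run before anyone clicks. The trusted-domain list, the sample messages, the tag names and the thresholds are all constructed for this demo.

```python
"""Added example, not part of the thread or of any HubSpot feature:
a heuristic triage pass that encodes the tells described above (odd
characters, inconsistencies between what a mail shows and where it
points, manufactured urgency). The trusted-domain list and the sample
messages are constructed for this demo. The pass only decides what to
verify through another channel; it does not replace that step.
"""
import re
from email.utils import parseaddr
from typing import List, Optional, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"hubspot.com", "example-bank.com"}  # constructed: who this team really deals with
URGENCY = re.compile(r"\b(immediately|urgent(?:ly)?|within 24 hours|suspended|final notice|act now)\b", re.I)
DECISIVE = {"odd-chars", "lookalike-sender", "lookalike-link", "link-mismatch", "reply-to-mismatch"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character swaps such as hubsp0t.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mail_domain(address: str) -> str:
    """Domain of an address, with or without a display name."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def lookalike(domain: str) -> Optional[str]:
    """The trusted domain that `domain` imitates; None for the real thing or its subdomains."""
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    for t in TRUSTED_DOMAINS:  # brand embedded in a foreign domain, or within two edits of it
        if t.split(".")[0] in domain or edit_distance(domain, t) <= 2:
            return t
    return None


def triage(msg: dict) -> List[Tuple[str, str]]:
    """(tag, detail) findings for one message with keys from, subject, body,
    links=[(shown_text, href)] and optional reply_to."""
    findings = []
    display_name = parseaddr(msg["from"])[0].lower()
    sender_dom = mail_domain(msg["from"])
    if not sender_dom.isascii():  # homoglyph domains read right but are not ASCII
        findings.append(("odd-chars", f"non-ASCII sender domain {sender_dom!r}"))
    imitated = lookalike(sender_dom)
    if imitated:
        findings.append(("lookalike-sender", f"{sender_dom} imitates {imitated}"))
    elif sender_dom not in TRUSTED_DOMAINS and any(t.split(".")[0] in display_name for t in TRUSTED_DOMAINS):
        findings.append(("brand-name-mismatch", f"{display_name!r} sent from {sender_dom}"))
    if msg.get("reply_to") and mail_domain(msg["reply_to"]) != sender_dom:
        findings.append(("reply-to-mismatch", f"replies go to {mail_domain(msg['reply_to'])}"))
    for shown, href in msg.get("links", []):  # link text that disagrees with its target
        target = host_of(href)
        shown_host = host_of(shown) if "://" in shown else ""
        if shown_host and shown_host != target:
            findings.append(("link-mismatch", f"text shows {shown_host}, link goes to {target}"))
        if not target.isascii():
            findings.append(("odd-chars", f"non-ASCII link host {target!r}"))
        imitated = lookalike(target)
        if imitated:
            findings.append(("lookalike-link", f"{target} imitates {imitated}"))
    hit = URGENCY.search(msg["subject"] + " " + msg["body"])
    if hit:
        findings.append(("urgency", f"pressure phrasing {hit.group(0)!r}"))
    return findings


def verdict(findings: List[Tuple[str, str]]) -> str:
    """Any domain-level finding, or two weaker ones, means: check through another channel."""
    tags = {tag for tag, _ in findings}
    return "verify out of band" if tags & DECISIVE or len(tags) >= 2 else "ok"


SAMPLE_MESSAGES = [  # constructed for this example; \u043e is Cyrillic 'o', a Latin 'o' lookalike
    {"id": "legit-invoice", "from": "HubSpot Billing <billing@hubspot.com>",
     "subject": "Your monthly invoice is available", "body": "Your invoice for August is ready in your account.",
     "links": [("https://app.hubspot.com/billing", "https://app.hubspot.com/billing")]},
    {"id": "urgent-invoice-phish", "from": "HubSpot Billing <billing@hubsp0t.com>",
     "reply_to": "collections@fast-payments-portal.net", "subject": "Your Invoice - pay immediately",
     "body": "Your account will be suspended unless you pay within 24 hours.",
     "links": [("https://app.hubspot.com/invoice", "https://app.hubspot.com.evil-login.net/invoice")]},
    {"id": "homoglyph-phish", "from": "HubSpot Security <security@hubsp\u043et.com>",
     "subject": "Unusual login detected", "body": "Confirm your identity to keep access.",
     "links": [("Review activity", "https://login.hubsp\u043et.com/verify")]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        found = triage(m)
        print(m["id"], "->", verdict(found), *(f"\n  {tag}: {detail}" for tag, detail in found))
```

The legitimate invoice produces no findings; the "pay immediately" mail trips the lookalike sender, the foreign Reply-To, the link whose text and target disagree, and the urgency phrasing; the homoglyph mail is caught purely on non-ASCII characters in the domain even though the brand name reads correctly. Anything the pass flags still gets the reply's advice: confirm with the sender through a channel you already trust, not by replying to the mail.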