Aug 17, 2020 9:35 AM
Maintaining solid privacy practices to secure customer and lead data is a fundamental way to grow your business while building trust and goodwill.
As companies shift to adjust to new business realities, security remains an important topic to address internally and a key part of assessing the tools and processes your business uses.
With that in mind, we’ll be focusing on Security the week of August 24th as part of Adapt 2020, an educational series designed to help you navigate strategic shifts in today’s environment.
To make sure we can offer the best content possible, we’d like to know:
We’ll be gathering your questions to share out in Adapt 2020 training and content later this month.
Aug 17, 2020 4:04 PM
Can you tell us more about 2FA? I feel like I should know everything about that at this point, but an overview would be great!
Also, what advice do you have for someone looking to create a secure website? What are the best practices we should be using from day one? Also, what are the most common mistakes "security rookies" make?
Thanks for putting this together!
Aug 28, 2020 5:06 PM
@Carolyn_M those are great questions!
I think the way you feel about 2FA is probably the way a lot of people feel, honestly. It's mentioned pretty often, across plenty of different websites, so you always feel like you should know all about it (& maybe you assume everyone else knows, but you're out of the loop & feel bad asking someone a "basic" question). It's ubiquitous, but also a bit esoteric.
So, two-factor authentication (or multi-factor authentication) is using multiple "factors" to log into an account you own. For a long time, most website logins functioned on a single factor--passwords. You'd put in your email or username, like "email@example.com" & you'd put in your password, "password123" (well, hopefully it wasn't that...) & you'd be passed into your account. MFA is adding another factor, & ideally it's both something you know (a password, the first factor) & something you have (your phone, or iPad, or a security key; the second factor). This means that a bad actor trying to get into your account needs two things to break in, instead of just one. It vastly reduces the chances of someone getting in when they shouldn't. Especially because it's very unlikely that the person will have both your password, & a physical device you own.
Bad actors can successfully snag a password to an account via phishing, but they can't easily wander over & grab your phone off of your desk. 2FA is also more secure than other additional knowledge challenges. In the past, you might have needed to enter your password & say, your mother's maiden name to access secure accounts. That seems like a good check, but it's actually just two challenges of the same knowledge type--two things you know. & with the advent of social media, a savvy bad guy can often get the answers to common security questions from your Facebook or Instagram profiles, so two knowledge checks aren't very secure. A knowledge check in combination with a device check is really hard for most bad folks to work around. & most of them are playing a volume game--your account is one of a few hundred thousand they're going to try to break into today, so if yours is much more difficult than others, it's also safer.
I hope that was a helpful overview! To your other questions: a more secure website is a big thing right now. Website security is a bit out of my wheelhouse, but things like setting a content security policy & minimum TLS version for your website can be very helpful. You can do these things with HubSpot CMS!
For common mistakes that security rookies make, I think the biggest thing is that most people think that security is really scary & complicated. It can be overwhelming to figure out where to start with keeping yourself safe. &, like with anything, when you try to start learning, it's easy to realize how much you don't know. That's overwhelming, so it's then easy to bury your head in the sand & not actually take the first steps. So, I think the most important general advice I can give is:
I hope those tips were helpful!
Aug 28, 2020 5:28 PM - edited Aug 28, 2020 5:30 PM
@VanessaR that's a great question as well. Phishing is a big risk right now for every business--during the pandemic, there's been a massive uptick in fraudulent email activity, & phishing can be an extremely lucrative enterprise.
For some context, it's important to understand who phishers are & why they want your information. I think there's a still-common public perception that cybercrime is done by some nerd, or group of nerds, in a basement, trying to attack you or your business specifically. I'm allowed to say this because I'm a nerd who lives in a garden-level apartment, by the way, so don't feel like I'm unfairly attacking my own people here.
That's not really who the phishers are these days. It's a big venue for organized crime, & it's usually a lot more like an office job or work-from-home gig than you'd expect. These folks might work a regular 9-5 cadence, but their jobs are stealing data. Another big component to avoiding phishing is to understand that phishing is usually a volume game. As I mentioned above, phishers are usually working off of a large dataset of known information--they have, say, a list of 100k emails lying around. They want to send phish to all of those email addresses. Ideally, they'll do this from a trusted source, like a business email address you recognize, & in some way that they know makes you more likely to click on the message. Maybe they send an email titled "Your Invoice" where the goal is to get you to say "I wasn't expecting an invoice!" so you want to figure out what this is about immediately. They're betting that sense of urgency means you'll click the phish and enter a username or password before realizing that the email isn't legitimate.
So, if you think about phishing being both a volume-based thing & a very profitable thing, the best advice I can give about avoiding phishing boils down to two points:
Hope this was some helpful information!