
Digital Fortresses: Your Guide to Online Security

Paul Miller

Paul Miller is the Web Development Project Coordinator at Proof Digital, a business growth-marketing agency that blends modern marketing tools with traditional sales funnel processes. As the go-to expert for web hosting and cyber security best practices at Proof Digital for over five years, he brings a wealth of knowledge to the agency’s projects. A tech enthusiast with a broad range of interests, Paul’s skill set is remarkably varied, encompassing web development, e-commerce, motion graphics, audio engineering, and customer support. His commitment to digital safety and authentic support for team growth has substantially impacted the organization’s success.

 


Here’s a glimpse of what you’ll learn:

  • [02:05] Paul Miller discusses staying proactive against cybersecurity threats
  • [06:59] How two-factor (2FA) or multifactor authentication (MFA) can shield your digital assets
  • [10:37] Why creating complex, unique passwords is critical for your online accounts
  • [14:08] How to spot suspicious emails and prevent malware attacks
  • [18:00] Strategies for avoiding breaches from public Wi-Fi usage
  • [20:00] Why are regular updates of software and browsers essential for closing security gaps?
  • [22:39] How to employ mobile security measures to protect confidential information
  • [29:03] Scaling up the defense level for enterprise organizations versus smaller businesses

In this episode…

In a world where the slightest digital misstep could leave you vulnerable to cyber attacks, how can you ensure your sensitive information remains secure? With hackers and cybercriminals relentlessly creating new means to infiltrate data, are your current cybersecurity measures up to the challenge in today’s rapidly evolving technological landscape? Discover how proactive measures can transform your online safety, keeping the gateways to your personal and business data firmly sealed.

Cybersecurity guru Paul Miller unpacks practical steps and best practices to arm your team against digital intrusions. Emphasizing that even savvy internet users can fall prey to sophisticated phishing attacks, Paul shares insights into the value of two-factor authentication and the necessity of keeping software up to date. By prioritizing complex passwords and using encrypted password storage, businesses and individuals can enhance their lines of defense. He also provides practical safety tips for mobile device usage, outlining why updating to modern browsers is not just for improved performance but also for reinforced security against hackers who exploit vulnerabilities in outdated systems. Demystifying cybersecurity, Paul equips listeners with the tools to safeguard their digital footprints.

In this episode of Proof Point, Stacie Porter Bilger chats with Paul Miller, the Web Development Project Coordinator at Proof Digital, about the complexities of protecting your digital presence from malicious activities. Paul reveals actionable insights to bolster your cybersecurity protocols, from the value of multifactor authentication to the unexpected avenues through which hackers infiltrate virtual spaces, the power of complex passwords, and the nuances of thwarting phishing schemes.


Quotable Moments:

  • “Security, for me, is almost like a baby in a crib. That’s your information, and basically, your passwords would be like hanging a fixture above the crib.”
  • “Two-factor authentication is a nice way of keeping things in checks and balances.”
  • “Make a password that you cannot remember; that way, you don’t ever risk it being easy enough for somebody to solve and break in.”
  • “We as a team want to have each other’s back, so we strongly encourage these practices.”
  • “There’s no guarantee that you’ll be 100% safe, but taking those actions will definitely help reduce that risk greatly.”

Action Steps:

  1. Implement multifactor authentication on all your critical accounts to significantly boost your security: This acts as an additional barrier, preventing unwanted access even if your password is compromised.
  2. Use a reputable password manager to create and store complex passwords: Password managers make it possible to use virtually uncrackable passwords for every account without the risk of forgetting them.
  3. Regularly update all your software, including operating systems, web browsers, and website plugins: Updates often patch security vulnerabilities, making it more difficult for hackers to exploit out-of-date software.
  4. Train staff to recognize and report phishing attempts and suspicious emails: Awareness can prevent data breaches by ensuring suspicious activity is identified and dealt with before any harm is done.
  5. Utilize a VPN or personal hotspot instead of public Wi-Fi to protect sensitive data while using the internet in public places: VPNs and personal hotspots encrypt your internet connection, protecting your data from potential interception on unsecured public networks.

Sponsor for this episode…

This episode is brought to you by Proof Digital.

We are a strategic and creative performance marketing agency partnering with organizations to create data-fueled marketing engines that drive growth and deliver a tangible ROI.

Founded by Stacie Porter Bilger in 2012, Proof Digital employs a strategic marketing approach by blending today’s marketing tools like SEO, PPC, and paid social ads with traditional sales funnel processes.

Ready to get results? Visit https://proofdigital.com/ to learn more.

Interview Transcription –

Digital Fortresses: Your Guide to Online Security

(0:02 – 0:14)

Welcome to the Proof Point Podcast, where we decode digital success one click at a time. We share key takeaways fueled by data and insights that your team can implement today to drive growth. Now, let’s get started.

(0:21 – 0:43) 

This is Stacie Porter Bilger, your host for the Proof Point Podcast, where I feature B2B and D2C businesses and thought leaders, sharing marketing, data tactics, sales strategies, and leadership insights that will kickstart your growth in this rapidly changing digital space. This episode is brought to you by Proof Digital. Proof Digital is a strategic and creative performance marketing agency.

(0:45 – 1:15) 

We partner with companies to create data-fueled marketing sales funnels. Before I introduce our guest today, I’m gonna give a shout out to Andrea Brummett with ReadyHR for connecting me nearly five years ago to our guest, Paul Miller. Paul is a member of our team here at Proof Digital, and I’ve had the pleasure of working with him during those five years and really just kind of blessed to have him in my life.

(1:19 – 1:41) 

So let me just do a quick intro of Paul. Paul is a man of many interests in the tech world, including but not limited to audio production, video production, cybersecurity, e-commerce, and web development. His favorite means to disconnect would be a cool night, a campfire, and stars clearly visible in the evening sky.

(1:44 – 2:01) 

That’s a good day. Paul has worked here at Proof Digital for five years and is our web development project coordinator and security guru. He has many hats at Proof and is our resident expert on web hosting, again, on security best practices.

(2:03 – 2:10) 

And Paul, thanks for joining me today. Oh, thanks for having me. For five years here at Proof.

(2:10 – 2:12)

 Yes. Hello. We’ve had a good time.

(2:15 – 2:51) 

And today’s topic really is security. And it is sometimes an overwhelming, ongoing task. We deal with it all the time, weekly if not daily from a standpoint of helping keep our clients’ websites secure, helping our clients deal with the fact when their identities have been stolen, dealing with the fact of the bad guys throwing malware on somebody’s site that they didn’t save their passwords correctly sometimes.

(2:54 – 3:06) 

So we’re gonna cover today maybe some top security tips that our listeners can take away and implement themselves. Again, it’s overwhelming. And so that’s the topic.

(3:09 – 3:20) 

Paul, thanks for coming on. Yeah, yeah, no problem. Yeah, this is a lot of my day to day in terms of when I’m not doing client work, I have to kind of audit and maintain some activities I see online.

(3:22 – 3:38) 

Usually I get little alerts that there’s a lot of logging attempts or there’s something a little nefarious happening. So I have to block traffic or update plugins if I get vulnerability alerts, et cetera. So it’s something that on a day-to-day basis, I have to keep an eye on.

(3:42 – 3:53) 

Yeah, and it’s challenging because not only do you get ahead then the bad guys come up with a new way to go around you. And it’s an ongoing piece. And there’s new things that come in.

(4:00 – 4:12) 

I think we had somebody who thought they had malware on their site. And well, it wasn’t necessarily they had malware on their site but it was somebody added a plugin that we didn’t add. And there was a password vulnerability.

(4:15 – 4:43)

 And then it starts sending out crazy emails to clients and things. So you just, and it’s also on, we work on protocols on our end but everybody’s got to work on protocols on their end so that they follow the best way to stay safe and limit the cost to their business because security is expensive. Absolutely, and that’s the thing too because it’s one of those situations where you think things are safe and you’ve got kind of a system under control.

(4:47 – 5:16) 

And then next thing you know, the hackers and the bad guys find a more sophisticated way to find a barrier of entry and infiltrate it essentially. So with that said, it passed malware sweeps and looked like business as usual, but come to find out it was wanting to mine cryptocurrency and do a lot of nefarious activity that’s not ethical. And luckily we caught it in enough time that it didn’t do any blacklisting or cause any severe ill effects, but had it gone unnoticed, who knows what could have happened.

(5:20 – 5:26) 

That’s right, that’s right. Let’s talk about those, some best practices. Let’s talk, let’s hit on a few here that everybody should be doing.

(5:28 – 5:57) 

So let’s talk about 2FA. Now I’m using an acronym there. So let’s talk about, or MFA.

(5:39 – 5:57) 

What are those two? What are those two things? Just kind of go through what that number one thing you should be doing on all of your accounts, even though it’s a pain in the butt. Yes, two-factor authentication, or multi-factor authentication. It is a nice way of keeping things in checks and balances with your login.

(5:58 – 6:36) 

You log into an account, it’s gonna send you a text message with a six or seven digit code depending upon the protocol, or you could use Google Authenticator and have to use the Authenticator code that’s actually synced with that particular account settings, or you might get an email and have to click the link for verification. There’s a few different ways you can employ that method. I personally prefer either the authenticator or the text account, because the chances of somebody getting my authentic account I feel is a lot lower, or smoothing my text and my cell phone number essentially is likely low too, because I’m out in the rural area.

(6:38 – 6:50) 

But at the end of the day, I see it immediately, I can log in. And also, if somebody’s trying to tamper with my account, I’ll see that 2FA and know to go in and update my password immediately. That’s happened a few times, particularly with my personal Gmail.

(6:52 – 7:04) 

Yeah. I use both text and those apps that serve as that multi-factor authentication tool. I will tell you, I know it is a hassle, I realize.

(7:09 – 7:20) 

Paul, I can’t even tell you how many accounts we have in our company, a lot, a lot, a lot, a lot. And hundreds, hundreds, hundreds. And we have to do the two-step across the board.

(7:25 – 7:42)

It just is part of our process. And we have a couple of people, me included being one of those people who get those texts or to help verify just to make sure we’re staying safe. Checks and balances.

(7:43 – 7:52) 

Checks and balances. And this is part of the process. And it really, if I picked anything, there’s other things I would pick, but if I picked anything on our list today, I would put that number one.

(7:54 – 8:12)

Yeah, absolutely. Over and over again with an exclamation mark on, do it. Especially any bank accounts, any email accounts, anything with any financial information, anything with your kids’ information, schools, colleges, stuff, you need to be doing two-step or multi-step.

(8:16 – 8:21) 

Absolutely. Over and over. I just wish somebody would hack and pay off my mortgage, but that’s wishful thinking.

(8:24 – 8:49) 

Yes, yes. And to be truthful, I’m talking about banking. We have extra security and extra protocols on our bank account, but just last week we had someone who was just doing the charge of a penny or doing something multiple times or doing a deposit of a penny just to see if they can’t get into the account.

(8:53 – 9:14) 

We put extra protocols of even those systems that those transactions are not going through with until approval is made. And so depending on your banking setup, I would recommend even going to that level because they try everything. Yeah.

(9:14 – 9:33) 

And even as a sidebar outside of the web and tech world, I am meticulous about checking gas station pumps, even the tap-to-pay, because there are people that will put a little cap on top of those payment points that you can easily pull off and that’s skimming your information as well. It is. So it’s unfortunate, but you just have to keep an eye on all those things.

(9:36 – 9:49) 

Yeah. The next piece that we do cover is, and we have, there’s passwords storing services. I know you’ve worked, we’ve had various ones and we’ve kind of upgraded recently to 1Password.

(9:54 – 10:08) 

What do password storing services do for clients or companies? Depending upon which one you go with, there are a lot of tools and kind of a wealth of information that you need to get from these tools. One, it stores your password. So you can make long, complex passwords.

(10:11 – 10:20) 

That’s a number two exclamation point, most important thing. Make a password that you cannot remember. That way you don’t ever risk it being easy enough for somebody to sign in.

(10:22 – 10:27) 

Right. And break in. Also, these password keepers can run an audit and let you know, hey, you’re using way too many same password on.

(10:31 – 10:41) 

Yeah. You need to change these and let you know kind of some trends and behaviors that you need to modify to help increase your security. Those are the two main components that I really enjoy about 1Password.

(10:43 – 11:09) 

Also, it’s really easy to have on your phone and even on as a desktop extension, I can use my little fingerprint to log right in and get my password quickly, log in and don’t have to worry about typing 32, however many characters depending upon the account. Yeah. Certain computers do a better, a really good job and browsers do a good job of only going through your fingerprint to log into certain accounts.

(11:10 – 11:24) 

And that’s a really good, another way to do it. Let’s talk about passwords a little bit. I’m going to share a screen here a little bit, but in a second, we would get clients who would share accounts with us and their password was password.

(11:26 – 11:38) 

Yep. Or their company’s name, or if you’re personal and people use their birth date or their kid’s names or bad idea. Very much so.

(11:39 – 11:45) 

And to that—bad idea. Yeah. Because you see all the time, there’s memes on Facebook and it’s like, share your pet’s name or all these little tidbits.

(11:49 – 12:03) 

And it’s ways for them to fish for security password verification info. Like what was going to be your first pet? What street did you grow up on? Things like that. So I don’t play that game ever, but at the end of the day, that’s something that people don’t even think about.

(12:05 – 12:14)

And it’s a simple way for somebody to jump in and get your stuff. Well, we had this floating around our company. I wanted to share it with folks because I think this is so interesting.

(12:17 – 12:29) 

You log into a site and they want you to have a number, a lowercase, an uppercase. And there’s a reason for that. I mean, there’s data behind the madness of why you have to have those things and passwords.

(12:32 – 12:40) 

So if you don’t have, if you only have numbers only, they can hack that instantly. Yes. If you have lower cases, they can hack that instantly.

(12:44 – 12:58) 

It takes them 32 minutes. If you have, you know, 11 lowercase only, 11, you know, 32 minutes, they can hack it. If you only had lowercase.

(13:01 – 13:37) 

If you had upper, lower case symbols and numbers, but you only had nine characters, it’d take them six hours and they would hack it. So that’s why, you know, more and more companies, and as you should, have long passwords. I think it might take, if you had say 12 characters and you had numbers, upper, lower letters and symbols, it might take somebody, you know, three years to crack it.

(13:40 – 13:57) 

So it’s just the scientists, scientific piece behind creating passwords. So long and diverse in numbers and upper and lower case and symbols, the better. Yes.

(13:58 – 14:01) 

Robust is key. That’s the key word there. Yeah.

(14:01 – 14:23) 

So that’s a really good graphic to kind of emphasize why you have to do all those extra things. And then why having a password system, like a one password storing service is important because you’re not going to remember those. At least I’m not going to remember those.

(14:26 – 14:50) 

Yes. Thankfully, in many ways, you know, like with all of our sites, we have tools in place that are smart at seeing traffic come in, especially at what you call a brute force level, where a bot is sending existing username and passwords and testing those combinations or running numerically, alphanumerically, I should say, up the line with those passwords. So if it sees it start to happen, it immediately puts a halt to it and unblocks that IP.

(14:55 – 15:12) 

But that doesn’t mean that they won’t use a VPN and try another IP and get rid of it. And like you said, on our sites, we put all those things in place as best we can, but a few things could happen. One is they create an account themselves because they have access to their websites as they should to update those.

(15:14 – 15:23) 

And their password is weak. Yes. So that means they could get hacked still, even despite our firewalls in which we put in place.

(15:28 – 15:39) 

Another thing they might do, and you can reinforce this, is they might share their passwords over email or text. How do you feel about that, Paul? Not good, honestly. In my youth, that was something I foolishly did.

(15:43 – 16:01) 

I’m knocking on wood that I never saw any ill effects of that. I’ve since moved on to other banking organizations and things like that. But at the end of the day, the problem is they can sweep an email account and look for certain dialogue around username, password, and drill into those threads and find it.

(16:05 – 16:24) 

One organization I was with said always, if you’re going to do that, make it an image so it’s impossible to scan for. But even that, I don’t feel comfortable. There are tools like onetimesecret.com where you can actually create a URL with that information in it, and it burns once you close it, meaning it deletes it completely.

(16:25 – 16:39) 

So it’s a one-time use, get the information, shut it down, and then it’s gone. So things like that can really make sure that you’re not passing info back and forth carelessly. That’s the key word.

(16:40 – 16:56) 

Yeah, and if you have the tool like 1Password like we use, you can share passwords within those tools. We share all our passwords for our team in 1Password, and we have different vaults for different passwords. That’s another good way, but one-time password is one way.

(17:00 – 17:12)

Again, if somebody has to send something via text or email, again, we advise against it, make it an image. But that is still not great. Right, yeah.

(17:13 – 17:34) 

So any way to encrypt the information is the most important component to that piece of conversation, essentially. It is. And we continue to work through those pieces and those challenges, but the bad guys are always looking for ways, always looking for ways.

(17:36 – 18:11) 

Yes, they are. You know, the other thing we deal with on a daily basis is those suspicious emails that we get. Can you talk a little bit about that and what you’re seeing? Yeah, so with that is sometimes spoofing is a key thing where somebody’s email gets cloned or spoofed to look like it’s from somebody that you trust in your organization or a partner, and they’ll send over a PDF or a file with some instructions for you to touch base or review it and follow up.

(18:13 – 18:50) 

And then when you open it, boom, it’s infected with malware. It can sweep through your whole network if you’re not careful and then start intercepting information company-wide or wreaking havoc with identities and start causing issues where you start seeing nefarious transactions or skimming and things of that sort. One organization I worked with, anecdotally speaking, if I can talk, sorry, we had a CEO, his email got spoofed and it got sent to our accounts payable team saying, we have this invoice that we need to pay that’s going out to China.

(18:51 – 18:54) 

We’re ordering supplies. She didn’t think anything of it, paid it. It was a hefty five-digit fee, and that money was gone.

(18:59 – 19:17)

He’s like, no, I did not send that email, but it has his signature, spoke like him, all of that. So those kinds of things are certainly possible. So if you get a weird feeling in your gut about it, always check with the person via phone or in person if you can, and you say, just wanted to double check, for this email sent by you because that prevents a lot of issues in the future.

(19:21 – 19:34) 

And they’ll use the individual’s name. So Paul, I’m sure you’ve got an email that says my name on it. It goes to you and say, hey, Paul, will you do this for me? And it says, it looks like it’s from me, but if you look at the email address, it’s not me.

(19:41 –  20:03) 

Yeah. So looking at the email address is really important as just to make sure that’s not the, I mean, there’s lots of things you need to look at, but when it looks like it’s coming from your boss, make sure it’s actually your boss’s email address or whoever’s email address, because they will do that a lot to make it look like it’s coming from somebody on your team. Because they’ll look on your site, they’ll pull their name.

(20:06 – 20:11) 

And the bottom line is don’t click on anything. Yep. Absolutely.

(20:11 – 20:27) 

And if they say, hey, can you text me? I have an important task for you. Don’t do that. They’re fishing for some extra details so that way they can dig in with it.

(20:19 – 20:27) 

And we don’t want that to happen either. Right, right. And there are things that you can work with your company on to make sure that you’re blocking.

(20:29 – 20:46) 

It’s a balancing act when you’re blocking some of these spam and these IP addresses, because you also have clients who email you. And the more blocks you put in place, that impacts your communication with all. So it’s a balancing act.

(20:48 – 20:58) 

Yeah. Bottom line is in training your employees to not click on anything unless they’re confident on who it’s from. Checking email addresses on those pieces.

(21:01 – 21:16) 

And I’ve been guilty even on social and I know a lot about this. Somebody’s like, hey, I’m so sad about this. Somebody might post something on their social and they’re like, oh, it’s terrible that what happened. And I click and I wanted to see what happened and it was not. Yeah. Not real.

(21:17 – 21:23) 

Yeah. And I’m seeing a new one too where they’re posting viral content they’ve stolen from somebody else, like on TikTok, for example. Yeah.

(21:23 – 21:33) 

It’s a Facebook video and you click on it so you can actually credit, because it’s long and you want to kind of scroll through it. But then it tries to forward you to a page. I actually, my malware scanner on my phone was like, hey, we caught this for you.

(21:35 – 21:37) 

Go back. That kind of thing. So, now I know I’m not messing with that.

(21:41 – 22:07) 

But it looks so legit that the usability is just standard and they’re looking for sophisticated ways to sneak in. You mentioned you had a malware scanner on your phone. What is that? With mine, it’s basically, and with my phone, it’s kind of like the Avast tool, but it actually, when I installed, when I activated my phone, and that’s the key word, it actually came with it.

(22:08 – 22:19) 

And so it does regular weekly sweeps and updates and lets me know activity that I’ve had. It kind of helps keep me in check. I’ve used my phone an hour and 30 minutes less this week than I did last week, that kind of thing too.

(22:21 – 22:34) 

But it does let me know if there’s any vulnerabilities I need to take care of. More often than not, it’s just, for me, it’s like some apps that run in the background, the caching, I have to flush it and it just optimizes my battery performance. So I’ll take it.

(22:34 – 22:49) 

As an Android user, I am a little more susceptible than iPhone for apps to be more nefarious. But typically, I do not install anything that I’m not real familiar with. I always check the reviews and I always check and make sure that it’s from credible organizations.

(22:52 – 23:13) 

But I don’t need the tools that are, like the social tool, people that wanna create images. I would rather use Canva than, say, some weird third party that I’m not real familiar with because those can really start infiltrating your critical information. Right, and to your point on, I mean, iPhone does a pretty good job of security, but it’s not 100%, but they invest in a lot.

(23:17 – 23:35) 

Android definitely has a little bit more vulnerability, but you can do some workarounds like you’re doing. So just staying on top of those things, work with your carriers on that. If you’re not a big company, I mean, if you’re a larger company, you should have your IT putting the antivirus stuff on your computer, every computer.

(23:37 – 24:04) 

But if you’re a smaller company, I mean, there’s a few, there’s Norton, there’s Avast, there’s a few others that are good to keep those updated on your computers. That’s an important step as well. Yes, and I should point out that with larger organizations, when they have the enterprise level solutions, they have a lot more strict policies that enforce users to adhere to certain standards for them to comply and maintain day-to-day operations.

(24:09 – 24:26) 

So with a smaller organization, you don’t really have those luxuries because you don’t have those paid tools that enforce it as heavily. But at the end of the day, we as a team, we wanna have each other’s back, so we strongly encourage these practices. Right, absolutely.

(24:30 – 25:07) 

Paul, what else do you wanna make sure that we hit on here today on helping? You know, one thing I wanna cover, I wanna cover a few things what we do for website safety. Now, if we’re not hosting your site, here’s some things that we do, right? We are, you need to be on a hosting service that you have firewalls in place, that you have malware scans ability. And also you have a team who actually is updating your plugins on a regular basis and backing up your site in case those bad guys come in that you have a backup so your business won’t be impacted.

(25:10 – 25:36) 

I think the big thing that when we inherit websites from other people is they’re not taking care of them. And that’s a piece that we tend to try to nip in the bud before we inherit the site would be making sure it’s updated, it’s current, we sweep it to make sure there’s no visible malware. Then also too, you wanna make sure that the site’s core is current and PHP software is current.

(25:40 – 25:47) 

All those little components can create little vulnerability. And one tool we use is Wordfence. It’s a firewall security plugin for sites.

(25:50 – 26:08) 

It has a wealth of tools in it from firewall scanning, the brute force login attempt blocking. And another thing that it does that I really like is that when you do have plugins on your site, they will let you know critical alerts. Hey, there’s a plugin vulnerability.

(26:09 – 26:16) 

This one needs updated or this one’s outdated. It’s a medium risk or even low risks too. It wants to kind of keep a checks and balances for you that way.

(26:18 – 26:49) 

I always go through and read those emails just to make sure they don’t pick up malware if there’s any as well. So it does give you a lot of kind of machine learning based tools within it without really having to be full on generative AI, but it does kind of do some protective trends and make sure that you’re safe. Right, the bad guys love sites that aren’t updated because that’s when plugins or software, or the themes are asked for an update.

(26:54 – 27:07) 

It’s typically because they see the bad guys find a way in, so it’s a patch. Most of those updates. And so I’ve seen sites where they have, oh, so many updates they’ve missed.

(27:10 – 27:28) 

And so the bad guys are just like chopping at the bit and say, okay, this site’s vulnerable, this site’s vulnerable because you don’t update. Same thing for browsers. If you don’t update your browser and you have an old browser, an old computer, they know how to hack older browsers more than they, because again, it’s the same rule.

(27:31 – 27:50) 

Chrome, Safari, you name it, Firefox, they’re updating their browsers. A lot of times, yes, some of them are features, but a lot of times it’s because they’re fighting the bad guys and doing patches and vulnerabilities within those tools we use. Correct.

(27:51 – 28:03) 

And even to that point, some hackers will keep an outdated browser handy because it’s not supported anymore. And then they can find vulnerability by using that browser too. So it’s a twofold, you have to keep an eye.

(28:06 – 28:47) 

If I was the goalie playing soccer, I’d be going crazy because I’m trying to keep that net from getting scored on across the board. I like to kind of wrap things up with what are, from Paul, if you’re talking to our clients and those businesses who are out there just struggling through this issue, and it’s a little overwhelming, like you said, what are some point, a couple of points, or one point that you want to put across today? The biggest analogy with this, and security for me is almost like a baby in a crib. That’s your information, that’s your financial information, that’s your website data, that’s your customer’s data.

(28:51 – 29:26) 

And basically your passwords would be like hanging a fixture above the crib. You want to make sure that it’s secure and it’s not going to move or falter or have any instability whatsoever. So at that point, you want to make sure that you’re taking advantage of, again, to recap, secure passwords, complex passwords, a password keeper, multi-factor authentication across the board where possible, and then keeping everything current software-wise, be it your computer, your web browser, your network internally with your organization, your website, all of it, even your phone.

(29:30 – 29:45) 

And to that point, let’s talk about the phone real quick. We want to make sure that when you’re out in public that you’re not using public open Wi-Fi because that is an open source of getting information. You’d be surprised how easy it is for them to see what’s sweeping through the bandwidth to your device.

(29:49 – 30:03) 

If you have a VPN, you want to make sure to use it. If you carry a hotspot, like a separate device, you need Wi-Fi because signal’s rough, you can connect your phone to that Wi-Fi box. And that way you have your own individual privatized connection that they can’t intercept.

(30:05 – 30:14) 

Yeah, those are a couple of good points we didn’t hit on earlier. Really, don’t use free public Wi-Fi. Right. That’s a very good point.

(30:16 – 30:32) 

There are days when my daughter has library activities and I’m there with her and I’ll take my hotspot with me so I’m not on the Wi-Fi at the library itself and nobody can see what I’m up to and I can work safely, privately and be there. Yep, so I love it, Paul.

(30:35 – 30:54) 

Stay up to date, use complex passwords, absolutely do two-step verification. And then a few other nuggets that you mentioned. You have to do those or if not, you’re definitely, it’s going to happen.

(30:56 – 31:08) 

So it’s going to happen. Even if you do those, it might still happen, but if you do those, you’re ahead of the game. Yeah, there’s no guarantee that you’ll be 100% safe, but taking those actions will definitely help reduce that risk greatly.

(31:11 – 31:31) 

And at the end of the day, we’re all busy multitasking, something comes across your inbox and you open it, you’re stressed, double-check yourself, make sure that that is a legitimate email from somebody before you just blindly click on a PDF or a file because you just, you never know. Absolutely. Well, Paul, it’s been great talking with you here today.

(31:37 – 31:55) 

And thank you for being on the Proof Point Podcast and leaving those who listen and our clients feeling a little safer today. Absolutely, thanks for chatting. I’m really happy to talk about this stuff because I’m a tech nerd for one, and two, you just can’t be too safe out there these days.

(31:59 – 32:19) 

And that’s another point I want to make up for today. But before we take off, since 2021, the threat has increased by, I think it was between 13 and 21%, depending on tech type, I was reading an article this morning. And with the COVID lockdowns, that was a certain hotbed of activity, and it’s only been increasing since then.

(32:22 – 32:35) 

It has. So be safe out there, dot your I’s and cross your T’s when it comes to these practices. And if you have any questions on some of these pieces, we’re happy to help.

(32:37 – 32:39) 

Take care. Great. Thanks, Paul.

(32:40 – 32:42) 

Oh, thank you. Have a great day. You too. See ya. Bye-bye.

(32:44 – 32:48) 

Thanks for listening to the Proof Point Podcast. We’ll see you again next time. And be sure to click subscribe to get future episodes.
