
Digital Security

5 Overlooked Keys to Protect Your Business Online

Digital Security – 5 Keys to Protect Your Business

When we think of digital security and protecting our online business, the first thing that comes to mind may be firewalls, anti-virus software, anti-malware software, securing WordPress and other commonly discussed security measures. While these are all legitimate security concerns, here are 5 keys to secure your digital business that tend to get overlooked but are critically important.
Verify Domain Ownership

If you have an existing domain name, verify that you are listed as the owner.
You must be listed as the registrant with the domain name registrar where your domain name is registered.

IMPORTANT: This may or may not be where you purchased the domain. It’s quite common for some web hosting services to sell you a domain name but actually register it somewhere else.

You MUST verify ownership of your domain. You can do this from any web browser by going to the following URL: whois.icann.org
[Screenshot: whois results]

If you are purchasing a new domain, do it yourself to ensure that you are the registered owner.

If someone else registered your domain for you, verify ownership NOW!

Sadly, there are some unscrupulous web designers/developers/webmasters who, if left to do the buying, will, unbeknownst to you, register the domain in their own name. If, at some point, they disappear, you may find it difficult if not impossible to gain control. Should you decide to fire them, they may even hold your domain for ransom.

Remember this: it’s not who pays for the domain that owns it, it’s who is listed as the registered owner. There may be exceptions, for example, if the domain name is a registered trademark. But for most business owners, failure to ensure they are listed as the registered owner can prove a nightmare.

Domain Privacy – You can use a domain privacy service to keep your contact information from being displayed in the public whois database. However, this technically makes that service the owner and they license the domain back to you.

Although this may seem routine, it does open the possibility for disputes and possible litigation should your domain registration get hacked. The hacker could change all contact info, move the domain and use the privacy service to prevent you from discovering the identity of the hacker. The odds of this scenario may seem remote, but it is possible and in fact has been documented as happening.

The downside of having your personal contact info revealed publicly is your address will be displayed as well as your contact email, which could result in that email address receiving spam. Consequently, you may want to consider dedicating an email address solely to this function.


Protect Your Domain Records

Think of DNS (Domain Name System) as the internet phone book. When someone decides to visit yoursite.com, a lookup in the internet’s phone book tells the browser where yoursite.com is located.

However, these digital communications between name servers can be intercepted and you might be directed to a spoofed site. To prevent this from happening, a digital signature can be placed in the communicated data so that the answer can be verified as genuinely coming from the domain’s zone.

The protocol used to sign your DNS records is called DNSSEC, Domain Name System Security Extensions.

Implementing DNSSEC requires the addition of new DNS records. Check with your domain registrar (where your domain was registered) to see if they support DNSSEC and their procedure to implement.

If you use the free Cloudflare service (I recommend you do) then the process becomes much simpler as described here: How do I turn on DNSSEC? If you would rather have this done for you, consider taking advantage of my Speed Booster Max special.

Domain Locking: Registrar Lock (client) vs Registry Lock (server)

Registrar Lock – A registrar lock is a security setting within your registrar’s dashboard that helps to prevent unauthorized transfers of your domain. It also prevents deletion of the name and changes to the domain contact details. Locking or unlocking is accomplished by logging into the domain account and manually changing the setting.

Registry Lock – Registry locking is put in place to prevent “domain hijacking” and accomplishes the same as the registrar lock but happens at the registry level rather than just the registrar level. Locking at this level requires additional authentication and verification steps and may include offline action as well as online. While this provides a higher degree of security, it also adds an “annoyance” factor: changes to DNS records take longer and require the registry to perform the lock/unlock, possibly delaying legitimate changes.

To check your domain for domain locking, Cloudflare provides a free scan that checks your registrar and domain security.

On the results page you can also click “View your full Whois record”. Look for Domain Status entries and a link to the explanation for each status as follows:

Registrar Lock (client):
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited

NOTE: If you don’t have direct access to your registrar lock status, contact your registrar to set any or all of the above.

Registry Lock (client + server):
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
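To make the checks from the ownership key and from the lock status list above repeatable, here is an added example (not code from the original post) that parses a whois record in the key/value format shown on whois.icann.org and reports whether the registrant is who you expect, whether the registrar (client) and registry (server) lock statuses are set, and whether the DNSSEC line reads signedDelegation. The whois record and the business name are constructed sample values.

```python
"""Audit a domain's public whois record for the checks described above:
registrant identity, registrar/registry lock statuses and DNSSEC.

Added example, not code from the original post. It parses the key/value
format used by gTLD whois servers (as shown on whois.icann.org) from a
constructed sample record so that it runs offline; to audit a real domain,
paste the output of `whois yourdomain.com` into WHOIS_TEXT.
"""
import re

# Registrar (client) and registry (server) EPP status codes listed in the article.
REGISTRAR_LOCK = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}
REGISTRY_LOCK = {"serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited"}

# Words that usually indicate a privacy/proxy service is listed instead of the real owner.
PRIVACY_HINTS = ("privacy", "proxy", "redacted", "whoisguard", "protected")

# Constructed sample record (not a real domain) for offline demonstration.
WHOIS_TEXT = """\
Domain Name: EXAMPLE-BUSINESS.COM
Registrar: Example Registrar, LLC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Organization: Example Business Inc
Registrant Email: domains@example-business.com
Name Server: NS1.EXAMPLE-HOST.NET
DNSSEC: unsigned
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict. Repeatable keys (Domain Status,
    Name Server) become lists; status lines keep only the EPP code."""
    record = {"Domain Status": [], "Name Server": []}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Domain Status":
            record[key].append(value.split()[0])  # drop the icann.org explanation URL
        elif key == "Name Server":
            record[key].append(value.lower())
        else:
            record[key] = value
    return record


def audit_domain(record, expected_registrant):
    """Return a list of (severity, message) findings for the parsed record."""
    findings = []
    registrant = record.get("Registrant Organization") or record.get("Registrant Name", "")
    if expected_registrant.lower() not in registrant.lower():
        findings.append(("HIGH", f"registrant is '{registrant or '<missing>'}', not '{expected_registrant}'"))
    if any(h in registrant.lower() for h in PRIVACY_HINTS):
        findings.append(("INFO", "registrant appears to be a privacy/proxy service, not your business"))

    statuses = set(record["Domain Status"])
    missing_client = REGISTRAR_LOCK - statuses
    if missing_client:
        findings.append(("HIGH", "registrar lock incomplete, missing: " + ", ".join(sorted(missing_client))))
    if not REGISTRY_LOCK <= statuses:
        findings.append(("MEDIUM", "no registry (server-level) lock; ask your registrar whether they offer one"))

    if record.get("DNSSEC", "").lower() != "signeddelegation":
        findings.append(("MEDIUM", f"DNSSEC not enabled (whois says '{record.get('DNSSEC', '<missing>')}')"))
    return findings


if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    for severity, msg in audit_domain(rec, "Example Business Inc"):
        print(f"[{severity}] {msg}")
```

For the sample record the audit reports a missing clientDeleteProhibited status, no registry lock and DNSSEC unsigned, which is exactly the list to take to your registrar.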


Secure DNS Records Management

TIP: Download a copy of your DNS records for each domain you own. If the download is in BIND format (a txt file), you’ll be able to open it in Excel. Make it a practice to keep a backup copy and check it to verify all records. There are many legitimate operations which may require changes or updates to your DNS records. These may leave behind orphaned records that are no longer needed. You can either remove them manually within the registrar dashboard or change them offline and import them back via your dashboard. Manual updates are safer and can be targeted only to the records that need updating. Check with your registrar about their process for exporting a copy of your records. If you use Cloudflare, this becomes a simple “Click to Export” operation.
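Checking a saved export against the current one is tedious by hand once a zone has more than a handful of records. The added example below (not code from the original post) parses two BIND-format exports and reports every record that was added, removed or changed, which is what a hijacked A or MX record, or an orphaned leftover, looks like. Both zone files are constructed samples for a made-up domain.

```python
"""Compare a saved backup of a zone (BIND text export) against the current
export and list every record that was added, removed or changed.

Added example, not code from the original post. Both zone texts are
constructed samples; replace them with the exports from your registrar or
Cloudflare dashboard (the "Click to Export" file mentioned above).
"""
import re

BACKUP_ZONE = """\
;; Constructed backup export for example-business.com
$ORIGIN example-business.com.
$TTL 3600
@      IN  SOA   ns1.example-host.net. hostmaster.example-business.com. 2024010101 7200 3600 1209600 3600
@      IN  NS    ns1.example-host.net.
@      IN  NS    ns2.example-host.net.
@      IN  A     203.0.113.10
www    IN  CNAME example-business.com.
@      IN  MX    10 mail.example-business.com.
mail   IN  A     203.0.113.20
@      IN  TXT   "v=spf1 mx -all"
"""

CURRENT_ZONE = """\
;; Constructed current export: the web server address changed and a stray record appeared
$ORIGIN example-business.com.
$TTL 3600
@      IN  SOA   ns1.example-host.net. hostmaster.example-business.com. 2024020201 7200 3600 1209600 3600
@      IN  NS    ns1.example-host.net.
@      IN  NS    ns2.example-host.net.
@      IN  A     198.51.100.77
www    IN  CNAME example-business.com.
@      IN  MX    10 mail.example-business.com.
mail   IN  A     203.0.113.20
@      IN  TXT   "v=spf1 mx -all"
staging IN A     198.51.100.78
"""

# owner [ttl] [IN] type rdata  (a ';' inside quoted TXT data would need a real zone parser)
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$")


def parse_zone(text):
    """Return a set of (owner, type, rdata) for every resource record.
    $ORIGIN is applied to '@' and relative names; other directives and
    comments are skipped. The SOA serial changes on every edit, so the
    SOA record is compared by owner/type only."""
    origin = ""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"
        rtype = m.group("type")
        rdata = "<serial varies>" if rtype == "SOA" else " ".join(m.group("rdata").split())
        records.add((name, rtype, rdata))
    return records


def zone_drift(backup_text, current_text):
    """Return (added, removed, changed): records only in the current export,
    records only in the backup, and (owner, type) pairs present in both but
    with different data."""
    before, after = parse_zone(backup_text), parse_zone(current_text)
    added = sorted(after - before)
    removed = sorted(before - after)
    changed = sorted({r[:2] for r in added} & {r[:2] for r in removed})
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = zone_drift(BACKUP_ZONE, CURRENT_ZONE)
    for label, rows in (("ADDED", added), ("REMOVED", removed)):
        for name, rtype, rdata in rows:
            print(f"{label:8} {name:32} {rtype:6} {rdata}")
    for name, rtype in changed:
        print(f"CHANGED  {name:32} {rtype:6} (confirm who made this change and why)")
```

Run it after every change you did not make yourself; an unexpected CHANGED line on the A or MX record is the signal to log in to the registrar and take back control.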

Here’s a common scenario. A business owner hires a web designer to either build a new website or fix an existing site.

In the case of a new site, the owner allows the designer to purchase the domain name and configure DNS for the new site.

Or in the case of an existing site, the new designer convinces the owner that they can get a better web hosting deal along with getting the domain name.

PROBLEM
The domain records management resides with the domain registrar and in order to manage the dns records, the designer needs the login information to the registrar dashboard which also gives them ACCESS TO THE DOMAIN REGISTRATION records. Now they have the ability to change the DOMAIN OWNERSHIP record!

Now there are indeed legitimate reasons you as the owner may need to hand off the management of DNS, e.g. configuring email records, forwarding name servers, etc. So how do you give someone management access without giving them the keys to the kingdom?

There are a couple options; the first is to separate the location of the dns records management from the domain registrar.

For example, you could secure hosting for the website somewhere other than the domain registrar and transfer dns management to the web host. Or, even better, you could take advantage of a third party dns management platform such as Cloudflare. Now your web guy/gal only needs login info for that platform and not your domain registrar.

And yes, they could still cause problems by locking you out of the dns management platform or changing dns records to point away from your server. But in that case, you login to your domain registrar (to which they do NOT have access) and remove the forwarding of your name servers (where dns management happens). Now you have regained control of your dns records without exposing your domain ownership to unnecessary risk.

The second option depends on your domain registrar. Some registrars provide an option to share limited access to your DNS management console. Here is a screenshot from namecheap.com, which provides a sharing option by designating a “domain manager”. Once you designate a manager, you can further configure what the manager can and can’t do.
[Screenshot: domain manager permissions area]

You will need to check with your domain registrar for similar functionality.

My recommendation is to use Cloudflare as the DNS management user interface is far superior plus you get all the additional security and performance benefits that Cloudflare provides.

DNS records management access – Enable two factor authentication for domain management access. If you designate a domain manager, insist that they do the same. This additional layer of security helps protect against unauthorized access. Not all two factor authentication is created equal, so here’s a brief breakdown of the most common methods, by how the login verification code reaches the owner:

SMS – text message. Better than no two factor at all but considered weak security due to SMS messages being easily intercepted.

Email – slightly better security than SMS but still weak.

Authenticator app – better than email and considered the most secure. The login verification code is generated by an authenticator app (desktop and/or mobile device) and entered manually.

Authenticator “one button” app – same security as an authenticator app but does not require entering a code; a one-button tap approves or denies the login.

Bottom line – any two factor is better than none, but always choose the most secure method when available.


Claim Your Online Brand: Establish Your Online “Business Profile”

Your online business profile may be the first contact a prospective customer has with your business. It’s critical to ensure that first impression is the one you want for your business and your brand. Start that process by creating a consistent business profile on these major networks:

Google My Business

If your business is brick and mortar, be sure to claim a Google My Business listing. Make sure you select the proper category for your business and avoid any categories that are not relevant. Upload photos of your business and your employees and fill out your business info as completely as possible.

TIP: Make sure that your business NAP (name, address, phone number) is accurate and consistent across all your web properties, including your website.

Facebook

Don’t confuse your Facebook personal profile with your Facebook business page. Promoting your business via your personal Facebook account is technically against Facebook’s TOS. Your profile is restricted to 5,000 friends maximum and, by default, any posts you make will be shown to only a segment of them at any time. All posts on your Facebook page are public and can be viewed by anyone, even if they don’t have a Facebook account. While organic reach for Facebook page posts continues to plummet, you will need a Facebook page if you decide to run Facebook ads in the main news feed. And for larger companies with a dedicated team to keep their page updated and their audience engaged, organic ROI may still be possible. But make no mistake: for business, it’s pay to play, and done right, there are huge returns to be had with Facebook ads.

Instagram

With over 800 million active users as of September 2017, Instagram puts a visual face to your brand. Although the target age group is 18 to 34, the demographic continues to expand, and brands and businesses have discovered that engagement on Instagram surpasses Facebook.

Twitter

Although it may not have the glitzy huge numbers of a LinkedIn, Facebook or even Instagram, Twitter can still be valuable for your business. And with a minimum of characters allowed, it can require a smaller time investment than most of the other networks. Create and optimize your account, find your ideal market, establish relationships and share your successes and failures to develop your “tribe”.

LinkedIn

Make sure your LinkedIn personal profile is optimized, as Google treats this as a highly authoritative source and will rank it high in the SERPs! Sadly, LinkedIn severely reduced the utility of LinkedIn company pages for small business when they reduced it to basically just another post feed. Still, it’s free, so consider it worth at least a small investment of time.

These are the major networks. If you decide to further expand your online presence, here are others worth considering: Instagram for Business and YouTube.

What should be included in your online business profile? At a minimum, the business name, address and phone number, a.k.a. NAP. Be sure to include your logo whenever possible, along with photos of your business if you have a publicly accessible address.


Promote Your Business Brand Online

Promotion = Protection

Do this on a regular basis – Search for your business name (and any variations).

Ideally, what you’ll see on the first page of results are all positive results. The best way to ensure those results are positive is to control as many of them as possible, i.e. your website and your social profiles (see Key 4). If not, then you have work to do.

When someone searches for your business/brand online you want control over what they find. Most users will not dig deeper than the first or second pages of search results.

So the more spots you occupy on these pages, the better experience you’ll be presenting to your prospective customers, clients, vendors, etc.

SEO – Optimize your website for the search engines, Google in particular, since it accounts for around 80% of all searches. Start with optimizing for your local geographic area. Local searches tend to be more buyer-centric than global search.

Think local first. Even if your target market is not local, you can still begin by focusing on local search engine optimization (SEO), then move on to national and international SEO if that’s appropriate. Local searchers have a higher degree of buyer intent and Google is pushing mobile big time. In fact, they’ve stated that search will soon be based on their mobile index. Here are some stats via this infographic from Go-Globe to further illustrate the importance of a local first promotional approach.

[Infographic: local SEO stats, via Go-Globe]

Paid Ads (PPC) – PPC allows you to drive targeted traffic to a landing page of your choice, increasing exposure, not just to your offer but also to your brand. Most purchases do not happen on the first touch but after several engagements with your business, thus increasing the exposure of your brand in a highly targeted and controlled manner.

If you don’t occupy this online real estate, there is a good chance your competition (or disgruntled clients) will!


Protect Your Website

Although not necessarily overlooked, protecting your website is obviously critical. What is often overlooked is the need to take a holistic view to securing your site. Unfortunately, for many, website security begins and ends with simply installing a security plugin. Follow these steps to fully protect your website.

  1. Avoid cheap shared hosting and make sure your site is on either a VPS or dedicated server. Make sure YOU have root access.
  2. Install an SSL certificate for your domain. You no longer need to purchase a standard certificate, as these certificates are now available for free from Let’s Encrypt or via cPanel/WHM AutoSSL.
  3. Once your certificate is installed, change all internal links on your site to https:// from http://.
  4. Redirect all http:// traffic to your site to https://. Be sure to include all image links as well.
  5. If you install a CMS like WordPress, be sure to install a security plugin.
  6. Make sure YOU always have the current username and password to log in.
  7. Never use plain insecure FTP to transfer files; use only SFTP.
  8. For more in depth details on securing your site, check out this post: Website Security – Hacker Proof Your Website.
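Steps 3 and 4 are where most sites fall short after the certificate is installed: a few http:// links and image sources get left behind, and on an https page those images, stylesheets and scripts are mixed content that browsers block or flag. The added example below (not code from the original post) scans a page’s HTML and sorts every remaining http:// reference into internal links to rewrite, mixed-content resources to fix, and external links to review. The HTML and the site host name are constructed sample values.

```python
"""Find http:// links and resource sources left on a page after moving
to HTTPS, and classify each one.

Added example, not code from the original post. It scans a constructed
HTML page; to scan your own site, feed it the saved HTML of each page and
set SITE_HOST to your domain (the value below is an assumed sample).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example-business.com"  # assumed sample value

# Attributes that load a resource or navigate, and tags whose http:// source
# is mixed content when the page itself is served over https.
URL_ATTRS = {"href", "src", "action", "poster", "data"}
RESOURCE_TAGS = {"img", "script", "iframe", "video", "audio", "source", "object", "embed"}

SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="http://example-business.com/css/site.css">
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://example-business.com/about">About us</a>
<a href="https://example-business.com/contact">Contact</a>
<a href="http://partner.example.org/">Partner</a>
<img src="http://example-business.com/img/logo.png" alt="logo">
<img src="https://example-business.com/img/team.jpg" alt="team">
<form action="http://example-business.com/subscribe"><input name="e"></form>
</body></html>
"""


class HttpLinkFinder(HTMLParser):
    """Collect every http:// URL found in a URL-bearing attribute."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (kind, tag, attr, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only loads a resource for stylesheets/preloads; a canonical link is just a link
        loads_resource = tag in RESOURCE_TAGS or (
            tag == "link" and any(r in (attrs.get("rel") or "").lower() for r in ("stylesheet", "preload", "icon"))
        )
        for attr, value in attrs.items():
            if attr not in URL_ATTRS or not value:
                continue
            parsed = urlparse(value.strip())
            if parsed.scheme != "http":
                continue
            host = (parsed.hostname or "").lower()
            internal = host == self.site_host or host.endswith("." + self.site_host)
            if loads_resource:
                kind = "mixed-content"       # browser blocks or flags this on an https page
            elif internal:
                kind = "internal-http-link"  # rewrite to https:// (forms included: the POST goes in clear)
            else:
                kind = "external-http-link"  # not under your control; review
            self.findings.append((kind, tag, attr, value))


def scan_html(html, site_host=SITE_HOST):
    """Return the list of (kind, tag, attr, url) findings for one page."""
    parser = HttpLinkFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Count findings per kind, e.g. {'mixed-content': 2, ...}."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_html(SAMPLE_HTML)
    for kind, tag, attr, url in results:
        print(f"{kind:20} <{tag} {attr}=\"{url}\">")
    print(summarize(results))
```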
While there is no such thing as 100 per cent secure, implementing these 5 overlooked digital security keys in addition to your standard online security practices will greatly enhance the security of your online business.