The bigger your company gets and the more money passes through your operation, the bigger the threats. You need to consider them. But if you use e-mail or have a company Web site, there are two items of particular interest: breadcrumbs and hijacking.
Leaving breadcrumbs
I happily live in the world of nerds – as a nerd myself. We have our own language, and don’t you know it. When Hansel and Gretel wanted to be sure they wouldn’t get lost in the forest, they left behind breadcrumbs to mark their path. It didn’t work too well for them, but nerds still use that term to describe all the little bits you leave behind when you are traveling the Internet and the Web. The bad nerds don’t want you to know about it.
These days you really can’t do business without visiting any number of Web sites every day. I am sure you buy plenty of things directly from a Web storefront and more every day. Every visit to your favorite site leaves breadcrumbs.
The Web log for that site has recorded your presence, your computer address, and can follow other breadcrumbs right back to you. (And of course, the same is true for every visitor to your Web site. I covered how to capitalize on that fact in an article in the May 2006 issue of Upsize, called Web Sites I).
Each e-mail that you send leaves similar crumbs in similar places all around the Internet. What you may not know is that the e-mail you sent from downtown Minneapolis to your customer in Bloomington likely traveled through Chicago to get there. The whole while it hopped from one computer to another leaving those crumbs.
About hijacking
You’ll just have to take my word for it: The bad nerds use breadcrumbs for hijacking. Hijacking has many forms but it generally involves convincing you that you have visited a trusted location or sent an e-mail to a trusted recipient when, in fact, you have not.
That banking Web site that seems to have sent you a friendly e-mail – maybe was hijacked. Or that customer service center e-mail address, to which you just sent your user name and password – maybe was hijacked. And the information you sent was hijacked right along with it.
It is bad when the site you wanted to visit has been hijacked. Some of your personal or company information may fall into the wrong hands. But it is much, much, much worse when your own company Web site has been hijacked.
When your site is purloined in this way, your customers, partners, vendors or prospects are led to believe that they are engaged on your site, reading your product literature or signing up for your seminar.
But they are, in fact, doing all those same things with someone else entirely, and not a friendly someone else. When it all goes bad and that prospect finally realizes they have been hoodwinked, they will blame you.
Don’t let it happen
Thereare two sides to protect: your company site or e-mail server and thosethat you visit. You need to prevent yourself from being subject tohijacking and prevent your company from being hijacked.
The only way to be sure you’ve caught everything is to engage in adetailed security review of your site, operational processes, e-mailservice, and related IT items. You really should consider getting thatdone. But in the meantime, consider these things.
E-mail links are bad.
Never follow a link directly from an e-mail that requests yourassistance in an important matter. Do not visit that link to updateyour contact information with your lender. Do not click on the linkthat asks you to restore your lost password on eBay. Reputable serviceswill find a way to get that done without relying on an insecuremechanism.
Similarly, do not ask your customers or partners to click on links inthe e-mails that you send. You don’t want them to get used to doingthat or they will happily do so even when the e-mail didn’t come fromyou. The easiest way to hijack is to use these embedded e-mail links.Stay as far away from them as possible.
Bulk e-mail gets you in trouble.
Do not use your own e-mail servers and your own domain name(you@your-domain.com) as outbound sources for bulk e-mail campaigns. Ifyou must use bulk campaigns, do so only with a reputable vendor.
Launching a campaign from your own domain is a guarantee of two things:Your company will be placed on an anti-spam list blocking your e-mailsfrom your customers, and some of those bulk e-mails will travel to thebad guys whose names are placed on bulk lists for just that reason. Nowthey can find you; now they can attack.
Protect your Web site.
If your Web site allows visitors to log in to gain special privileges(track orders, make new orders, etc.), always require extraverification steps that are repeated when you take a protected action(such as completing an order).
When your customer has clicked on the “Place My Order” button, ask themagain for the password. Ask them for at least one other piece ofinformation only they would know (such as a customer ID or billing Zipcode).
Do not send private data via e-mail.
Bottom line: E-mail is not secure. Don?t send passwords, credit cardnumbers, Social Security numbers or account numbers via e-mail. Don?tsend attached documents that contain private data. Even if the intendedrecipient receives it whole, you will never know who else has a copy.Do. Not. Send. Private. Data. Via. E-mail.
Protect your brand.
Your domain name and e-mail addresses all represent part of your brand.Outsiders wishing to verify the nature of e-mails received from you cando some checking. Visitors to your Web site can do some checking. Theywill check with the registrar of your domain name(www.your-company.com: your-company.com is your domain name).
The information stored with your domain registration not only containscontact and company information, but also points visitors to otherdata. If you’ve never seen this stuff, you ought to. It is entirelypossible that the contact listed for your company is someone you’venever heard of at a phone number in another state. How are theyanswering that phone?
The bigger you get, the more business you do, and the more fun you arehaving, the better target you become. In order to avoid lying awakeevery night, check into some of these things now, before you gethijacked by the breadcrumbs.
Kirk Hoaglund,
Clientek:
612.379.1440, ext. 101
kirk.hoaglund@clientek.com
www.clientek.com
