12 Ways to Protect your Affiliate Business From Cyber Attack
Posted by Peter Bassill on 06/09/2021. Cybercriminals are opportunists, ready to take advantage of any lapse in security they can find. If they can gain access to your business, they will do so with the intent of making money somehow: encrypting all of your data and holding you to ransom, or stealing your clients' data and then targeting those clients directly. The criminals' options are wide. Securing your affiliate business is essential for looking after your clients, keeping out attackers and protecting your data. You can take several steps to protect your business, your clients and your data from cybercriminals.
1. Passwords - but different
Having good passwords is a solid foundation, and it is the same for everyone, from the home user to the small business and on to the enterprise. The UK National Cyber Security Centre considers it important enough to have written it into its Cyber Essentials standard. But here is the difference: stop with the complexity.
The NCSC also published official guidance on password policy, available here.
2. Goodbye Complex Passwords
Build your password from three or more words and ensure that the total length is at least 14 characters, ideally more than 16. A passphrase of that length will withstand all but the most dedicated password-guessing attacks. Pick the words at random rather than from a saying, song lyric or anything personal: dictionary attacks try common word combinations first, so the strength comes from the words being unpredictable, not just from the length.
Need a password policy, or want to see an example policy with no complexity rules in it? We have just that here.
3. Goodbye monthly password changes
With a passphrase of 16+ characters, stop forcing periodic password changes; change a password only when you believe it has been compromised. Set up monitoring that alerts you when an account on your domain appears in a password dump, and treat that alert as the trigger for a reset.
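The two points above (long word-based passphrases instead of complexity rules, and resetting only on evidence of compromise) fit together in a small amount of code. The following is an added example written for this page, not code from the article or from the NCSC: it generates a random multi-word passphrase, checks a candidate against a length-only policy, and looks the candidate up in a breach list using the same k-anonymity trick the Have I Been Pwned range API uses (only the first five hex characters of the SHA-1 hash are sent to the service, and the matching suffixes come back). The word list and the breach table are constructed for the demo; the one breach entry is the genuine SHA-1 of "password", but its count is made up.

```python
import hashlib
import secrets

# Constructed sample word list for the demo. A real deployment would load a
# large list (for example the EFF diceware list); a few dozen words is
# enough to show the mechanics but not enough entropy for production use.
WORDLIST = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "violet", "walnut", "yonder", "zephyr", "marble", "pocket", "silver",
]

MIN_LENGTH = 14      # policy floor from the article
TARGET_LENGTH = 16   # what the generator aims for


def generate_passphrase(min_words=3, target_length=TARGET_LENGTH, rng=secrets):
    """Join randomly chosen words until the passphrase is long enough.

    Words are drawn with a CSPRNG (secrets.choice) rather than chosen by the
    user, because dictionary attacks try common word combinations first.
    """
    words = [rng.choice(WORDLIST) for _ in range(min_words)]
    while len("-".join(words)) < target_length:
        words.append(rng.choice(WORDLIST))
    return "-".join(words)


# Constructed stand-in for a breach-range service. The real HIBP range API
# takes the first five hex characters of the uppercase SHA-1 hash and returns
# every matching 35-character suffix with its count, so the full hash (and
# the password) never leave your machine. The entry below is the real SHA-1
# of "password"; the count is invented for the example.
SAMPLE_BREACH_RANGES = {
    "5BAA6": {"1E4C9B93F3F0682250B6CF8331B7EE68FD8": 3861493},
}


def breached_count(password, range_lookup=SAMPLE_BREACH_RANGES):
    """Look a password up by SHA-1 prefix (k-anonymity) and return its count."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup.get(prefix, {}).get(suffix, 0)


def policy_violations(password, breach_lookup=None):
    """Return the reasons a password fails the policy (empty list = accepted).

    Deliberately no complexity rules: only length and, when a breach table is
    supplied, "not already in a known password dump" are checked.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if breach_lookup is not None and breached_count(password, breach_lookup):
        problems.append("appears in a known password dump")
    return problems


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, policy_violations(candidate, SAMPLE_BREACH_RANGES))
    print("password", policy_violations("password", SAMPLE_BREACH_RANGES))
```

In production the `range_lookup` dictionary would be replaced by an HTTPS call to the range endpoint with the five-character prefix, and the same `breached_count` check can be run on a schedule against your existing accounts to drive the "seen in a dump" alert.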
4. Change Default Accounts
Device vendors ship their products with a default username and password. Cybercriminals can easily find these defaults online, giving them a possible way in. Changing the username and password of the default accounts on every device on your network removes that easy entry point; the criminals have tools that test thousands of username and password combinations in minutes, and a default pair is the first thing they try. For admin/root-level accounts, use a longer passphrase of around 32 characters, at which point you can effectively forget about attackers guessing those passwords. Where a device will not let you rename its built-in admin account, at least give it a unique passphrase and disable it if a named account can take its place.
5. Change your Default DNS servers
This is something almost no one is talking about: changing the default DNS servers your users rely on. A straightforward way to add another layer of protection is to harness the Quad9 project (https://www.quad9.net/), whose resolvers are 9.9.9.9 and 149.112.112.112. Quad9 blocks lookups of malicious hostnames using an up-to-the-minute threat list. That blocking protects your computers, mobile devices and IoT systems against many threats, such as malware, phishing, spyware and botnet command-and-control, before a connection is even made. Set it on the router's DHCP configuration so every device picks it up, and remember that a device or browser configured with its own resolver will bypass it.
6. Use a VPN for remote work (Virtual Private Network)
A VPN protects your initial connection to the internet by encrypting the traffic between you and your VPN service, so whoever controls the local network sees only encrypted traffic to the VPN endpoint. It also alters your visible IP address, giving you the identity of your VPN service. At ICE in London a few years back, we set up a trojan WiFi hotspot and recorded the number of operators who logged onto their backend platforms. During the event, we observed over 100 people logging into affiliate and platform backends. If we had been attackers, we would have had access to all those platforms at admin level.
We wrote a guide on how to use a VPN for better security a while ago; the link is here.
7. Only use HTTPS
I'm afraid the '90s are over. HTTP, the clear-text web protocol, should not be used for any form of browsing: anyone on the path can read and alter the pages. Everything should be HTTPS, encrypted and authenticated. On your own sites, redirect HTTP to HTTPS and send an HSTS header so browsers refuse to fall back; on your devices, turn on the browser's HTTPS-only mode.
8. Two-factor authentication everywhere
2FA, the big step. You have implemented 16+ character passphrases, and you only change them when you suspect someone else knows them. Layer two-factor authentication over the top of that for access to your remote services, and the likelihood of an attacker gaining access through a compromised login becomes very low: even if they know the username and the password, with 2FA in use everywhere they also need the token, phone or whatever second factor you use. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping.
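To show what "they also need the token" means on the server side, here is an added example (written for this page, not code from the article or from any authenticator vendor) that implements the time-based one-time password scheme (TOTP, RFC 6238) that authenticator apps use, together with the verification step a backend would run: a small window for clock drift, a constant-time comparison, and rejection of malformed codes. The secret is the RFC test vector ("12345678901234567890" as base32); a real deployment would generate one per user with `secrets.token_bytes(20)` and store it encrypted.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890") in the base32
# form an authenticator app is enrolled with. Demo value only.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded):
    """Decode an authenticator-style base32 secret, tolerating missing padding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Accept a code for the current step and +/- `window` steps of drift.

    Malformed input is rejected up front so an empty or short string can
    never match. Every candidate is compared with hmac.compare_digest and
    the loop does not stop at the first match, so timing reveals nothing
    about which step (if any) matched.
    """
    if at is None:
        at = time.time()
    if len(code) != digits or not code.isdigit():
        return False
    counter = int(at // step)
    matched = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        candidate = hotp(secret, counter + delta, digits)
        matched |= hmac.compare_digest(candidate, code)
    return matched


if __name__ == "__main__":
    key = secret_from_base32(DEMO_SECRET_B32)
    now = time.time()
    code = totp(key, at=now)
    print("current code:", code, "verifies:", verify_totp(key, code, at=now))
```

A production verifier should additionally remember the last counter it accepted for each user and refuse anything at or below it, so a code captured by phishing cannot be replayed within its 30-second window, and should rate-limit attempts, since six digits give an attacker a one-in-a-million guess per try.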
9. WAF - Use a Web Application Firewall
If you are self-hosting your platform, as many operators do, use a web application firewall. I recommend Cloudflare. I get no kickback from them at all; they are just a great platform. Cheap and does the job very well.
10. Keep your devices up to date
IoT devices, such as wireless routers and cameras, as well as your laptops, PCs and servers, should all be kept up to date to protect the security of your business. Like any other software, device firmware can contain vulnerabilities that attackers are keen to exploit. Most devices do not offer automatic updates, so you will need to apply firmware updates manually to keep your network protected. To do this, sign up for update alerts from the manufacturers and software providers so that you know when new patches and firmware releases are available, then slot those updates into your 14-day patching cycle.
11. Use Firewalls
WiFi and broadband routers contain a built-in network firewall that protects connections and blocks inbound network attacks. Make sure it is enabled to add a further layer of protection to your home or office network. All of your laptops and workstations should have their local firewall enabled too. One comes free with the operating system and with almost every endpoint protection package, so turning it on is as simple as checking a box in the client.
12. Disable Remote Administration
Finally, disable remote administration services. Many vulnerabilities (security weaknesses) in remote administration functions have been published over the years, and an admin interface exposed to the internet is a favourite target. Remote administration should either be turned off or restricted to known devices, and it should only ever be reachable from inside your network, for example over the VPN described above.