I have owned an established web design company in Ocean County for the last 25 years. In that time we have added a data center to house our own servers and established ourselves in the internet marketing workplace. We have a rich background in this area. NetCetra, LLC has completed thousands of web site designs and currently hosts that many web sites and business servers for various companies. I have never, in all those years, witnessed the magnitude of what the Lazars went through more than a few times. Costs for web sites have fluctuated in the past few years. Companies like Go Daddy, who offer low cost sites and hosting to start, are counting on a degree of sophistication from the client or their web designer. Using a business email address with your domain address adds credibility to your business. We offer mail server addresses for this purpose. I always advise my clients to have a third-party email address like Gmail to add security. Unfortunately, the Lazars contracted offshore. The pricing was too cheap and there was realistically not enough time to be ready for their busiest selling period. Unless you already have an established presence on the internet, you will not be able to develop even a local presence without using “pay per click”. Present day requirements of security certificates, ecommerce carts, ADA requirements and many more aspects, depending on your site mission, cannot be done cheaply, securely and quickly anymore.
I recently spoke to Melanie Willoughby, Executive Director of the New Jersey Business Action Center. This is a state run organization to help businesses in NJ.
She was kind enough to send the following information to help with any questions.
On our team it would be Bill, and for the U.S. DOC it would be the North and South offices; all info below.
South is anyone in Hunterdon, Mercer, Middlesex Counties and below.
Mr. William E. SPEAR
International Business Advocate
NJ Business Action Center
Trenton, NJ 08625-0820 USA
P: 609-777-4125 F: 609-292-5509
Susan Widmer, Director
U.S. Commercial Service, Northern New Jersey
U.S. Department of Commerce | International Trade Administration
Tel: 973-645-4682 ext. 216
Janice C. Barlow
Sr. International Trade Specialist
U.S. Department of Commerce/U.S. Commercial Service
997 Lenox Drive, Building 3 – Suite 111
Lawrenceville, NJ 08628
They seem eager to get answers.
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, meaning it will be in force May 25, 2018.
The first question we are asked is:
Does this apply to me?
The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Penalties if you are not compliant will reach 4% of your global business.
What it covers:
Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
If this applies to you then please visit https://www.eugdpr.org/eugdpr.org.html. Google has already sent messages to many businesses. Everyone is trying to get the word out to be sure they are compliant.
Cyber Security & Big Data Analytics
I recently attended a symposium on “New Strategies for Encryption and Protection against Data Breaches”. The keynote speaker was Steve Lutinski, Director, Cyber Security Services, Verizon Enterprise Solutions. Steve introduced Verizon’s DBIR Report (Data Breach Investigation Report) for 2017. You may view it here: https://www.verizonenterprise.com/verizon-insights-lab/dbir/.
Some of the points that Steve brought out were based on mid- to large-size companies, but the same points remain for businesses of all sizes.
- It takes 208 days for a company to discover a data breach.
- 82% of bad actors (data hackers) hack in within minutes.
The three most vulnerable areas according to the report are:
  Who – 71% External Hackers (data mining)
  What – 56% Personal
  Why – 45% Money (Intellectual Property)
  How – 67% Breaches
- Health Care
  Who – 32% *External Hackers
  What – 69% Medical Records
  Why – 64% Financial
  How – 81% Breaches
  *Most breaches are from internal people – 68%
- Public Sector
  Ransomware attacks are #1 among all industries
  2015 – 1,000 attacks
  2017 – 8,000+ attacks
  26% of all security incidents were DOS attacks
Human error is still the number one cause of hackers breaching web sites, mail servers and databases. Verizon is going to be pushing two-step verification at every level.
Google and Google Chrome are going to start blocking HTTP in the next several months. Certificates for HTTPS will be mandatory in order to be found in Google searches.
EU Compliance Evolves. The General Data Protection Regulation (GDPR) proposed by the European Commission will strengthen and unify data protection for individuals within the European Union (EU), while addressing the export of personal data outside the EU. This will affect American companies within the next 100 days.
Verizon is recommending that when possible even in local communities, IT personnel should, PREPARE – be PROACTIVE – PARTNER with fellow companies and professionals.
A company’s domain name remains one of the major unseen issues facing a lot of businesses online. I am still amazed how many businesses are not truly in control of their domain names. They think that they are because their web site comes up and they see the domain they picked a few years ago. But who actually owns the domain name, and who gets emailed when it is time to renew? This is such a big problem that it has actually developed into a cottage industry. The most common issue happens when the web designer is given permission to register the domain name. Most businesses do not understand it, don’t want to understand it and just let the designer handle it. Most of the time they get it right, but not all the time. The more inexperienced designers put their own information in the registration and figure they will change it after they finish designing the site, or do not even know how to do it correctly. So the site is completed and it is up and running. A few years later it goes down because the email address associated with the site is not the business’s but the designer’s, who either is not in business anymore, changed their email address or does not respond to that email address. It happens all the time.
The owner of a domain name should have:
• The name of the registrar (the company it was registered with)
• A user and password to get into the control panel of that company
The minimum a business should have is a current breakout of the “Whois” information. This information shows:
• The Registering Company
• When it was purchased
• When it expires
• The Registrant (owner of the domain)
• The Administrative Contact (controller of the domain name, 1st level)
• The Technical Contact (controller of the domain name, 2nd level)
• Domain Name Servers Addresses (Where the site is hosted)
The contact information should have current addresses, phone numbers and email addresses. Most registrars send out “review info” notices every two years. This is where the problem generally occurs. When the information is wrong, the email notifications for review, and the ones sent 45 days before the domain name expires, go to the wrong place. If they are not responded to in a timely manner, the domain is picked up by companies that will sell it back to you at very high rates. Generally this happens when the site goes down and the business cannot figure out who has control of the domain name. Again, this is a common problem.
The best way to avoid this situation is to be involved in the sign up of your domain name. If you already have a domain name, then go to internic.net, follow their “whois” link and look up your domain name. It will give you the name of the registering company. Go to the registering company’s web site and use their “whois”. At that point, if you do not agree with the results, call that company’s support phone number. They will walk you through the procedure to reclaim your domain name. Do not wait until your site goes down. Also, make sure to privatize your domain name in the “whois” so you are not overwhelmed with sales calls and emails.
NetCetra is a little different than most web design, hosting and marketing companies. We handle domain registration through OpenSRS, so we control the entire process. Our clients can contact us to fix any issue with their domain name.
All this information is very helpful when companies receive fake notices that their domain name is expiring, complete with an invoice that is a total fraud.
Know Your Domain Name
Based on our support logs from clients regarding their email and web site access support requests, every month should be National Cyber Security Awareness Month. Some folks still don’t understand that you cannot use simple passwords anymore. Most good programs will not allow you to do that. They are now asking you to include upper case as well as lower case letters, numbers and symbols.
Here are some quick tips:
- Use a password generator – There are very good free programs that will create good passwords and store them for you
- Change your password regularly – Many programs are now requiring this. Another good reason to get a password program.
- Do not keep using the same few passwords
- Do not write passwords down in a file
- Do not let browsers keep your passwords – This is a very easy hack for experienced tech people
- Be very careful with secret questions – Do not pick easy questions, or you are asking for trouble.
- Do not use public terminals – a major mistake; this is where spying is always happening
- Always close your browsers when they are left idle. Shut down your PC when not active.
This may seem like an inconvenience but avoiding that first major hack is pretty important and can be very costly.
I am asked this question almost every week. It is really small business data breach insurance. All the publicity regarding hacked servers in the news media has spooked a lot of people. It seems just about everyone in this day and age uses the internet to promote their business and/or products and services. That alone will not require any insurance. But if you are collecting client information and storing it on a PC or server in your office, that has vulnerability issues written all over it.
You might think that most data breaches are caused by hackers or malicious attacks. But more than half of data breaches are caused by system glitches and human error.
- An employee mistakenly sends a batch of personnel files to the wrong email address.
- A credit card company calls to inform you that credit cards used at your business were compromised through your point of sale system.
- While on business travel you lose your cell phone, which has sensitive customer information stored in your email’s Inbox.
Data that is maintained in a cloud environment is somewhat safer. You are relying on that vendor to have the correct security. Once again, this should not be taken for granted. You should be discussing the software you have, or are about to invest in, with an internet specialist or your IT professional.
Here are some of issues that you must consider if a breach occurs:
- Breach notification to customers
- Credit card monitoring services
- Costs to retain a public relations consultant to help restore your reputation
- Consulting and forensic fees to identify and resolve the cause of a data breach
- Defense and settlement costs if you are sued for alleged failure to prevent unauthorized access to, or use of, personal information
You can probably get an “add on” to your business liability policy that will cover the above actions.
So my answer to the question of whether a small business needs Cyber Insurance is most likely “yes” if you fit the above description. If you are having a vendor handle one of these areas for you, I would discuss their plan of action for stopping problems and, if a breach does happen, what their response is.
It is only going to get more complicated, and your business is going to be more involved with data type tools and software.
I was amazed how many people had never heard of the dark side of the internet when asked by a State of NJ security officer at a recent seminar for small businesses on internet security. Going there is not advised, but being aware of it and what it is is imperative. It is interesting to hear what people say or think when you mention this area of the internet. It is not dark, but it is pretty scary to see what can be purchased and done there. I am especially talking to parents with kids in high school and beyond. The danger does not seem to disturb them the same way, so surfing around seems OK to them.
All it requires to get there is to go to torproject.org. It looks innocent enough. According to the home page, everyone uses it. It was started by our government a few years ago to help people in suppressed countries view what the rest of the world saw on the internet. The problem is it not only hides those people but it hides terrorists, drug dealers, gun smugglers and pedophiles, to name a few. Buying ransomware to attack some business is a snap. Buy it there for $3 or $4 and you can even get someone, for part of the proceeds, who will set up the product to try to infect whoever you are after. They even have a rating system for every different malware that is offered, with comments about how good the software is.
Would you like to know where to buy a semiautomatic weapon? Not a problem. How about a great deal on legal and/or illegal drugs? Paying too much for a prescription? They have the deals. They showed us one site that sold pot and guns. The main reason they cannot bust these sites very easily is the fact that they are up and then gone in a few days. Shipping is never a problem. Everything is shipped by the regulars like UPS, FedEx and US Mail. Things are just packed in regular consumer boxes. Maybe a few boxes of laundry detergent that contain a broken down weapon are delivered to a person’s door.
We saw one search engine result that had 234 pedophile web sites available.
Dark, no. Scary, yes.
One thing that people who go on this level of the internet use is a flash drive with the programming and bitcoin wallet on it. This way it is plugged in and no one knows you are using it. Nothing is visible on your computer, and they showed us a variety of flash drives that did not look like flash drives. One looked like a ChapStick.
The US government started it and continues to support it, as do other countries and individuals. Be alert.
Worth the Time & Money?
You, as the owner of a domain name, should always be the registrant (owner) and the Admin Contact. The Technical Contact should be someone you trust as a second level administrator to assist you in making changes if you cannot. Even though the registrant is the owner, they do not have the ability to make changes.
The other question that is asked quite a bit is whether the name should be privatized for an additional cost. I used to tell clients it was not necessary, but in recent years this has become a source of email addresses for spammers. So my answer now is to spend the couple of extra dollars and privatize the name.
Most businesses do not change domain names very often. Even if they do, the old domain name can be redirected to the new one so you do not lose a possible client. This is the reason I believe that when your domain name comes up for renewal, you should consider renewing it for 5 – 10 years. You can always change the information such as the address of the business, email address or any other contact information. Most registrars use an email address as your login ID. This can be a problem if you are trying to edit your information and you no longer use the email address included in the registration. Always maintain a current email address or expect problems if you need to make changes. Not all registrars use this form of ID, but the majority do.
I would recommend that you review your information now, even if you do not intend to make any changes, just to be sure it is correct. There are two quick steps to this process if you do not know who your registrar is. The first thing to do is go to www.internic.net and fill in their “whois” with your domain name. This will tell you which registrar controls the domain. The second step is to go to that registrar and look for their “whois” link. Enter your domain there as well and it will tell you all the important information. If you cannot see the information, then contact their support team.
It will be well worth the time. Some clients lose control of their domain names when they have incorrect information and do not receive the notice that it is going to expire. Unfortunately, we get calls about this every month.
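As an added example (not a tool from the post or from NetCetra), here is a small Python script that parses a WHOIS record in the “Key: Value” form most registrars print and flags the two problems described above: an expiry date already inside the 45-day notice window, and a contact email that is not under the business’s own domain (the web designer’s address left in the registration). The domain, registrar, dates and addresses in the sample record are constructed for this example; real field names vary by registrar, so adjust the keys to match what your registrar’s “whois” shows.

```python
from datetime import date, datetime

# Constructed sample WHOIS output for this example (not a real record); most registrars print "Key: Value" lines like these.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.COM
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-02T00:00:00Z
Registry Expiry Date: 2018-05-10T00:00:00Z
Registrant Organization: Example Shop LLC
Registrant Email: owner@example-shop.com
Admin Email: owner@example-shop.com
Tech Email: designer@freelance-example.net
Name Server: NS1.HOSTING-EXAMPLE.COM
Name Server: NS2.HOSTING-EXAMPLE.COM
"""

NOTICE_DAYS = 45  # registrars send renewal notices about 45 days before expiry (per the post)

def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; keys that repeat (name servers) become lists."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in record:
            existing = record[key]
            record[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            record[key] = value
    return record

def days_to_expiry(record, today_iso):
    """Days left before the registry expiry date, measured from today_iso (YYYY-MM-DD)."""
    expiry = datetime.strptime(record["Registry Expiry Date"], "%Y-%m-%dT%H:%M:%SZ").date()
    return (expiry - date.fromisoformat(today_iso)).days

def audit_whois(text, today_iso):
    """Return the findings a domain owner should act on, as a list of strings."""
    record = parse_whois(text)
    domain = record["Domain Name"].lower()
    findings = []
    remaining = days_to_expiry(record, today_iso)
    if remaining <= NOTICE_DAYS:
        findings.append(f"expires in {remaining} days: renewal notices are already being sent")
    # Every contact should be reachable at an address the business controls, not a designer's.
    for role in ("Registrant", "Admin", "Tech"):
        email = record.get(f"{role} Email", "").lower()
        if not email.endswith("@" + domain):
            findings.append(f"{role} contact '{email}' is not under {domain}")
    return findings

if __name__ == "__main__":
    print(audit_whois(SAMPLE_WHOIS, "2018-04-01"))
```

Run against the sample record on 2018-04-01 it reports both problems; run on 2017-06-01 only the technical contact is flagged.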
There are two excellent events happening in the next few weeks, and I strongly recommend you attend one of them or send someone from your office. One wrong move could cost you thousands of dollars and/or loss of data, as well as the man hours or cost that were put in to develop your work.
1) Cyber Security & Big Data Analytics Symposium by SBA- $40.00
Friday, March 31, 2017 – William Paterson College, Wayne, NJ 9:30 to 2:30 PM
2) Cybersecurity Summit – NJBIA -$129 Member $149 Non-Member
Friday, April 21, 2017 – APA Hotel Woodbridge, NJ 8:30 AM – 1:00 PM