SafetyDetectives spoke with Christopher Richmond, founder of CR Software Solutions. We talked about what services his company offers, securing custom software from hackers, staying one step ahead of the latest cybersecurity threats, and he gave some excellent online security tips.
Hi Christopher, what led you to start your own software development and digital marketing agency?
I started CR Software Solutions during my senior year of college, after noticing a need for a more custom approach to web development. Drag and drop website builders and WordPress templates are great for some businesses, but others need custom, outside-of-the-box solutions that most web agencies simply do not offer. I coupled my love for programming and desire to work for myself and created an agency that was founded on this premise – the premise of offering completely custom solutions and never utilizing templates. We started with website design and development and quickly expanded our service list to include web applications and now digital marketing and branding as well.
What are some of the main services that CR Software Solutions offers?
Our services can be split into two distinct categories. We have the development side and the digital marketing and branding side. On the development side of things, we have:
- Custom websites that we design and build from scratch without the use of website builders or third-party platforms
- Web applications designed to automate and accomplish business tasks, house custom BI (business intelligence) dashboards and reporting, and much more.
On the digital marketing and branding side, we have:
- Search Engine Optimization (SEO)
- Google Ad campaign management
- Logo design
- Branding style guide development.
I see that you create custom software for your clients. Is there a fear that hackers could access company data or client data through them? If so, what types of preventative measures do you take?
I think it’d be silly to say that there is never any fear of hackers accessing company or client data. However, that fear is what drives us to take our security seriously and ensure we are taking all necessary precautions. Some of the preventive measures we take might vary from project to project depending on requirements; however, as a baseline, we always do the following:
- Encrypt any sensitive data that’s a part of the application (employee information, passwords, credit card info, etc.)
- Serialize all user inputs
- Set up an authentication wall and user validation to block any outsiders from obtaining sensitive information via an API endpoint
- Enable 2FA (two-factor authentication) for the hosting account where the project files are housed
- Set up application and database logging to track any malicious access attempts
- Educate our clients on the importance of strong passwords and general cybersecurity
Do you have any tips or best practices for improving online security around a website to protect it from hackers?
There are a number of things that can be done.
- First and foremost, ensure that your website has an active SSL certificate. If it doesn’t, you’ll see a “not secure” warning on the left side of the browser bar next to your domain name.
- If you have an employee login portion of the website, utilize 2FA and strong passwords that are changed every few months
- If you’re collecting information from users on your website via a form, make sure that you are serializing user input. Never attempt to store user input from site forms into your database without validating and checking the input to ensure it’s not malicious. Hackers can utilize a practice known as SQL injection to gain access to your database and the information that is stored there through form fields.
- If you’re storing sensitive data, ensure that the data is encrypted and not stored in plain text.
- Consider utilizing the services of professional security firms out there. You can have your current security practices audited to make sure you’re doing everything you can, you can have disaster plans drafted and put into place, and much more. In our current online environment, it’s much better to be prepared and proactive than reactive.
- Ensure that employees in your organization are only able to access the information that they should have access to – set up permissions.
What are some of the biggest online threats that target the websites of small and medium businesses?
The biggest online threat today for small and medium-sized businesses is largely social engineering and phishing scams. When people think of hackers, they typically think of someone writing malicious code and accessing sensitive and confidential company information that way. More often than not, however, hackers will gain access to company information and infrastructure utilizing actual employee login information. They’re able to get this login information typically through a practice called phishing. We’ve all gotten those scam emails before that have some urgent text asking you to click the button below to take some necessary action. This is known as phishing. While 90% of the time, you can tell most of these are scams or malicious in nature, some of them can be quite convincing and get employees to give up their information. Once that happens, then it’s all too easy for the hacker to access sensitive company data – they simply walk through the front door undetected. That’s why two-factor authentication for all employee accounts is so important, as well as restricting employee access to only what’s necessary.
With phishing attempts and online fraud on the rise, how can users spot an imposter or scammy website?
There are a couple of things to look for. First, since we were just talking about phishing: if you see an email that’s asking you to click a button or visit a link, and something seems off to you – don’t click on the link. In your email application, you should be able to hover over the link text to reveal which site the link will take you to. If you don’t recognize the website address, it’s best not to click on it. Now, if you’re on a website already and fear that it might be an imposter site, you should first check the URL or domain name. If they are attempting to impersonate an existing company or brand, check if there are any slight spelling errors in the URL (i.e., an extra or swapped out letter). Also, check the actual page content; does the language seem off or unprofessional? These can all be indications that you are on an imposter or scam website.
Finally, while this is not necessarily an indication that you are on an imposter site, I would always check the SSL certificate status on the left side of the browser bar. If the site has a lock icon, then you know the site has an active SSL certificate. However, if the site says “Not Secure” or has a warning icon, then I would refrain from entering sensitive data on the website like home address, credit card info, etc.
As technology improves, so do the hackers and scammers; how do you stay one step ahead to create a safe environment for your clients?
It’s tough, right? A lot of times when vulnerabilities are discovered, or new scams come about, the cyber security community is reactive in trying to patch up these vulnerabilities or spread awareness about a new scam. So, I don’t think there will ever be a foolproof way to stay ahead of hackers and scammers. There are a number of things you can do to ensure that your company is more proactive than reactive, however. Here are some of the things we do:
- Use strong passwords and change them every few months
- Enable 2FA for all of our accounts and encourage our clients to do the same
- Educate our employees on what to look for with phishing schemes and how to avoid clicking on malicious links
- Keep up with current events and trends. Be aware of what’s going on out there right now and what to look for
- Utilize professional services