Be a Marketer with Dave Charest

Small businesses face plenty of challenges, but Sam Silberman, Constant Contact’s Director of Security Operations, wants to make sure that getting hacked or phished isn’t one of them. 

In this episode of Be a Marketer, Sam joins host Dave Charest, Director of Small Business Success at Constant Contact, to help small business owners stay safe in an increasingly dangerous digital world. 

Sam has spent over 13 years protecting Constant Contact and its customers against bad actors. He knows that small business owners have enough to worry about without adding complicated cybersecurity procedures to the mix. 

Tune in to hear Sam’s simple recommendations for protecting yourself and your business against hackers and phishers — no IT expertise required. 

Meet Today’s Guest: Sam Silberman of Constant Contact

☕ What he does: Sam is Constant Contact’s Director of Security Operations. Sam and his team protect Constant Contact from hackers and bad actors who try to abuse the system by sending spam from customer accounts. 

💡 Key quote: “We all get tricked. I get tricked. We’re all susceptible to this — it’s our human nature.” 


What is Be a Marketer with Dave Charest?

As a small business owner, you need to be a lot of things to make your business go—but you don't have to be a marketer alone. Join host Dave Charest, Director of Small Business Success at Constant Contact, and Kelsi Carter, Brand Production Coordinator, as they explore what it really takes to market your business. Even if marketing's not your thing! You'll hear from small business leaders just like you along with industry experts as they share their stories, challenges, and best advice to get real results. This is the Be a Marketer podcast! New episodes every Thursday!

Dave Charest: Today on episode 27 of the Be a Marketer podcast, it's all about how to keep your Constant Contact account and more secure. This is the Be a Marketer podcast.

Dave Charest: My name is Dave Charest, director of small business success at Constant Contact, and I've been helping small business owners like you make sense of online marketing for over 16 years. You can be a marketer, and I'm here to help. Well, friend, thanks for joining me for another episode of the Be a Marketer podcast. A little something different today. If you're anything like me, you're probably juggling multiple passwords across the various online sites and services. I mean, it's got to be more than 100 that I can imagine right now. You know, it's also likely that you're getting bombarded with phishing attempts to steal your information. And as a business owner, you've probably got a few added things to worry about here, where your employees may have access to your accounts and they're on your networks, and they're also getting targeted for things. It can be really brutal out there. And so today we wanted to focus an episode on what you could do to help keep your accounts more secure, including your Constant Contact account. And so our guest today has some recommendations for you. Well, friend, today's guest is Sam Silberman, Constant Contact's director of security operations. Now, Sam and his team are focused on anything cybersecurity related. He spends his days worrying about people breaking into our network and bad actors who try to abuse our system to send spam from our customer accounts. Basically, he wants to stop anyone from doing anything that hurts our reputation as a sender or that of our customers. But cybersecurity, of course, goes beyond just Constant Contact. And so you may wonder, what can you do to keep your accounts secure? Well, let's go to Sam and pick up the conversation there.

Sam Silberman: It's something we've been thinking about for quite a long time, and in the earlier days, it was all about passwords, right? You pick a stronger password, and it's always a challenge because people have to remember their passwords, so they want to pick something that's easy to remember. Maybe it's a password they use on multiple sites, and it's their favorite one. And they'll pick a favorite sports team, a pet, who knows, a parent or a kid, and maybe change a couple things about it so it makes it unique. The problem, of course, is a lot of those passwords are guessable, and maybe not as guessable as using just straight Red Sox, which would be a pretty guessable password. But the actors, the bad guys, they try all sorts of different combinations to get into people's accounts and passwords, and they have long lists of popular passwords and they will just target accounts and say, oh, let's try these 10,000 passwords over a period of time and one of them hit and then they get into your account. This has been happening for a while. Anything you could do to make the security of your account stronger is a good thing. A stronger password is always helpful, but sometimes that's not enough. Passwords get stolen. Like you put your password on a Post-it and someone takes it, well, they're going to be able to get into your account. There are probably additional things that you could do to help protect your account beyond just a stronger password.

Dave Charest: So what are some of those other things then?

Sam Silberman: So one great thing to do today is use some sort of multi factor authentication. So that's a fancy term. Multi factor means it's a secondary thing that you have to approve to show that this is your account. Very popular ones is like an SMS message to your phone or an app on your phone that you read a number off of it and then you enter that into as a secondary login authentication. And so it's literally multi or two factors, right? Your password factor, and you have your phone factor, and it makes it much more difficult for a bad actor to get into your account because they have to compromise two things, and it's harder to compromise your phone than it would be to compromise maybe something else to get your password, or they have to do two things, right? So that's hard. Not, I would like to say it's impossible, but nothing's impossible. But it's certainly a lot harder and makes you a harder target. So maybe they'll move away from you and target someone else instead.

Dave Charest: So I'd imagine also when we're thinking about just like your Constant Contact, how in particular, so obviously, like, you have a strong password. I mean, maybe we can talk a little bit more about that in a minute. But then also the multi factor that you're mentioning, which Constant Contact now provides for people. What about just the idea of making sure that you're setting up users within your account? If multiple people are logging into that versus sharing a singular account, I got to imagine that would be helpful.

Sam Silberman: Of course, we added multi user capabilities many years ago, and it was a little slow to be adopted because people did share their password with all their coworkers, their friends, their relatives, whoever needed access to the account because it was easier, right? It was convenient. And the nice thing about having multi user is, well, one, you can limit the other user's access to the account if you, you know, you don't necessarily want to give full access to an employee if all they're going to do is create emails for you. Right? So if you want, you know, and obviously you don't want to give someone access to the sensitive billing information on your account if they don't need it. So having ability to not just create multi user, but create different roles for that user is super helpful and more secure. But since you have multiple users, they could each have their own second factor and their own password as well, which is key. Now, no one shares the same password. If someone, hopefully never happens. But if someone loses their password to a bad actor, then they're only targeting that account and not everybody's account on that shared account. And if they have a multi factor, then it's much harder for them to get compromised in the first place. So everyone has their own phone, they have their own second factor, their own password, much more secure.

Dave Charest: Yeah. And the users thing too. I mean, even unfortunately it happens. You get somebody that you have to let go, you've got a disgruntled employee, and if they have access to that, you always run into that situation. You see this happen on like, I'm thinking of social media sites all the time where someone's given, though, they have the control of the account and then they leave, and then it's people going, I don't know what to do now. It's that type of thing. And I think that's what's good about also making sure people have their own kind of access because then you can remove them easily without actually losing access to the full account. I want to talk a little bit about passwords here because obviously that's just the ground zero of things. What do people really need to consider when it comes to passwords?

Sam Silberman: So. Well, first of all, like I previously said, pick something that's relatively strong, has lots of, you know, it's a lot longer in size, right? So a lot of people, you know, if they have a six or eight character password, that can be guessable, right? Having a 15 character password, much better. The longer the password, the harder it is to guess. Depending on the system. Sometimes you might not want to have, like, if you have to type in a very long password, that's problematic because, I mean, as a security professional, I have a very long password, so it is very hard to guess. And the only way you can probably, hopefully the only way someone would get it is if they monitored my keystrokes. And that would be one way to get it. Unusual for most people, but there's some randomness in it. It's not necessarily all words, something I've memorized very hard to do. What's much easier is to use something like a password manager. There are a lot of great password managers on the market. They do different things depending on what your needs are. But one great thing about them is they can generate a really complicated password with random numbers and characters and remember it for you. Remembers your login, remembers the website you're going, it does all sorts of nice things, and then you don't have to worry about it anymore. The trick is you need to then remember a single password, what they call master password for that password manager or password vault, and then as long as that, and that could be the complicated super password that I like to use. And you remember that, then you're okay as long as no one gets that password, right, right.

Dave Charest: Yeah. Well, then you're in for it, right. I guess. Because that gives you access to everything, right. Or whatever you have in that manager. Right.

Sam Silberman: Well, one nice thing is in some cases, these password vaults also allow a second factor. So now I have a complicated password. I also have my phone that I need to get that password manager of that vault. And between the two, it makes it that much more difficult for someone to break in and get that data.

Dave Charest: Yeah. Maybe we can talk a little bit or you can shed some insight on, because I think maybe people know this, maybe people don't. But when we're talking about guessing the password, it's not like we're saying scary Bob is sitting in the corner going like, hmm, one, one, one. They have advanced computer systems that actually try to guess these passwords. Am I off on that or is that true?

Sam Silberman: There's a couple of ways to hack passwords. The way that I think is a little more common, though there's probably others, is they get common passwords that people use. They then target individuals, they find out your username, and then they just play passwords slowly over time to try different combinations. And there are some names for these, but essentially they're just big lists of people's passwords. And they may not know your password. Right. But they will say, if I have the top 10,000 passwords or something like that, I'll try all the different kinds and see which one works. And they're patient. These actors take months or years to try to hack people. They might not be targeting you personally, they might just be kind of targeting random people and you happen to be caught in their net, but over time they get, so they get enough people's accounts that they could do something bad, right? So that's the thing that we see in the industry. When you hear about people getting compromised, this is one avenue that people get compromised.

Dave Charest: So passwords, of course, are one thing. Also you have to worry about. We're talking about email and how easy it is to contact people. You've also got people emailing you and trying to do things with like phishing scams and those types of things. What can you tell us about fishing with a ph for those of you playing along at home?

Sam Silberman: So, you know, phishing is one of those things I've been around for a really long time. Phishing, or we call it social engineering, is really where people, someone is trying to trick you to do something you didn't intend to do, right. And it could be anything. But like with email, phishing seems to be, hey, I want to get access to something you have, or you have something I want, and I need to trick you to give me the secrets or credentials or something so I could get it right. And so one of the more common phishing emails we see are things like bank phishing or website phishing. You know, Amazon, Facebook, different popular websites saying, pretending to be, hey, I'm popular website, something's wrong with your account, you need to click here and fix it, or this is the great part, your account's going to go away. Like we're going to delete it. This is a great phish, right? And so what happens is it hits a bunch of buttons, something that's important to you, someone's telling you something wrong and it's going to go away unless you take immediate action. That's a classic phish because you don't have enough time to think about, hey, should I ask someone about this? Is this unusual? Oh, no, I better do something right away or my account goes away. And that would be really bad. All my photos are in that account, my bank records. Who knows what it is in there. I need to do something quick. So you click on the link, and typically that link takes you to a page, a different page, which says, okay, give me valuable information about you, so I, the bad actor, can then use it against you later. Right? That's a typical phish. There are instances where you click on a link and it asks you to install software or something that might try to compromise your machine. Those are more rare, but it does happen, but typically when you do that, there's get warning boxes and so again they're probably asking you, hey, this is important. Your account's going to go away.
Something bad is going to happen unless you install this software. And then once that software is installed, they compromise your computer and then that's not so good.

Dave Charest: So I guess what are some of the things that people need to look out for then to, I mean sometimes I feel like it's blatantly obvious, right? But then they're getting more advanced with these things too, and they're better and better. I mean, you'll know more than I would, right? But because sometimes it feels like, okay, really, I don't understand how this even works on somebody, but I, apparently it does or else they wouldn't be doing it, right. So what are some of the things that people should be looking for to know? Like, hey, that's probably a phishing attempt.

Sam Silberman: You know, I love to have a silver bullet and say, you can look for these things, you'll never get tricked. But we all get tricked, I get tricked, we're all susceptible to this. It's sort of our human nature. Right? But the things that I certainly look for when I'm looking at, you know, an email and going, hmm, that, that seems unusual is, well, one, am I expecting this? Is this something that I'm expecting? Right? People get all sorts of emails for stuff that they're not expecting and some of it is legitimate marketing communication. Some of it may be something a little more questionable. Am I expecting it? Is this normal? One. Two, are they asking me to do something that is urgent, something that I have to react quickly? And whenever anybody asks you that in email, pause and think about, hmm, why am I getting this right? Does that make sense? And three, are they asking me for information or asking me to do something I don't normally do? So like I said, they could ask you for your bank information. Why is the bank asking me for my bank information if they already know it? Why are they asking me for my password here? This doesn't make sense to me. Even in cases where you have multi factor authentication, sometimes they're like, hey, can you tell us the, we're not asking for your password, but can you verify the number on your phone, which is your multi factor code, just so we can verify you, which really means, no, we already have your password and we need that code to log in. So things like that, unusual, hasn't happened to me before. I always pause and go, hmm, what does this mean? And frankly, sometimes it's okay to do nothing. Sometimes it's okay. I'm going to pause. If it's that important, maybe they'll call me. Maybe I will call them. I have the phone number to that site or that bank. I'll call them and say, hey, am I supposed to be getting this? That's what we call using a different channel of communication.
They send you an email, call them up on the phone, but don't use the phone number they send you. That might be that.

Dave Charest: Yeah. All right, let's say whatever. Sometimes things happen. You get to this point. What happens if someone clicks a link, does the thing. And this is, I guess let's look at this two ways. It's not only just the business owner, but you may have employees that are on your systems and they might do that as well. What do you do in that situation? If I'm an employee either or if you end up clicking a link, what are you in for at that point?

Sam Silberman: It sort of depends. I think the first thing is anyone could click on a link. It might be something that they need more training on or more education. Mistakes happen, first of all. Second, figure out what they did. I know in my line of work when I hear someone clicked on the link, I want to know what happened next. I just clicked on the link. I got this page, closed the browser, I ran away. Okay, maybe that's okay. It asked me for information I did or didn't put information in. If they did reveal personal information, then you might need to take appropriate action with the bank or what other site that you're talking to or if there's a credit issue, I have to call the credit card company and put freezes on things. None of that's good. But that's for personal stuff. For business stuff, right, it's important to identify what is it that the employee gave up and make sure that assess the impact. Just like if it's the bank account, if it's this, make sure that the entities that would be impacted by knowing that information are made aware. So if it's like a bank thing, call the bank, tell them, hey, this happened, and they will be more than happy to advise you of what to do. They could put holds on your accounts temporarily. They could do all sorts of things, but the last thing you want to do is just say, maybe nothing happened. We'll hope for the best.

Dave Charest: Let's just see.

Sam Silberman: Because hopefully nothing happens. But on the case and the chance that something happens, you might have had an opportunity to stop it.

Dave Charest: Gotcha. I want to talk about another thing here that I guess you really don't even really think about, but Wi-Fi. People are now hacking into Wi-Fi systems and doing all of those type of things. And now particularly both one thing at the office, but now a lot of people working from home, so you've got to deal with that as well. And so what can people do to make sure that they're keeping their Wi-Fi safe and secure?

Sam Silberman: That's a really hard problem because everyone has different Wi-Fi equipment, they have different home routers, they have stuff that they bought ten years ago or longer that still works and that works and they're happy with it. The problem is, Wi-Fis are kind of like cars, I like to say. So there are definitely people who like new cars. They'll keep cars a couple years, and then when the things start going wrong or they have to take them to the shop, they're like, you know, I'm not good at going to mechanic, right? So I'm going to sell my car and buy a new one that doesn't have problems, right? So you have that group of people, then you have people like, well, I know how to change my, I know how to fix smarter things. I could handle this. And they could keep the car a number more years. And then there are people like, I could fix my own brakes, I can change the shocks if I could. Like, I could do timing belts, I can do all those things. I could keep that car 15, 20 years and it'll work great. Right? Now I'm a collector or whatever, even longer, right? If you're not the kind of person who likes to change timing belts and fix the brakes, you're going to get rid of your car much sooner, or you get a different car that doesn't have a problem there. Your Wi-Fi router is the same thing. They're the same kind of problem. Routers work great for a number of years, and then they need updates. There's regular software updates on these routers. Not that many people update their software. You change your oil, you update the software on the router. If you could do that, you could keep the router longer because it'll always be up to date. At some point, the manufacturers stop issuing these updates because it varies greatly depending on the product. When they stop updating their software, they end-of-life the router, it's really time to get a new router because what happens is these bad actors run around looking for the old routers and they have vulnerabilities.
And the older the router, the more likely there's something in it they could take advantage of. Now, again, it's unlikely anyone will target you or me based on the router, but there are people that run around scanning the Internet looking for these routers, and as soon as they find one that they know has a problem, they're going to attack it and use it for bad things. Maybe not attack you, maybe attack someone else, but whatever it is, you really don't want them on your router.

Dave Charest: Yeah. Aside from updating the router, I think you're running into another situation here where make sure you're using a password, make sure you're doing those types of things and not just letting people join the network. Is that correct?

Sam Silberman: I think it depends if you're home. First of all, I would say you should always have some sort of password on the router. Obviously, if you have to get into the configuration settings, the admin settings, change that password. Absolutely. When you get it, change it, write it down, put that password somewhere in a safe place, and yes, make it a little more complex. For the home Wi-Fi, it sort of depends on what you use it for. If you're in an environment where you don't have too many devices on your network, having a reasonable password just so people won't drive by and get on your network is probably okay. I have no guarantees. But if you have a lot of important computers in your network, and many of us do, I mean, we have our DVRs, we have other computers, we have printers. There's your refrigerator, your washing machine. Toasters now have Wi-Fi. I mean, it just goes on and on. You probably don't want people sniffing your network looking for ways to compromise those devices. Even though it sounds crazy that someone would compromise your refrigerator, people try. It's crazy, right? But this is the new world we live in. Everything we have, our phones hook up to our home routers, right? Everything we have are hooking up these things. So having a password is important because you just don't want people wandering into your house. Just like you lock your door, you should lock your router. But that said, some of these routers are very complicated, and they have some really great settings, and you can have guest networks. So separate your guest traffic from your home traffic. You know what? Your guests rummaging through your personal devices, they have those kinds of things too. There are advanced settings, not always needed, but I certainly do that. So that way people who need Wi-Fi, they have access and they don't have to. I don't have to worry about them snooping around, right?

Dave Charest: Right. Sam, as we wrap up here, anything else you wanted to add for people to just, in terms of just thinking about security in general or what they should be on the lookout for?

Sam Silberman: Well, so for over the years, we've always looked at our customers and saying how could we help their security? And I think, you know, we keep coming back to passwords and two factor. If you could do these things, it really does up your game and keeps people from trying to get into your accounts. One thing we didn't talk about that I like to bring up is that your personal email account, we talk about, you know, contact, talk about banks, talk about all these other services. One of the most important accounts you have is, believe it or not, your email account because that's the place that all the other accounts are connected to. So if you're going to take anything away from this conversation, look at your personal email account and figure out how do I best make that thing secure. Please use a complicated password. Please use second factor authentication on those things. Make it as strong as you are willing to go for, because if someone gets into that, then they could move laterally into other accounts. They can get at your bank, or it's easier to get to your bank, it's easier to get in your social media, it's easier to get in the contact if they compromise your email account. So if you take anything away from this conversation, please look at that and find ways to make that more secure. Two-factor authentication on the email account is a must these days.

Dave Charest: Well, friend, let's recap some items from that discussion. Number one, use strong passwords and multi factor authentication. Now it's tempting to pick passwords that are easy to remember, but that means they're also easy to guess. And so you'll want to use longer passwords to make them harder to guess. Now, in addition to that strong password, you'll also want to use multi factor authentication when possible to add a layer of security. This way, a login needs to be confirmed before accessing your account. And yes, you can do this for your Constant Contact. Number two, create user profiles for your Constant Contact account. You can add users to your account to collaborate with you in your marketing efforts. You can add account managers and campaign creators that have varying access levels, neither of which includes access to your billing information or has the ability to make purchases. You can find more details about that in the show notes. And lastly, of course, beware of phishing scams. These scams, typically through email, try to trick you into doing something you didn't intend to do now to gain access to your accounts. These messages focus on things you care about, telling you something's wrong, and that your account will go away if you don't take immediate action. Well, if something seems a little fishy, it probably is. So take a moment and then go directly to the source to check the validity of the request. Now here's your action item for today. If you haven't done so already, enroll in multi factor authentication for your Constant Contact account. You can add this extra layer of security by setting this up. This way, you can reduce the chances of bad actors accessing your contact information and using your account to send spam. I'll include a link to the Knowledge Base article in the show notes. I hope you enjoyed this episode of the Be a Marketer podcast. If you have questions or feedback, I'd love to hear from you.
You can email me directly at dave.charest@constantcontact.com. If you did enjoy today's episode, please take a moment to leave us a review. Your honest feedback will help other small business marketers like yourself find the show. Well, friend, I hope you enjoy the rest of your day and continued success to you and your business.