Protect your brand
Don’t let cybercriminals impersonate your brand image.
The company’s brand is associated with public websites, social network accounts, and email addresses. As they are publicly visible, there is a risk that attackers will want to use them to damage the company’s reputation, to make money, or for some other reason. It is therefore important that they are protected.
Recommended actions
Public services (websites, email) are exposed to threats that can disrupt business operations and damage the company’s reputation.
Examples of risks that public websites may face include:
- Attackers can make a company’s website inaccessible. This paralyses, for example, an e-commerce company and also disrupts the work of many other businesses because customers may not get the information they need from the website.
- Attackers can gain access to website management and steal, for example, company customer data, which may result in reputational damage and GDPR fines.
- Attacks can make the content of the website inappropriate (e.g. offensive), which may once again interfere with the work of the company and damage its reputation.
- Attackers can install software on a website that infects visitors with malware. This will lead to a situation where the company’s customers will start avoiding the website, even after it is fixed.
Good to know!
The GDPR is the European General Data Protection Regulation, which sets out guidelines for the processing of personal data in the European Union. Violating the GDPR can result in heavy fines: €20,000,000 or 4% of the previous financial year’s turnover, whichever is greater. Fines may apply in the event of an incident if, for example, the company has ignored the implementation of technical and procedural security measures.
When social network accounts are taken over by attackers, it can result in reputational damage (inappropriate posts, insulting customers, etc.) as well as financial damage for the company if the accounts are linked to payments (for example, a credit card stored in the account to buy Facebook ads, which attackers can then use). In addition to the company’s own social network accounts, the accounts of the company’s management and key employees should also be protected.
If the company’s email service lacks proper protection, attackers can exploit business email addresses to scam employees or partners or to send spam. Emails sent from an unprotected domain may also get caught in the spam filter of an email server and not reach the recipient. This can lead to both reputational damage and financial losses.
Attacks on public services usually exploit vulnerabilities in the software of the service (e.g. a website or an email server), weak security settings, overly simple or leaked passwords, etc. There are tools that detect security vulnerabilities automatically. Such tools scan public services and generate comprehensive reports of the vulnerabilities found. Once they are detected, the IT department or service provider should fix them. You will then need to run a new scan and check whether the security flaws previously detected have been resolved. Public services need to be scanned on a regular basis (e.g. once a month) to consistently detect and eliminate new vulnerabilities.
Ask an IT specialist
There are various solutions for detecting security vulnerabilities. Ask your IT department or service provider for the appropriate software.
To protect public services, the security vulnerabilities identified must be addressed. It is also important that the software of the websites or the email server is up to date. Both the server hosting the service and the service’s own software must be kept updated.
To protect your domain, ensure that the contact details listed in the domain registry for domain management are accurate and up to date. CERT-EE monitors the .ee domain space and sends notifications to the owners of pages with critical security flaws or compromised pages. Accurate data ensures that notifications reach their destination on time.
Ask an IT specialist
If the server is hosted and managed by a service provider, confirm with them that the server software is updated regularly and ask when the last update was performed.
To protect the email service, the IT department or service provider must make the following configuration changes:
- To protect the data exchange between mail servers, enable TLS support for the SMTP protocol, use the POP3S and IMAPS protocols, and disable support for unencrypted POP3 and IMAP on the server side. Use only trusted certificates issued to the correct FQDN (fully qualified domain name) of the email server services, and make sure the certificate’s permitted usage also covers email protection.
- To prevent attackers from freely using company email addresses, publish an SPF (Sender Policy Framework) record in the DNS stating which email servers may send messages under the company’s email domain. When using mass email senders (such as Smaily, MailChimp, etc.), do not add them to the SPF record; use DKIM for them instead. Otherwise, every customer of the same service could send emails that pass SPF for the company’s domain.
- In order to authenticate the company’s email server, it is also possible to configure DKIM (DomainKeys Identified Mail). DKIM signs the email messages leaving the server, while other email servers check that the signature is valid.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) distributes a policy to email servers via DNS that says what should be checked in an email from that domain and how the email server should handle it. DMARC uses SPF and DKIM to verify compliance with its policies. With DMARC, it is possible to receive a report on whether someone has attempted to send emails from locations that are not authorised.
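As an added illustration (example code, not from the original page), the following Python evaluates a simplified SPF record against a sending IP address and parses a DMARC record. All domain names, addresses and TXT records are constructed; only the ip4, ip6, include and all mechanisms are handled, so a real validator (which also covers a, mx, redirect, macros and lookup limits) would do more. The `loose.example.org` record shows the point made above: including a shared bulk-mailing service in SPF authorises every customer of that service.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (example data, not from
# the original page); only RFC 5737 documentation addresses are used.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/28 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    # shared bulk-mailing service: one record covers every one of its customers
    "bulkmailer.example.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    # a domain that includes the shared service in its own SPF record
    "loose.example.org": "v=spf1 include:bulkmailer.example.net -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip, dns=DNS_TXT, depth=0):
    """Simplified SPF check: ip4, ip6, include and all mechanisms only."""
    record = dns.get(domain)
    parts = record.split() if record else []
    if depth > 10 or not parts or parts[0] != "v=spf1":
        return "none"  # no usable policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        # include: matches when the referenced domain's own policy passes for this IP
        if name == "include" and spf_check(value, sender_ip, dns, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match

def parse_dmarc(domain, dns=DNS_TXT):
    """Return the DMARC tag/value pairs published at _dmarc.<domain>, or None."""
    record = dns.get("_dmarc." + domain)
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    return tags
```

A message from 192.0.2.77 fails SPF for example.com but passes for loose.example.org, even though that address belongs to the shared mailer rather than to the company.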
Social network accounts, such as X, LinkedIn, Facebook, Instagram, etc., are often attacked. The company’s management and key employee accounts are also at risk and must be protected in the same way.
To protect your company’s social media accounts, you should take the following steps, which are not complicated at all, but will significantly increase security:
- Create a corporate social media policy. Among other things, the rules should cover:
  - which social media channels (platforms, accounts, and pages) the organisation uses and their intended purposes;
  - which employees have access to the account, including their roles and permissions;
  - the procedures for maintaining back-up access to accounts;
  - the process for transferring access when roles change or employees leave;
  - expectations for employee conduct on social media.
- Use strong passwords and update them whenever an employee with access to company accounts leaves the organisation.
- Turn on multi-factor authentication.
- Regularly check existing social media accounts. Always remove access for staff who no longer need it.
- Check the account settings. From time to time, platforms may update their privacy settings or the existing settings may change.
- If accounts are not actively used, they should still be protected and monitored in the same way as actively used accounts to detect possible takeovers.
- If you use an external service provider to manage your platforms, ensure that your organisation retains full ownership of all accounts and content through a clear agreement.
Ask an IT specialist
If your company is active on social media networks, it is worth considering using a software solution designed to protect social media accounts. This allows, for example, the automatic removal of suspicious content, prevention of unauthorised content from being published, detection of other accounts created using the company’s brand, and so on. Ask your IT department or service provider about these solutions.