Are you interested? Call us!

Ti abbiamo interessato? Contattaci!

Zainteresowaliśmy Cię? Odezwij się!

Check what we have been living lately

Scoprite con cosa abbiamo vissuto di recente

Sprawdź, czym ostatnio żyjemy

Do you want to know our offer and talk about the needs of your business? Write to us, we will surely find the best solution.

Leave a number. We will call you back within 30 minutes.

Chcesz poznać nasza ofertę i porozmawiać na temat potrzeb Twojego biznesu? Napisz do nas, na pewno znajdziemy najlepsze rozwiązanie.

Zostaw numer. Oddzwonimy w przeciągu 30 minut.

We bring value by using the best, the most reliable technologies available on the eCommerce market. Our team makes sure that our clients have the ability to achieve their business goals in a way that is safe, predictable and at the highest level.
We have been operating since 2011, and our team consists of 80 people whose competences and knowledge are certified. Our goal is to always achieve the goal, and our know-how is the selection, implementation and development of the best and the most reliable eCommerce technologies. The success in Europe, Asia and North America, along with our experience in numerous industries and in various business models have established our position in the eCommerce world. However, as we believe that the only constant is change, we remain one step ahead at all times, following global trends in the online sales market.

This website uses cookies. By staying on this website, you consent to the use of cookies. Find out more on the <a href="/en/privacy-policy"> website </a>.

Monogo has joined the elite club of Business Gazelles, a group of the most dynamically developing polish companies.

Business Gazelle 2022 for Monogo

Featured products:

<a href="tel:+48531338668">+48 531 338 668</a> <a href="mailto:hello@monogo.pl">hello@monogo.pl</a>

Monogo

Lublin (HQ)

Aleje Jerozolimskie 181, 4th floor Poland

Warsaw

Parkland, 7527 NW 61st Ter, Florida USA

Florida, USA

Parkland, 7527 NW 61st Ter, Florida Usa

<a href="tel:+48531338668">+48 531 338 668</a> <a href="mailto:hello@monogo.pl">hello@monogo.pl</a>

About Monogo

E-Commerce

AI AND AUTOMATION

CLOUD INFRASTRUCTURE

KNOWLEDGE BASE

KONWLEDGE BASE

Questo sito web utilizza i cookie. Restando su questo sito acconsenti all'utilizzo dei cookie. Scopri di più sul sito web <a href="/en/privacy-policy"> </a>.

Prodotti sponsorizzati:

AI E AUTOMAZIONE

Monogo - umow bezplatną rozmowe - kontakt

Kiedy PWA, a kiedy Aplikacja Mobilna w e-commerce?

In the last article, we talked about eCommerce security in a technical context. Today we will focus on the human and organisational part.

core/paragraph

In the last article, we talked about eCommerce security in a technical context. Today we will focus on the human and organisational part.

When taking on a new team member, he/she will receive, among other things, health and safety training. Health and Safety should not only relate to the workplace, but also the employee's interaction with the systems in your organisation. We will discuss some of the basics today that may be helpful. However, we won't be focusing on processes and procedures, these too are important, but without knowing what they are for, they are mostly quickly forgotten or even ignored.

When taking on a new team member, he/she will receive, among other things, health and safety training. Health and Safety should not only relate to the workplace, but also the employee's interaction with the systems in your organisation. We will discuss some of the basics today that may be helpful. However, we won't be focusing on processes and procedures, these too are important, but without knowing what they are for, they are mostly quickly forgotten or even ignored.

Every employee, when coming to work, is equipped with a computer or other device that allows them to work. How should such a device be prepared at a minimum?

Every employee, when coming to work, is equipped with a computer or other device that allows them to work. How should such a device be prepared at a minimum?

Devices in the organisation and security risk

core/heading

<h3>Devices in the organisation and security risk</h3>

If your organisation allows you to take equipment outside the company (home office, business trips), you need to ask yourself questions:

If your organisation allows you to take equipment outside the company (home office, business trips), you need to ask yourself questions:

core/list

<ul><li>What happens if the equipment is lost/stolen? </li><li>Do the data and permissions stored on the computer allow direct access to confidential company data?</li></ul>

By using workstation disk encryption, we make it much more difficult (for the people who 'found' the equipment) to access the data stored there. Any loss of hardware should be reported immediately. In larger organisations, MDM (Mobile Device Management) type systems are often used. This class of systems allows, among other things, the enforcement of disk encryption policies, length and quality of passwords, as well as the remote request to lock the device or even wipe the disk in justified cases.

By using workstation disk encryption, we make it much more difficult (for the people who 'found' the equipment) to access the data stored there. Any loss of hardware should be reported immediately. In larger organisations, MDM (Mobile Device Management) type systems are often used. This class of systems allows, among other things, the enforcement of disk encryption policies, length and quality of passwords, as well as the remote request to lock the device or even wipe the disk in justified cases.

It is often the case that employees in the workplace use their own mobile devices (smartphone/tablet) connected to the company network. Bring Your Own Device (BYOD) is a popular trend. It is a definite simplification and simplification of everyday duties. However, along with the benefit comes a security risk. Private devices should meet all the conditions given to corporate devices (encryption, controlled access, wipeability, anti-virus scanning). The aforementioned malware-detecting antiviruses are standard today and we will not focus on them today. Employees should be aware of and accept the potential deletion of private data from their device, or not bring their own devices to work.

It is often the case that employees in the workplace use their own mobile devices (smartphone/tablet) connected to the company network. Bring Your Own Device (BYOD) is a popular trend. It is a definite simplification and simplification of everyday duties. However, along with the benefit comes a security risk. Private devices should meet all the conditions given to corporate devices (encryption, controlled access, wipeability, anti-virus scanning). The aforementioned malware-detecting antiviruses are standard today and we will not focus on them today. Employees should be aware of and accept the potential deletion of private data from their device, or not bring their own devices to work.

At this point, it is also worth mentioning another class of devices that are often overlooked but can represent a serious security hole in an organisation. We are talking about office devices such as network printers, scanners, routers or network drives. There have been cases of attacks on company networks using errors in the internal software of printers. It is important to remember to configure correctly, not expose devices to the public network, and to update periodically.

At this point, it is also worth mentioning another class of devices that are often overlooked but can represent a serious security hole in an organisation. We are talking about office devices such as network printers, scanners, routers or network drives. There have been cases of attacks on company networks using errors in the internal software of printers. It is important to remember to configure correctly, not expose devices to the public network, and to update periodically.

core/column

<figure class="wp-block-image size-full"><img src="https://backend.monogo.pl/wp-content/uploads/2022/07/shodan-1.png" alt="At the time of publication, nearly 50,000 publicly available HP devices had been found in the global network" class="wp-image-1330"/><figcaption>At the time of publication, nearly 50,000 publicly available HP devices had been found in the global network</figcaption></figure>

core/image

<figure class="wp-block-image size-full"><img src="https://backend.monogo.pl/wp-content/uploads/2022/07/shodan-1.png" alt="At the time of publication, nearly 50,000 publicly available HP devices had been found in the global network" class="wp-image-1330"/><figcaption>At the time of publication, nearly 50,000 publicly available HP devices had been found in the global network</figcaption></figure>

core/columns

<figure class="wp-block-image size-full"><img src="https://backend.monogo.pl/wp-content/uploads/2022/07/printers-pl.png" alt="Poland" class="wp-image-1331"/><figcaption>Also in Poland</figcaption></figure>

<h3>Password policy</h3>

Some argue that passwords should be changed monthly. Others that they should not be rotated, should be long, complex and saved in applications like Password Manager. Keep in mind that a password in most cases is just a string of letters and characters that can be copied somewhere. Of course, there are devices with fingerprint scanners, facial recognition, or login with keys and certificates.

Some argue that passwords should be changed monthly. Others that they should not be rotated, should be long, complex and saved in applications like Password Manager. Keep in mind that a password in most cases is just a string of letters and characters that can be copied somewhere. Of course, there are devices with fingerprint scanners, facial recognition, or login with keys and certificates.

Whatever your organisation's policy is, it makes sense to use two-factor authentication wherever possible. Two Factor Authentication (2FA, TFA) is an additional method of user verification. This can be an additional application on the phone that generates temporary strings, a dedicated USB dongle, or even a simple text message sent to an authorised device when logging in.

Whatever your organisation's policy is, it makes sense to use two-factor authentication wherever possible. Two Factor Authentication (2FA, TFA) is an additional method of user verification. This can be an additional application on the phone that generates temporary strings, a dedicated USB dongle, or even a simple text message sent to an authorised device when logging in.

The two-factor authentication mechanism provides an extra layer of security, even in the event of a password leak. Most applications allow the use of 2FA, but it is disabled by default. If you use social networks, online shopping, instant messaging or regular email, check whether 2FA can be enabled and how it can be attached to your account

The two-factor authentication mechanism provides an extra layer of security, even in the event of a password leak. Most applications allow the use of 2FA, but it is disabled by default. If you use social networks, online shopping, instant messaging or regular email, check whether 2FA can be enabled and how it can be attached to your account

<figure class="wp-block-image size-full"><img src="https://backend.monogo.pl/wp-content/uploads/2022/08/magento-2fa.png" alt="Magento also has a two-factor login mechanism" class="wp-image-1345"/><figcaption>Magento also has a two-factor login mechanism</figcaption></figure>

An additional way to improve security when logging in is the Single Sign On (SSO) mechanism. It allows you to log in to platform X via authentication on platform Y, for example, logging into Messenger via a Google or Microsoft account. It is then important that the Google account is as secure as possible, for example with the aforementioned 2FA mechanism.

An additional way to improve security when logging in is the Single Sign On (SSO) mechanism. It allows you to log in to platform X via authentication on platform Y, for example, logging into Messenger via a Google or Microsoft account. It is then important that the Google account is as secure as possible, for example with the aforementioned 2FA mechanism.

Any user with access to a particular system should be assigned appropriate rights.

Any user with access to a particular system should be assigned appropriate rights.

Two years ago, at one of our clients, a small copywriting company was involved in a project.  An account was created in the administration panel, but without restricting access to resources. The copywriters therefore had access to orders, the list of customers, their sales history, but also the system configuration. And the whole thing would not have been noticed by the client, had it not been for the fact that, through the infected copywriter's system, the login data for eCommerce had leaked out. Malicious scripts were added to the shop configuration to steal credit card details during purchases. The system had no security monitoring, the malicious scripts were detected by the QA team during routine regression testing

Two years ago, at one of our clients, a small copywriting company was involved in a project. An account was created in the administration panel, but without restricting access to resources. The copywriters therefore had access to orders, the list of customers, their sales history, but also the system configuration. And the whole thing would not have been noticed by the client, had it not been for the fact that, through the infected copywriter's system, the login data for eCommerce had leaked out. Malicious scripts were added to the shop configuration to steal credit card details during purchases. The system had no security monitoring, the malicious scripts were detected by the QA team during routine regression testing

At the client's request, an entire analysis was carried out after the incident, the results of which were reported to the security inspector. Fortunately, no one was harmed by the incident, but the organisation had to implement steps to prevent this type of incident.

At the client's request, an entire analysis was carried out after the incident, the results of which were reported to the security inspector. Fortunately, no one was harmed by the incident, but the organisation had to implement steps to prevent this type of incident.

When configuring any accesses, it is good practice to use the minimum possible level of permissions and to periodically (for example, quarterly) audit accesses internally. Inactive or no longer needed accounts should be removed on an ongoing basis. If possible, it is also advisable to log information on who changed what and when in the system.

When configuring any accesses, it is good practice to use the minimum possible level of permissions and to periodically (for example, quarterly) audit accesses internally. Inactive or no longer needed accounts should be removed on an ongoing basis. If possible, it is also advisable to log information on who changed what and when in the system.

<h3>Social engineering</h3>

It is said that the weakest link in security is the bio-junction between the keyboard and the monitor

It is said that the weakest link in security is the bio-junction between the keyboard and the monitor

Sociotechnics is the attempt to exploit people by appealing to curiosity, a desire to help and sometimes vanity and greed. The aim is to get them to divulge certain information, login details, install malware or blackmail.

Sociotechnics is the attempt to exploit people by appealing to curiosity, a desire to help and sometimes vanity and greed. The aim is to get them to divulge certain information, login details, install malware or blackmail.

Examples of situations in which someone may want to obtain information about us or an organisation:

Examples of situations in which someone may want to obtain information about us or an organisation:

<ul><li>Impersonation of an employee, CEO, customer</li><li>Messages about non-payment for a service</li><li>Message about a potential win</li><li>Harmful attachments sent under false pretences (for example, payroll)</li></ul>

A particular example of manipulation is the ladder method. By simply wearing a waistcoat and holding a ladder in your hand, you can enter almost anywhere. Who would think that this is not a maintenance man who has come to fix something. Of course, this is a big exaggeration of the problem, especially in facilities with adequate security, but it shows how we think. It is important to remember that there is no sure-fire way to defend against social engineering, the best thing to do here will be common sense and continuous education.

A particular example of manipulation is the ladder method. By simply wearing a waistcoat and holding a ladder in your hand, you can enter almost anywhere. Who would think that this is not a maintenance man who has come to fix something. Of course, this is a big exaggeration of the problem, especially in facilities with adequate security, but it shows how we think. It is important to remember that there is no sure-fire way to defend against social engineering, the best thing to do here will be common sense and continuous education.

Medium and large organisations also perform periodic employee awareness surveys. For example, emails with deliberately introduced name errors, typos, but also a link or form are prepared. The number of reports from employees about potential attacks is examined, as is the number of people who have been fooled. Additional training is later carried out on the basis of the reports.

Medium and large organisations also perform periodic employee awareness surveys. For example, emails with deliberately introduced name errors, typos, but also a link or form are prepared. The number of reports from employees about potential attacks is examined, as is the number of people who have been fooled. Additional training is later carried out on the basis of the reports.

Conducting an analysis of potential IT risks in an organisation is the first step towards effective security management. Adequate monitoring, continuous identification of new risks, appropriate protection methods, and security procedures and policies are the building blocks of an organisation's risk register. All security procedures should be updated periodically and adapted to current risks. Often, the risk register is also a component of organisations' RODO policies.

Conducting an analysis of potential IT risks in an organisation is the first step towards effective security management. Adequate monitoring, continuous identification of new risks, appropriate protection methods, and security procedures and policies are the building blocks of an organisation's risk register. All security procedures should be updated periodically and adapted to current risks. Often, the risk register is also a component of organisations' RODO policies.

There may be claims that security in an organisation involves restricting the privacy or even surveillance of employees. Well-constructed policies, appropriate levels of access and, above all, knowledge, are not designed to track every employee, but to raise awareness and, ultimately, the entire organisation

There may be claims that security in an organisation involves restricting the privacy or even surveillance of employees. Well-constructed policies, appropriate levels of access and, above all, knowledge, are not designed to track every employee, but to raise awareness and, ultimately, the entire organisation

If you are interested in the topic of security in eCommerce systems, I invite you to my previous article <a href="http://monogo.pl/en/blog/as-secure-as-possible-2" target="_blank" rel="noreferrer noopener">As Secure As Possible</a>.

If you are interested in the topic of security in eCommerce systems, I invite you to my previous article <a href="http://monogo.pl/en/blog/as-secure-as-possible-2" target="_blank" rel="noreferrer noopener">As Secure As Possible</a>.

In the last article we talked about eCommerce security in a technical context. Today we will focus on the human and organizational part. 
No system can resist human errors caused by lack of knowledge, routine or deliberate actions to the detriment of the organization. People involved in eCommerce processes, even unknowingly, can open the gates to your business to harmful applications. Gates that should never be left unattended. In this article, I will take a closer look at the potential dangers from this side, and what you can do to minimize the risks. Because a skilled and informed staff is a major pillar of any business, not just eCommerce.

Man – the greatest security threat