Are you interested? Call us!

Check what we have been living lately

Do you want to know our offer and talk about the needs of your business? Write to us, we will surely find the best solution.

Leave a number. We will call you back within 30 minutes.

Monogo - e- commerce done right

We bring value by using the best, the most reliable technologies available on the eCommerce market. Our team makes sure that our clients have the ability to achieve their business goals in a way that is safe, predictable and at the highest level.
We have been operating since 2011, and our team consists of 80 people whose competences and knowledge are certified. Our goal is to always achieve the goal, and our know-how is the selection, implementation and development of the best and the most reliable eCommerce technologies. The success in Europe, Asia and North America, along with our experience in numerous industries and in various business models have established our position in the eCommerce world. However, as we believe that the only constant is change, we remain one step ahead at all times, following global trends in the online sales market.

This website uses cookies. By staying on this website, you consent to the use of cookies. Find out more <a href="/privacy-policy/">here</a>.

Featured products:

<a href="tel:+48531338668">+48 531 338 668</a> <a href="mailto:hello@monogo.pl">hello@monogo.pl</a>

Monogo

Lublin (HQ)

Warsaw

Stanisława Małachowskiego 18/5 Poland

Wrocław

Parkland, 7527 NW 61st Ter, Florida Usa

Florida, USA

<a href="tel:+531338668">+48 531 338 668</a> <a href="mailto:hello@monogo.pl">hello@monogo.pl</a>

About Monogo

E-Commerce

AI AND AUTOMATION

CLOUD INFRASTRUCTURE

KNOWLEDGE BASE

As Secure As Possible

When starting work, every employee is provided with a computer or another device that allows them to work. What are the minimum requirements so that such a device is properly prepared?

core/paragraph

When starting work, every employee is provided with a computer or another device that allows them to work. What are the minimum requirements so that such a device is properly prepared?

Devices in your organization If your organization allows devices to be taken outside the premises (home office, business trips), you need to ask yourself the following questions: What happens if the device is lost or stolen? Do the data and permissions stored on the computer allow direct access to the company’s confidential data? By using encryption on workstation drives, we make it much more difficult (for those who have “found” the device) to access the data stored on them. Whenever a device is lost, such a situation must be reported immediately. In larger organizations, systems such as MDM (Mobile Device Management) are often used. Such systems make it possible to enforce, for example, disk encryption policies, password length and quality, as well as to request locking of a device or even wiping a disk in justified cases – all that can be done remotely.&nbsp; It is common for employees to use their own mobile devices (smartphone/tablet) connected to the company’s network while at work and Bring Your Own Device (BYOD) is a popular trend. It definitely makes it easier and simpler to perform daily duties, however, those benefits go hand in hand with security risks. Private devices should meet all the conditions required of the company’s devices (encryption, controlled access, wipeability, anti-virus scanning). Anti-virus software that can detect malware is standard today, and I won’t go into details here. Employees need to know and accept the risk that their private data can be potentially deleted from their devices, or they should not bring their own devices to work. At this point, I simply must mention another category of devices that is often overlooked, even though they can potentially poke a huge hole in the security of an organization. I’m talking here about office equipment such as network printers, scanners, routers, or network disks. There have been cases of attacks on company networks using bugs in printer firmware. It is important to remember to configure them correctly, not to connect such devices to public network, and to install updates periodically.

Devices in your organization If your organization allows devices to be taken outside the premises (home office, business trips), you need to ask yourself the following questions: What happens if the device is lost or stolen? Do the data and permissions stored on the computer allow direct access to the company’s confidential data? By using encryption on workstation drives, we make it much more difficult (for those who have “found” the device) to access the data stored on them. Whenever a device is lost, such a situation must be reported immediately. In larger organizations, systems such as MDM (Mobile Device Management) are often used. Such systems make it possible to enforce, for example, disk encryption policies, password length and quality, as well as to request locking of a device or even wiping a disk in justified cases – all that can be done remotely.&nbsp; It is common for employees to use their own mobile devices (smartphone/tablet) connected to the company’s network while at work and Bring Your Own Device (BYOD) is a popular trend. It definitely makes it easier and simpler to perform daily duties, however, those benefits go hand in hand with security risks. Private devices should meet all the conditions required of the company’s devices (encryption, controlled access, wipeability, anti-virus scanning). Anti-virus software that can detect malware is standard today, and I won’t go into details here. Employees need to know and accept the risk that their private data can be potentially deleted from their devices, or they should not bring their own devices to work. At this point, I simply must mention another category of devices that is often overlooked, even though they can potentially poke a huge hole in the security of an organization. I’m talking here about office equipment such as network printers, scanners, routers, or network disks. There have been cases of attacks on company networks using bugs in printer firmware. It is important to remember to configure them correctly, not to connect such devices to public network, and to install updates periodically.

core/column

core/image

<figure class="wp-block-image size-full"><img src="https://backend.monogo.us/wp-content/uploads/2022/10/shodan-1-1.png" alt="" class="wp-image-1235"/><figcaption>At the time this post was published, nearly 50,000 publicly available HP devices had been found on the global web, including in Poland.</figcaption></figure>

core/columns

Password policy Some argue that passwords should be changed monthly. Others say that passwords should not be rotated, but they should be long, complicated, and saved in applications like Password Manager. It is important to remember that in most cases a password is just a string of letters and characters that can be copied. Of course, there are devices equipped with fingerprint scanners, facial recognition, or allowing you to log in using keys and certificates. &nbsp; Regardless of your organization’s policy, it makes sense to use two-factor authentication wherever possible. Two Factor Authentication (2FA, TFA) is an additional method of user verification. It can take the form of an additional app on the phone that generates temporary strings, a dedicated USB dongle, or even a simple text message sent to an authorized device when logging in.

Password policy Some argue that passwords should be changed monthly. Others say that passwords should not be rotated, but they should be long, complicated, and saved in applications like Password Manager. It is important to remember that in most cases a password is just a string of letters and characters that can be copied. Of course, there are devices equipped with fingerprint scanners, facial recognition, or allowing you to log in using keys and certificates. &nbsp; Regardless of your organization’s policy, it makes sense to use two-factor authentication wherever possible. Two Factor Authentication (2FA, TFA) is an additional method of user verification. It can take the form of an additional app on the phone that generates temporary strings, a dedicated USB dongle, or even a simple text message sent to an authorized device when logging in.

<figure class="wp-block-image size-full"><img src="https://backend.monogo.us/wp-content/uploads/2022/10/yubi.jpeg" alt="" class="wp-image-1236"/><figcaption>2FA YubiKey dongles</figcaption></figure>

The two-factor authentication mechanism provides an additional layer of security, even in the event of a password leak.&nbsp;Most apps allow the use of 2FA, but it is disabled by default. If you use social networks, shop online, use instant messaging apps or regular e-mail, check if and how 2FA can be connected to your account.&nbsp;

The two-factor authentication mechanism provides an additional layer of security, even in the event of a password leak.&nbsp;Most apps allow the use of 2FA, but it is disabled by default. If you use social networks, shop online, use instant messaging apps or regular e-mail, check if and how 2FA can be connected to your account.&nbsp;

<figure class="wp-block-image size-full"><img src="https://backend.monogo.us/wp-content/uploads/2022/10/magento-2fa.png" alt="" class="wp-image-1237"/><figcaption>Magento also has a two-factor login mechanism</figcaption></figure>

An additional way to improve security when logging in is the Single Sign On (SSO) mechanism. It allows you to log in to platform X by authenticating on platform Y, for example, you can log into your Messenger with a Google or Microsoft account. It is then important for the Google account to be made as secure as possible, for example with the 2FA mechanism mentioned above. Access control Each user with access to a particular system should be granted appropriate permissions. Two years ago, one of our clients hired a small copywriting company for a project.&nbsp; An account was created in the administration panel, but without restricting access to resources. Therefore, copywriters had access to orders, the list of clients, their sale history, but also the system configuration. And the whole thing would have gone unnoticed by the client, had it not been for the fact that, through a copywriter’s infected system, eCommerce login details were leaked. Malicious scripts were added to the shop’s configuration with the aim to steal credit card details during purchases. The system had no security monitoring and the malicious scripts were detected by the QA team during routine regression testing.&nbsp; At the client’s request, a full analysis was carried out after the incident, the results of which were reported to the safety officer. Luckily, no harm was done as a result of that incident, but the organization had to implement procedures to prevent such events in the future. When configuring any accesses, it is a good practice to use the minimum possible level of permissions and to periodically (for example, quarterly) audit accesses internally. Inactive or no longer needed accounts should be deleted regularly. If possible, it is also advisable to log information on who has changed what and when in the system. Social engineering It is said that the weakest link in security is the human factor between the keyboard and the monitor.&nbsp; Social engineering is an attempt to take advantage of people by appealing to their curiosity, desire to help, and sometimes to their vanity and greed. The aim is to induce them to disclose specific information, login data, to install malware, or simply – to blackmail them. Here are a few examples of situations when someone might want to obtain information about us or the organization: Impersonating an employee, a CEO, a client; Messages informing you that no payment for a service was received; Messages informing you about a potential win in a contest; Malicious attachments sent under false pretenses (for example, payroll) A ladder method is a particular example of manipulation. All you need to do is put on a vest and hold a ladder in your hand, and you can go almost everywhere. Who would have thought that the maintenance worker who has come to fix something is only pretending? Obviously, we got a bit carried away here, especially when we talk about facilities with the right security measures being implemented. However, it shows you how we all think. It is important to remember that there is no fire-proof way to protect ourselves against social engineering; common sense and staying on top of the trends are the best solutions. Medium and large organizations also carry out periodic employee awareness tests. For example, e-mails with deliberately introduced errors in names, typos, but also ones containing a link or a form are pre-prepared. The test involves counting the number of reports from employees about a potential attack, and the number of people who were conned. Based on the reports, additional training sessions are later carried out. Risk registers Conducting an analysis of potential IT risks in an organization is the first step to effective security management. Appropriate monitoring, continuous identification of new risks, appropriate protection methods, and security procedures and policies are the foundations of an organization’s risk register. All security procedures should be updated periodically and adapted to current risks. Frequently, the risk register is also a component of the GDPR policy in organizations. Takeaway There may be claims that security in an organization means a reduction in privacy or even surveillance of employees. Well-constructed policies, appropriate levels of access, and, above all, knowledge are not designed to control each and every employee, but to raise their awareness and, ultimately, that of the entire organization.&nbsp;

An additional way to improve security when logging in is the Single Sign On (SSO) mechanism. It allows you to log in to platform X by authenticating on platform Y, for example, you can log into your Messenger with a Google or Microsoft account. It is then important for the Google account to be made as secure as possible, for example with the 2FA mechanism mentioned above. Access control Each user with access to a particular system should be granted appropriate permissions. Two years ago, one of our clients hired a small copywriting company for a project.&nbsp; An account was created in the administration panel, but without restricting access to resources. Therefore, copywriters had access to orders, the list of clients, their sale history, but also the system configuration. And the whole thing would have gone unnoticed by the client, had it not been for the fact that, through a copywriter’s infected system, eCommerce login details were leaked. Malicious scripts were added to the shop’s configuration with the aim to steal credit card details during purchases. The system had no security monitoring and the malicious scripts were detected by the QA team during routine regression testing.&nbsp; At the client’s request, a full analysis was carried out after the incident, the results of which were reported to the safety officer. Luckily, no harm was done as a result of that incident, but the organization had to implement procedures to prevent such events in the future. When configuring any accesses, it is a good practice to use the minimum possible level of permissions and to periodically (for example, quarterly) audit accesses internally. Inactive or no longer needed accounts should be deleted regularly. If possible, it is also advisable to log information on who has changed what and when in the system. Social engineering It is said that the weakest link in security is the human factor between the keyboard and the monitor.&nbsp; Social engineering is an attempt to take advantage of people by appealing to their curiosity, desire to help, and sometimes to their vanity and greed. The aim is to induce them to disclose specific information, login data, to install malware, or simply – to blackmail them. Here are a few examples of situations when someone might want to obtain information about us or the organization: Impersonating an employee, a CEO, a client; Messages informing you that no payment for a service was received; Messages informing you about a potential win in a contest; Malicious attachments sent under false pretenses (for example, payroll) A ladder method is a particular example of manipulation. All you need to do is put on a vest and hold a ladder in your hand, and you can go almost everywhere. Who would have thought that the maintenance worker who has come to fix something is only pretending? Obviously, we got a bit carried away here, especially when we talk about facilities with the right security measures being implemented. However, it shows you how we all think. It is important to remember that there is no fire-proof way to protect ourselves against social engineering; common sense and staying on top of the trends are the best solutions. Medium and large organizations also carry out periodic employee awareness tests. For example, e-mails with deliberately introduced errors in names, typos, but also ones containing a link or a form are pre-prepared. The test involves counting the number of reports from employees about a potential attack, and the number of people who were conned. Based on the reports, additional training sessions are later carried out. Risk registers Conducting an analysis of potential IT risks in an organization is the first step to effective security management. Appropriate monitoring, continuous identification of new risks, appropriate protection methods, and security procedures and policies are the foundations of an organization’s risk register. All security procedures should be updated periodically and adapted to current risks. Frequently, the risk register is also a component of the GDPR policy in organizations. Takeaway There may be claims that security in an organization means a reduction in privacy or even surveillance of employees. Well-constructed policies, appropriate levels of access, and, above all, knowledge are not designed to control each and every employee, but to raise their awareness and, ultimately, that of the entire organization.&nbsp;

In our last post, we discussed the issue of eCommerce security in a technical context. Today we will focus on the human and organizational side.

No system can survive human errors caused by lack of knowledge, groove, or deliberate actions to the detriment of the organization. People involved in eCommerce processes can let malicious apps inside your business, even unknowingly. They can open the gates that should never be left unguarded. In this post, I will take a closer look at the potential risks in this area and tell you what can be done to minimize the risks. As skilled and well-informed personnel is the key pillar of any business, not just eCommerce, when a new team member is employed, the onboarding process involves, but is not limited to, an occupational health & safety training. The training should cover not only the station where that team member will work, but also the employee’s interactions with your organization’s systems. Today we will discuss a few basic issues that may be helpful here. We will not focus on processes and procedures, though. They are important, but without knowing their purpose, they are often very quickly forgotten or even ignored.

Humans – the greatest threat to security