When it comes to common web attacks, there are a lot of nasties out there. And even though we know they’re out there, it can be difficult to quantify something we can’t see. But when these “nasties” turn into something that’s tangible, well, it’s usually too late. Your system, your security, and your business’ livelihood is already at risk. And these days, if you’re not prepared, the effects can be devastating.
No matter how your WebEOC system is hosted, both Critchlow and Intermedix strongly encourage all clients to implement industry-standard best practices when it comes to keeping their WebEOC systems secure.
Below are five security practices all WebEOC administrators should implement on a regular basis to ensure your system is secure against web attacks:
ONE. Update, update, update.
When a new version of a product is released, more often than not it will include improved security measures. It’s always important to keep your online platforms up-to-date. That goes for WebEOC, as well as any other operating systems or software products installed on your servers.
TWO. Put your auditor hat on.
WebEOC is at its best when the information on it is valid and correct. That means reviewing user accounts on a regular basis. Depending on the size of your organisation or the number of users you have in the system, this could be a monthly or quarterly exercise for administrators.
You want to make sure that all user accounts are, well, accounted for – that they’re appropriately accessible and relevant to people still working within the organisation; or that they’re disabled or revoked when a user is no longer with the company or no longer needs access.
THREE. Don’t let user accounts fall through the cracks.
If you have users that access WebEOC infrequently, or only need access for specific projects or tasks now and then, the recommended suggestion is to set them up with time-limited accounts. This ensures that the user’s account is enabled only for the duration of the task.
It’s also a good idea to set expiration dates for accounts – if a user hasn’t logged in for a while or no longer needs access, an expiration date will ensure that their account doesn’t fall through the cracks, remaining open and live when it’s not needed.
Time limits and expiration dates are a great way to maintain control and awareness for administrators over the system.
FOUR. Make the audit log your “go-to” on a regular basis.
The WebEOC audit log contains valuable information about user access, login attempts, changes to data, and account locks, as well as many other things. This is where you’ll be able to see any abnormal login activity and any patterns that point to anything malicious going on in the background.
Things to look for are failed login attempts under odd-looking usernames, unusual login times, a number of failed attempts, or irregular data changes.
Monitoring the audit log regularly will give administrators a better feel for what’s going on within the system, when to escalate any issues, and ensure that only authorised changes are occurring.
FIVE. ALWAYS access WebEOC over a secure browser connection.
It goes without saying that one of the key parts in keeping your WebEOC system safe is ensuring all users access it only through a secure browser. Intermedix recommend TLS 1.1 or later as it encrypts sensitive data before sending it from the user to the WebEOC server over the internet, therefore minimising the possibility of this data being intercepted or inspected while in transit.
These security practices should be regulars on your to-do list. Things as simple as keeping your browser updated or auditing user accounts frequently can be the things that stand between your WebEOC system and malicious activity that can put your business at significant risk.
If you’ve got any questions about the above list or are experiencing an issue, get in touch. We’re always here to help.