
The Digital Forum Summary – 2nd November 2016


Great to see everyone at the last event. Summary notes for reference.

Hope to see you at the next event –  https://www.contradodigital.com/event/digital-forum-7th-december-2016/ Book now to avoid disappointment.

The Digital Forum Summary – 5th October 2016


Great to see everyone at the last event. Summary notes for reference.

 

 

Hope to see you at the next Digital Forum on 2nd November 2016. Book now to avoid disappointment.

The Digital Forum Summary – 7th September 2016


Great to see everyone at the event. Summary notes for reference.

 

 

Hope to see you at the next Digital Forum on 5th October 2016. Book now to avoid disappointment.

Using Google Analytics to Track your Digital Marketing Campaigns Accurately at MWUG September 2015

Slides from our talk at Manchester WordPress User Group in September 2015;

Additional Notes

In addition to the slides, additional comments & resources mentioned;

  • Use UTM Tracking Parameters on everything
  • Google has a UTM URL Builder which can be found here, https://support.google.com/analytics/answer/1033867?hl=en, but we prefer ours here, https://www.contradodigital.com/resources/social-media-tracking-tool/
  • Use Event Tracking on everything that someone does on the website that isn’t a page view. This will provide awesome insights into how your website visitors are behaving. Things like social media links, clicking to download, using Yoast SEO Plugin to track outbound links once the setup is configured correctly. Likewise for any mailto: and tel: links to track when customers are using click-to-email and click-to-call technologies.
  • Set up goal tracking for everything!
  • Set up Goal Funnels, particularly if you are an ecommerce website
  • Set up Site Search within the Google Analytics settings, for WordPress the default query string parameter is ‘s’ for search URLs. Try here, http://search.contrado.digital/utm for an example.
  • The tracking pixel technology which can be used on all normal emails is Sidekick from Hubspot, really cool technology.
  • Use the Network report at Audience > Technology > Network to see which companies have been looking at your website. Most importantly, seeing which companies are looking at your website along with a quick Google search for “{Company Name} Contact Details” means you never have to pay for some of the extortionate services that are available offering this data at a premium.
  • If your website still isn’t responsive, then compare the conversion rates for mobile visitors with non-mobile visitors. Imagine a world when mobile customers are converting at the same level as desktop visitors and you can calculate the value it brings to have your website responsive and mobile friendly.
  • Track offline activities using smart redirects such as contradodigital.com/offer1 which 301 redirects to a UTM’d URL such as www.contradodigital.com/?utm_source=something&utm_medium=something-else&utm_campaign=something-else. Allowing you to track the return on your investment from a print based campaign all the way through to website traffic and ultimately sales or enquiries. All of this data will show within the Acquisition > Campaigns > All Campaigns report within Google Analytics
  • Google Analytics uses Last Click Attribution by default. Understand the full conversion funnel and user journey with Assisted Conversions.
  • Use Intelligence Events to set up alerts for when significant events happen within your Google Analytics data. This can help to identify problems on your website before they become an enormous issue.
  • Use Real Time Data to see what is happening on your website right now. This is seriously cool for data geeks like myself.
  • Use Advanced Segments to filter your Google Analytics data while you are browsing the different reports.
  • Always have a Raw Data profile and Filtered Data profile within your Google Analytics setup for accurate reporting.
  • Use Filtered Profiles if you want to permanently filter out the data from your Google Analytics reports. Use Advanced Segments if you only want to filter the data temporarily.
  • When you are using Google AdWords, make sure you link your Google AdWords & Google Analytics accounts together to avoid your paid search traffic appearing as organic search traffic within Google Analytics.
  • Referral spam is an enormous problem in Google Analytics at the minute so use these handy filters to remove future referral spam for good, https://www.contradodigital.com/resources/block-referrer-spam-google-analytics/. Generally speaking, any .htaccess or plugin based solution to referral spam doesn’t work that well, as most Google Analytics spam is currently sent directly to Google Analytics and the bots never even visit your website.
  • Use Virtual Page View tracking if using AJAX or redirect the user to a thank you page after they have submitted a form so you can track the full conversion funnel within the Funnel Visualisation report. This is possible within Contact Form 7 or Gravity Forms plugins for WordPress.
  • Handy plugin for debugging your Google Analytics setup is Google Analytics Debugger for Google Chrome which can be found here, https://chrome.google.com/webstore/detail/google-analytics-debugger/jnkmfdileelhofjcijamephohjechhna?hl=en
  • Mailchimp can cause a few problems within your Google Analytics data if you don’t set this up right. Keep an eye on this and configure the settings to suit your needs.
  • When two links on a page point to the same location, use Enhanced Link Attribution to separate out which link users are clicking on. To do this, view the Property Settings within the Administration area and turn on Enhanced Link Attribution. Once this is turned on, when you view your In-Page Analytics report, you will be able to see which links people are clicking on.

With thanks to Andreas Andrews for making such meticulous notes of my ramblings :)

Any questions, leave a comment or drop me an email.

Google Grow Local Party April 2015

 


Last week we were invited to a party Google was throwing for those involved in the recent Grow Local campaign which was designed to help businesses get on board with Google AdWords. It was held at Europe’s largest multi-arts and conference venue, the Barbican in London. We had a great evening full of goodies, entertainment and a bit of technology, naturally.

 

 

Google Cardboard

We got our hands on our own Google Cardboard Virtual Reality system. And yes, it is just a piece of cardboard, but it is a cool piece of cardboard. The pack comes in flat-pack mode and allows you to place your smartphone into the device and be truly immersed in a virtual world. Hold the device and look in any direction and control your movements inside the virtual world. Ride on virtual rollercoasters, view museum exhibits, walk around stately homes, fly over Chicago or get immersed in a Paul McCartney concert (if that’s your thing…). Our custom paint job on the Google Cardboard leaves a little to be desired…

 

 

Cyber Security Conference 2015

We recently attended the Cyber Security Conference which was looking at the enormous problem that is cyber security, or should I say cyber crime. Cyber security is a bigger issue than most businesses realise, with central government classifying cyber security as a Tier 1 threat, the same level as terrorism. Yet we will see many businesses not taking adequate steps to secure their businesses. At Contrado Digital, our focus is on digital marketing, websites and other online topics. These naturally are open to many of the issues related to cyber security which often aren’t in the realms of the traditional IT Support type companies who manage the physical security related to network routing and more. There is naturally a cross over between the two areas, which is why we have started to cover this area a little more recently as it is an area that is not understood that well by most businesses, particularly those within the SME bracket.

 


 

Security Investment

One phrase that you should really think about is this; Good security will cost you, bad security will cost you more. This is one that resonated with me at the conference as I can relate to this on many occasions when businesses have come to us with problems related to security. On many occasions we hear businesses say things along the lines of “We don’t have access to our own website, webserver or social media accounts and the web developer has gone AWOL, what can we do?” This is security and is a big risk for your business.

Coming back to the phrase, good security will cost you, bad security will cost you more, what can you realistically do in this situation? Well, you have to start again in many instances, which is a much more costly approach than simply getting the right processes and training in place within your business from the start. This specific example is the reason why we have put together a free resource for keeping track of your digital assets with our Digital Assets Tracker document.

Going beyond the basics, it is hugely important to look at the training requirements within your organisation and invest in creating a security culture. Local IT support company Holker IT have even recently launched their Think Before You Click campaign to educate businesses. So many issues related to security are human error due to lack of knowledge, so make sure your staff have been trained up and are aware of the latest security threats that could cause a serious problem for your business.

 

Planning for Problems

No system is infallible, this is an unfortunate fact of life when dealing with computer systems, programs, hardware and processes reliant on human input. So what are your plans for when something does happen? What, you don’t have any? Far too many businesses don’t have any serious plans in place for when cyber security issues arise and simply have the opinion that it will never happen to them. I’m sure the people involved with the recent celebrity scandal thought the same…

The reality is that something will happen and you need to plan for when this does and put in procedures that can mitigate against issues. This broadly falls into three categories;

  • How will you deter it?
  • How will you detect it?
  • How will you respond to it?

Thinking through the potential problems that could occur and planning for this will mean you have a much more secure business, lower your chances of financial and reputational damage along with allowing you to focus on what is important, growing your business.

Let’s look at a few examples to put things into perspective.

 

Distributed Denial of Service (DDoS) Attack

A cyber criminal has decided to attack your website with a Distributed Denial of Service attack (DDoS) and your website is no longer accessible. Read up about an example a while ago that we had to deal with. This was only a small scale attack in the grand scheme of things, what if it had been bigger?

How will you deter it? – While you cannot control if someone has decided they are going to attack your website, you can put in place measures to pro-actively block attacks. For example, with WordPress, there are plugins such as Limit Login Attempts and Akismet that will help to deter DDoS attacks which should be installed along with other professional security plugins which we also use.

How will you detect it? – What systems have you got in place to detect when this is happening? Or do you simply find out when you happen to check your website and realise that it is not working? How many enquiries or lost ecommerce sales have you had during this time? Any reputable web hosting company will have pro-active monitoring in place to alert you to when your server falls over due to hugely increased loads, allowing you to respond in a timely manner and deal with the issue promptly.

How will you respond to it? – What are you actually going to do to stop the attack? Simply sit it out and watch it unfold until it hopefully stops? If your web server has already fallen over, then there is little you can do until you can gain access again. Depending on the technical configurations you have in place along with the nature of the attack, it may be possible to divert traffic to another server, allowing you to get access to your main server and implement security changes such as blocking all traffic from a certain IP address or a group of IP addresses. Then once the change has been made, you can redirect all traffic back to your main server which should reduce the load and allow your websites to function normally again. Again, certain hosting companies pro-actively monitor for DDoS attacks and intervene by automatically blocking suspicious traffic on the network level before they even get to your web server which is great.

 

WordPress Brute Force Password Hacking

A cyber criminal has decided to hack into your website by guessing your administrator password. They have written a basic computer programme which loops through common passwords before running through a password generator script in a logical order to find your password.

How will you deter it? – There are plugins available for WordPress which will automatically block anyone who attempts to login to your website using the ‘Admin’ username which is the WordPress default. You should always be using a unique Administrator username which isn’t ‘Admin’ or ‘Administrator’. Pick something unique for you which is hard to guess. This means that any hacker has to guess both the username and password which is exponentially more difficult. In addition, certain plugins will automatically block IP addresses from accessing your website if they guess any password incorrectly a set number of times.

How will you detect it? – There are plugins available for WordPress that will automatically send you an email when an IP address has been blocked from logging in to your website due to too many failed login attempts. This can alert you to a problem and can help to highlight the start/stop of any attack that is happening.

How will you respond to it? – Responding to a hacking attempt which is aiming to guess your password is about being pro-active. If you have a password which is ‘password123’ then this isn’t the most secure password in the world and could be cracked by a computer programme within minutes. Always make sure you are using strong usernames and passwords for your WordPress websites to avoid vulnerabilities.

 

WordPress Plugin Vulnerability Exploits

A cyber criminal has noticed that you are running your website from the world’s most popular content management system WordPress and has decided that you are a good target. They know that many WordPress website owners don’t update their plugins and patch security holes regularly so have decided that you would be a good target for hacking into. After all, they already have a list of what has been patched by comparing the older versions of plugins to the latest versions of plugins so they have an easy shopping list of exploits to try and hack into your website with.

How will you deter it? – What activities are you doing to avoid leaving your WordPress website open to vulnerability exploits? You are keeping all of your plugins, themes and WordPress core up to date, right? This is the absolute minimum that you should be doing to avoid cyber criminals taking over your website. You really need to be thinking about subscribing to a service that will detect threats in real time which will keep you much safer.

How will you detect it? – How will you detect if your website has been exploited? Often many website owners and businesses have no idea that their website has been infected by some malicious code that has been placed there which could be hiding in the background working away. When a cyber criminal exploits a vulnerability in your website, this usually isn’t about changing the visual appearance of your website, this is usually about hiding code away so that you think everything is fine. Again, there are many services available that will scan your core WordPress files for vulnerability exploits and raise a flag if a piece of unexpected code is found which is likely to be an exploit.

How will you respond to it? – Now you have managed to detect the problem, getting rid of the problem can be a whole other challenge. The complexity of the hijacked code will determine how easy or difficult this is to get rid of. Prevention is always better than dealing with these types of problems when they occur, since many sophisticated pieces of code will hide themselves from your view and only show to search engines, and only under certain circumstances.
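The scanning idea described above, flagging unexpected code in your WordPress files, comes down to comparing the files on disk with a known-good baseline. The following is an added example, not part of the original post and not the code of any scanning service: it records SHA-256 hashes of a clean install and later reports modified, missing and unexpected files. The directory layout, the file names, the `example-plugin` plugin and the rule that only script files are reported inside the uploads folder are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

PHP_EXTS = (".php", ".phtml", ".phar")  # script types that should not appear in uploads


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/' separators) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def check_integrity(root, baseline, uploads_dir="wp-content/uploads/"):
    """Compare the tree at root with a baseline taken from a known-clean state."""
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    for rel in current.keys() - baseline.keys():
        # New media in the uploads folder is normal; a new script there is not.
        if rel.startswith(uploads_dir) and not rel.lower().endswith(PHP_EXTS):
            continue
        report["unexpected"].append(rel)
    return {kind: sorted(paths) for kind, paths in report.items()}


def demo():
    """Build a constructed mini site, take a baseline, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        write("wp-login.php", b"<?php // login form\n")
        write("wp-includes/version.php", b"<?php // version info\n")
        write("wp-content/plugins/example-plugin/example.php", b"<?php // plugin\n")
        write("wp-content/uploads/2015/03/photo.jpg", b"constructed image bytes")
        baseline = build_manifest(root)  # store this somewhere off the web server

        # Changes made after the baseline was taken
        write("wp-login.php", b"<?php // login form\n// line added later\n")
        write("wp-includes/cache.php", b"<?php // not in the baseline\n")
        write("wp-content/uploads/2015/03/logo.jpg", b"ordinary new upload")
        write("wp-content/uploads/2015/03/thumb.php", b"<?php // script in uploads\n")
        os.remove(os.path.join(root, "wp-includes", "version.php"))
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline is only useful if it is taken from a clean install and kept where someone who can write to the website cannot also rewrite it.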

 

Summary Planning

The three examples above are just the basics when it comes to protecting your website from attacks. The real focus should be about planning for problems so your website doesn’t become one of the statistics around hacked websites.

Do not think that this will never happen to you, it will. Cyber criminals often don’t care about you or your website specifically, they simply create computer programmes which crawl the internet (in the same way Google does) to find all target websites (i.e. WordPress and others). Once they have found their targets, they simply automatically test each website for known vulnerabilities. At this level, which isn’t hard to achieve, hacking is basically a spectator sport. Press ‘go’ on your script and you just sit back and wait for a report to be generated for every website in your target list (bearing in mind that WordPress powers over 23% of websites on the entire internet….that’s a lot of targets…) with a list of which vulnerabilities they are open to.

You cannot rely on any kind of enforcement here to get you out of a sticky situation. The unfortunate reality is that you are on your own (or getting help from us…). There are so many potential problems beyond the three examples above that people need to protect their website from that this is an area that needs serious attention. With many hacking attempts coming from overseas, there is very little jurisdiction that can help in dealing with problems after they have occurred.

Thankfully we offer WordPress Security services which are designed to keep your website safe and secure so that you are prepared and don’t fall victim. Always think about any potential problem in relation to your own website and business; How will you deter it? How will you detect it? How will you respond to it? Reactive approaches are too late. Proactivity is key.

 

Scale of the Problem

A recent report from Trustwave, their Global Security Report, found some interesting statistics including;

  • 45% of data thefts are for non-payment card data
  • Ecommerce made up 54% of assets targeted
  • Point of sale (POS) breaches accounted for 33% of investigations they did
  • Retail was the top compromised industry – likely due to the nature of data they keep about customers in databases
  • 85% of the exploits detected were from 3rd party plugins
  • Weak passwords contributed to 31% of breaches
  • 96% of investigated applications had one or more serious security vulnerabilities
  • Ecommerce and website breaches rose by 5% since 2012 – I believe this figure is hugely understated
  • The average number of vulnerabilities identified per application was 14
  • 100% of mobile applications tested contained at least one vulnerability
  • 71% of victims did not detect the breach themselves
  • The average number of days from initial intrusion to detection was a whopping 87 days

When terms such as application, website, ecommerce etc. are used, it is often the same underlying programming languages and exploits that are being used in different ways. Do not think that these problems are isolated to a specific area.

Going beyond simply looking at the enormous numbers behind these problems, there are services available online including Shodan, which has a fantastic blog covering lots of ‘interesting’ topics. The service classifies itself as ‘The search engine for internet-connected devices’, i.e. Internet of Things, Webcams, Buildings, Websites, Refrigerators, Power Plants and more. I’m not going to talk about the technologies behind how all of this works here as this gets a little geeky. What is important is that for only $9 / month, you can literally search the world of internet connected devices for vulnerabilities.

So again, are you confident that you are protected and have the right procedures in place?

 

Physical Hardware

There was a lot of talk at the conference along the lines of physical hardware security and network security. A little beyond our area of expertise, but a couple of interesting points around this which may resonate;

  • You need solutions at the network security level, not just software solutions. For example if you have a multi-site office, it was recommended that you look at using MPLS to protect your data in transit.
  • Your home broadband provider can see what devices you have connected to your router. If you regularly work from home or you have a home based business, you may prefer to keep your business hardware private from prying eyes. It was recommended to always have an additional router between the router provided by your ISP and your devices so that wandering eyes cannot see what is connected to your network from further afield. For example, imagine a call centre employee noticing that your house appears to have 15 iPads, 3 iMacs, 12 iPhones and 4 smart TVs all connected to the router you were provided (yes, you have a big house…). This would certainly be more of a target for thieves. Whereas if they only saw that 1 additional router was connected to the network then they would simply look elsewhere.

 

Information Governance Programme

While this may sound like the setup for much larger multi-national organisations, it is important to recognise the importance for all businesses large and small. Larger organisations often rely on smaller organisations as part of their supply chain in one way, shape or form which are often a target for attackers due to the often more relaxed approach to information security.

Recently central government made the new Cyber Essentials certification a mandatory requirement for anyone bidding for central government contracts, which highlights the importance. Many speakers at the event from mammoth organisations and senior positions in government were reiterating the importance of security throughout the entire supply chain, to the point whereby many large organisations are putting together training programmes for their supply chain to educate them about the standards that they expect.

Information governance is not just data, it is a lot more than that. It includes areas such as;

  • Information risk management
  • Information management
  • Intellectual property
  • Knowledge management
  • ICT

All of which touch on some of the terms that you may be more familiar with; SaaS (Software as a Service), BYOD (Bring Your Own Devices), cloud, virtualisation, employees, customers, contractors, outsourced people/companies. Looking at this in more technical terms to see what areas are often attacked when you look at data assets;

  • Data at rest – For example data in the many databases you use within your business across multiple systems
  • Data in use – For example data that is stored in caches, security certificates, data in RAM
  • Data in motion – For example networked systems

A professor from Lancaster University talked through a range of the options hackers have to access systems ranging from the obvious technical areas such as HTTP, downloads/uploads, SQL injection to the ones people often don’t think about as much such as FTP clients, emails/webmail, instant messaging, peer-2-peer, file sharing, HTTPS, SFTP, SSH, VPN, protocol tunnelling including DNS, HTTP, ICMP, Box, Dropbox, image steganography, VOIP, routing control packets and more. Some of these you will likely never have heard of if you aren’t that technical, but I guarantee that you will be using them in some way without even realising.

The graphic below from Lancaster University highlights some of the common methods used;

 

Data Exfiltration Methods Infographic

 

Again, all of these acronyms above are used by many of the technologies that you use on a daily basis without even realising.

 

Summary

Cyber security is a serious problem. These are just some of the highlights from the excellent conference. Many other topics were discussed, although I feel that the people speaking about the more exciting topics would prefer if some of this information wasn’t boasted about so this has been left out for obvious reasons.

By far, the largest problem around cyber security at the moment, which was reiterated by all at the event, was around lack of education about the real problem that is out there. Many businesses simply have the opinion that it will never happen to them, or they are too small for people to care. This is simply not the case and I hope this blog post covering a small selection of the many exciting topics discussed will help to highlight some of the issues and what businesses can do to protect themselves online.

If you would like to discuss any website security related issues then get in touch or see how our website security audit could help. There are many aspects related to cyber security and we are by no means an expert on every aspect. As we deal predominantly with websites and online ‘things’, this is where our focus lies, including details around specific technologies and systems. If you ask us about something that is a little outside of the scope of our expertise, then we can certainly put you in touch with one of our many contacts that are more suitable to support your business.

 

Resources, Sources and Further Reading

UK National Security Strategy:  https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/61936/national-security-strategy.pdf

UK Cyber Security Strategy: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf

HMG Security Policy Framework: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/316182/Security_Policy_Framework_-_web_-_April_2014.pdf

Introduction to Cyber Security course from the Open University: http://www.open.edu/openlearn/futurelearn/cyber-security

Cyber Streetwise: https://www.cyberstreetwise.com/

10 Steps to Cyber Security: http://www.gchq.gov.uk/press_and_media/news_and_features/Pages/Relaunch-10-Steps-to-Cyber-Security.aspx

Competitive analysis of the UK cyber security sector: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/259500/bis-13-1231-competitive-analysis-of-the-uk-cyber-security-sector.pdf

Information Security Breaches Survey 2014: http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf