This guide describes some of the most common security threats and how you can use Ometria's features to best protect your accounts.
Common threats
Evidence from across the industry shows that the most common factors in unauthorised access include:
Weak passwords
Many people use simple passwords like "123456" or "password" because they're easy to remember.
However, these are also easy for attackers to guess.
Using common words or simple patterns makes it easier for someone to break into your accounts.
Similarly, using information publicly available about you online is risky, e.g. the names of pets you've posted about on social media.
Reusing passwords
If you use the same password for multiple accounts, an attacker only needs to steal it once to access all your accounts.
For example, if one website you use gets hacked, the attacker can try that password on your other accounts too.
Risky password handling
If you store a password somewhere insecure or enter it into a system in an insecure location where people can see what you’re typing, an attacker can learn your password.
Scams
Attackers often use fake emails or websites that look legitimate to trick you into giving them your password.
For example, you might receive a “phishing” email that looks like it's from Ometria, asking you to log in, but if you enter your password on the fake site, the attacker gets it.
Unauthorised email access
If an attacker can gain access to your email inbox, they can read any information sent to you and also attempt password resets to gain access to your accounts.
Security measures
While there’s no such thing as perfect security, there are plenty of things you can do to reduce your level of risk.
Here are some of the ways you can do so, making the most of Ometria’s security features.
Passwords
See also: Passwords
Ometria requires all passwords to be at least 15 characters long.
The minimum length was increased in 2023, but we didn’t force everyone to change their existing passwords at that time.
- If your password is less than 15 characters long, consider changing it.
- Your Ometria administrators can also reset passwords if you wish to force people to change their passwords.
Ometria checks passwords against public lists of passwords involved in data breaches and rejects those we know have been leaked.
To reduce the chance of one data breach exposing other data, consider setting a unique password for each system or service that you use.
- Consider using an approach like “three random words” to create passwords which are memorable to you and difficult for others to guess.
- Alternatively, a password manager tool can help you to keep track of multiple unique passwords - ask your IT team for advice.
- Use a service like Have I Been Pwned to check whether your email address has appeared in any data breaches and change any passwords which have been leaked.
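As an added example (not Ometria’s own code, which this article does not show), the following Python applies the two rules described above: a 15-character minimum and rejection of passwords found in a leaked-password list. The list here is a small constructed stand-in, and the lookup is laid out like the k-anonymity range query used by the Pwned Passwords service, where only the first five characters of the SHA-1 hash are sent and the full hash never leaves the client.

```python
import hashlib

MIN_LENGTH = 15  # the minimum length the article states

# Constructed stand-in for a public breach list; real lists hold hundreds of millions of entries.
CONSTRUCTED_LEAKED = ["password", "123456", "correcthorsebatterystaple", "Summer2023!Summer2023!"]


def sha1_hex(password):
    """Uppercase hex SHA-1, the digest format the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(leaked):
    """Index leaked hashes by their 5-character prefix, mirroring the 'range' layout
    of a k-anonymity lookup: the client only ever sends a prefix."""
    ranges = {}
    for pw in leaked:
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], set()).add(h[5:])
    return ranges


def lookup_range(prefix, ranges):
    """Simulated server side: returns every suffix for the prefix, never a full hash."""
    return ranges.get(prefix, set())


def is_leaked(password, ranges):
    """Client side: compare the locally kept suffix against the returned range."""
    h = sha1_hex(password)
    return h[5:] in lookup_range(h[:5], ranges)


def check_password(password, ranges):
    """Return (ok, reason) applying the two rules the article describes."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if is_leaked(password, ranges):
        return False, "found in breach list"
    return True, "ok"


if __name__ == "__main__":
    r = build_ranges(CONSTRUCTED_LEAKED)
    for candidate in ["password", "correcthorsebatterystaple", "ample-ginger-lantern-42"]:
        print(candidate, check_password(candidate, r))
```

Note that a long password that appears in a breach list ("correcthorsebatterystaple" here) is still rejected; length alone is not enough.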
Take care to avoid disclosing your password accidentally.
- Avoid writing down your password.
- Be aware of your surroundings when logging in. Although Ometria never displays passwords on the screen, someone could watch you enter your password and learn it that way.
Ometria helps you by using ReCAPTCHA and rate limiting of login attempts to make automated random password guessing more difficult.
However, choosing good passwords and keeping them safe still matters.
Single Sign-On (SSO)
Ometria supports single sign-on as an alternative login method.
Advantages of single sign-on include:
- Faster and more convenient login. If you’re already logged into your SSO identity provider, you don’t need to log in again.
- Fewer passwords to remember across your business.
- Easier off-boarding of leavers, as it can be done centrally in the SSO identity provider.
- Support for additional login security features in your identity provider, such as:
  - Alternative authentication methods, e.g. passkeys.
  - Additional types of multi-factor authentication, e.g. time-based one-time codes and hardware keys.
  - Enforcing custom password policies for length, complexity, change frequency* and reuse.
- Consistency with company-wide rules.
Consider whether SSO would be suitable for your needs and, if so, which identity provider features would be helpful.
If you want to enable SSO, raise a request with the Ometria Support Team.
Make sure to use an identity provider supported by Ometria. Refer to the SSO documentation for more details.
Multi-factor authentication
Consider enabling multi-factor authentication (MFA) as an extra layer of defence, so that knowledge of your password is not the only thing preventing unauthorised access.
If you choose to set up SSO, you might already have MFA enabled through your identity provider.
If SSO is not technically an option for you, enabling MFA for your Ometria accounts is a very quick and effective way of strengthening your account security.
Least privilege access
Make sure that only the right people have access to your systems and data.
Also, grant only the minimum level of access necessary for each person to do their job.
This matters because:
- If an existing employee tries to do something harmful (whether on purpose or by accident), a lower level of permissions helps to limit the impact.
- If an attacker is able to log in as an employee, their actions would be limited.
Consider scheduling a periodic (e.g. quarterly) review of the users who have access to Ometria (and other applications too).
Remove anyone who should no longer have access and consider reducing the permissions granted to users who have more permissions than they need.
Make sure that access is revoked as soon as someone leaves. Don’t forget contractors and consultants too!
Reserve the Admin role for a small set of the most trusted users.
Most users should have the User or CRM role instead.
See also: User permissions
For users with the User role, reconsider their permissions.
All permissions matter, but here are some of the most powerful permissions and their key risks:
- Access settings (can change account-wide settings)
- Anonymise contact (can cause data loss)
- Can delete contacts (can cause data loss)
- Can export data (can exfiltrate data)
- Can publish automation campaigns (can send messages to customers)
- Can schedule broadcast campaigns (can send messages to customers)
- Manage webhook connections (can exfiltrate data)
Signs of attack
It's important to be able to identify unusual and suspicious activity and respond appropriately.
Here are some items to consider; this is not a complete list and should be part of your broader security approach.
Training
Training in cyber security basics is important.
Your company will likely provide training on these topics.
In particular, learn how to recognise scams (such as phishing).
Recognising suspicious messages
Scam messages or calls claiming to be from Ometria likely indicate an attack, and you should consider warning your colleagues if you notice something suspicious.
Ometria will email you from ometria.com email addresses, using technologies such as DKIM to identify our messages as genuine.
If you receive a suspicious message claiming to be from Ometria, please forward it to security@ometria.com.
Audit logs
Check your Ometria audit logs periodically for suspicious activity, especially the authentication events. Some things to watch out for include:
- Multiple failed logins for the same user: People sometimes mistype their password, but repeated failures might indicate an attack.
- Password change events: People sometimes forget their passwords, though this is less likely if using a password manager.
- Failed MFA events: These might indicate that an attacker knows the user’s password but is unable to complete the multi-factor authentication step.
- Logins from a different country than usual: Especially if this happens too fast to be explained by normal travel. Sometimes this can happen if the user is using a VPN and changes to a different server.
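As an added example rather than anything built into Ometria, here is a small Python detector that applies three of the checks above (repeated failed logins, failed MFA, and a country change too fast for travel) to a constructed batch of audit events. The field names, event names and thresholds are assumptions; map them to whatever your own audit log export uses.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Ometria audit data); the field and event names are assumed.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "event": "login_failed", "country": "GB"},
    {"ts": "2024-05-01T08:00:20", "user": "alice", "event": "login_failed", "country": "GB"},
    {"ts": "2024-05-01T08:00:45", "user": "alice", "event": "login_failed", "country": "GB"},
    {"ts": "2024-05-01T08:01:10", "user": "alice", "event": "login_failed", "country": "GB"},
    {"ts": "2024-05-01T08:01:30", "user": "alice", "event": "login_failed", "country": "GB"},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "event": "login_success", "country": "GB"},
    {"ts": "2024-05-01T09:30:00", "user": "bob", "event": "login_success", "country": "US"},
    {"ts": "2024-05-01T10:00:00", "user": "carol", "event": "mfa_failed", "country": "GB"},
    {"ts": "2024-05-02T10:00:00", "user": "dave", "event": "login_success", "country": "GB"},
    {"ts": "2024-05-03T10:00:00", "user": "dave", "event": "login_success", "country": "FR"},
]

FAILED_LOGIN_THRESHOLD = 5                   # this many failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... inside this window looks like guessing, not typos
TRAVEL_WINDOW = timedelta(hours=6)           # a country change faster than this is hard to explain by travel

def ts(event):
    return datetime.fromisoformat(event["ts"])

def find_suspicious(events):
    """Return (user, reason) findings; the reasons mirror the audit-log checks in the article."""
    findings = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort correctly as strings
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        # 1. Burst of failed logins: THRESHOLD failures whose first and last fall inside WINDOW.
        fails = [ts(e) for e in evs if e["event"] == "login_failed"]
        n = FAILED_LOGIN_THRESHOLD
        if any(fails[i + n - 1] - fails[i] <= FAILED_LOGIN_WINDOW for i in range(len(fails) - n + 1)):
            findings.append((user, "failed_login_burst"))
        # 2. Failed MFA: the password may already be known to someone other than the user.
        if any(e["event"] == "mfa_failed" for e in evs):
            findings.append((user, "mfa_failed"))
        # 3. Consecutive successful logins from different countries too close together.
        logins = [e for e in evs if e["event"] == "login_success"]
        if any(a["country"] != b["country"] and ts(b) - ts(a) <= TRAVEL_WINDOW
               for a, b in zip(logins, logins[1:])):
            findings.append((user, "impossible_travel"))
    return findings

if __name__ == "__main__":
    for user, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{user}: {reason}")
```

Dave’s GB-to-FR change a day apart produces no finding, which is the VPN or genuine-travel case the article mentions; each finding is a prompt to contact the user by a trusted method, not proof of compromise.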
It isn’t always clear that you are under attack.
If you aren’t sure whether an audit log event is a concern, consider contacting the user by a trusted method to ask if they are having problems or whether anything has changed.
Compromised access
If you suspect that a user’s Ometria access was compromised:
- Consider resetting the user’s password. It’s only safe to do this if the user’s email inbox is secure against the attacker.
- Consider reducing the user’s access or temporarily removing the user from the account until the incident is under control.
- Review the audit logs showing the actions performed by the user. Some actions which might be a concern include:
  - Creating or deleting users. Attackers often add extra users to maintain system access in case their original user is revoked, or they might try to stop other people accessing the application.
  - Adding or removing permissions.
  - Data exports.
  - Creating, viewing or revoking API keys. Consider any API key created or viewed by the user as compromised: revoke and replace it.
  - Creating, updating or deleting connections. Connections could be used to exfiltrate data.
  - Modifying account settings.
If you need help with a security incident, you can contact the Ometria Support team.