Every business website handles sensitive data, including customer information, and the business owner has a legal obligation to protect that data by preventing security breaches. If you think your business website is simply not worth the hacking effort, think again. Data theft is not the only thing on attackers' minds. Many attacks are automated and indiscriminate, and a compromised server is valuable in itself: it can host phishing pages or malware, send spam, or join a botnet.
The damage caused by online threats and hacks can never be completely undone. A cyberattack can cost your business thousands or even hundreds of thousands of dollars to rectify. Maintaining your website's security shows cybercriminals that your website is not an easy target.
Keep it Updated and Patched
New vulnerabilities in web software are discovered constantly, so software updates and patches are your first line of defense. Most hacking is done by automated scripts that crawl the internet looking for known software weaknesses that can be exploited with no human effort. Targeted, hand-picked attacks bring in bigger prizes, but automated ones give attackers more opportunities because of their ease and reach. The result is that most successful attacks on small business sites exploit outdated software with a publicly known flaw.
Release notes do not always say whether an update fixes a security flaw, so install updates as soon as they come out rather than waiting to see whether they matter. Once a fix is public, attackers can compare the old and new versions to work out what was wrong and build an exploit, and bots can scan thousands of sites per hour for it. Every day a patch sits uninstalled is a day in which a bot may find and exploit the hole.
Access Control
The admin area of your business website is where the important information is managed, and it is the first place an attacker will look. Keep admin pages out of search results by disallowing them in your robots.txt file, but understand what that does and does not do: robots.txt is a publicly readable file, attackers read it precisely because it lists the paths you want hidden, and well-behaved crawlers are the only thing it stops. Real protection for admin pages comes from authentication, ideally with a second factor, and from restricting access to known IP addresses where your staff work from fixed locations.
The next step is to set boundaries regarding your employees' permissions: give each account only the rights its job needs. If employees plug personal devices into the network, each one needs to be scanned for malware every time it's attached. Logins should expire after short periods of inactivity, and the number of login attempts from one account or address should be limited within a given time window; apply the same limit to the password-reset form, which attackers otherwise use to bypass the login limit. Don't send credentials via email.
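The two controls above (an idle-session timeout and an attempt limit shared by the login and password-reset forms) can be implemented in a few dozen lines. The following is an added example written for this article, not code from the original page or from any product it mentions. It uses no web framework so it runs stand-alone; the limits (5 failures per 15 minutes, 10-minute idle timeout), the key names and the `verify` callback are illustrative assumptions, not figures the article gives.

```python
import secrets
import time
from collections import defaultdict, deque

# Illustrative policy values (assumptions for this example, not figures from the article).
MAX_FAILURES = 5            # failed attempts tolerated ...
FAILURE_WINDOW = 15 * 60    # ... within a 15-minute sliding window, per key
IDLE_TIMEOUT = 10 * 60      # seconds without activity before a session expires


class AttemptLimiter:
    """Sliding-window counter of failed attempts.

    Keys are arbitrary strings, so one instance limits logins per account
    ('login:alice') and per client address ('login:203.0.113.7'), and applies
    the same rule to password resets ('reset:alice'). Throttling the reset
    form too closes the usual gap where login is limited but reset is not.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=FAILURE_WINDOW, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                 # injectable so tests can control time
        self._failures = defaultdict(deque)

    def _recent(self, key):
        """Timestamps of failures for `key` that still fall inside the window."""
        now = self.clock()
        stamps = self._failures[key]
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()               # forget failures older than the window
        return stamps

    def blocked(self, key):
        return len(self._recent(key)) >= self.max_failures

    def record_failure(self, key):
        self._recent(key).append(self.clock())

    def clear(self, key):
        self._failures.pop(key, None)


class SessionStore:
    """Server-side sessions that expire after `idle_timeout` seconds of inactivity."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}                # token -> (username, last_seen)

    def create(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not guessable
        self._sessions[token] = (username, self.clock())
        return token

    def user_for(self, token):
        """Username for a live session (refreshing its idle timer), else None.
        An expired session is deleted the moment it is noticed."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        now = self.clock()
        if now - last_seen > self.idle_timeout:
            del self._sessions[token]
            return None
        self._sessions[token] = (username, now)
        return username


def attempt_login(limiter, sessions, username, client_ip, verify):
    """Handle one login attempt.

    `verify` is a zero-argument callable doing the real credential check
    (against a salted, slow password hash). It is only invoked when neither
    the account nor the client address is blocked, so a blocked client cannot
    even learn whether a guess was right.
    Returns ('ok', session_token), ('denied', None) or ('blocked', None).
    """
    account_key, ip_key = f"login:{username}", f"login:{client_ip}"
    if limiter.blocked(account_key) or limiter.blocked(ip_key):
        return "blocked", None
    if not verify():
        limiter.record_failure(account_key)
        limiter.record_failure(ip_key)
        return "denied", None
    limiter.clear(account_key)             # the per-IP count is deliberately kept
    return "ok", sessions.create(username)
```

Note the trade-off in the per-account key: it stops a slow guessing attack on one user, but it also lets anyone who knows a username lock that user out by sending five bad passwords. Sites that care about this keep the hard block on the client address and use a CAPTCHA or a growing delay per account instead.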
Take Passwords Seriously
People are usually aware of the basics: passwords should never be written down where others can find them and should be changed immediately whenever a compromise is suspected. Yet a large share of breaches still involve weak or reused passwords, and more than half of internet users still use one password for multiple, if not all, logins. Against a fast hash such as MD5, a $300 graphics card can test hundreds of billions of candidate passwords per minute, which means an eight-character lowercase password is practically the same as having none at all.
You need to use strong passwords, and strength comes from length and randomness, not from sprinkling in a few special characters. Cracking tools start with dictionaries of common words, leaked passwords and the usual substitutions, and get through millions of them in minutes. Anything a person would naturally choose is on those lists. That is why you need passwords generated at random, or passphrases made of several randomly chosen words. A random passphrase is easy to pronounce and remember and still far stronger than a short jumble of symbols, because each extra word multiplies the number of possibilities.
Password managers can be really helpful and are available for both online and offline use. They store your passwords in an encrypted vault and generate random passwords with the click of a button. Salting is a separate matter that belongs on the server side: if your site stores user passwords, never store them in plain text; hash each one with a unique random salt using a deliberately slow algorithm such as bcrypt, scrypt or Argon2, so that a stolen database cannot be cracked with precomputed tables.
Keep in mind that all this won't mean a thing if you let browsers auto-fill your admin credentials. The moment an unlocked phone or laptop is stolen, whoever has it can log in to your business website without knowing a single password.
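To make the two halves of the password advice concrete, the following added example (written for this article, not code from the original page) generates random passwords and passphrases with the operating system's cryptographic random source, shows the entropy arithmetic behind "eight lowercase characters is as good as none", and stores and checks a password with a per-password salt and a slow hash. It uses PBKDF2-HMAC-SHA256 from the Python standard library because that runs everywhere; bcrypt, scrypt or Argon2 are preferable where available. The 32-word list, the iteration count and the alphabet are assumptions made for the example.

```python
import hashlib
import hmac
import math
import os
import secrets

# Constructed 32-word list so the entropy arithmetic is easy to follow. A real
# generator draws from a few thousand words, e.g. the EFF long list (7776 words).
WORDS = (
    "anchor basket candle dragon eagle forest garden harbor island jungle "
    "kettle lantern marble needle orange pepper quartz ribbon saddle timber "
    "umbrella velvet walnut yellow zipper bridge copper falcon hammer meadow "
    "pillow rocket"
).split()
assert len(WORDS) == 32

PBKDF2_ITERATIONS = 600_000   # OWASP's current recommendation for PBKDF2-HMAC-SHA256
PASSWORD_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_"


def entropy_bits(pool_size, length):
    """Bits of entropy in `length` independent uniform picks from `pool_size` choices.
    entropy_bits(26, 8) is about 37.6 (8 lowercase letters);
    entropy_bits(7776, 6) is about 77.5 (6 words from the EFF list)."""
    return length * math.log2(pool_size)


def random_passphrase(n_words=6, wordlist=WORDS):
    """Passphrase of `n_words` words drawn with the OS CSPRNG (secrets), never random.random."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def random_password(length=16, alphabet=PASSWORD_ALPHABET):
    """Random password; 16 characters from this 75-symbol alphabet is about 100 bits."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, slow hash for storing a user's password.

    A fresh 16-byte salt per password means two users with the same password
    get different hashes, and precomputed (rainbow) tables are useless. The
    iteration count is stored with the hash so it can be raised later without
    breaking existing records.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and compare in constant time.
    Any malformed or foreign record simply fails verification."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)
```

`hmac.compare_digest` rather than `==` matters: a plain comparison stops at the first differing byte, and the timing difference can leak how much of a hash an attacker has matched.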
Traffic Control
Now that you've established access control, it's time to control traffic. This is where a web application firewall (WAF) comes in. WAFs can be hardware, software or cloud based. Cloud-based services are popular because of their modest subscription fees and simple setup: you point your domain's DNS at the provider, which proxies all traffic to your server. Once in place, the WAF sits between the internet and your server and inspects every HTTP request before it reaches your application. It blocks requests that match known attack patterns such as SQL injection and cross-site scripting, and filters out unwanted traffic including malicious bots and spammers. Treat it as a safety net rather than a substitute for fixing vulnerable code: WAF rules can be bypassed, and if your server is still reachable directly, bypassing the WAF is as simple as connecting to its IP address, so firewall off everything but the WAF.
In addition to filtering hostile requests, you also need to protect the personal information of your users and clients while it is in transit. Data travelling between a visitor's browser and your server can be read or altered by anyone on the path unless it is encrypted, so serve the entire site over HTTPS (TLS, the successor to SSL), redirect plain HTTP to it, and encrypt the connection between the web server and the database as well if they run on different machines. Encryption in transit stops eavesdropping and tampering on the wire; it does nothing about flaws in the application itself.
Try to Avoid File Uploads
This is probably the most neglected line of defense for small business owners. An uploaded file can contain a malicious script, and an extension check or antivirus scan on its own will not reliably catch it. If that script gets executed on your server, the attacker has code execution on your server and can read, change or delete anything the website can. Every upload is a risk, even a simple change of avatar.
If your business requires a file upload form, treat each upload with suspicion. Never use the client's file name: decide the file type from the file's actual contents, not its claimed extension, and rename the file on upload to a name you generate with the extension you determined. Store all uploaded files outside the web root, so the web server never serves or executes them directly, and deliver them through a script that checks who is asking and sends the bytes with a fixed content type. This way users cannot execute the files they have uploaded.
If possible, don't run your database on the same machine as your web server. Put it on a separate host reachable only from the web server over a private network, and never expose the database port to the internet. This prevents direct access to the database server by outsiders, lessening the risk of data exposure.
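The upload procedure above, worked through as an added example (written for this article, not code from the original page): the file type is decided from the leading bytes, the client's name is used only to check that its extension agrees with the content, the stored name is random, the store refuses to live under the web root, and the only way to read a file back is a handler that accepts nothing but a name the store itself produced. The allowed-type table, the 5 MiB limit and the `web_root` check are assumptions made for the example.

```python
import re
import secrets
from pathlib import Path

# Allowed types, keyed by the extension we will store under:
# (magic bytes the file must start with, MIME type to serve it as, extensions a client may claim)
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png", {"png"}),
    "jpg": (b"\xff\xd8\xff", "image/jpeg", {"jpg", "jpeg"}),
    "pdf": (b"%PDF-", "application/pdf", {"pdf"}),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024                                # assumption: 5 MiB cap
STORED_NAME = re.compile(r"^[A-Za-z0-9_-]{43}\.(png|jpg|pdf)$")  # token_urlsafe(32) is 43 chars


class UploadRejected(ValueError):
    """Raised for anything we refuse to store or serve."""


def sniff_type(data):
    """Identify the file by its leading bytes, ignoring whatever the client claimed."""
    for ext, (magic, mime, _aliases) in ALLOWED_TYPES.items():
        if data.startswith(magic):
            return ext, mime
    return None


def store_upload(data, client_name, upload_dir, web_root=None):
    """Validate and store one upload. Returns (stored_name, mime).

    The client-supplied name is used for exactly one thing: its final
    extension must agree with what the bytes actually are. It never becomes
    part of the stored path, so 'shell.php.jpg', '../x' and NUL-byte tricks
    have nothing to act on.
    """
    upload_dir = Path(upload_dir)
    if web_root is not None and upload_dir.resolve().is_relative_to(Path(web_root).resolve()):
        raise UploadRejected("upload directory must not be under the web root")
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or too large")
    sniffed = sniff_type(data)
    if sniffed is None:
        raise UploadRejected("content is not an allowed file type")
    ext, mime = sniffed
    base = Path(client_name).name                        # drop any directory part
    claimed = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if claimed not in ALLOWED_TYPES[ext][2]:
        raise UploadRejected(f"claimed extension '{claimed}' does not match content ({ext})")
    stored_name = f"{secrets.token_urlsafe(32)}.{ext}"   # unguessable, contains no user input
    upload_dir.mkdir(parents=True, exist_ok=True)
    with open(upload_dir / stored_name, "xb") as fh:     # 'x': never overwrite an existing file
        fh.write(data)
    return stored_name, mime


def serve_upload(upload_dir, stored_name):
    """The 'script that prevents direct access'.

    This is the only path to a stored file. It accepts nothing but a name
    store_upload produced (so no traversal, no foreign extensions) and hands
    the bytes back with headers that stop the browser from executing or
    re-interpreting them. Returns (headers, body); a real handler would also
    check that the requesting user is allowed to see this file.
    """
    if not STORED_NAME.fullmatch(stored_name):
        raise UploadRejected("not a stored upload name")
    ext = stored_name.rsplit(".", 1)[1]
    mime = ALLOWED_TYPES[ext][1]
    path = Path(upload_dir) / stored_name
    try:
        body = path.read_bytes()
    except FileNotFoundError:
        raise UploadRejected("no such upload") from None
    headers = {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",             # don't let the browser guess
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Length": str(len(body)),
    }
    return headers, body
```

The magic-byte check is a plausibility test, not proof that a file is harmless: a file can be a valid JPEG and a valid PHP script at the same time. What actually keeps such a file from running is that it is never written anywhere the web server executes from and is only ever read back as bytes with a fixed content type.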
The Internet is an ever-evolving landscape and website security is equally complex and prone to changes. The steps above represent the framework for crucial security principles but are not solutions that you can simply set and forget. The point is to combine them for a systematic approach and to treat them as a continuous process of constant risk assessment.
"The opinions expressed by BizWitty Contributors are their own, not those of BizCover and should not be relied upon in place of appropriate professional advice. Please read our full disclaimer."