If you keep cash in your facility, do you lock it away? Or just leave it out in the open in the hopes that people will be honest?
Obviously, as a responsible businessperson, you make sure that the company’s assets are safe. And that same principle should be applied to your business website.
Cybersecurity is something that every small business owner needs to be aware of, especially if you have an application that touches the web, like WordPress, Magento, custom software or homegrown CRMs. There are a lot of security threats out there. Relying on a good-quality hosted website provider to help to mitigate your risks by keeping another set of eyes on your security can help. But it’s still important to know your risks.
Understanding the basic principles of web security can help you develop the best practices to make sure that you, your customers, and clients have a safe, reliable web experience.
Website Security Is A Process
First things first: we need to recognize that web security is a process. It’s tempting to view security as a one-and-done type of project. Do the right things at the outset and walk away confident in a job well done.
Unfortunately, cybersecurity isn’t as simple as locking your valuable data in a safe. Attackers are always changing tactics and learning new vulnerabilities in existing systems. They are also building databases full of stolen usernames and passwords, and automated tools to try them.
So remember: all of these principles and practices should be continually assessed and re-evaluated to make sure that everything is up to current standards.
Areas Of Vulnerability
The second concept to understand when dealing with web security is where your system is open to attack.
In general, it’s helpful to think of three levels of vulnerability in any system:
- The “equipment” level of your security. This level is concerned with issues like the security of your hosting servers or the core applications powering your website or business.
- The process level deals with how secure the connections are between elements of the system. How data gets accessed, by whom, what application programming interfaces (APIs) are in use, etc.
- The people level, perhaps the most common level of vulnerability: who is using the system, and are they using safe practices when doing so?
Some Best Practices for Website Security
By understanding the areas in which attackers can gain access to a system, we can focus on the best practices to employ to make each level safer.
Securing Your Technology
Keep Software Updated
Keeping your software updated is a crucial step in ensuring that the technology you use is safe. The longer you let your software go between updates, the more time attackers have to find vulnerabilities in the applications. This can have devastating effects, as WordPress discovered last year when tens of thousands of their websites were compromised. And WordPress powers 27% of the top 10 million websites in the world!
So when it comes to any type of software or program you use for your site, whether it’s a CMS, browser, router or virus protection software, keep it fresh. Regular updates mean greater safety.
Verify Themes And Plugins
As we discussed in our post on 10 common security threats, if a component of your site is at risk, your whole system is at risk. So when looking for themes and plugins for your site, make sure that what you have is reliable. Most WordPress vulnerabilities stem from themes and plugins!
When it comes to choosing themes and plugins, most people gravitate toward free, open-source options. After all, it’s hard to beat free. But the reality is that oftentimes free options aren’t maintained well, which can lead to huge vulnerabilities to your system. A compromised system has a much higher price tag than a verified plugin or theme.
That doesn’t mean free options are always compromised, or that paid options are always safe. But when choosing, make sure to check when the theme was last updated. If it hasn’t been updated in a long time, consider it a red flag.
Be sure that you pick plugins and themes that are compatible with your version of software. And know how much they can access! Always limit the access of themes and plugins to secure your data. If unsure about a plugin or theme, read reviews from developers.
Don’t Try And Set Up Your Own Server
Unless you have experience, trying to set up your own server can lead to a host of problems.
Setting up your own server is time consuming, and not necessarily cost-effective, which is why many companies rely on shared hosting, where multiple websites are run from a single server. Think of it as your website having roommates.
The problem with shared hosting? If one of your roommates lets in a burglar, it puts the whole house at risk. If one site on the server becomes compromised, your site is too.
If you do use shared hosting, make sure that you use a reliable service. They should be adept at watching for common security risks and know how to safeguard your site from them. Also, make sure that they have the right permission scheme on your server… if their answer is ‘777’ (every user on the server can read, write and execute your files), you’d better watch out!
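Because the ‘777’ warning above is easy to check for yourself, here is an added example (not code from the original post or from any hosting provider) that scans a web root for world-writable files and directories and resets them to the conventional 755/644 scheme. The folder names, the placeholder config file and the 755/644 defaults are assumptions of this example; upload folders on some hosts need a different, still non-777, mode.

```python
import os
import stat
import tempfile


def find_world_writable(root):
    """Return every file or directory under root that any account can modify.

    A world-writable path (the 'o+w' bit, which chmod 777 sets) inside a web
    root lets any other user on a shared host alter it, whoever owns it.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            if mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def tighten_permissions(root, dir_mode=0o755, file_mode=0o644):
    """Apply the usual web-root scheme: directories 755, files 644.

    Returns how many paths were changed. The modes are this example's
    assumption, not a rule from the post.
    """
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        wanted_modes = [(d, dir_mode) for d in dirnames] + [(f, file_mode) for f in filenames]
        for name, wanted in wanted_modes:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if stat.S_IMODE(os.lstat(path).st_mode) != wanted:
                os.chmod(path, wanted)
                changed += 1
    return changed


def demo():
    """Build a throwaway web root with one 777 file, scan it, fix it, rescan."""
    root = tempfile.mkdtemp(prefix="webroot-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for d in (os.path.dirname(uploads), uploads):
        os.chmod(d, 0o755)  # pin the directories so umask does not affect the result
    config = os.path.join(root, "wp-config.php")
    with open(config, "w") as fh:
        fh.write("<?php // constructed placeholder, not a real config\n")
    os.chmod(config, 0o777)  # the mistake the text warns about
    before = find_world_writable(root)
    fixed = tighten_permissions(root)
    after = find_world_writable(root)
    return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = demo()
    print("world-writable before:", before)
    print("paths changed:", fixed)
    print("world-writable after:", after)
```

Run it against your real document root instead of the temporary one to get the list of paths a host should never have left world-writable; anything that turns up is a question to put to the provider.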
Be Aware Of Security Trends
Make sure you are staying up to date with the latest upgrades in security. Keep an eye on web security news and know the current trends.
If you stay updated on how your site stacks up with the industry as a whole, you can know where you’re vulnerable.
Perhaps the best way to stay updated? Work with a company who is watching this with you and can keep you abreast of what’s happening and what updates you should consider. If you are updating and upgrading automatically, it helps keep your system safe.
Implementing Secure Processes:
Least Privilege Principle:
When it comes to security issues of process, we’re talking about connections: who has access to what.
The Least Privilege Principle is about only giving people (and programs) access to the resources they need for legitimate purposes… and nothing else.
This counters the risk of broken access control, and doesn’t allow for unauthorized access. Removing the access of a terminated employee, or a sunset contractor, is essential to keeping your system processes secure. The more loose ends are left open, the more vulnerabilities there are in your system.
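The least-privilege and offboarding points above translate directly into a periodic access review. The following is an added example, not code from the original post: it compares the account list a CMS reports against an HR roster and flags accounts to remove (no matching person, or an engagement that has ended) and accounts to downgrade (a role above what the job needs). The account data, the roster and the role ranking are constructed; the role names are WordPress’s built-in ones.

```python
from datetime import date

# Constructed sample data: what the CMS reports, and what HR says.
CMS_ACCOUNTS = [
    {"user": "alice", "role": "administrator"},
    {"user": "bob", "role": "editor"},
    {"user": "carol", "role": "administrator"},
    {"user": "dave", "role": "author"},
    {"user": "erin", "role": "administrator"},
]
HR_ROSTER = {
    # role_needed: the most privileged CMS role the job actually requires
    # end: contract or employment end date, None while still active
    "alice": {"role_needed": "administrator", "end": None},
    "bob": {"role_needed": "editor", "end": None},
    "carol": {"role_needed": "editor", "end": None},  # admin rights beyond her job
    "dave": {"role_needed": "author", "end": date(2017, 3, 31)},  # sunset contractor
    # erin is absent from the roster: terminated, but the account was never removed
}
# WordPress's built-in roles, ordered from least to most privileged.
ROLE_RANK = {"subscriber": 0, "author": 1, "editor": 2, "administrator": 3}


def review_access(accounts, roster, today):
    """Return (user, action, reason) findings for accounts that violate least privilege."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "remove", "no matching person on the roster"))
            continue
        if person["end"] is not None and person["end"] <= today:
            findings.append((user, "remove", "engagement ended %s" % person["end"]))
            continue
        if ROLE_RANK[acct["role"]] > ROLE_RANK[person["role_needed"]]:
            findings.append((user, "downgrade to %s" % person["role_needed"],
                             "role exceeds what the job needs"))
    return findings


if __name__ == "__main__":
    for user, action, reason in review_access(CMS_ACCOUNTS, HR_ROSTER, date(2018, 1, 1)):
        print("%-6s %-24s %s" % (user, action, reason))
```

The same comparison works for hosting-panel logins, database users and API keys; the point is that the roster, not the account list, is the source of truth for who should have access.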
If it can be avoided, do not host multiple applications on the same server.
As with shared hosting, applications on the same server open each other up to the same vulnerability to attack. If you need multiple applications, make sure they are on their own servers, with their own accounts.
Back It Up:
Keeping regular, reliable backups of your information can be a last line of defense in case your system does happen to get compromised. So do not go skimpy on the backups. Be sure to back up all the crucial elements of your system. Don’t forget about the database.
Make sure you have a plan for how to recover your website from your backups in case it’s ever compromised. If working with a website provider, make sure that they have such a plan in place.
Make sure that your host enables logging. Being able to log errors and isolate elements of website behavior is crucial in spotting threats to a system before it’s too late.
Hand in hand, make sure that you are monitoring the logs consistently in order to spot any irregularities. Or make sure you’re working with someone who will.
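To make “monitoring the logs for irregularities” concrete, here is an added example (not code from the original post) that reads web server access-log lines and flags two patterns worth a closer look: a burst of login form submissions from one address, and one address collecting many 404s in a row. The log lines are constructed in Apache combined format with documentation IP ranges, not real traffic, and the thresholds are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx combined format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not real traffic): one normal visitor, one address
# hammering the login form, one address probing for paths that do not exist.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2017:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2017:09:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.13"
198.51.100.7 - - [10/Mar/2017:09:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.13"
198.51.100.7 - - [10/Mar/2017:09:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.13"
198.51.100.7 - - [10/Mar/2017:09:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.13"
198.51.100.7 - - [10/Mar/2017:09:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.13"
198.51.100.7 - - [10/Mar/2017:09:01:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.13"
192.0.2.44 - - [10/Mar/2017:09:02:00 +0000] "GET /old-site/ HTTP/1.1" 404 210 "-" "curl/7.52"
192.0.2.44 - - [10/Mar/2017:09:02:01 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "curl/7.52"
192.0.2.44 - - [10/Mar/2017:09:02:02 +0000] "GET /staging/ HTTP/1.1" 404 210 "-" "curl/7.52"
192.0.2.44 - - [10/Mar/2017:09:02:03 +0000] "GET /dev/ HTTP/1.1" 404 210 "-" "curl/7.52"
192.0.2.44 - - [10/Mar/2017:09:02:04 +0000] "GET /tmp/ HTTP/1.1" 404 210 "-" "curl/7.52"
203.0.113.5 - - [10/Mar/2017:09:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the numeric timezone offset; the sample is all in one zone.
    rec["ts"] = datetime.strptime(rec["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec


def find_login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Map ip -> largest number of login POSTs seen inside any single window."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            attempts[rec["ip"]].append(rec["ts"])
    bursts = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts


def find_404_scanners(lines, threshold=5):
    """Map ip -> number of 404s, for addresses at or above the threshold."""
    misses = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]] += 1
    return {ip: n for ip, n in misses.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("login bursts:", find_login_bursts(lines))
    print("404 scanners:", find_404_scanners(lines))
```

Point the two functions at your real access log (one line per entry) instead of the sample; a single login submission from a staff member is normal, a run of them from one address inside a minute is the irregularity the text is asking you to watch for.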
Training Your Staff To Be Secure
How many people have one simple password that they use for everything?
Like it or not, those people compromise your systems in a major way.
Be sure to require strong passwords that aren’t easily broken by automated tools, using caps, numerals, and random characters. Also, make sure that passwords are changed or rotated on a regular basis. The longer you go without changing passwords, the more at risk your data becomes.
As usernames and passwords become easier and easier for attackers to mine with automated tools, two-factor authentication (2FA) software is a reliable way to add a layer of security to individual logins.
2FA software provides an extra step in the login process in which the individual requesting access to the system has to provide another piece of information to receive that access. This could be a physical piece of hardware, or the answer to a security question that only that person would know.
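The password rules and the 2FA step above can both be enforced in code. This added example (not code from the original post) covers both: a policy check for the length, capitals, numerals and symbols the text asks for, a rotation-age check, and the server side of a one-time code check. The post does not name a 2FA mechanism, so the code assumes the common time-based one-time password (TOTP, RFC 6238) generated by authenticator apps and hardware tokens; the deny-list of common passwords, the 12-character minimum and the 90-day rotation age are this example’s assumptions.

```python
import hashlib
import hmac
import struct
from datetime import date

# Constructed short deny-list; a real deployment would use a full breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_password(candidate, min_len=12):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not any(c.isupper() for c in candidate):
        problems.append("no capital letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeral")
    if not any(not c.isalnum() for c in candidate):
        problems.append("no symbol")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def password_expired(last_changed, today, max_age_days=90):
    """Rotation check: True once the password is older than the allowed age."""
    return (today - last_changed).days > max_age_days


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password over an 8-byte big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 time-based code: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time, step=30, window=1):
    """Server-side check of a submitted 2FA code, tolerating one step of clock drift either way."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + drift), submitted)
               for drift in range(-window, window + 1))


if __name__ == "__main__":
    print(check_password("password"))
    print(check_password("Tr0ub4dor&3xample!"))
    print(password_expired(date(2017, 1, 1), date(2017, 6, 1)))
    # Shared secret from the RFC 6238 test vectors, used only to demonstrate the code path.
    secret = b"12345678901234567890"
    print(totp(secret, 59), verify_totp(secret, totp(secret, 59), 59))
```

The secret in the demo is the published RFC 6238 test-vector key, so the 8-digit code at time 59 comes out as 94287082 as the RFC lists; a real deployment generates a random secret per user, stores it server-side, and uses `hmac.compare_digest` as above so code comparison does not leak timing.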
Keep Individual Software Updated:
Yes, it’s important to update your system’s software consistently. But as we’ve mentioned, a security system is only as good as its weakest link.
Are your people updating their software regularly? Or using old, compromised browsers? Make sure that everyone who has access to your sensitive data has updated, secure software to access it with.
Have A Security Policy:
You’d have a security policy for moving sensitive documents in your office. Make sure you have it for your website.
Work with someone who is a specialist in web security and develop a protocol for regular updates, access procedures, and keeping all technology updated. And enforce it! Make sure that there is a valid security checklist and you are holding your people accountable to it.
Is your website as secure as it can be? Sign up for a free site audit. We can work with you to find new opportunities to make your site safer, better optimized, and more effective at driving traffic to your business.