According to the Federation of Small Businesses (FSB), small and medium businesses are now more likely than corporations to be attacked by cyber criminals, because they are seen as easier targets.
Cyber crime can come in many forms, such as hacking, phishing, malware and more. Website security is just one part of protecting yourself – but like your shop, office or home, it can be vulnerable if not properly protected.
As one of our specialities at Pentascape is website security, here are just a few simple tips from our knowledge bank to help protect your business from cyber-attacks through your website.
- Keep up-to-date: Whatever website platform you use, make sure you do the updates. These often include patches for security flaws that have been found or disclosed recently – and it is those flaws that hackers and malicious code take advantage of. Don’t forget that plug-ins need to be updated too, alongside general security updates to your website software such as WordPress.
- Keep a backup of your website: You can never have enough backups – especially if your business relies on the website for its primary source of revenue, such as e-commerce. If your site’s database was destroyed – how would you be able to track the latest orders? On our WordPress hosting platform, we make sure backups are automatically taken of the database every 4 hours as a minimum. Make sure you have regular full backups of your website and its content, and that these are kept somewhere safe.
- HTTPS / SSL certification: An SSL certificate on your website will ensure that the data it sends and receives is transmitted securely. You can see that a website is secured by SSL when the website address contains ‘HTTPS’ instead of ‘HTTP’ and usually your web browser displays a padlock symbol. Without SSL and HTTPS, data on the internet is sent as plain text – this means it is about as secure as sending the information on the back of a postcard. Having this protection in place is especially important if you have a login form or checkout anywhere on your site, because sensitive information is being sent. As the bare minimum you should have a free (non-verified) certificate which simply adds encryption to the data. There are also more advanced domain and extended verification certificates available, for websites that need extra assurances for customers, including extra detail in the web browser to indicate a secure website.
- Secure passwords: Yes, they’re annoying and yes, everyone says this – but there is a reason for it! Assuming there are no other known flaws, the primary security weakness in a system is users and therefore, their passwords. Our quick tips include:
– Don’t use common passwords (such as the word ‘password’) or obvious sequences like ‘abc’ or ‘123’.
– Don’t write your passwords down on a piece of paper you leave on your desk.
– Do make them difficult for people to guess.
– Do remember that long passwords are more secure than short passwords – so, ‘RasberryJupiterHotdogVideo’ as a password is more secure than ‘8fG9%5h’ (not to mention easier to remember!). You might be interested in this article on the worst passwords of all time (warning: contains many profanities!).
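The password tips above can be turned into a simple policy check. The following Python is an added example, not code from the article or from Pentascape; the common-password list, the sequence table and the length/strength thresholds are assumptions constructed for illustration, and the strength estimate (length × log2 of the character set in use) is the arithmetic behind the ‘long beats complex’ claim: the ‘RasberryJupiterHotdogVideo’ passphrase scores about 148 bits against roughly 46 for ‘8fG9%5h’.

```python
import math
import string

# Constructed stand-in for a real "most common passwords" list (real lists run to
# millions of entries); these are a few well-known examples.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Obvious sequences named in the tips ('abc', '123') plus a keyboard row; each is
# also matched reversed.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop")

# Thresholds are assumptions for this example, not a policy taken from the article.
MIN_LENGTH = 12
MIN_BITS = 60.0


def contains_sequence(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` or more consecutive characters of any sequence."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def estimate_bits(pw: str) -> float:
    """Crude strength estimate: length * log2(size of the character set in use)."""
    # This is the arithmetic behind 'long beats complex': every extra character
    # multiplies the search space, while an extra symbol class only widens it a bit.
    alphabet = 0
    for chars, size in ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                        (string.digits, 10), (string.punctuation, 32)):
        if any(c in chars for c in pw):
            alphabet += size
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str) -> list[str]:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if contains_sequence(pw):
        problems.append("contains an obvious sequence")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if estimate_bits(pw) < MIN_BITS:
        problems.append(f"estimated strength below {MIN_BITS:.0f} bits")
    return problems
```

Run `check_password(candidate)` on a proposed password; the article’s passphrase passes every rule, while ‘8fG9%5h’ is rejected for length and estimated strength despite its mix of symbols.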
- Limit access to CMS: You wouldn’t give someone you don’t know access to your locked filing cabinets – the same policy applies here. Only people who need access to do their job should have access to your website admin area. This includes upper management and directors – if they don’t need access, they don’t get it. Remember the point under ‘Secure passwords’ that the “primary security weakness is users and therefore, their passwords” – so the fewer users, the more secure your site.
- Have an internal security policy and an incident process: Think about what you and your business would do if the worst happened to your website. A security policy and incident process should be tailored to your business needs but should cover things such as password policies, business continuity plans and contact details for key personnel responsible for the upkeep of critical systems. Identify the steps to take in case of a breach, who has responsibility for each step and what they should do. Practise your plans and ensure everyone involved knows what to do.
- Industry-specific compliance: Certain industries require compliance certification to be completed for you to be within the law. Examples of this are PCI compliance for e-commerce sites, or FCA compliance for lending/finance companies. If your site was found to be non-compliant with any of these you could face fines or legal action. If such compliance is required in your industry, check what you need to do on your website to remain compliant, and ensure your website meets the criteria. Compliance often covers how and what information is displayed, and security around how data is sent and stored.
- Hire web specialists to keep an eye on your site: If you don’t have an in-house specialist in your company, hire a professional to keep an eye on your website to keep it running smoothly and securely. A good professional will give honest advice, regardless of their potential stake in any work that needs doing. Ideally they should have experience in the type of system you’re maintaining – it’s no good hiring a car mechanic to fix your washing machine. So make sure you choose a professional who specialises in website development on your platform, and related online security – this is not the same as IT hardware support and security.