Imagine someone broke into your neighbour’s house. And just a few days after that, the same happened to one of your neighbours across the street.
Would you feel safe and just tell yourself that something like that could never happen to you? Or would you call a security company or install a surveillance system to have peace of mind?
I guess you would do something to make sure your property is secure (at least, I would).
However, what would you do if you found out your website is redirecting your clients to inappropriate web pages? Or worse, private information has been compromised or lost?
Would you go to the same lengths to find out how to protect your website? Well, you should!
What can happen to your business?
Recovery takes a large amount of time and money
Your website hack may be fixable but it will take a considerable amount of your time and your money.
You will have to figure out what to do next and spend more on your website if your hosting provider didn’t back it up and it has to be re-programmed.
You may be sued
If there has been a data breach, legal fees and fines may come into play.
Your company risks getting sued by your clients and fined by regulatory agencies (up to 4% of annual global turnover) if you don’t comply with the latest data protection policies (GDPR).
Your business may never recover from it
Website hacking can have a significant impact on your revenue - studies show that 29% of businesses with a data breach end up losing revenue, with a loss of 20% or more.
To add to that, it will damage the reputation of your brand and make potential clients look elsewhere.
As you can see, website hacking can have serious consequences for any business. And as a business owner, you should be aware of how to protect your website before it’s too late.
How does it happen?
Hackers will look for any weakness on your website, such as weak passwords or out-of-date software.
They observe, take things apart and see how they react. Once a security flaw is found, they can unleash all sorts of attacks, such as using your website to send phishing emails, hijacking sessions or shutting your website down with a DoS attack.
However, there are simple data security practices you can follow to protect your website.
How to protect your website?
No website is hacker-proof, but you can make it more resistant to cyberattacks by following a simple checklist.
1 - Keep your software up-to-date
Out-of-date software is still one of the most common issues in website security.
It is crucial to keep your server operating system and any software running on your website up to date, to patch any security holes.
If you’re using a CMS like Drupal, for example, you should always check for security updates and apply them. The same goes for any plugins.
Most vendors and CMSes notify you if there are system updates available.
If you don’t know how to update the software, ask your hosting company for help or find a developer or agency do it for you.
2 - Use SSL Encryption
SSL encryption ensures the basic level of website security.
It’s an Internet security protocol used by Internet browsers and web servers that allows sensitive information such as credit card numbers and login credentials to be transmitted securely.
You can tell that a website is using SSL when the "http" in the browser's address bar is replaced with "https", and you can see a small padlock next to it.
Since July 2018, Google Chrome has been flagging (and shaming) websites that don’t use https as “not secure” and has included it as a ranking factor.
To ensure SSL encryption, you will need an SSL certificate from a certificate authority (CA). The cost can vary widely - between free and $400 - depending on the level of encryption and features you will need.
Once you get your certificate, it has to be installed on your web server. There are step-by-step instructions available, but if you’re not a techie, an experienced developer or agency can give you a hand.
3 - Back up your data
You should back up all of your website files regularly, especially if you handle other people’s information. In case your website is attacked, you are more likely to recover if your data is safe.
First of all, make sure you choose a secure and reputable web hosting company, to back up your data to a remote server.
Even if your web host provider already performs backups of your data to their own servers, you should still back up your databases and content both offline (for example, on external hard drives) and online, by choosing cloud-based storage services such as Google Drive or Dropbox, or automated backup services.
Set reminders on your calendar if you’re going to back up your data manually.
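As an added example (not part of the original article), here is one way to automate the file backup described above: it archives the website folder, stores a SHA-256 checksum next to the archive so a restore can be verified, and keeps only the newest copies. The folder names, the `site-` file prefix and the default of seven retained archives are assumptions, and a database export would have to be placed in the folder first to be included.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_site(site_dir: Path, backup_dir: Path, keep: int = 7) -> Path:
    """Archive site_dir into backup_dir, record a checksum, prune old archives."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"site-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    # Store the checksum beside the archive so a later restore can be verified.
    Path(f"{archive}.sha256").write_text(sha256_of(archive) + "\n")
    # Timestamped names sort chronologically; delete all but the newest `keep`.
    archives = sorted(backup_dir.glob("site-*.tar.gz"))
    for old in archives[: max(len(archives) - keep, 0)]:
        old.unlink()
        Path(f"{old}.sha256").unlink(missing_ok=True)
    return archive


def verify_backup(archive: Path) -> bool:
    """True if the archive matches its recorded checksum and can be listed."""
    recorded = Path(f"{archive}.sha256").read_text().strip()
    if sha256_of(archive) != recorded:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        return len(tar.getnames()) > 0


if __name__ == "__main__":
    # Constructed sample site in a temporary directory, so the demo runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        site.mkdir()
        (site / "index.html").write_text("<h1>Hello</h1>")
        made = backup_site(site, Path(tmp) / "backups")
        print(made.name, "verified:", verify_backup(made))
```

Run it from a scheduler instead of a calendar reminder, and copy the resulting archive and its `.sha256` file to the offline or cloud location.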
4 - Use secure passwords and change frequently
Naturally, you will have to deal with passwords to access your CMS, databases and other accounts.
Some people simply use passwords they can easily remember. In fact, 123456 remains one of the most commonly used passwords on the Internet. Shocking, I know. And even worse is to use the same password for different accounts.
You’re basically asking to be hacked. Simple passwords are easy for hackers to guess and if you use the same password on several websites, when one of your accounts is compromised, all of your logins will be exposed and vulnerable.
Ensure that your passwords are strong - have a mix of numbers, letters, and special characters. A lot of websites already suggest or require that mix when you’re creating a password for a new account. And change them frequently.
There are many tools you can use to create and manage passwords and to stay on top of it. For example, with LastPass you can create strong passwords and access all of your accounts through a single online vault.
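The checks described in this step, as an added example that is not from the original article: the script generates a random password with the required mix of letters, numbers and special characters, and audits a set of logins for common passwords, a missing mix and reuse across accounts. The short common-password list, the set of special characters and the sample logins are constructed for illustration.

```python
import secrets
import string
from collections import defaultdict

# Constructed short list of very common passwords; a real audit would use a larger one.
COMMON = {"123456", "password", "qwerty", "111111", "letmein"}
SPECIALS = "!@#$%^&*-_=+?"


def has_required_mix(password):
    """True if letters, digits and special characters are all present."""
    return (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def generate_password(length=16):
    """Draw from the OS CSPRNG, retrying until the required mix is present."""
    if length < 3:
        raise ValueError("length must be at least 3 to fit the required mix")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_required_mix(candidate):
            return candidate


def audit(accounts):
    """Map each account name to its list of problems; clean accounts are omitted."""
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    findings = {}
    for account, password in accounts.items():
        problems = []
        if password.lower() in COMMON:
            problems.append("common password")
        if not has_required_mix(password):
            problems.append("missing letters, digits or special characters")
        shared = sorted(a for a in by_password[password] if a != account)
        if shared:
            problems.append("reused on: " + ", ".join(shared))
        if problems:
            findings[account] = problems
    return findings


# Constructed sample logins, not real credentials.
SAMPLE = {"cms": "123456", "database": "Tr1cky!Horse-Lamp", "hosting": "Tr1cky!Horse-Lamp"}
```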
5 - Monitor and scan your website for vulnerabilities
It is important to scan your website regularly to find vulnerabilities or loopholes that hackers might take advantage of.
The best way to check for potential web security threats is to use online web scanners. Besides performing them on-demand, it is important to keep your security scans on a schedule or automate them.
Web application security scanners are proactive tools: they notify you about vulnerabilities, tell you how to fix them to avoid potential attacks, and help you keep track of the security level of your website.
If using a web security scanner is the proactive approach, using a Web Application Firewall (WAF) would be the reactive one.
A WAF can also be used to detect vulnerabilities, but instead of finding threats before they become a problem for your website, it responds to active threats as they happen.
A WAF does not fix and close security loopholes. It only hides them from the hacker by blocking the requests trying to take advantage of them.
If you don’t mind spending a little more, it is always a good practice to install a WAF, but don’t rely on it as a stand-alone security solution.
6 - Educate and be prepared
59% of data breaches happen not because of some mean-spirited hacker who wants to hurt your business but because of your own employees.
Web security has to be a team effort. That’s why it is important to keep your staff informed and to educate them about best practices and web security procedures.
Train them in basic internal web security such as authentication (password managers, two-factor authentication, etc.), network connections, usage of company laptops and mobile phones, backups, software installation, etc.
This checklist can help you prevent a lot of headaches when it comes to your website’s security.
It’s all about acting proactively by taking simple measures to protect your website as best as possible.
Yes, you will have to invest some time and money in web security, but it’s much cheaper than no security at all.