Business Website Shouldn't be Taken Lightly - Keep it Safe and Secure
Bethany is a recent economics graduate with a passion for writing about business and technology.
Every business website contains sensitive data mainly in the form of customer information, and every business owner has a legal obligation to protect that data by preventing security breaches. If you think your business website is simply not worth the hacking effort, you should know that data theft is not the only thing on hackers’ minds. There are many hackers out there driven by the sheer aspect of destruction, as well as those who would simply use your server to mine for Bitcoins or as an email relay for spam.
The damage caused by online threats and hacks can never be completely undone, but there are ways of protecting yourself that will show cyber-criminals that your website is not easy pickings.
Keep it Updated & Patched
The internet is constantly evolving, which means that gaps in security are a regular occurrence. This is why software updates and patches are the first line of defense. Most hacking is done through automated scripts crawling the internet in search of software security weaknesses that can be easily exploited. While targeted, handpicked attacks usually bring the bigger prize, automated ones offer greater opportunities for hackers due to their ease of access and wider reach. This means that most websites are compromised because of insecure, outdated software.
You can never know whether a given update contains a vulnerability patch or a security enhancement, so it’s important to install all updates immediately as they come out. Hackers can scan thousands of sites per hour, so by delaying an update you risk their bots finding a vulnerability before you have had a chance to patch it.
The admin level of your business website is like a funnel to all the information you want to keep hidden from hackers. This is why you’ll want to prevent search engines from indexing your admin pages, which will make them much harder for hackers to find. To accomplish this, you simply need to use the robots.txt file.
The next step is access control concerning your employees. If they’re plugging some devices into the network, each one needs to be scanned for malware every time it’s attached. Logins should be set to expire even after a short time of inactivity, and the number of login attempts should be limited within a certain time, even in case of password resets. Keep in mind that email accounts can also be hacked, so login details should never be sent that way.
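The two login rules in the paragraph above (expiring idle sessions and capping attempts within a time window, including for password resets) as an added example that is not part of the original article. The class names, the limits (five failures per fifteen minutes, ten minutes of idle time) and the in-memory storage are assumptions chosen for the demonstration; a real deployment would keep this state in a shared store.

```python
"""Added example (not from the article): a sliding-window login throttle and an
inactivity-based session expiry, as in-memory reference logic.

Names (LoginThrottle, SessionStore, attempt_login) and the limits below are
assumptions chosen for the demonstration, not values the article specifies.
"""
import secrets
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Limit failed attempts per account (or per reset token) within a time window."""

    def __init__(self, max_attempts=5, window_seconds=900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        # key -> timestamps of recent failures, oldest first
        self._failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()  # failures older than the window no longer count
        return q

    def is_locked(self, key, now=None):
        now = time.time() if now is None else now
        return len(self._prune(key, now)) >= self.max_attempts

    def record_failure(self, key, now=None):
        now = time.time() if now is None else now
        self._prune(key, now).append(now)

    def record_success(self, key):
        self._failures.pop(key, None)


class SessionStore:
    """Sessions expire after `idle_seconds` without activity, however recently they were created."""

    def __init__(self, idle_seconds=600):
        self.idle = idle_seconds
        self._sessions = {}  # token -> (user, last_seen)

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = (user, now)
        return token

    def touch(self, token, now=None):
        """Return the user for a live session and refresh its idle timer; None if expired/unknown."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.idle:
            del self._sessions[token]  # expired: the user must log in again
            return None
        self._sessions[token] = (user, now)
        return user


def attempt_login(throttle, sessions, user, password_ok, now):
    """Apply the throttle before the credential check; the same gate applies to reset flows."""
    if throttle.is_locked(user, now):
        return None  # locked out: the password is not even evaluated
    if not password_ok:
        throttle.record_failure(user, now)
        return None
    throttle.record_success(user)
    return sessions.create(user, now)
```

Note that `attempt_login` refuses a correct password while the lockout is active; otherwise an attacker who has already burned the attempt budget could still confirm a guess.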
Take Passwords Seriously
Although it seems obvious, this issue deserves a special mention within access control. People are usually aware of the basics: that passwords should never be written down and should be changed frequently. But the fact is that 80% of hacks happen due to weak passwords, and more than half of internet users still use one password for multiple, if not all, logins. Hackers can run 420 billion simple password combinations per minute with only a $300 graphics card, meaning that having eight-character lowercase passwords is practically the same as having none at all.
Not only does each account need to have a unique password, but also a truly strong one. Simple insertion of special characters is not enough – you need to aim for ‘gibberish’. The reason is that the words which could be found in dictionaries or are frequently used online are an easy target. Password-cracking programs need only minutes to guess millions of passwords composed of such words. That’s why your phrasing needs to be random. In other words, if you can easily pronounce your passwords, they’re not strong enough.
Password managers can be really helpful and are available for both online and offline use. Using these tools, all your passwords will be stored in an encrypted format and you’ll be able to generate random passwords with one click of a button. You can boost encryption even further by 'salting' the passwords.
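An added example, not part of the original article, that covers the two password points above: it sizes a password's search space against the 420-billion-guesses-per-minute rate the article quotes (the eight-character lowercase case comes out at under a minute), rejects dictionary words with trivial decoration, and shows where 'salting' actually lives, namely in how a server stores passwords (a random salt per user plus a slow hash), which is separate from the encryption of a password manager's vault. The word list, the function names and the acceptance threshold are constructed assumptions.

```python
"""Added example (not from the article): estimate brute-force time at the
article's quoted rate, reject dictionary-based passwords, and store passwords
server-side with a per-user random salt and a slow hash.

The small word list, the thresholds and the function names are constructed
for this demonstration; only the guess rate is taken from the article.
"""
import hashlib
import hmac
import secrets
import string

GUESSES_PER_MINUTE = 420_000_000_000  # rate quoted in the article for a single GPU

# Constructed stand-in for a cracking dictionary; real lists hold millions of entries.
COMMON_WORDS = {"password", "welcome", "business", "summer", "letmein", "qwerty"}


def keyspace(password):
    """Size of the search space implied by the character classes the password actually uses."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return alphabet ** len(password)


def minutes_to_exhaust(password, rate=GUESSES_PER_MINUTE):
    """Minutes to try every candidate of this shape at the quoted rate."""
    return keyspace(password) / rate


def has_dictionary_core(password, words=COMMON_WORDS):
    """True if, stripped of digits and symbols, the password is just a listed word."""
    core = "".join(c for c in password.lower() if c.isalpha())
    return core in words


def is_acceptable(password, min_minutes=60 * 24 * 365):
    """Reject dictionary-based choices and anything exhaustible within a year at the quoted rate."""
    return not has_dictionary_core(password) and minutes_to_exhaust(password) >= min_minutes


# --- server-side storage: never the password itself, only a salted slow hash ---

def hash_password(password, salt=None, iterations=600_000):
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)
```

The iteration count is deliberately high so that each guess costs the attacker real time; it is a parameter only so that tests can run quickly.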
Keep in mind that all this won’t mean a thing if you enable auto-fill for forms. This will make your business website vulnerable the moment someone’s phone or computer gets stolen.
Now that you’ve established access control, it’s time to establish traffic control. This is where a web application firewall (WAF) comes in. WAFs can be hardware- or software-based, but today the most popular ones are cloud-based varieties, due to their modest subscription fee and plug-and-play service. Once you install it, the WAF becomes a gateway for all incoming traffic, sitting between the data connection and your server and reading every bit of data passing through. It will not only block hacking attempts but also filter out all kinds of unwanted traffic such as malicious bots and spammers.
In addition to protecting your website from corrupted data, you also need to protect the privacy of personal information of your users and clients. This information can be read in transit between your database and website, so you need to use the encrypted SSL protocol which will prevent all unauthorized access.
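An added example, not from the article, of the client side of the encrypted connection described above, between the web application and its database or another backend. TLS is the current version of what the article calls SSL. The function names and the policy values are assumptions; the point is that the context verifies the peer's certificate and hostname and refuses legacy protocol versions, and that a check exists to catch a context someone has weakened to "make it work".

```python
"""Added example (not from the article): a client-side TLS context for the
application-to-backend connection, plus a policy check that detects a
weakened context. Function names and policy values are assumptions.
"""
import ssl


def make_backend_tls_context(ca_file=None):
    """Verify the server certificate and hostname; refuse SSLv3/TLS 1.0/TLS 1.1."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True               # certificate must match the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED     # unauthenticated peers are rejected
    return ctx


def weakened_context():
    """The anti-pattern: verification switched off. Shown only so the check below has something to catch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_meets_policy(ctx):
    """Return True only if the peer is authenticated and modern protocol versions are enforced."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )
```

Run `context_meets_policy` at application start-up and refuse to connect if it fails; a configuration that silently falls back to an unverified connection protects nothing.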
Try to Avoid File Uploads
This is probably the most neglected line of defense since file uploads can contain malicious scripts that can get through even the most thorough system checks. If that script gets executed on your server, your website will open up completely to hackers. Every upload is a great risk, even a simple change of avatar.
In case the nature of your business requires you to have a file upload form, you need to treat each upload with suspicion. Rename each file on upload to make sure it has the right extension. It would be best to store all the files outside the root directory using a script to access them and prevent direct access. This way users won’t be able to execute the files they’ve uploaded.
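The upload handling the paragraph above recommends, as an added example that is not part of the original article: an allow-list of extensions, a check that the file's first bytes match the type its name claims, a server-chosen random name that replaces the client's, storage outside the web root, and a single read path that refuses anything escaping the store directory. The directory, the allow-list, the class name and the sample bytes are constructed assumptions.

```python
"""Added example (not from the article): validate an upload by extension and
content, store it under a random name outside the web root, and serve it
only through a script. Paths, the allow-list and the names are assumptions.
"""
import os
import secrets

# Only the types the business actually needs, each with the leading bytes that identify it.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "pdf": b"%PDF-"}


def classify(filename, data):
    """Return the canonical extension if name and content agree and are allowed, else None."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    magic = ALLOWED.get(ext)
    if magic is None or not data.startswith(magic):
        return None  # unknown type, or a script/HTML file wearing an image name
    return ext


class UploadStore:
    """Files live outside the document root, so the web server never executes or serves them directly."""

    def __init__(self, directory):
        self.directory = os.path.realpath(directory)
        os.makedirs(self.directory, exist_ok=True)

    def save(self, original_name, data):
        ext = classify(original_name, data)
        if ext is None:
            raise ValueError("upload rejected")
        # The client-supplied name is discarded entirely; the server picks the name.
        stored = f"{secrets.token_hex(16)}.{ext}"
        with open(os.path.join(self.directory, stored), "wb") as fh:
            fh.write(data)
        return stored

    def open(self, stored_name):
        """The only read path: refuses names that resolve outside the store directory."""
        path = os.path.realpath(os.path.join(self.directory, stored_name))
        if os.path.dirname(path) != self.directory:
            raise PermissionError("path escapes upload store")
        with open(path, "rb") as fh:
            return fh.read()
```

Because the stored name is random and the directory is not under the document root, a user cannot request the file by guessing its URL, and the web server has no mapping under which it would execute the content even if the magic-byte check were fooled.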
If possible, the ideal solution is not to run your database on your web server at all, but on a separate one. That prevents direct access to the database server from the outside world, so the risk of your data being exposed becomes minimal.
The Internet is an ever-evolving landscape, so website security is equally complex and prone to changes. The steps above represent the framework for crucial security principles but are not solutions you can simply set and forget. The point is to combine them to create a systematic approach and treat them as a continuous process of constant risk assessment.