7 Step Guide to a Secure Website
It seems that hardly a day goes by without news of another hack, defacement, DDoS attack or data leak at a big brand name. Hacking, for criminal and other malicious purposes, is rife on the net these days, and if you don’t secure your site and protect your customers, you are unlikely to be in a position to build either trust or a strong brand.
Hackers vary in capability and in their reasons for attacking sites. Not all of them are malicious: many ethical hackers look for vulnerabilities in websites and networks so that security practices can be improved. Others have very few skills at all and simply buy a kit on the black market that lets them break into a site or an individual’s computer.
Security itself is an ongoing battle, and one the good guys often just aren’t winning. A 2014 report from the security vendor McAfee and the Center for Strategic and International Studies (CSIS) states:
“Cybercrime is a growth industry. The returns are great, and the risks are low. We estimate that the likely annual cost to the global economy from cybercrime is more than $400 billion. A conservative estimate would be $375 billion in losses, while the maximum could be as much as $575 billion.”
Governments certainly aren’t doing enough to collect information on, and educate people about, the cost of cybercrime, and many end users don’t do enough to protect themselves because they simply don’t understand the risks. As a result, many personal and even business computers are left wide open to attack, without the basic protections that would stop most of it.
With this in mind, let’s have a look at what you can do to secure your ecommerce site and ensure that your business and customer details remain safe.
1. Educate Staff
I’m putting this first because it always seems to be a huge afterthought for businesses of all sizes. Any security professional will tell you that the weakest link in an organization is the human element. Social engineering remains one of the premier ways cybercriminals gain access to accounts: it tricks users into taking an action the attacker wants, such as clicking a malicious link, opening an attachment or handing over a password. These tactics are commonly used on social media and in phishing attacks.
One trend that has been noted is for a cybercriminal to pick an employee of the company they want to attack and gather as much information as they can about that person from social media accounts such as Facebook, Twitter and LinkedIn. That information is then used to craft a targeted phishing mail that appears to come from somebody the employee knows in a business capacity. This is known as spear phishing, and it can be very difficult to tell such a mail from a genuine one unless you know what to look for. A Google study of manual account hijacking found that the most convincing phishing pages fooled about 45% of the people who visited them – a very worrying statistic.
With this in mind, train staff to:
- Know the dangers – an employee who understands what a hack or data breach would cost the company will be more careful.
- Never click through on links in email unless they already know the sender is sending one, and if in any doubt, confirm with the sender through a separate channel such as a phone call rather than by replying to the mail.
- Be careful of attachments – even an innocuous-looking Word document can carry malware, and attachments like these are routinely used in phishing mails now.
- Resist clicking through on links on social media – especially if the link promises something that seems too good to be true or uses a ‘clickbait’ headline.
- Use strong passwords – length and uniqueness to each account matter more than a particular mix of upper and lower case, numbers and special characters, so generate and store them with a password manager such as LastPass rather than reusing one password across services, and turn on two-factor authentication wherever it is offered.
You should also ensure that your IT support team carries out vulnerability scanning and patching on local systems, keeps antivirus signatures up to date, changes default router passwords and runs a firewall.
2. Use Alerting Software
To protect against intrusions and DDoS (Distributed Denial of Service) attacks, you should install file and server monitoring software so that unusual activity is picked up as soon as it occurs. DDoS attacks have become incredibly powerful, and unless you have a large, distributed network they are very difficult to guard against on your own. This is largely because of botnets and reflection techniques: an attacker with only a modest connection can direct thousands of compromised machines at you, or bounce small requests off misconfigured servers that answer with much larger responses, so the traffic that reaches you bears no relation to the attacker’s own bandwidth.
A file/server monitoring program can’t stop this, but it can pick an attack up in its early stages and so limit the damage: a sudden jump in request rate or server load is the cue to engage your host’s or a CDN’s DDoS mitigation, and an unexpected change to a file in your web root is often the first sign that a site has been compromised.
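To show concretely what the file-monitoring half of this means, here is an added example written for this edit (it is not software from the article or from any vendor it mentions): it records a SHA-256 baseline of a web root and, on a later scan, reports every file that was added, removed or changed. The web-root contents and the simulated tampering are constructed for the demonstration; the standard library is all it needs.

```python
"""Minimal file-integrity monitor: baseline a directory tree, then diff a
later scan against that baseline and report what changed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of one file, read in chunks so large files don't fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its hash.
    Symlinks are skipped so a link pointing outside the tree isn't followed."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans; any non-empty list is something to alert on."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.php").write_text("<?php echo 'shop'; ?>")
        (root / "css" / "site.css").write_text("body { margin: 0 }")
        (root / "robots.txt").write_text("User-agent: *\n")
        baseline = build_baseline(root)
        # In real use the baseline is saved (json.dumps) somewhere the web
        # server's account can't write, and a cron job re-scans and compares.

        # Changes an intruder might make: edit a page, drop a new script, delete a file.
        (root / "index.php").write_text("<?php echo 'shop'; /* injected */ ?>")
        (root / "uploads.php").write_text("<?php /* unexpected new file */ ?>")
        (root / "robots.txt").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points matter in practice: keep the baseline (and this script) where a compromised web server account cannot rewrite them, otherwise an intruder simply re-baselines after tampering; and exclude or treat separately directories that change legitimately, such as upload folders and caches, so alerts stay meaningful. Note that this covers the file side only; spotting a DDoS early is a matter of watching request rates and load, which is a different monitor.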
3. Implement SSL
SSL (Secure Sockets Layer), and its successor TLS (Transport Layer Security), which is what every current browser actually negotiates, encrypt the connection between a visitor’s browser and your server so that data in transit can’t be read or altered by anyone on the network in between. SSL dates from 1994 and the SSL protocol versions themselves are long deprecated, so what you deploy today is TLS, although the certificate you buy is still commonly called an ‘SSL certificate’. If you take credit or debit card details on your own pages, you must serve them over HTTPS (the PCI DSS requires it). Hosted payment gateways and shopping carts take the card data off your server, but that does not make HTTPS optional: if you collect any personal data, or have a login at all, get a certificate and serve the whole site over HTTPS, not just the checkout, otherwise session cookies and form data travel in the clear.
For example, if you keep a database of usernames, passwords and email addresses, then you really should have HTTPS to stop those details being captured in transit, and you should store the passwords themselves only as salted hashes, never in plain text, so that a leak of the database doesn’t hand the passwords straight to the attacker. Many people use the same login details on different sites (not recommended), so a hacker who gets hold of them can potentially access far more than the account on your site.
You can obtain a certificate through your web host or directly from a certificate authority; Let’s Encrypt issues them free and automates renewal. Whichever you use, redirect all HTTP requests to HTTPS and keep the certificate renewed, because an expired certificate produces the same browser warning as a forged one.
4. Choose a Secure Ecommerce Platform
There are a huge number of ecommerce platforms to choose from, so it can be difficult to know which is best. Do your research and check what other people are saying. If you run on WordPress, make sure your web developer has applied all the plugins and security measures needed to prevent hacks, and that someone is responsible for keeping them updated afterwards.
As of February 2014, 74.6 million sites globally used WordPress, so it is attacked constantly simply because of its popularity. Don’t keep the default ‘admin’ username; keep WordPress core, themes and plugins updated, since a large share of WordPress compromises come in through outdated plugins; remove plugins you don’t use; and install a reputable security plugin that adds login rate-limiting and file-change alerts.
5. Use a Dedicated Server
When looking at hosting, go for a dedicated server or a virtual private server for the best security. Shared hosting is commonly used for sites that don’t get a huge amount of traffic and works, as the name suggests, by sharing one server between many websites. That is very difficult to isolate completely: a vulnerability in a neighbour’s site, or a misconfiguration on the host’s side, can expose yours, so avoid it, especially if you take debit or credit cards.
A virtual private server (VPS) still shares a physical machine in the data center with other customers, but uses virtualization software to give each customer its own isolated virtual machine, with its own operating system and its own allocation of CPU, memory and disk, rather than sharing one operating system with everyone else’s site.
VPSs and dedicated servers are the most secure options and also the most expensive. Don’t try to cut corners with the cheapest hosting you can find (or worse, free hosting); you will regret it if anything goes wrong. Choose a host with a good reputation that offers excellent uptime and outstanding support, and ask how quickly they apply security patches to the machines your site runs on.
6. Encourage Strong Passwords in Users
Your login area should be built so that it forces users to sign up with a strong password, and the registration instructions should say so clearly. You’re not really in a position to tell customers to use a password manager, but you can prompt them into creating strong passwords and explain why. Longer passwords are harder to break than shorter ones, so ask for a minimum number of characters (at least eight, and more is better) on registration, and reject passwords that appear on lists of commonly breached ones. Forcing customers to change passwords on a schedule is no longer recommended (NIST SP 800-63B advises against it), because it tends to produce weaker, predictable variations; prompt a change instead when you have reason to believe an account or your database has been compromised.
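The registration check this implies, together with the password storage it relies on, as an added example (not code from the article): it enforces the minimum length the article asks for, rejects passwords from a constructed list of commonly breached ones and passwords that contain the username, and stores only a salted PBKDF2 hash so that a database leak doesn’t hand attackers the passwords themselves. The breached-password list, the iteration count and the stored-hash format are assumptions made for the demo.

```python
"""Password acceptance check plus salted PBKDF2 storage and verification."""
import hashlib
import hmac
import os

MIN_LENGTH = 8               # the article's floor; 12 or more is a better default today
MAX_LENGTH = 128             # upper bound so hashing can't be abused with huge inputs
PBKDF2_ITERATIONS = 600_000  # assumed value; tune so a hash takes ~0.3 s on your server

# Constructed sample only. In production, check against a real breach corpus
# (for example the Have I Been Pwned range API) rather than a hand-written set.
COMMON_PASSWORDS = {"password", "passw0rd", "123456", "12345678",
                    "qwerty123", "letmein1", "welcome1"}


def check_password(password: str, username: str = "") -> list:
    """Return the reasons a candidate password is unacceptable (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"must be at most {MAX_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is on a list of commonly breached passwords")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("uses too few distinct characters")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the returned string is what goes in the database.
    Format (assumed for this demo): algorithm$iterations$salt_hex$key_hex."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    for candidate in ("passw0rd", "12345678", "alice2024xyz", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, username="alice") or "accepted")
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
```

Storing the iteration count alongside the hash is what lets you raise it later without breaking existing logins: verify with the old count, then re-hash with the new one on the next successful login. If your platform offers bcrypt, scrypt or Argon2, any of them is an equally good choice; the point is a slow, salted, per-user hash rather than a bare MD5 or SHA-1.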
7. Back Up!
It’s surprising how many businesses still don’t back up their systems and data effectively, even now that the cloud makes it a doddle. If nothing else will convince you of the value of backing up, perhaps this will: one widely quoted figure is that 60% of small businesses that suffer a data breach fail within six months.
Yet 75% believe they’re safe because they’re too small for hackers to bother with. Not so: small businesses are seen as the weakest link and are much easier to attack than big brands’ networks, so they are attacked more often, and much of the attacking is automated and doesn’t care who you are. The average cost of a breach is around $214 per compromised customer record – don’t let your business become another statistic.
Ensure that your site and all customer and business data are backed up both on site and to a remote location such as the cloud. Don’t rely on free consumer tools for this: Dropbox is great for storing files, but you need a business account, with access controls and version history, if it’s going to be safe. Encrypt backups before they leave your premises, keep at least one copy that can’t be altered or deleted from the server being backed up (an intruder, or ransomware, that can reach the backups will destroy them too), and test a restore periodically, because an untested backup is only a hope. Ask your web host if they have a disaster recovery plan and create one of your own; you’ll then be in a much better position to get back to business in the event of data loss.
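An added example (not from the article) of the step most backup routines skip: restoring the archive somewhere harmless and checking it against the live data, so you learn that a backup is bad before you need it rather than after. The web-root files are constructed for the demonstration; `tarfile` and `filecmp` are Python standard library.

```python
"""Back up a directory tree and verify the backup by restoring and comparing."""
import filecmp
import os
import tarfile
import tempfile
from pathlib import Path


def create_backup(source: Path, dest_dir: Path) -> Path:
    """Archive the whole source tree into dest_dir and return the archive path."""
    archive = dest_dir / f"{source.name}-backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    return archive


def verify_backup(archive: Path, source: Path) -> list:
    """Restore the archive into a scratch directory and compare every file in
    source byte-for-byte against the restored copy. Returns the relative paths
    that are missing or differ; an empty list means the restore was verified."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter refuses absolute paths, "../" traversal and
                # device files, so a tampered archive can't write outside scratch.
                tar.extractall(scratch, filter="data")
            except TypeError:  # Python without the filter argument (pre-3.12, unless backported)
                tar.extractall(scratch)
        restored_root = Path(scratch) / source.name
        for dirpath, _dirs, files in os.walk(source):
            for name in files:
                original = Path(dirpath) / name
                rel = original.relative_to(source)
                restored = restored_root / rel
                if not restored.is_file() or not filecmp.cmp(original, restored, shallow=False):
                    problems.append(rel.as_posix())
    return sorted(problems)


def demo() -> tuple:
    """Constructed scenario: back up a tiny web root and verify it, then change
    the source afterwards so the same check reports the backup as stale."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "images").mkdir(parents=True)
        (site / "index.html").write_text("<h1>Shop</h1>")
        (site / "images" / "logo.svg").write_text("<svg/>")
        backups = Path(tmp) / "backups"
        backups.mkdir()
        archive = create_backup(site, backups)
        fresh = verify_backup(archive, site)                  # expect: nothing wrong
        (site / "index.html").write_text("<h1>Shop v2</h1>")  # edited after the backup ran
        stale = verify_backup(archive, site)                  # expect: index.html flagged
        return fresh, stale


if __name__ == "__main__":
    fresh, stale = demo()
    print("right after backup:", fresh or "verified")
    print("after a later edit:", stale or "verified")
```

Run the verification straight after each backup (so the live data hasn’t moved on), and copy the archive off the server and encrypt it before relying on it; the comparison here proves the archive is intact, but only an off-host, immutable copy protects it from whatever compromised the server in the first place.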
The best way to protect yourself and your business is to learn the risks and take steps to prevent your business becoming a victim. Ask the advice of your IT support professional and take it. Make sure your site is secure from all angles – your local network, your web host, your employees and, as far as you can, your customers – and you will be as well protected as you possibly can be in the current climate.
Userlike is live chat software for websites, allowing companies to chat with their (potential) customers directly over the website. Look here for more information.