Website and online security – 6 simple steps to secure your business
A huge proportion of business is now done online and the volume of internet traffic rises every year. Unfortunately, the runaway success of online transactions and communities has in turn attracted the attention of increasing numbers of lawbreakers, from amateur hackers through to organised criminals.
Most criminals go for the easy targets and the good news is that there are a few simple steps you can take to protect yourself and your business.
1. Use secure passwords
The number one way that websites are compromised isn’t complicated hacks using advanced technology; it’s simple guesswork! At a very basic level, hackers will try common words or combinations – like abc123, qwerty, password, etc. However, most attackers take a more sophisticated approach and automate the process of attacking your website or systems. A typical attack will use a network of other computers to attack your system, trying to log in multiple times every second and using a different password each time (the passwords that are tried are often based on words from the dictionary – known as a “dictionary attack”).
It’s of vital importance that all your passwords are secure.
Tips for a secure password:
- Make passwords at least 15 characters long.
- Mix uppercase letters with lowercase letters, numbers and symbols.
- Avoid using words that appear in the dictionary (e.g. instead of Apple use App1e, etc.).
- Avoid using anything that is public knowledge (your date or place of birth, your child’s age or name, etc.).
Of course, having to remember a range of passwords that are 16+ random characters long is a feat that would make a good circus act! The easiest way to deal with the problem is to use a password “safe” (see step 5); failing that, at least write them down on paper and store them somewhere safe (at home or in the office in a locked drawer).
Two Factor Authentication (2FA)
2FA is a simple way of making any login more secure by requiring not only a password but also a second piece of information that changes frequently and is known only to the authorised user. 2FA can be implemented using a physical token (a small USB key you insert into the computer when logging in), or a phone app like Google Authenticator that generates unique numbers every 30 seconds.
How we help our clients
Any new sites we create are set up with secure passwords by default; additionally, the CMS we use – WordPress – will automatically generate a secure password for you and warn you when you are using something insecure. We also offer 2FA on all websites and strongly recommend it for e-commerce sites.
2. Keep your software up to date
The second most frequent cause of hacks and unauthorised access to your website is vulnerabilities in outdated software. No software is bug free, but when bugs that compromise security are found, they are usually fixed quickly by the software supplier.
Once a vulnerability becomes known, hackers also start trying to “exploit” it. Prompt application of software updates and security patches reduces the chance that an unauthorised user will gain access to your website. It’s important that you keep up to date with software updates across your business, but it is critical that any internet-facing systems like websites are up to date.
How we help our clients
We have a management tool that allows us to apply updates quickly on a scheduled basis, and we subscribe to an industry security bulletin so we can proactively carry out updates when necessary.
3. Take regular backups
Even with the best precautions, your website and other systems may fall victim to an attack, or to a problem unrelated to security like defective hardware or sudden power loss. It’s really important that you have a backup of all your key systems and data, and also know how to restore it!
How we help our clients
Websites we manage are automatically backed up on a daily basis and the backups are stored away from the main servers.
4. Use SSL on your website and check for SSL when using another website
SSL (Secure Sockets Layer) is a protocol to enable secure connections across the internet. SSL encrypts the transmission of data between the browser and the website so that anyone in between cannot read what is being sent.
To offer SSL on your own website you need to obtain an SSL “certificate” (which used to cost around £50+ but is now available free of charge) and then install the certificate on your website. The use of SSL is especially important when using public WiFi networks, etc., which are easy to eavesdrop on. SSL is essential for any ecommerce site or any site that captures sensitive personal information, but it is now becoming good practice for all websites. In fact, to encourage adoption of SSL, Google may rank a site that uses SSL higher than one that does not.
How we help our clients
To give our clients peace of mind, all websites delivered since early 2017 have been set to use SSL by default. A certificate is provided and all the configuration is carried out by us, included in the cost.
5. Use a password “safe”
Further to point 1, it’s all very well having secure, long passwords, but how do you remember them all? Well, you don’t! The best option is to use a piece of software called a password manager or “safe”. A password manager stores all your passwords in a very secure encrypted form, and requires you to enter a master password in order to access them.
There are a number of paid-for online services like LastPass and 1Password, plus free options for use locally. Internally we prefer “KeePass”, which is free open source software available for most operating systems and mobile phones. If you have multiple devices you can use a service like Dropbox or OneDrive to share the data files and ensure they are in sync.
At the very least, write your passwords down and keep them securely stored in a locked drawer or other secure place. The chances of your passwords being found by a hacker when they are in your home are much, much smaller than the chance of someone guessing your insecure “123Password” password!
6. Be wary of online identities
You could have the most secure password and systems in the world, but if you fall for a “Phishing” scam you are opening the door to hackers and letting them in! Phishing is the process of using deception to obtain passwords, PINs, account numbers, etc.
Owning a company, a website or even a domain makes you more of a target for Phishing attacks, because some information is in the public domain that the attacker can use to seem more credible. Beware of urgent messages telling you to log in to your bank account or website, or to renew your domain, etc. Treat any request sent to you that asks you to log in to another system as potentially suspicious. DO NOT click links in emails unless you were expecting them, and avoid using any of the contact information supplied, as it might also be false.
The best option is to find the official website for your bank / domain registrar / etc. yourself via Google or by using your bookmarks, and log in yourself. Similarly, look up contact phone numbers or email addresses the same way if you want to contact an organisation.