Let’s say you’ve installed a new security system in your home. You’ve got an alarm, secure windows, and a shiny new lock on the front door. Would you then give your spare keys to an untrustworthy neighbour? Or leave them on a park bench? Perhaps you live in a safe neighbourhood. Unless, of course, that neighbourhood is the internet.
Cyberattacks on businesses can lead to the loss of customer trust, if not financial setbacks that are difficult to recover from. If you are working with WordPress or Shopify and a website developer such as Infotex, they will prioritise the security infrastructure of your site – the home security system, we might say. This includes ensuring that the underlying code is written with security in mind (for example, not allowing malicious scripts to run or files to be uploaded) and configuring the server to protect the site (often utilising services such as Cloudflare to filter traffic). These important steps should never be overlooked, but the health of your business online relies on you also doing what you can to keep your website secure, as most attacks come through social engineering weak points, not server breaches. You can help protect your website by keeping hold of your keys: maintaining secure passwords, browsers, and data systems.
E-commerce websites are particularly vulnerable to cyberattacks because the customer data and passwords that they carry are considered of great value to attackers. Nearly half of all cyberattacks are committed against small businesses, according to Cybercrime Magazine, so if you are the owner or admin of a website, have a read here about what simple steps you can take to keep your information safe.
How might I be hacked?
Easily avoided breach methods include:
Phishing. According to the 2020 Data Breach Investigations Report (Verizon), 22% of breaches involved phishing. Phishing is one of the biggest social engineering threats and refers to fraudulent methods used by attackers – typically via email, text, or phone – to trick people into providing sensitive information like passwords, usernames, credit card numbers, and social security numbers.
Malware and ransomware. If it infects your device or network, malware or ransomware has the potential to lock you out of your important data and systems. Preventative measures for this include regular backups of your site data, and avoiding suspicious links or the installation of unknown software. The 2019 DBIR reports that 94% of malware was delivered by email.
What can you do to protect your website?
Look after your Passwords
- We are told over and over to keep our passwords safe. While we are looking forward to a world of ‘passwordless’ security systems – a method advocated by many large organisations such as BT and Microsoft – for now, we’ve nonetheless got to stick to that important message – keep your CMS/Admin passwords secret and safe!
- Don’t save your password in the browser. Consider a password manager instead, one that uses a strong master password and second-factor steps (such as your phone) to verify your authenticity. To help further eliminate vulnerability at login, consider a plugin like Google Authenticator for two-factor authentication.
- Enable biometric security (fingerprint readers, face-recognition) on machines that you use to access your site’s CMS/Admin.
- Think twice before installing browser extensions as they often have extensive access to your browser.
- Disable auto-fill options in your browser (this will also prevent the browser asking to store sensitive details such as your address and passwords).
- Keep your device up to date – this means running a current, supported operating system that receives regular updates (e.g. Windows monthly updates). Regularly check that your browser is up to date (for example, on Chrome, look under ‘help > about’ to check for version updates), and update installed virus checkers.
When you’re Out and About
- Consider a separate laptop/device when travelling. This limits the risk that a lost device hands access to your site to whoever finds it.
- Don’t use your site’s CMS/Admin on a public computer or one you don’t know, such as at a library, where others could have infected that computer with malware or a virus, or be looking over your shoulder.
- Avoid using public WiFi networks – these may be insecure, and put you at risk of ‘man in the middle’ attacks, snooping, and direct network access by hackers on the same network.
For your Information
- Avoid sharing CMS/Admin accounts: create separate accounts for new users where possible, even if they only need access for a limited time.
- Periodically review the CMS/Admin accounts on your site: check if those accounts are still appropriate, promptly disable ex-employee accounts, and check permissions.
- Be careful when copying and pasting content from the internet. Where possible, use options which allow pasting the text only. It’s possible to copy hidden content which can assist hackers in compromising a site.
- Consider encrypting your file systems (see ‘A Small Business Guide to Computer Encryption’).
- If WordPress is your chosen platform, make sure you have the right additional plugins to add security to your site. Be careful, though, of adding too many plugins, as this can leave gaps for hackers, rather than lock your site against them. If you are interested in reviewing your WordPress site to see if it is running effectively, contact us for a digital health check on 01394 615 615.
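The account checks in the list above (no shared accounts, disabling ex-employee accounts, reviewing permissions) can be run as a routine audit. The script below is an added example, not code from the original article or from Infotex. It assumes a user export shaped like WP-CLI's `wp user list --format=csv` output; the sample users, the staff roster and the list of generic logins are constructed for illustration.

```python
import csv
import io

# Constructed sample shaped like `wp user list --format=csv` output (not real data).
USERS_CSV = """user_login,user_email,roles,user_registered
jsmith,j.smith@example.com,administrator,2019-03-01 09:00:00
admin,office@example.com,administrator,2017-06-12 14:30:00
mlee,m.lee@example.com,administrator,2021-01-20 11:15:00
tbrown,t.brown@example.com,editor,2020-08-05 16:45:00
"""

# Constructed roster: current staff and the highest role each should hold.
APPROVED = {
    "j.smith@example.com": "administrator",
    "m.lee@example.com": "editor",
}

# WordPress built-in roles, lowest to highest privilege.
ROLE_RANK = ["subscriber", "contributor", "author", "editor", "administrator"]

# Assumed list of logins that usually indicate a shared account.
GENERIC_LOGINS = {"admin", "administrator", "office", "info", "shared", "test"}


def rank(role):
    """Unknown or custom roles rank highest so they always get reviewed."""
    return ROLE_RANK.index(role) if role in ROLE_RANK else len(ROLE_RANK)


def audit(users_csv, approved):
    """Return {login: [findings]} for every account that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(users_csv)):
        login, email = row["user_login"], row["user_email"].strip().lower()
        issues = []
        if login.lower() in GENERIC_LOGINS:
            issues.append("generic login, likely shared")
        if email not in approved:
            issues.append("not on current staff roster, disable")
        else:
            # A user can hold several comma-separated roles; judge by the highest.
            held = max((r.strip() for r in row["roles"].split(",")), key=rank)
            if rank(held) > rank(approved[email]):
                issues.append(f"role {held} exceeds approved {approved[email]}")
        if issues:
            findings[login] = issues
    return findings
```

Calling `audit(USERS_CSV, APPROVED)` returns only the accounts that need action, so an empty result means the export matches the roster.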
As Bruce Schneier wrote at the turn of the century, ‘Security is a process, not a product’. If you can stay active and understand the risks then you’ll be in a much better position to drive your business forward online.