UPDATE — JULY 24, 2018: Today Google began rolling out Chrome 68. Now, Google's browser will display a "Not Secure" warning next to the website in the address bar if the site is not secured with HTTPS.
Do you need to prove your website is a safe place to visit? Yes, you do. Actual threats and customer perception ought to prod you to ensure you have proper cyber security strategies in place. It doesn’t matter how big or small your business is; every website is at risk of attack by hackers looking for data they can sell.
75 percent of Canadians are worried about the threat of cyber attacks.
It’s the same logic business owners use with their cars, homes, brick-and-mortar business locations and anything else of value. They understand the value of locks and security systems to safeguard the things they value.
Beef up your security with these 5 strategies
All cyber security plans include a few key elements.
A web application firewall.
Daily malware scans.
Timely software updates.
A quality web host.
Let’s look quickly at the risks, then delve into the basics of ironclad protection.
The stakes are high
The days of website breaches being handled quietly are long gone. People read news headlines, and headlines are never kind to organizations that betray consumers in any way.
Consider headlines that discuss breaches of private consumer information. Facebook and Cambridge Analytica recently made the wrong type of headlines because of Facebook user data that Cambridge Analytica misused. Facebook’s market capitalization plummeted by billions of dollars. Cambridge Analytica declared bankruptcy.
Market cap losses were never in Facebook’s business plan. They aren’t in your business plan, either.
True, you might not have as much private customer data on your website as Facebook, Home Depot or similar headline-makers. But if your customers trust you with their names, passwords, credit card numbers and so forth, you need to safeguard their data via proactive data loss prevention (DLP) tactics to keep your business out of the headlines.
Understanding website vulnerabilities
First, we need to understand the many ways hackers can damage a website. This includes erasing data, holding it hostage or rendering a site unavailable for any length of time — all of which can trigger customer grumbling. Here are some examples of common attack techniques:
If hackers place malware (malicious software) on your website, it could enable them to erase your data or steal private customer information. They could profit in other ways, which would also cost your business in downtime, loss of reputation or both.
Brute Force attack
Criminals use automated software that works through millions of password combinations until it finds one that works. It tries passwords far faster than humans could. Once a criminal has a valid password and access to your system, he or she can do anything to it that you yourself could.
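The speed that makes this attack work also makes it visible in login logs. The following is an added example, not part of the original post: it scans constructed log lines in an assumed format (timestamp, source IP, username, result) and reports sources that fail faster than a person plausibly would, plus any successful login that follows such a burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data in an assumed format: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2018-07-24T10:00:00 198.51.100.20 alice FAIL
2018-07-24T10:00:20 198.51.100.20 alice FAIL
2018-07-24T10:00:45 198.51.100.20 alice OK
2018-07-24T10:01:00 203.0.113.7 admin FAIL
2018-07-24T10:01:01 203.0.113.7 admin FAIL
2018-07-24T10:01:02 203.0.113.7 admin FAIL
2018-07-24T10:01:03 203.0.113.7 admin FAIL
2018-07-24T10:01:04 203.0.113.7 admin FAIL
2018-07-24T10:01:05 203.0.113.7 admin FAIL
2018-07-24T10:01:06 203.0.113.7 admin OK
"""

def detect_bruteforce(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return (kind, source_ip, username) alerts for automated password guessing."""
    recent = defaultdict(deque)  # source IP -> timestamps of failures inside the window
    flagged = set()              # sources that already produced a burst alert
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        stamp, ip, user, result = line.split()
        ts = datetime.fromisoformat(stamp)
        failures = recent[ip]
        while failures and ts - failures[0] > window:
            failures.popleft()   # forget failures older than the window
        if result == "FAIL":
            failures.append(ts)
            if len(failures) >= max_failures and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, user))
        elif result == "OK" and ip in flagged:
            # A login that follows a burst suggests a guess finally worked.
            alerts.append(("success_after_burst", ip, user))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The customer who mistypes a password twice is not reported; the source that fails five times in five seconds is, and its later successful login is the alert that calls for a password reset.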
Zero Day attack
Hackers are always looking for new security gaps or vulnerabilities in website code; this is how they break in. Given the millions of lines of code behind many sites, it’s a good bet that previously unknown weaknesses will eventually be found. In the interval between discovery and when a security patch arrives, criminals have a window of opportunity to exploit those weaknesses.
Securing your website
Now that you understand just how vulnerable your website is, let’s explore the DLP techniques you can use to safeguard it.
1. A web application firewall
A web application firewall (WAF) inspects every incoming piece of data and turns aside malicious code, while allowing legitimate traffic to pass. By keeping known malware and suspicious communications from reaching your website, it can prevent break-ins and data loss. A WAF can protect against SQL injection, cross-site scripting and DDoS attacks.
2. Daily malware scans
In addition to a firewall that filters traffic to your website, you need to regularly scan your website for malware. A malware scanner checks all data on your site and alerts you if it turns up any viruses or suspicious files. Scanners like GoDaddy’s Website Security automatically remove threats as they are discovered.
Editor’s note: The Express and Deluxe plans of Website Security malware scanner include a WAF to protect your site between daily scans.
3. SSL encryption
An SSL certificate encrypts data transmitted to and from your website. That encryption shields all exchanges with your website — keeping thieves from “eavesdropping” on them and stealing customer data like names, addresses and banking details.
If your website has an SSL certificate, browsers recognize it as a safe site to visit and they’ll indicate that it’s secure. Now the most popular browsers have started to “out” any website not equipped with SSL encryption. Imagine customers seeing this “red-letter” message in their Safari address bar:
Here’s an example of what Firefox displays when an insecure page (one not protected by SSL encryption) asks for a username and password:
Here’s another message from Opera:
Similar messages now appear in Google Chrome and other browsers.
Having messages like these mar your business website could have the same effect as the wrong type of news headline: Potential customers turned away.
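A site owner can look for the condition behind the Firefox warning described above before a visitor sees it. The following is an added example, not part of the original post: given a page's URL and its HTML, it reports password fields served on a page that is not HTTPS, and it goes one step beyond the warning by also reporting forms that submit a password to a plain HTTP address. The URLs and markup used with it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormCollector(HTMLParser):
    """Collect each form's action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: {"action": str, "password": bool}
        self._current = None   # the form currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self._current is not None:
                self._current["password"] = True
            else:
                # Password field outside any <form>: treat it as posting to the page.
                self.forms.append({"action": "", "password": True})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_page(page_url, html):
    """Return (finding, url) pairs for password fields exposed to plain HTTP."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["password"]:
            continue  # search boxes and similar forms are out of scope here
        if urlparse(page_url).scheme != "https":
            findings.append(("password-field-on-http-page", page_url))
        target = urljoin(page_url, form["action"])  # resolve relative actions
        if urlparse(target).scheme != "https":
            findings.append(("password-submitted-over-http", target))
    return findings

if __name__ == "__main__":
    page = '<form action="/session"><input name="u"><input type="password" name="p"></form>'
    print(audit_login_page("http://shop.example/login", page))
```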
4. Timely software updates
All websites depend on software, including the content management system or site builder itself, along with any themes or plug-ins you’ve chosen. A weakness in any of them can be all a hacker needs to break in and do mischief.
Developers regularly update their software to disseminate new features — this is what triggers those update alerts you get. They also issue updates to close any security holes that have come to their attention. Keep your software updated and you make your website harder to hack.
5. A quality web host
Business owners don’t always have the time or the expertise to secure their websites on their own. Their best option might be to work with professionals whose business is website security.
Most malware attacks don’t have people directing them. They are automated.
Bots repeatedly work on websites until they find the weakness they were designed to exploit. When a website host offers security tools and staff as well as hosting, customers get a one-stop shop.
Closing thoughts on cyber security
You might say that your business needs digital assets like a secure website more than it needs business cards. That’s saying something.
Your business also needs customers and you work hard to earn their trust. Don’t let data loss or a warning message from a web browser endanger that trust, or your business.
Secure your website. Update your software promptly, use a web application firewall, scan your site daily for malware and follow the other tips in this post. By leveraging this mix of DLP strategies, you’ll offer your customers (and yourself) peace of mind.