2014 was the year of the hack. More DDoS attacks, data breaches and hacking incidents than the online world had ever seen before.
Add to these the nude celebrity photos scandal and an international cyber sabotage episode involving a major Hollywood film studio, and you’ll soon realise why hacking received a lot of media attention last year.
In fact, according to a report released in December by the Identity Theft Resource Center (ITRC), 2014 saw 783 security breaches in the U.S. alone, which exposed over 85 million records.
And that’s just the breaches that were tracked! Who knows how many other security problems went unreported or, more worryingly, undetected?
That’s why as a website/business owner, you would be wise to expect much of the same this year and online security should be at the very forefront of your mind.
So if you’ve just bought a new website; are in the process of building one; or have an existing site that is already turning you a profit, you need to make sure it’s secure.
But before we give you a checklist covering the very minimum you need to be doing to safeguard your online assets, let’s take a look at how your new security investment will be beneficial to your bottom line.
Businesses Thrive on Their Reputations
How do you think your customers and potential customers will react to the news that your website is insecure and could potentially suffer security breaches at any time? Chances are they’ll act with their feet and seek an alternative company to do business with.
A sterling reputation for security and protecting customer information is something that businesses should be proud of. Furthermore, a secure website will ensure that the inevitable trust that you’ve built up between your business and your customer base will remain intact.
Don’t get me wrong. There are always going to be security vulnerabilities online. But if you’re seen as a business that takes action and fixes issues quickly, it will stand you in good stead going forward.
Some firms commit commercial suicide by not addressing security issues right away. A decision that ultimately comes back to bite them at a later date.
Security Flaws Could Cost You More Than Just Customers
If losing the trust of your customers isn’t bad enough, how about a big fine to go with it? Because that’s just what your business could get if it fails to secure its website.
In the UK, the Information Commissioner’s Office (ICO) is the independent regulatory body which oversees business adherence to the Data Protection Act 1998 (DPA).
Failure to rectify a security issue after being notified could contravene the Seventh Principle of the DPA:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
So follow our advice and don’t risk ruining your reputation or exposing yourself to regulatory action this year – or any year for that matter.
Secure passwords are now fundamental
Banish Weak Passwords
Secure passwords are a pivotal part of any website security strategy, yet it’s amazing how many companies don’t choose to enforce them.
Your average Internet user is notoriously lazy when it comes to passwords and often uses the same one across multiple websites.
As a website owner, it’s up to you to break that bad habit and force their hand to come up with more secure login credentials.
Passwords should contain numbers, symbols, uppercase letters and have a minimum required length. Your website visitors may not like the change at first, but you can quite easily explain that you’ve introduced more secure passwords solely for their own benefit.
Two-step authentication provides an extra layer of security
Consider Two-Step Authentication
In addition to secure passwords, why not consider two-step authentication. It’s not as scary as it sounds and will provide an extra layer of security for customers logging into your website.
It works by sending a verification code (usually to a mobile device) whenever an individual is attempting to sign in from an unfamiliar location. Unless the code is correctly input, the sign in attempt is rejected.
This type of two-step authentication has been adopted by many businesses and so your customers won’t be too baffled by its introduction on your website.
Secure third-party vulnerabilities
Keep Any Third-party Plugins/Code Up-to-date
Your business website will probably feature third-party plugins and/or snippets of code. And while these would have been up-to-date and ‘secure’ when you implemented them, they can very quickly require updating – particularly when vulnerabilities are identified by their creators.
Even a single outdated plugin can represent a security risk and could provide hackers with a gateway into your website. That’s why it’s essential to update plugins as soon as new versions are released.
Just one weak link could jeopardise the integrity of your entire website. Hackers won’t quickly pass up an opportunity like that.
SSL should always be used for online checkouts
Use SSL Connections
SSL, or Secure Sockets Layer, is an online protocol that ensures all communications between client and server – in your case user browser and website – are fully secured.
It establishes an encrypted link between your customer’s browser and your website and allows sensitive information, such as credit card details, to be transmitted securely.
Without SSL, data sent between client and server is stored as plain text and can be vulnerable to eavesdropping.
SSL ensures that the connection and the data being sent are both encrypted. This prevents hackers from intercepting information and is particularly important for online checkouts.
Always test any newly-added security measures
Test Your Handiwork
Many website owners implement all manner of security protocols, yet have no idea whether they’re impenetrable or not.
It’s for this reason that vulnerability scanning is a must and it can even be undertaken for free.
Simply download one of the various vulnerability scanners that are available and run it against your website. It will produce a report outlining any potential issues.
However, vulnerability scanners should not be considered a replacement for manual penetration testing. They can sometimes throw up false positives and false negatives and leave you scratching your head about your website’s level of security.
That’s why if you can justify the cost, a manual pen test conducted by a third-party specialist vendor is preferable.
Basically, a manual pen test picks up from where a vulnerability scan finishes. A skilled penetration tester will also be able to see flaws in business logic, something that vulnerability scanners ultimately can’t.
So whatever your plans are for your website this year, make sure that first and foremost it’s secure. It will garner greater customer trust; help you steer clear of regulatory issues and bolster your bottom line as 2015 unfolds.