Worst Case Scenarios: How To Avoid Security Fails
Data loss is one of the worst things that can happen to a business. It is often claimed that many small-to-medium companies fold within six months of a major data breach; whatever the exact figure, the reputational damage is almost always severe. If a friend or neighbor reported buying from a website whose lack of security caused their bank account to be compromised, would you be willing to make a purchase on that same website?
With cybercrime at record levels and malware being reported in unprecedented volumes, the internet is a dangerous place to do business. Fortunately, there are straightforward steps any ecommerce platform or online service provider can take to improve website security. And although a professional penetration test (ethical hacking) might be beyond a limited budget, the following recommendations are considerably more affordable and highly advisable:
Restrict access to back-office functionality
Don’t give every employee unrestricted access to databases and key functionality. Do you really trust your new intern or the work experience student not to inadvertently reveal confidential data? Junior staff are generally more likely to misplace or compromise company hardware, so check that their login credentials can’t be used to reach sensitive information. Apply the principle of least privilege: each account gets only the access its role requires, full administrative access is reserved for the few senior personnel who genuinely need it, and access is removed promptly when someone changes role or leaves.
Hand over corporate security to one person
This expands on the previous point. Giving someone sole responsibility for online security should ensure that important tasks are actioned promptly, while sufficient funding will enable systems to be maintained in peak condition. Encourage your nominated employee to keep abreast of security trends by attending conferences, consulting with industry experts and even following Reddit threads on cybercrime and malware trends. Trust this person’s opinion, and include them in discussions about new hardware or software. One caveat: a single owner is also a single point of failure, so make sure key procedures are written down and a deputy can cover holidays, sickness or departure.
Make security a universal responsibility
Once the appointed security head has settled into their post, ask them to train up their colleagues. Teach employees about phishing techniques, and consider running a test to see how many people click a link in an unsolicited email. Those who do should be directed to a landing page explaining what could have happened; treated as a learning exercise rather than a punishment, they’ll be far more cautious in future. Make it easy for staff to report suspicious emails, and use multiple communication methods to discuss issues like social engineering and malware, informing and educating everyone from the office junior to the CEO.
Use two-factor authentication (2FA)
It’s easy to gain access to certain accounts, especially when the only protection is a password. Admittedly, passwords can be strengthened by length, by a mixture of upper/lowercase characters, numbers and symbols, and by rejecting passwords that have appeared in known breaches. Revoke individual credentials and rotate any shared passwords immediately whenever an employee leaves the company. Even so, 2FA is the optimal solution, particularly when coupled with automatic inactivity logouts; a code from an authenticator app or a hardware security key is preferable to a code sent by SMS, which can be intercepted or redirected by SIM swapping. Indeed, security firm Symantec claims that 80% of known security breaches would have been prevented if victims had used 2FA.
Install SSL certificates
SSL certificates (strictly, TLS certificates: TLS is the modern replacement for the deprecated SSL protocol, though the old name has stuck) enable a website to establish an encrypted connection with each visitor for the duration of their stay on the site or throughout an ecommerce transaction. During the TLS handshake the server presents its certificate, which the browser checks against its list of trusted certificate authorities, and the two sides agree on session keys; this authenticates the host and prevents man-in-the-middle attacks or eavesdropping. Customers are reassured (and protected) by the presence of an HTTPS address and a padlock icon; the green browser bar once shown for extended-validation certificates has since been removed from the major browsers. WestHost is ready and willing to help customers purchase SSL certificates.
Send up the Cloudflare
The Cloudflare content delivery network offers numerous benefits. These range from 99.999% uptime through to file caching and intelligent routing, while cached copies of static content held at delivery points worldwide can keep a site reachable even during origin server downtime. In terms of security, Cloudflare filters traffic before it reaches your server, blocking known threats and logging unwarranted visits or unwelcome attention. Note that this only protects traffic that actually passes through Cloudflare: configure the origin server to accept web traffic only from Cloudflare’s published IP ranges, otherwise an attacker who discovers the origin’s address can bypass the protection entirely. The Cloudflare Plus package even includes SSL certificates, and like the free Cloudflare service, it’s available to WestHost clients.
Use a dependable hosting partner
A trustworthy hosting partner will keep websites live, free of malware and regularly updated with the latest security patches and plugin revisions. The best providers operate data centers with strict physical access controls, staffed 24/7 by knowledgeable technicians ready to respond immediately to server issues or outages. Without wishing to sound immodest, these are all services WestHost provides. We offer shared or dedicated server hosting, catering for everyone from private individuals to enterprise-level businesses.
Develop a disaster plan
This sounds dramatic, but preparing for the worst limits the damage when something does go wrong. For instance, automatic backups to an offsite location (ideally one that production systems cannot overwrite, so ransomware that reaches the live servers cannot reach the backups too) safeguard continuity of trading if vital documents are deleted, corrupted or locked down by ransomware; test restoring from them regularly, because a backup that has never been restored is only a hope. Have a plan ready to notify clients about a data breach, giving a brief summary of what actually happened and the preventative measures taken. Create a chain of command for a crisis situation, including contact details for the agencies to which cybercrimes should be reported.
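As an added example of the restore test recommended above (this is not code from the original article or from WestHost), the Python below runs a backup-and-restore drill on constructed sample data: it archives a directory, records a SHA-256 manifest of every file, simulates ransomware overwriting the live copy, restores from the archive and checks each restored file against the manifest. The sample files, directory names and the simulated encryption are all constructed for the drill; the "offsite" vault is a temporary directory standing in for real offsite storage.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, vault: Path) -> tuple[Path, dict]:
    """Archive `source` into `vault` and write a manifest of per-file SHA-256 digests beside it.
    The manifest is what turns 'we have a backup' into 'we can prove the restore is intact'."""
    manifest = {p.relative_to(source).as_posix(): sha256_of(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    archive = vault / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    (vault / "backup.manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive, manifest


def verify_tree(manifest: dict, root: Path) -> list[str]:
    """Return the files that are missing from `root` or whose digest differs from the manifest."""
    return [rel for rel, digest in manifest.items()
            if not (root / rel).is_file() or sha256_of(root / rel) != digest]


def restore_and_verify(archive: Path, manifest: dict, target: Path) -> list[str]:
    """Extract the archive into `target` and verify it; an empty list means the backup is usable."""
    with tarfile.open(archive, "r:gz") as tar:
        # Newer Pythons can refuse path-traversal members; fall back silently on older versions.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(target, **extra)
    return verify_tree(manifest, target)


def run_drill() -> tuple[list[str], list[str]]:
    """End-to-end drill on constructed data. Returns (problems after a clean restore,
    problems after one restored file is silently corrupted)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live, vault, restore_dir = base / "live", base / "offsite", base / "restore"
        (live / "db").mkdir(parents=True)
        vault.mkdir()
        restore_dir.mkdir()
        # Constructed sample data standing in for real business files.
        (live / "orders.csv").write_text("id,customer,total\n1,alice,19.99\n2,bob,5.00\n")
        (live / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1,'alice');\n")

        archive, manifest = make_backup(live, vault)

        # Simulated ransomware: every live file replaced with junk.
        for p in live.rglob("*"):
            if p.is_file():
                p.write_bytes(b"\x00ENCRYPTED\x00")
        assert verify_tree(manifest, live)          # the live copy no longer matches the manifest

        clean = restore_and_verify(archive, manifest, restore_dir)

        # A truncated restore of one file: the manifest check must catch it.
        (restore_dir / "orders.csv").write_text("id,customer,total\n")
        corrupted = verify_tree(manifest, restore_dir)
        return clean, corrupted


if __name__ == "__main__":
    print(run_drill())
```

In production the vault would be storage the web servers can write to but not delete or overwrite (object storage with versioning or an object lock, or a pull-based backup host), and the drill would be scheduled, with any non-empty problem list raising an alert.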