Launching a website is an exciting and necessary move for most organizations. In today’s digital world, the public expects companies and public agencies to have an online presence. But building and maintaining a website opens up the possibility of cyberattacks, ransomware, malware, and network outages.
If cybersecurity isn’t one of your organization’s top concerns, it should be. The average cost of a data breach is $7.35 million. And DDoS attacks, which can bring down your entire site and disrupt your ability to conduct business, are increasingly common. These attacks are most common in the financial, retail, information, and public sectors.
So, what can you do to tighten up your website’s security and deter cyberattacks? Here’s a list of seven of the most valuable tips and actions you can put into practice today.
Maintain Software Updates and Security Patches
Nearly every website relies on both a content management and a hosting platform. A CMS is what webmasters and builders use to create, update, and present content that others see as images, videos, and words. But like any other piece of software for small businesses, a CMS needs frequent updating.
Ignoring new release builds, overlooking security patches, and other updates is a recipe for disaster. Without those, your site, plugins, or APIs become more vulnerable to hackers as many updates, and patches fix critical security issues. These vulnerabilities can be leveraged by a hacker to hijack a site or steal data.
In other words, they’ve figured out how to manipulate and use portions of the software’s design to their advantage. Cybercriminals may exploit the functions and features to gain access to your network, load malicious downloadable files onto your site, or mess with its content.
Consequently, your organization could be liable for exposing sensitive data or infecting visitors’ machines. That isn’t the image you want to present, and it definitely isn’t consistent with a brand identity that is trustworthy and reliable. It would be a good idea to subscribe to any security feeds your CMS has so that you are kept informed of releases and security patches.
Practice the Principle of Least Privilege
When it comes to user management, the principle of least privilege is your best bet. In a nutshell, this means that users should only have access to what they absolutely need to do their jobs. And the programs and access employees or vendors have should only extend as far as their responsibilities go.
For example, say your organization runs a VPN or virtual private network. To use the VPN, employers and vendors must request permission to gain access. Without these permissions, their network credentials will not authorize access. Simply put, when these employees and vendors attempt to use the VPN service, they’ll receive a denial or error message.
Under the principle of least privilege, only those staff members and vendors who work remotely will get VPN access. But they’ll also be restricted to what network resources they can get into. That may be folders limited to each staff member’s respective department. Or, it could encompass applications and programs they use daily.
Ask who needs to access the content management system (CMS) and only grant logins and permissions to those individuals. In addition, restrict permissions for various parts or functions within the CMS according to job function. The same should go for the website. Some CMS’s have granular permissions to the page level. Use those granular permissions to only give content creators access to the pages they are going to be keeping current.
Use SSL Certificates and Web Application Firewalls
It should go without saying that SSL certificates and web application firewalls are the first lines of defense. But you’d be surprised how many websites do not use a secure link or an application firewall. Secure website links are recognizable by the lock icon on the left side of the address bar. They’re also URLs that begin with HTTPS instead of HTTP.
A secure sockets layer or SSL certificate makes sure any information someone enters on your site is encrypted. For instance, if someone types in a login and password, that grants access to financial accounts. Or, visitors need to exchange personal, sensitive information to pay for products and services.
Most people won’t do this if the site link is unsecured or the site itself doesn’t encrypt or mask things like social security numbers and passwords.
Make sure your website SSL certificates use TLS 1.2 or above and are renewed before they expire!
Now web application firewalls do something similar on the backend of your site. They scan and analyze the information that’s getting exchanged back and forth. If something looks suspicious, the web application firewall won’t let it through. You’ll also get a notification of any questionable activity.
Conduct Frequent Scans for Malware
Sometimes malicious programs can go undetected to the naked eye. So, even if everything looks like it’s running well on your site and no one’s raising any red flags, that doesn’t mean something isn’t lurking in the shadows. It’s still prudent to frequently scan your hosting server and any devices used to administer your site for malware.
These scans should include every device that accesses your organization’s network and website content management system. USB drives, laptops, phones and tablets with apps, and IoT devices fall under the umbrella. All it takes is one infected device to wreak havoc. Ransomware is a form of malware quickly emerging as the weapon of choice for cybercriminals.
The Cybersecurity and Infrastructure Security Agency reports that ransomware and malware have impacted pipeline companies, software organizations, and managed service providers. In fact, no organization is immune. It can overtake your network from a vendor that performs maintenance or even be caused by an employee plugging in a personal USB drive.
Don’t take the chance and schedule regular, ongoing quick, and deep scans of your entire infrastructure.
Schedule Regular Data Backups
What if your site was to go down due to a cyberattack? Worse, what if that same attack made your content management and web hosting system inaccessible? You would be unable to reach your customers and would lose potentially valuable information necessary to rebuild. To prevent this, you need regular backups of your data.
The best webmasters and organizations make frequent backups since they know that a cyberattack can happen at any given moment. Without a backup on hand, you could be waiting a week or two …. or never to get your site back up and running. That vital information that’s exchanged through your site and makes up your content could be gone in a flash.
Regular backups safeguard that data, but you should arrange for the information to go to another secure server. Don’t place it on the same server or network your site is on. Insulate your data from any breach that could easily spread to the rest of a server and network. Remember, hackers are opportunists, and they will seize any chance to harvest as much as they can.
Strong Password Management
Cybersecurity experts recommend using strong passwords and password managers for a reason. One of the leading causes of data breaches is exposed and easy-to-guess passwords. When employees share passwords and use them across systems, it will increase the chances hackers will guess them.
What’s more, using sensitive and personal details like birthdates, favorite foods, and pet names can also increase vulnerability. Password managers eliminate the need to keep track of unique passwords across several devices and systems.
Further, vendors and employees will be protected, and you’ll get to maintain separate passwords for computers, content management systems, and other apps.
The best password managers auto-generate encrypted passwords that people never see. Instead, they simply use the manager to log in to the necessary systems and apps.
This cuts down on the chance employees and vendors will write those passwords down in visible places. Auto-generated, encrypted passwords also reduce the chance of credentials being shared. Lastpass offers a passwordless option to achieve maximum security.
This includes identical logins between company apps and systems, as well as personal passwords. Unfortunately, it’s not unheard of for an employee to use personal passwords (such as email and online banking) for company systems. Why? Convenience and ease of recall.
Limit Login Attempts From the Same IP Address
What do cybercriminals do when the first login attempt fails? They try and try again. But if you implement limited login attempts, this security feature will discourage hackers. A good rule of thumb is to limit attempts to three. While this might present some inconveniences to employees and vendors, such a measure will go a long way to enhancing site security.
For example, after three failed login attempts, the account is locked out. To regain access, the person has to reach out to you or a system admin to unlock it and reset the password. Cybercriminals aren’t going to do this because it’s an illegitimate attempt to gain access to your website’s data or network.
With limited login attempts enabled, you’ll be able to proactively stop unauthorized activity in its tracks. While hackers could attempt to log in from different IP addresses, that would represent an added inconvenience to a malicious actor. Many will move on and try to find a site that doesn’t have this layer of defense simply because it’s easier to hack.
Conclusion
Keeping your website secure should be a top priority. It gives consumers and the public confidence about engaging with your brand. Plus, it prevents costly fines, penalties, and audits for non-compliance with privacy and security regulations. Not to mention, it saves employees from the painful headache of reassembling your organization’s website and essential content.
Sources:
- Human error remains one of the leading causes of data breaches.
- Automated Brute Forcing on web-based login - GeeksforGeeks.
- Passwordless is Possible