Business website security: Learn the basics


How to keep your website and your business secure

 

Starting in March 2020, business life as we knew it changed drastically. The pandemic brought on a hasty move to WFH for many companies. Insurance consumers moved their search for policies to an online marketplace, and insurance companies and agencies struggled to launch appropriate technology.

Unfortunately, hackers went into overdrive. Experts say 56 percent of all internet traffic is now from an automated source such as spammers, scrapers, hacking tools, impersonators and bots—the bad guys. So how do you make sure your website is safe for you and your customers? What are the steps to business website security?

 

Emphasize cyber security

First, cyber security should be something you talk about frequently, to be sure your employees understand how important it is, both to work data and their own personal data. In their eBook, “Keeping Your Business Secure: A Checklist for Basic Website Safety,” Hubspot provides these tips for your business website security:

  • Start with the best cyber security you can afford. Make sure it’s validated by independent third-party testing. Hubspot recommends taking the software for a test drive before you trust it, using online demos, free trials and customer reviews.
  • Make security trainings part of every employee’s annual training, at the least. Hubspot offers a training module for your use. View it here.
  • Make it easy for employees to point out a potential issue. If you have an in-house IT team or helpdesk, they should run point here. If not, make sure everyone knows who to contact immediately.
  • Emphasize the importance of backing up data (i.e., their work and projects) to the cloud on a regular basis, and send a recurring calendar reminder for your team.

 

Password protection

The next basic step to business website security is password protection. That means not just your own passwords but, if you’re the owner or manager, those of your entire office. Offer password management tools to your employees, making it easier for them to choose strong passwords that aren’t easy to guess or hack. Read recent (Aug. 2021) reviews on the different password managers here to help you choose the right one for your business.

At least twice a year (better, quarterly), remind your teams to change their passwords. Even better, provide a two-factor authentication tool for their use, requiring not only a password, but a text to that person to authenticate that attempted log-in. Many password managers offer this service.

 

Be alert to phishing and ransomware

Most of the time, unsuspecting employees provide an open door to hackers. They click on an email that looks authentic – but isn’t, allowing cybercriminals to gain entrance. No doubt you’ve read about multiple ransomware attacks this year on companies of all sizes. And you’ve seen how the White House is stepping up the focus on ransomware demands.

Don’t think you’re immune. You’re not. In fact, cyber experts say you should assume you’ll be hacked in the near future, if you haven’t been already.

Coach employees to stay vigilant. Carefully examine emails before clicking on any links. Those poorly worded, misspelled emails that send up red flags are becoming more sophisticated. They may mimic an email from your bank, credit card company, even your doctor. Is there a typo in the email? Does the logo of the company supposedly sending it look right? Companies work hard to ensure their emails represent the brand well. They won’t have typos or major image issues.

Hover your mouse over that link and see what the actual link is. If in doubt, forward the email to your IT group or consultant, asking if this is a spoofed email.

Hubspot provides a few tips to help us all spot a spoofed email:

  • Create an annual training session required of each employee (online or in person) that talks about ways a cybercriminal can hack into a system.
  • Hubspot, in conjunction with Sophos, a cyber security company, suggests setting up a team meeting where you provide several examples of phishing emails. Divide your employees into groups and have them work together to find what’s wrong with each email, identifying it as a phishing attempt. Here are example emails you can use.

 

Business website security

Follow these steps to ensure your website remains secure:

  • Keep your website data offsite. Don’t store backups on the same server as your website. If a ransomware attempt freezes your website, you’ll need to retrieve this data from a different server.
  • Keep your software and plugins up-to-date. Updates often contain security upgrades and vulnerability fixes. Check your website for updates; you can also add an update notification plugin. Some platforms allow automatic updates, which is another option to ensure website security.
  • Add HTTPS and an SSL Certificate. If you include policy applications on your site, you need a secure URL that uses HTTPS to ensure data transfer safety. An SSL certificate encrypts customer data when transferring customer personal information between the website and your database.
  • Use a secure webhost. IEEE Computer Society explains it this way:
    Think of your website’s domain name as a street address. Now, think of the web host as the plot of “real estate” where your website exists online. As you would research a plot of land to build a house, you need to examine potential web hosts to find the right one to ensure your business website security. Many hosts provide server security features that better protect your uploaded website data. Check for these items when choosing a host:

    • Does the web host offer a Secure File Transfer Protocol (SFTP)?
    • Is FTP Use by Unknown User disabled?
    • Does it use a Rootkit Scanner?
    • Does it offer file backup services?
    • How well do they keep up to date on security upgrades?
  • Be careful about who you give user access and administrative privileges to on your website.
  • Once you’ve chosen your CMS (content management system), change the default settings immediately. You’ll want to change the file permissions, control comments and user visibility.

 

Securing your virtual meetings

You’ve heard of the Zoom hacks that happened early on in the pandemic – where someone hacked into a meeting and took over. Review these steps to keep your meetings secure, courtesy of Hubspot:

  • Require attendees to provide their first name, last name, and email address when registering for an event.
  • Don’t allow anonymous attendees. Ensure each attendee adds their first and last name once they sign into the meeting.
  • Consider not allowing questions to be asked anonymously—this will help keep folks accountable; plus, it allows you to follow up.
  • If using Zoom, use the Zoom password feature to make sure the only folks in your event are the ones who were invited.
  • Prepare a statement in advance of events that you can use if an attendee posts inappropriate content in the chat.
  • If your event has 50+ registrants, try to have 2-3 moderators to help with chat and Q&A.

 

Resources:

Keeping Your Business Secure: A Checklist for Basic Website Safety
10 Essential Steps to Improve Your Website Security
Secure Your Site with This Security Checklist
How to secure your website: 5 tips for every business website