A website is only ever as secure as the people running it, no matter how good the security settings are when a site is designed if businesses do not take cyber security seriously then they will always be at risk of breaches and hacks.
The last 12 months have seen newspapers littered with stories about data breaches, serious hacks and large-scale scams, not least the main headlines affecting the NHS, Uber, Equifax and more recently TSB.
Despite the warnings, though 47% of the UK prioritise “convenient login over security”, that is according to new research by market research experts Mintel.
They also found that 44% of Britons use the same password for multiple accounts, with 16-24-year-olds the worst culprits (60%).
The study of more than 2,000 internet users also revealed that the majority of consumers do not willingly update even their most sensitive of passwords, with 54% saying they only do so when prompted.
What was the most worry find though is that only 26% use antivirus software on phones and tablets despite more and more of us using them for online shopping, banking and generally running our lives.
When we take all that into account it’s easy to assume that the lack of attention to cyber security will also be evident when it comes to running an online business.
Following the introduction of General Data Protection Rules (GDPR) in May, it’s now more important than ever to be secure, if you hold other people’s data because if you’re not it could prove expensive.
Non-compliance penalties could lead to fines of up to €20m or 4% of a company’s global annual turnover (whichever is higher), which should be enough to ensure businesses spend the money now to get their house in order, to prevent penalties occurring.
If you use a web developer to set up and create your website from start to finish, then you should be cyber safe – the problem though is maintaining it.
Unless you are someone who really knows what they’re doing it’s worth paying a web development company a monthly maintenance fee so that backups and scans are run and all software is kept up to date – that way you can sleep safe at night in the knowledge that your business (and your customers’ details) are safe.
Here at Webthinking we manage all aspects of web hosting and security, including quarterly PCI scans so the server is also always as secure as it should be.
According to recent government research, 43% of all UK businesses were hit by a security breach in the last 12 months, although that number rises to 60% among larger companies.
The research also found that the average cost of a cyber security breach is £3,100 but no price can be put on the loss of trust which can occur after a security breach – just ask TSB.
If you prefer to manage your website yourself then here are five ways to make sure you keep your website secure.
Hackers are clever and because of the nature of the business they never stand still, so neither can you. New risks and vulnerabilities are discovered daily, so staying on top of security is not something you can look at when it suits you.
If you think this advice doesn’t apply because you don’t sell online and maybe just write a blog then you’re wrong. Your website might seem like an innocent platform for sharing articles but an experienced hacker can easily and quickly turn it into a malicious spybot or somewhere to mine cryptocurrency without you even realising.
Keep everything up to date
Just as hackers never stand still, neither does computer software so staying on top of updates is essential.
If your website is run on WordPress there are plugins you can install which will alert you to any updates which need installing so you never miss a thing.
Some plugins for all CMS providers, whether it’s WordPress, Joomla or Drupal, can eventually become obsolete as third-party developers fail to update them or test them with the latest versions of the CMS software to it’s essential to make sure all plugins on your website are still compatible with everything else and up to date or it could provide an easy way in for hackers.
Get a padlock
Getting an SSL certificate not only gives you peace of mind, by adding an encryption layer of software it also makes visitors to your website feel safer and more likely to share data, register and buy from you.
It’s always surprising these days when websites don’t have a padlock, especially when Google is now using them as a search ranking factor.
So, as well as making your site safe, a simple SSL certificate, which is relatively cheap when compared to the cost of a security breach, will also help your website be found via search engines.
Think about your passwords
We have already revealed how many people fail to take password security seriously but despite the number of security breaches which come from cracking passwords, it still is possible to make yours super secure.
All you need is at least 12 characters, which is a combination of alphanumeric characters, symbols and both upper and lowercase letters – sounds simple enough doesn’t it?
The National Cyber Security Centre’s advice is to use three random words as a passphrase and then separate the words with special characters to help make a long, hard to break, memorable password.
I have just opted for Liverpool!Boulter*Tennis and according to howsecureismypassword.net, that password will take 53 septillion years to crack, so I think I should be ok.
Don’t rely on just one piece of security
How many locks do you have on your front door? I’m guessing it’s more than one so why would you only have one option to stop someone breaking into your website?
Your first stop should be a web application firewall which will inspect all incoming traffic to your website and prevent malicious requests, as well as protect you from spam.
There are hundreds, if not thousands of other website security tools to help keep you safe and many of which are free.
Make sure you have something which allows you to back up your site daily so if you are the victim of any kind of threat you can easily restore your site to a previous working state.
Many security plugins will also scan your sites periodically to make sure there are no hidden dangers.
Other good options include plugins like Wordfence or iThemes Security, which will monitor the changes to the website’s files.
Keep the admin area safe
If you are familiar with WordPress then you will know that traditionally the admin area can be found by just adding /wp-admin or wp-login.php to the domain name but you can personalise the link to make things harder for the hackers.
Once they know the URL they will try to force their way into your website by guessing the username and password but changing the URL will eradicate 99% of direct attacks.
Changing the login process is also a good idea, so instead of using a username, you can request that people log in using their e-mail address instead, as they are usually harder to guess. They also have to be created with a unique e-mail address.
Once you have secured the log in it’s all about securing your dashboard, which if damaged will impact your entire site.
Using a plugin such as Apache Password Protect will allow you to password protect the wp-admin directory and you can always take things one step further and change the WordPress database table prefix.
Using the default prefix makes your site database prone to SQL injection attacks but changing the name can play a large part in preventing them.
Plugins like WP-DBManager or iThemes can easily help you change the default prefix and therefore substantially reduce the risk.
In conclusion website security is a bigger job than many people anticipate, it also takes a certain level of skill and knowledge when it comes to renaming databases, changing URL’s and understanding reports and potential problems.
So, unless you or someone within your organisation can give it the time and attention it needs to keep your website safe, it’s worth paying the experts. A monthly retainer fee can be a lot cheaper than the cost of a security breach.
If you use Webthinking to develop your website you can be assured that:
1) It’s hosted on our secure server, checked quarterly and patched daily. This ensures that any new security issues that arise are dealt with as quickly as possible.
2) Platform updates are automatic.
3) All backups are encrypted and stored securely.
4) You will get the best advice and recommendations for your own personal computer setup from our team.
5) We are GDPR experts.