Are small business websites safer from security breaches?The reality is that smaller business websites are very appealing targets for cybercriminals. Attacking a large corporation may be a bigger payoff, but they tend to have much stronger security and the risks are much higher. Smaller businesses often don’t have the best website security in place and can’t afford to fight back against these criminals, making them a popular target.In the UK, a recent government survey released in 2020 showed that 46% of businesses and charities reported a cyber-attack in the previous year, with 33% of these saying they experienced a breach once a week – a 22% increase from the previous year. In the 2021 report, only 33% of smaller businesses had done a cyber security risk assessment, and only 31% had any cyber security policies. For smaller businesses, the average cost of a security breach is high at £8,170, and a significant breach can easily be something a business cannot recover from. Not only is this cost monetary, but it also involves the damage to the reputation of the company, downtime from lost data, lost sales, and lost productivity, and costs of attempting to recover lost data.
7 security tips for your business websiteAs the online portal to your business, website security clearly needs to be a priority. So, what should you do?
1 – Use a professional host with a good reputationMuch of your website security can and should be handled by your hosting provider. The best hosting providers make security a priority, offering features like a web application firewall (WAF) and denial-of-service (DDoS) protection, helping to prevent the most common types of brute-force attacks before they even start. Website security is technical and it’s easy to get put off by people asking you about SQL injections and cross-scripting, but a good web host and web design team can understand how your website works and offer best-case protection and security features to secure business and client data.
2 – Choose the right content management system (CMS)The CMS is a tool used to construct your website, add, and update content on your website, and plan future content. These platforms can also offer additional security for your site, as developers continually implement updates and security features to increase protection and counter new threats, update website coding to eliminate new vulnerabilities, and more. It’s a critical part of website maintenance to minimise security vulnerabilities and keep your website running swiftly at the same time.If you’re not sure which CMS to use, we recommend WordPress. Not only does it have plenty of functionality and continual improvements, it’s also user-friendly and free. Some security plugins like WordPress’s Wordfence Security are also recommended to help make your website more secure.As the owner of your business website, it’s best practice to take an active role in your web security by checking for updates for your add-ons, security plugin and other plugins, whether they are third-party or supplied by your CMS. In addition to closing vulnerabilities in the software, these updates fix bugs, improve compatibility, and streamline the performance on your website.
3 – Use strong passwordsNo matter how good your website’s security is or how vigilant your team is, a weak password can put your website and business at extreme risk. They are one of the most common security issues behind a breach – but also the easiest one to fix.Start by developing a strong password policy for your business that informs people about the risk of using the same password on multiple sites, of sharing their passwords, or making weak passwords. Then move on to how to create strong passwords (we recommend 8 characters including a random mix of upper and lowercase, numbers, and symbols).It’s also recommended that you use a good password manager to store, track and use passwords so they remain secure you don’t have to take the trouble to remember them. Apps like Keeper, LastPass, bitwarden, PasswordBoss, and 1Password are all very effective and easy password managers to use.
4 – Implement multifactor authentication (MFA) and limited file permissionsMultifactor authentication can also be implemented to help prevent access if a password is compromised. This involves typing in a password and then having a second code generated and sent to an independent device (like your work mobile) to ensure the right person is logging in.Finally, secure passwords, file permissions, and access should only be granted to those people who require access. The fewer people who have administrative access to your website, the lower your risks. Remember to have at least two people with active user permissions to administer your website to prevent being shut out. User file permissions and file access should also be changed as soon as a person leaves your organisation.A lot of these security measures can and should be implemented on your work devices, the applications and cloud services you use, email addresses, and your business network, as well as your website itself. The more layered your IT security and security features are, the better you’ll be able to reduce and manage security risks.
5 – Implement regular, automatic backupsIdeally, your website should be backed up daily to a secure location, especially if it is a busy business website or ecommerce website that captures client data, holds client accounts, or deals with sensitive or private personal or financial data. If your website is compromised by an attack that takes it down or holds your data ransom, having a very recent backup will allow you to disable your website and restore it with minimal losses.It’s this type of protection that made the recent Kaseya attack by REvil much less devastating than it could have been. This attack was a supply chain ransomware attack that delivered an update to businesses using Kaseya software that froze their data when downloaded and demanded a payment to release it. Although it affected over 1,500 businesses around the world, the damage was limited by clients having backups in place.The reality is that there is no way to eliminate the risk of an attack occurring, especially when a trusted supplier is compromised. Even without criminal involvement, a server may be damaged, a fire could break out, or a flood could take it out. But by planning for a worst-case scenario by automatically backing up business and ecommerce websites daily, damage can be contained, downtime minimised, and security risk minimised.
6 – Keep all software up to dateAll software on your business network and devices must be updated as soon as possible when patches and updates are rolled out. As with plugins and add-ons, these updates for cloud services, apps, and software contain important security patches that shore up vulnerabilities that can put your business at risk. Outdated software not only compromises your security, it can also affect the user experience of your website, causing features, forms and tools to fail or become buggy.Even if a certain product or cloud service doesn’t have anything to do with your website, outdated software for the application can still compromise the site through your network. For example, a virus can move through your network, access the administrator’s computer, and pull down your website or compromise the data.We all understand that updates are often frustrating and annoying (and we know from experience!) but they’re too important to miss. Taking the time to run your updates twice a week is a small price to pay when the security of your website and business is at risk.
7 – Learn to recognise common threats and security issuesOne of the best ways to prevent a breach is to be able to quickly recognise common types of attack and take action to halt it. That means learning about common threats, how to identify suspicious activity, and what to do if you think your business website has been compromised. Again, this takes a team effort, so it’s worth educating all your staff and not just your web admins. Some common signs that your website has been compromised include:
- Alerts from your browser or website host
- Your website being flagged by Google
- Unexplained slow loading times
- Alerts from customers
- Strange website redirects to unwanted advertising
- Cross-site scripting (XSS) – These are simple attacks that are very common, targeting the user before they get to your website and redirecting them to scam to extract sensitive information. A web applications firewall (WAF) will help prevent this happening to your website.
- Injection – A SQL injection attack targets the website and its servers, adding a piece of code that reveals hidden data and user inputs, and allows the hacker to modify data. In the design phase, your team should use parametrised statements and database protection.
- Fuzz testing – This is an attack that looks for vulnerabilities like coding errors and security loopholes in your website’s software, causing it to crash by adding in bulk data that overwhelms the site. The hackers then look for ways to access further vulnerabilities and pull valuable data from the site.
- Distributed Denial of Service (DDoS) – A DDoS attack bombards your website with requests causing it to crash by overwhelming it. This can be used to distract away from a more subtle attack against a security vulnerability, to hide additional attacks, or to simply cause chaos.
- Brute force attacks – This is a straightforward attack to gain control of your website and data through multiple login attempts. It usually involves trying to break in via the login by using malicious programs to guess at the username and password, or even buying legitimate, compromised logins and passwords from hackers on the dark web who have already acquired them.
- Malware – This is malicious software that is designed to target an application, network or website. The most common forms of malware are ransomware, worms, and viruses, and they account for some of the most significant cyberattacks in history, including the NHS attack in 2017, the Reckitt Benckiser attack also in 2017, and the ransomware attack that hit the Surrey headquarters of the Police Federation of England and Wales in 2019. Ransomware has become so dangerous that it is now considered to be a more significant threat to the UK than hostile countries.
- Phishing attack – These are some of the most sophisticated attacks – and some of the most difficult to prevent. They tend to rely on fooling a person (often via email) into sharing personal or financial data, make a bank transfer, or downloading a virus onto the system. They use sophisticated social engineering to pressure an employee, pretending to be an authentic client, member of the organisation, bank, or through an attractive giveaway or link.