Website security: nobody cares until something goes wrong
I know you don’t want to, but take two minutes to read this post because the 7 tips below can help make sure your website doesn’t get hacked.
Website security. You don't want to know, right? You've got enough things to worry about. You're planning events & booking trade stands, you're in budget meetings, you've got a new product launch, and on top of that you need to organise the department Christmas lunch. And besides, security isn't even really your remit.
I understand that. And I know that I’m bothering people by going on about this, and that most people won’t even get past the headline on this post. But the thing is, this stuff matters. We all lock our front doors behind us when we leave our houses. We don’t leave our laptops on the passenger seat and then wander off leaving the car unlocked (well, we try not to, anyway). So why do we go on thinking that our websites and our data don’t need similar care and attention? It’s not enough to only care about security when something goes wrong.
Security through obscurity is not security at all
So here comes the usual excuse. It probably won't happen to me - we're not high profile enough. Well, I hate to say it, but that’s where you’re wrong. Many attacks are automated, with bots out crawling the web looking for known vulnerabilities. Which means that if your site is vulnerable, the chances are, sooner or later it will end up in a database somewhere, which is the equivalent of having a little red target painted on it. It’s not just high profile sites that suffer from hacks and data leaks; and being relatively small, or relatively obscure, is absolutely no guarantee that your site won’t be compromised.
Insecure website risks
And it’s not like the risks are insignificant either. What can happen if your site is compromised? Well, here’s a few things to think about:
- Defaced website
- Visitors faced with “this site may have been compromised” message
- Your website traffic redirected to an ‘unsavoury’ domain
- Loss of private company or client data (sometimes subsequently published online)
- Brand damage caused by all of the above
- Website unavailable for an unspecified period (affecting reputation and possibly sales)
- Loss of search-engine reputation (a site flagged as malicious can be demoted or delisted)
- Malware infection that can take weeks and cost thousands to clean up
- Ransoming – site crippled (hacker effectively changes the locks) until a ransom is paid
- Possible legal ramifications under data protection laws, if users’ data is leaked, especially if best practice is not being followed.
- Unexpected disruption and stress caused by any of the above which impacts your business and your ability to get on with anything else
Sounds like the day from hell – right? Except that usually it’s the week from hell, and sometimes it’s the gift that just keeps giving and it can take months before things are resolved.
Now, I’m sure at this point some of you are probably dismissing this as scaremongering. And yes, you might pay no attention to website security and get away with it. But the point is that following best practice is the sensible thing to do. I’ll come back to the front door analogy. We’ve all left our front door unlocked accidentally once or twice and got away with it, but does that mean we do it all the time? No. We lock our doors because it’s the sensible thing to do.
So what should I do to lock the doors of my website?
I’m so glad you asked. The first, and best piece of advice, would be to get your site audited by someone with some expertise in the area, and fix any issues that are found. There are even services like HackerOne where you can offer a ‘bounty’ to a community of trusted hackers, to try to find security issues in your website. For large corporates it’s worth considering. For most of us, however, being aware of the following things should be enough to consider the front door locked.
- Check that your hosting is good quality and reputable (and therefore includes considerations such as keeping server software up to date), and that you have good support available if something were to go wrong
- Check that your site is being backed up regularly
- Ensure that ALL the passwords used to access any area of your site are strong, unique to that site, and changed promptly if there's any sign they've been exposed. That means client logins, CMS logins, cPanel, FTP/SFTP etc. etc.
- If you’re running WordPress, check that the core and all your plugins are up to date.
- Ensure error reporting and directory listings are turned off on the live site (errors should go to a server-side log, not to the visitor's screen). Both provide additional information to would-be hackers about how your site is put together, and may also expose other data that shouldn't be publicly available. (Last month Virgin Media's recruitment platform exposed the details of 30 – 50 thousand job applicants via an open directory listing.)
- Remove anything (plugins, modules, services etc) within your website that you don't need, as this limits the areas that can harbour a vulnerability.
- Find someone suitably qualified, and make it their responsibility to be aware of security issues; remembering that security isn't something you can look at once and forget, because new exploits and vulnerabilities are discovered every day.
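Two items on that list (error reporting and directory listings) can be checked mechanically. The script below is an added example, not code from the original post: it audits a local copy of a site's webroot for the settings that leak information to visitors, assuming an Apache-style `.htaccess`, a WordPress `wp-config.php` and a `php.ini` sitting in that webroot. The file names, the `check_webroot` function and the sample directories it builds are all hypothetical, constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a local webroot for
# information-leak settings: directory listings, WordPress debug output and
# PHP display_errors. Paths and file layout are assumptions, not a standard.

# check_webroot DIR
#   Prints one WARN line per finding to stderr and the number of findings
#   to stdout, so callers can capture the count with $(...).
check_webroot() {
  dir="$1"
  findings=0

  # 1. Directory listing: Apache keeps it enabled unless -Indexes is set
  #    (here we only inspect .htaccess; a vhost config could also set it).
  if [ -f "$dir/.htaccess" ]; then
    if ! grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$dir/.htaccess"; then
      echo "WARN: $dir/.htaccess does not set 'Options -Indexes'" >&2
      findings=$((findings + 1))
    fi
  else
    echo "WARN: no .htaccess in $dir (directory listing depends on server default)" >&2
    findings=$((findings + 1))
  fi

  # 2. WordPress debug output: WP_DEBUG=true prints notices to every visitor.
  if [ -f "$dir/wp-config.php" ]; then
    if grep -Eq "define\([[:space:]]*'WP_DEBUG'[[:space:]]*,[[:space:]]*true" "$dir/wp-config.php"; then
      echo "WARN: WP_DEBUG is true in $dir/wp-config.php" >&2
      findings=$((findings + 1))
    fi
  fi

  # 3. PHP display_errors: must be Off in production (log_errors=On instead).
  if [ -f "$dir/php.ini" ]; then
    if grep -Eiq '^[[:space:]]*display_errors[[:space:]]*=[[:space:]]*(on|1|stdout)' "$dir/php.ini"; then
      echo "WARN: display_errors is enabled in $dir/php.ini" >&2
      findings=$((findings + 1))
    fi
  fi

  printf '%s\n' "$findings"
}

# Demo on two constructed webroots: one leaky, one hardened.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/leaky" "$demo_dir/hardened"

printf 'Options +Indexes\n' > "$demo_dir/leaky/.htaccess"
printf "define('WP_DEBUG', true);\n" > "$demo_dir/leaky/wp-config.php"
printf 'display_errors = On\n' > "$demo_dir/leaky/php.ini"

printf 'Options -Indexes\n' > "$demo_dir/hardened/.htaccess"
printf "define('WP_DEBUG', false);\n" > "$demo_dir/hardened/wp-config.php"
printf 'display_errors = Off\nlog_errors = On\n' > "$demo_dir/hardened/php.ini"

echo "leaky webroot findings:    $(check_webroot "$demo_dir/leaky")"
echo "hardened webroot findings: $(check_webroot "$demo_dir/hardened")"

rm -rf "$demo_dir"
```

Run it against a copy of your own webroot with `check_webroot /path/to/site`; a non-zero count means something is telling visitors more than it should. It is a spot check of three settings, not an audit, and it will miss the same settings if they live in the main Apache or PHP-FPM configuration rather than in these files.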
I know that in reality, responsibility for the company website usually rests with folks who don’t have either the time or the skill-set to handle many of the items above. But like most things in life, for a small consideration you can contract the expertise of someone who does. It’s the sensible thing to do.