6 Website Security Tips To Protect Your Business
by Serena Raymond on Feb 23, 2020 12:00:00 AM
Keeping your website secure is a no-brainer. Of course you want to do what you can to prevent customer data from ending up in the wrong hands. The difficult part is putting the security measures in place. But we’re making it a little easier for you with these website security tips.
What do we mean by “website security?” When we talk about website security, we’re talking specifically about protecting company websites from cyber attacks.
Cyber attacks can take a few different forms, from vandalism to bringing your website down completely. The biggest risk facing companies, however, is a data breach. This is when a hacker is able to access sensitive information from a website. This data might be login credentials, credit card information, social security numbers, or any other personal information stored by an organization.
While data breaches are unmistakably bad for business and can tarnish a company’s reputation, they’re also bad for the employees and customers affected. After all, their information can be sold for as much as $200 per record. This puts them at risk of identity theft and puts their personal bank accounts in jeopardy through no fault of their own.
These website security tips will not only help your business, but they’ll protect your customers.
1. A checklist is your best friend
Sometimes the hardest part of implementing security isn’t coming up with what to do, it’s actually putting it in place. Creating checklists for different procedures is a tried-and-true way of mitigating costly mistakes. One great proof point of this is the surgical checklist.
Mortality rates from even basic surgical procedures used to be much higher than they are today. A major factor in reducing mortality rates? A simple checklist.
It can save lives, and it can protect your customers.
The important thing is to stress to your employees the importance of following the checklist. While a checklist is a great tool for reducing risk, it’s only effective if it’s actually followed.
Work with your employees and teammates to create a realistic checklist. Have everyone agree on processes and best practices. Review your checklists regularly to see if there’s anything that needs to be updated, or any way you can reduce the number of steps someone needs to follow.
Create checklists specific to the different applications you’re using, such as application monitoring tools, open source container orchestration software, or databases.
If you’re deploying Kubernetes, this is a good checklist before running clusters in production. If you’re using MySQL, this is a short checklist specifically on security. Research the systems you use and see if there are already templates you can utilize. Otherwise, create your own from scratch.
2. Back up your data
We’re not talking about manual backups once a quarter. You need a real-time, automatic backup solution to make sure that you always have access to your critical system data. This way, if something goes down, you’re able to get back online with the most up-to-date data. You don’t want to fall victim to an attack and then be set back a few months.
Store your backups in a remote and secure location, such as off-site cloud backups. This recommendation comes straight from CISA (Cybersecurity and Infrastructure Security Agency).
Remote backups are more secure than other backup techniques as they provide better protection from natural disasters. There’s also the added benefit that you don’t need to actually travel somewhere to check on your backup.
3. Always be scanning
You should be scanning your systems at all times for vulnerabilities. And it’s imperative that you patch any vulnerabilities within 15 or 30 days, depending on the severity of the vulnerability.
And it’s not just software vulnerabilities you need to look out for, but configuration vulnerabilities. Not addressing this can lead to a huge breach.
In 2019 alone, exploited vulnerabilities allowed hackers to open FaceTime chat sessions to spy on people, access FBI files, and steal browser data. And that was just January.
Discover your vulnerabilities before someone else does. Because you can’t count on it being a friend who finds them.
4. Stop using outdated systems
If your operating systems, applications, or hardware are no longer supported, you need to make a move.
Relying on legacy systems from vendors puts you at risk. No more updates, patches, or notifications. It’s on you to monitor that system and find vulnerabilities—and you and your team might not be experts in those systems.
If you’re using software that the vendor is ending support for, put a plan in place to remove it from your tech stack. And if you’re still using something out-of-date, make it priority No. 1 to move toward a modern solution.
5. Secure everything
- Domain ecosystems
- User accounts
- Data in transit
- Web applications
- Web servers
Seriously, secure everything.
How can you do this?
Don’t use default passwords, enable two-factor authentication, control who has access to what, enforce HTTPS or HSTS (more on this below), disable applications that are not necessary to your business, and know where everything is stored.
One way to secure your domain ecosystem is to put a DNS protection solution in place. This will protect employees and public Wi-Fi guests from accessing malicious content around the web.
Defining user roles also needs to be taken seriously. If someone requests access to a certain application, ask them why. Incorporate the principle of “least privilege”. Figure out what level of access they need instead of giving everyone admin accounts. Keeping the number of people who can access applications and hardware low means there’s less opportunity for security failures.
6. You have an SSL certificate, right?
One last piece of advice: If you don’t already have one, get an SSL certificate for your website. Most companies should have locked down their SSL in 2018 when Google decided to mark sites “Not Secure” if they’re lacking an SSL certificate. However, there are still a surprising number of sites out there lacking “HTTPS” at the beginning of their URL.
Check with your web hosting provider, as SSL certificates are often included in your domain subscription. If not, there are plenty of options for you.
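Once the certificate is installed, it helps to verify that HTTPS and HSTS are actually enforced, as recommended in tip 5. The script below is an added example, not code from the original post or from DNSFilter: it audits response headers for a permanent redirect to HTTPS and a usable Strict-Transport-Security policy. The sample responses, the one-year max-age threshold, and the requirement that the redirect be permanent are assumptions made for illustration.

```python
# Added example: audit HTTPS/HSTS enforcement from captured response headers.
# The one-year minimum and the 301/308 requirement are assumed policy choices.
MIN_MAX_AGE = 31536000  # one year, in seconds


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be a quoted string
            max_age = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit(http_resp, https_resp):
    """Return a list of findings for one site; an empty list means it passes."""
    findings = []
    location = http_resp["headers"].get("location", "")
    if http_resp["status"] not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("plain HTTP is not permanently redirected to HTTPS")
    # Browsers only honour HSTS received over HTTPS, so check that response.
    hsts = https_resp["headers"].get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
        return findings
    max_age, include_sub = parse_hsts(hsts)
    if max_age is None:
        findings.append("HSTS header has no valid max-age")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} is below {MIN_MAX_AGE}")
    if not include_sub:
        findings.append("HSTS does not cover subdomains")
    return findings


# Constructed sample responses (header names lower-cased), not real captures.
GOOD = ({"status": 301, "headers": {"location": "https://shop.example/"}},
        {"status": 200, "headers": {"strict-transport-security": "max-age=63072000; includeSubDomains"}})
WEAK = ({"status": 200, "headers": {}},
        {"status": 200, "headers": {"strict-transport-security": "Max-Age=300"}})

if __name__ == "__main__":
    for name, (plain, tls) in (("good", GOOD), ("weak", WEAK)):
        print(name, audit(plain, tls) or "OK")
```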
Ready to take your security to the next level with DNS threat protection? Get your free trial of DNSFilter.