Scared by security statistics this spooky season? 🎃
Here are some current ones that make us flinch at small noises at night:
The scary part about the second stat is that you have no idea if that’s you.
You can’t help but think: okay, but how secure is my website?
Is your current protection really fine, or is it like:
We’re not judging – it’s tough to tell when you don’t have a frame of reference.
So, look at this blog as a guide or checklist.
If you want to skip the introduction and get to the methods, this link will send you straight there.
…but we have a feeling you’ll be glad if you start with the 101.
Website security, AKA cybersecurity, is a set of steps around your website to protect it from malware, viruses, and other evolving threats which could otherwise cause significant damage to your business.
As we’ve mentioned earlier, most companies experience security issues. That includes small businesses that don’t think of themselves as “highly prized” targets.
Statistically, it likely includes you, too.
So what can you do to avoid hackers and protect your business?
Here are some cyber-equivalents of locking the door and getting a guard dog that can help you prevent and contain cyberattacks:
We’ll discuss these and other measures to fix an unsecured website in a minute.
But first, what exactly is in it for you, and what happens if you don’t prioritize website security?
Your business may be well-established and your services top-of-the-line, but all of it crumbles without proper website security.
It’s the difference between building a fortress and a sandcastle.
So here are the benefits of investing in a fortress:
Benefits of website security | Summary |
---|---|
Keeps your and your customers’ information safe | |
Maintains and improves your SEO so new customers find you | |
Gives you better chances of surviving attacks | |
Provides you with more time to react to, contain, and stop attacks | |
Prevents you from losing money to hackers and expensive consequences | |
Honors customers’ trust in your company | |
And let’s face it, if you were just thinking about these benefits out of context, you’d say yes to all without hesitation.
But we’re talking about an investment.
So, what’s the worst that could happen if you skip the website safety check and stick with the sandcastle option instead?
You’ll want to save this next part if you’re chasing approvals from the higher-ups.
Cutting straight to the chase here, the consequences of a successful cyberattack on professional services, eCommerce, and nonprofit companies may include any of the following:
Capital One paid $190 million to settle a lawsuit filed by customers whose information was stolen in a breach.
Nonprofit company One Treasure Island suffered an attack in which hackers stole $650,000 via an email scam.
We’ll stop painting the picture here.
You get it: the consequences can be dire.
Instead, let’s focus on how you can do a website security check and arm yourself against any cyber threats that come your way.
Ideally, security audits should be handled by experts who know what they’re looking for and can spot weaknesses a mile away.
And they should be done regularly as part of your website maintenance plan – too much is at stake otherwise.
That said, there are things you can do to check how secure your website is right now, and it’s handy to learn a little about it before you reach out to a security expert.
So, we’ll start with the short version:
Ways to check how secure your website is | Brief explanation |
---|---|
1. Install a Secure Sockets Layer (SSL) Certificate | SSL encrypts the data exchanged with your site so only someone holding the key can read it. That way, if a hacker intercepts your traffic, all they get is a useless string of random symbols. |
2. Use a web application firewall (WAF) | Firewalls filter out unauthorized access attempts and potential threats to keep your network safe. If something dangerous does get through, they shut down outbound traffic so data can’t be stolen. |
3. Update your themes and plugins regularly | Aside from updating your core website, plugins and themes need upkeep too. Otherwise, hackers could use them to break in, like a loose brick in your fortress. |
4. Use security tools to check if your site has been compromised | If you’re worried, online tools can run a quick scan of your site and flag malware or breaches right away. |
5. Make sure you use random and uncrackable passwords | One password for everything is a tricky habit to break, but you can do it with a password tool like LastPass. Your employees won’t have to remember individual passwords, and you can change them regularly without a fuss. |
6. Be aware of common scams hackers use to get access | Talk to your employees about scams like phishing. And don’t do it just once – make it a regular mandatory course, so nobody forgets important details and no new hire falls through the cracks. |
7. Set up a regular backup schedule just in case something goes wrong | You shouldn’t do it every day, but you have to back up your site regularly as part of your general website maintenance routine. It could be the difference between going bankrupt and getting back on your feet. |
8. Implement multi-factor authentication for both backend and frontend users | Make sure people need more than one credential to log in – a password plus email verification, for example. If a hacker gets hold of one, they can still be stopped at the second step. |
9. Make sure you’re using a secure web host with a good reputation | Your host needs to be as diligent about security as you are – otherwise, you could be collateral damage if their business is compromised. |
10. Check user access and follow the principle of least privilege | Make sure your employees only have access to what they need to complete their jobs. If only a few people have access to important data, it’s less of a security risk for everyone. |
11. Follow web server best practices | Restrict access to sensitive locations like CMS configuration files and prevent directory browsing, so hackers can’t simply collect your data ready to go. |
And now the same thing, but better.
Before you furrow your brows, installing a Secure Sockets Layer (SSL) Certificate doesn’t mean buying some fake diploma to hang in your office or anything like that.
Have you ever received an update on a chat app saying, “your messages are now encrypted”?
Maybe you thought, “okay, whatever.” Or, “huh, what does that even mean?”
It means you’re now protected by an SSL protocol that takes the words you type and translates them into seemingly random symbols that only you can decipher using your key.
That way, if a hacker intercepts your messages, sensitive information they could have used against you becomes useless gibberish on their end.
You should have an SSL for your business.
It’s a simple defense system that will let you answer your clients’ payment questions or text a password to a colleague without risking the data being leaked.
But just in case, it’s still good to delete that information once you’ve resolved the matter.
A firewall is a defense mechanism that analyzes each data packet that tries to enter your network, determines whether it’s safe based on pattern recognition, and then lets it in or blocks it accordingly.
It’s one of those things you should just have for your website.
It won’t exactly prevent all types of attacks, but at the very least, you’ll get notified if a breach happens, and the firewall will stop all outward traffic so nothing can be stolen.
Then, you have a moment to react, trace the source of the attack, and fend it off.
But make sure you use a firewall that scans and monitors your site, not just your network – a web application firewall (WAF) or next-generation firewall (NGFW) is a safe bet.
For example, State Creative (that’s us!) uses Sucuri.
Your site is as safe as its weakest link.
Updating your website core doesn’t guarantee 100% safety when you have unsupported or abandoned plugins waiting for a hacker to take advantage of them.
Your website maintenance needs to cover all bases, so ensure your package includes regularly updating plugins and themes.
Aside from that, it’s good practice to keep an eye out for better options that could replace your current solutions.
Still using the same forms you picked out in 2017?
Take a look at what other companies are doing, and you’ll spot a better alternative fast.
Okay, so you might not yet have an expert by your side to point at things and say, “this needs to change” or “you need these three programs.”
However, those horror stories we’ve talked about sound like something you don’t want to be a part of.
Even if you’re not a karate master, it’s still important to learn a thing or two about self-defense.
And the first step in any martial art is assessing your surroundings.
So, how do you check your situation now? How do you know if somebody’s already infiltrated your database?
Don’t panic.
You can examine the situation independently with the help of security tools.
For example, VirusTotal requires only the site’s URL and can detect malware or other breaches immediately.
If any of these security tools highlight a problem area you’re unsure about, or you simply want a more thorough website security check, you can always contact us for support.
It’s a red flag if your employees are copy-pasting passwords, using obvious firstname-lastname combos, or the famous “QWERTY” combination.
Are your employees…
Red flags everywhere.
And what about you?
We understand, though. It’s annoying and inconvenient to change an old habit, and much more to remember a new number and letter combo for every account you create.
So, here’s how you can make it less of a drag and avoid company-wide pushback:
And teach your employees about them.
Phishing is a widespread trick that, unfortunately, works way too often due to a lack of employee training (and of firewalls to contain the damage).
Employees who don’t know about it might click a dangerous link, send money to a fake account, or hand over sensitive information, thinking they’re emailing their superior.
That’s how a small Indiana-based nonprofit got hacked a few years ago.
One mistake is enough for a hacker to get in.
You can prevent it by creating a mandatory security course and updating it regularly.
But for extra protection, here’s what else you can do:
So… are you finally totally safe?
Unfortunately, with cybersecurity – there’s no such thing. That brings us to…
If you’re asking, “how secure is my website?” but not backing it up in case the results aren’t stellar… that should be one of the first things on your to-do list.
You can tell you’re on the right path if you’re backing up your website and not assuming things will always go according to plan.
If not, and something happens, you might not be able to restore your data.
And in that scenario, any additional worry could be one too many – remember all the other data breach consequences we’ve talked about earlier?
Thankfully, this is another easy fix. A security expert can easily set up regular backups as part of your maintenance plan, so you never have to worry about it again.
So what does that mean?
Multi-factor authentication means you require more than one piece of information to access the data.
The idea is, even if a hacker got a hold of your password, they won’t get easy access due to the extra layer of verification you set up.
And how does that play out in real life?
For example, when you try to log in, the site asks you if you want to confirm your identity via email or input a short code sent to your phone number.
This helps protect both the site and potentially compromised users.
And yes, it’s an extra step to log in – but if your employees understand why it’s important, they’ll have an easier time adhering to it.
What’s the worst that could happen if your web host isn’t great?
Well, if your provider isn’t meticulous about security on their end, it could result in frequent issues like recurring downtime or slow loading speed on your end.
In the worst case, if the provider gets hacked, you could be at risk, too – for reference, even popular hosts, like GoDaddy, have been hacked in the past.
This isn’t to say that you shouldn’t use them for your website.
But do diligent research, and don’t settle for the first option you find.
It’s the good ol’ principle of least privilege.
If you’re unfamiliar with the term, it basically means giving people access:
This point is linked to how well you’ve trained your employees on cybersecurity but with an extra layer of security.
The rationale is simple:
There’s no need to risk security to share all the data with all the employees – they don’t require it anyway, and you’re all safer if they only have what they need.
Some best practices for web servers include:
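As an added example that is not from the article or from State Creative, here is an nginx server block that puts two of the checklist items into practice: it redirects plain HTTP to HTTPS (item 1) and applies the web server practices from item 11, turning off directory browsing and keeping the CMS configuration file and dotfiles unreachable from the web. It assumes a WordPress-style site, so the hostname, paths, certificate files and PHP socket are placeholders.

```nginx
# Added example, not the article's own configuration.
# Assumed: a WordPress-style site under /var/www/example on example.com (placeholders).

# Item 1: send every plain-HTTP request to the encrypted site.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path

    root  /var/www/example;
    index index.php index.html;

    # Item 11: never generate a directory listing when a folder has no index file.
    autoindex off;

    # Let certificate validation files through before the dotfile rule below.
    location ^~ /.well-known/ {
        allow all;
    }

    # Item 11: the CMS configuration file (wp-config.php for WordPress) must never
    # be served. Answering 404 rather than 403 also avoids confirming it exists.
    # This regex location sits before the generic \.php$ one, so it wins.
    location ~* /wp-config\.php$ {
        return 404;
    }

    # Dotfiles such as .env, .git/ or .htaccess that often end up in the web root.
    location ~ /\. {
        return 404;
    }

    # Hand PHP files to PHP-FPM instead of serving their source as text.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
    }

    # Everything else: serve the static file, or route to the CMS front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

After reloading, a quick check is to request a folder without an index file and the config file path over HTTPS; both should return 404 rather than a listing or the file.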
That’s pretty much the end of our list.
It’s a lot at once, but that’s why experts exist – they’ll illuminate the way for you, so your website doesn’t start feeling (or behaving) like a haunted house.
Security is the foundation of your website and, by extension, your business.
It’s crucial. But it doesn’t have to be scary. 👻
If you’re concerned about your website security and need an expert to take care of maintaining your site, reach out to State Creative.
That way, you won’t have to worry about all the things that could go wrong or fend off attackers on your own.
And if you’d like to learn more while you’re here, here’s how you can improve website security right now in three simple steps.