I was recently asked about website security by a friend of mine who was just getting started with his online business. After answering some of his questions, I realized there might be a few business owners out there who could benefit from some basic website security knowledge.
If you’re a business owner or manager who is concerned about website security and you’re not sure where to start, here are some basics for you.
NOTE: This is NOT a comprehensive website security guide…these are just some typical questions with quick answers. If you want more in-depth info, contact me and I’ll point you in the right direction.
Q. What are the most common website security threats?
A. There are three common website security threats:
- Vandalism or theft by an insider. Disgruntled or former employees are one of the biggest security threats to a business website. Many businesses use the same password for a lot of their computer “stuff”, including access to the company website. If you don’t change the shared passwords after you let someone go (or if you don’t cancel all of their individual accounts), you are leaving the door open.
- Malicious software. Malicious software (known in the industry as “malware”) can be used to steal passwords, “hack” into websites or computers, etc. People usually pick it up from disreputable and/or unsavory websites, or from attachments and downloads they were tricked into opening. Most antivirus software will detect and stop these programs, but not always. Pornography and gambling websites are notorious for pushing malware and should be avoided. The solution to this issue is to keep your antivirus software (and your operating system and browser) up-to-date and stay away from websites that aren’t business related when using a company computer.
- Automated hacking attempts. There are thousands of “bots” constantly crawling the web looking for vulnerable websites, and they don’t care how small or obscure your business is. While there are a lot of different techniques, the main ones are well understood and fairly easy to block. This is where your web developer comes in: if they use secure, current software to power your company site and keep it patched, your website will shrug off most automated hacking attempts.
Big picture: a good web developer can help keep your website secure, but security starts with managing access and keeping your company computers “clean.” Change passwords when employees leave and make sure your business computers are only used for business.
Q. What does “SSL Encryption” mean and why is it important?
A. SSL stands for “Secure Sockets Layer.” Its modern successor is called TLS (“Transport Layer Security”), but most people still say “SSL.” In very simple terms, it encrypts the connection between a visitor’s browser and your web server so that nobody sitting in between (on the visitor’s Wi-Fi, at an ISP) can read or tamper with what passes through, like a virtual tunnel. It also uses a certificate to prove to the browser that it is really talking to your site and not an impostor. Encryption is what protects important personal data (like credit card numbers, social security numbers, login passwords, etc.) while it is in transit. You can tell a site is using it because the address starts with “https://” rather than “http://”. You need SSL (that is, HTTPS) if your website collects information from individuals that is personally identifiable and/or valuable, and since modern browsers label plain HTTP pages as “Not secure,” it is worth having on every site.
Q. How do I know if my website is secure?
A. The word “secure” is defined differently by different people. Some people view security as an absolute – if there is any possible vulnerability, some IT pros will say a website has security issues. By that strict definition, almost every website is insecure. Many website security “experts” will use this rigorous definition of security to sell website owners excessive or unnecessary services. However, before you worry about how secure your website is, you need to determine your risk factors. Ask yourself the following questions:
- What is on my website that people will want to steal? If your website is nothing more than an online brochure (which describes our website, for example), your security risk is low. No one is going to spend real effort to “hack” your site unless they think there is something valuable inside…so nothing valuable = little risk from a targeted attack. The one caveat: the automated bots mentioned above don’t check first, so even a brochure site can be taken over to host spam or malware if the software behind it is out of date.
- Would anyone want to deface or vandalize my website? If you have a very high profile website (think CNN.com) or a website that polarizes people (a political organization, for example), your security risk is high. Vandalizing a popular or politically significant website is a way for a hacker to draw attention to themselves or prove how dangerous they are. However, if you’re just a little Denver Internet marketing company (or similar low-profile business), it’s unlikely anyone wants to invest the time to vandalize your site.
- What’s the worst case scenario? Is your website mission critical, i.e. will your business grind to a halt without it? If someone manages to steal your data, could you end up in court? If the answer to either of these questions is “yes,” you need to be very concerned.
As a general rule, the large majority of small-business websites have few security concerns because they have few risk factors. They still need the basics (current software, good passwords, sensible access management), because the automated attacks described above don’t check how important you are before they try the door.
Q. What questions should I ask a web developer about my website’s security?
A. Make sure they can speak intelligently about the following issues:
- Cross-site scripting attacks: Abbreviated as XSS, this is an incredibly common method of attacking websites and their visitors. If your website has a place where visitors can enter text (like a contact form, a comment box or a search field) and that text is later displayed on a page without being escaped, an attacker can slip in script that runs in other visitors’ browsers. There’s an easy XSS test you can do yourself (type something like “<script>alert(1)</script>” into a form and see whether it comes back as plain text or as a pop-up), but most web developers know about this vulnerability and block it easily.
- SQL injection attacks: This is another vulnerability that is easily blocked, by using parameterized queries instead of pasting visitor input into the query text. If your website uses a SQL database, it could be vulnerable…so ask your developer. If they don’t know what SQL injection is (and they’re building you a website that will use a SQL database), that’s not a good sign. By the way, SQL is often pronounced “sequel”…so when someone says “sequel injection” this is what they’re talking about.
- Ask them about their security experience: If you have a high-risk website, you need a developer that has developed and successfully protected high-risk sites.
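The two vulnerabilities above, side by side, as an added example that is not code from the original post: a contact form whose “thanks” page reflects the visitor’s name, and a lookup of stored messages by sender. The table, column names and probe strings are constructed for illustration; Python’s built-in sqlite3 and html modules keep it runnable offline. Ask your developer to explain why the “safe” versions behave differently from the “unsafe” ones.

```python
"""Vulnerable versus fixed handling of a contact-form submission.

Added example, not from the original post. Uses an in-memory SQLite
database and a hand-built HTML snippet so it runs offline; the table
name, column names and sample inputs are constructed for illustration.
"""
import html
import sqlite3

# Constructed sample inputs: one ordinary visitor and two probes a tester
# (or a bot) would submit to a contact form.
BENIGN_NAME = "Alice"
XSS_PROBE = "<script>alert(1)</script>"
SQLI_PROBE = "x' OR '1'='1"


def render_thanks_unsafe(name: str) -> str:
    """Reflects the visitor's name straight into the page (vulnerable)."""
    return f"<p>Thanks, {name}! We will be in touch.</p>"


def render_thanks_safe(name: str) -> str:
    """Escapes the name before it goes into HTML, so markup is shown as text."""
    return f"<p>Thanks, {html.escape(name, quote=True)}! We will be in touch.</p>"


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with three constructed messages."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO messages (sender, body) VALUES (?, ?)",
        [("alice", "hello"), ("bob", "quote request"), ("carol", "private note")],
    )
    conn.commit()
    return conn


def find_messages_unsafe(conn: sqlite3.Connection, sender: str) -> list:
    """Builds the query by string concatenation (vulnerable).

    With SQLI_PROBE the query becomes
      ... WHERE sender = 'x' OR '1'='1'
    which is true for every row, so every message leaks.
    """
    sql = "SELECT sender, body FROM messages WHERE sender = '" + sender + "'"
    return conn.execute(sql).fetchall()


def find_messages_safe(conn: sqlite3.Connection, sender: str) -> list:
    """Parameterised query: the driver sends the value separately from the SQL,
    so the quote and OR in the probe are just characters in a name."""
    return conn.execute(
        "SELECT sender, body FROM messages WHERE sender = ?", (sender,)
    ).fetchall()


def demo() -> dict:
    """Run both probes against both versions and summarise what happened."""
    conn = make_db()
    return {
        "xss_unsafe_has_script": "<script>" in render_thanks_unsafe(XSS_PROBE),
        "xss_safe_has_script": "<script>" in render_thanks_safe(XSS_PROBE),
        "sqli_unsafe_rows": len(find_messages_unsafe(conn, SQLI_PROBE)),
        "sqli_safe_rows": len(find_messages_safe(conn, SQLI_PROBE)),
        "benign_rows": len(find_messages_safe(conn, "alice")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe page echoes the probe as live script and the unsafe query returns all three stored messages; the safe versions return the probe as harmless text and zero rows. Escaping output and parameterizing queries is what “blocking” these attacks actually means.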
Q. What are your website security tips for small business owners?
- Use good passwords and keep them secret. Longer is better: aim for 12 characters or more (a short phrase of unrelated words works well), with a mix of letters, numbers and capitals. Use a different password for your website, your email and your hosting account, because a password stolen from one place gets tried everywhere else; a password manager makes this painless.
- Manage access. When you hire employees, when you work with contractors, etc., issue them their own passwords instead of sharing your own. When you fire them, revoke their access.
- Watch your clicks. Don’t download anything you’re not 100% confident in and don’t open email attachments you weren’t expecting, even if they appear to come from someone you know (sender addresses are easy to fake).
- Keep your software up-to-date. This is a no-brainer really, but a lot of people skip this step. That means antivirus, but also your operating system, your browser and the software that runs your website. Out of date software means your computer (or your site) is vulnerable to malware…malware that can steal your passwords, infect your website, etc.
- Get help if you have risk factors. Remember, if your website has a high profile or if there is data that people might want to steal, you need help from a website security expert. It’s much cheaper to pay someone to help you secure your website now than it is to recover from an attack later.
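As an added example for the password tip above (not code from the original post), here is a small script that generates a random password with the operating system’s secure random source and checks a password against the rules described. The minimum length of 12 and the tiny list of common passwords are assumptions chosen for illustration; a real check would use a much larger breached-password list.

```python
"""Generate and sanity-check passwords for small-business accounts.

Added example, not part of the original post. MIN_LENGTH and the COMMON
set are assumptions for illustration.
"""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"
MIN_LENGTH = 12  # assumption: length matters more than fancy rules
# Constructed sample of passwords that appear in every breach list.
COMMON = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}


def check_password(pw: str) -> list:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if pw.lower() in COMMON:
        problems.append("on the common-password list")
    return problems


def generate_password(length: int = 16) -> str:
    """Return a random password drawn with secrets (a CSPRNG), not random."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until the candidate satisfies our own checks, so callers
        # never receive a password that check_password would reject.
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    print("generated:", generate_password())
    for candidate in ("password", "Secret7", "CorrectHorseBattery9"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Give each employee and contractor their own generated password rather than sharing one; then revoking access when someone leaves is a matter of disabling one account, not changing everyone’s password.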
Like I said, this is just a basic primer. If you need more info, comment below and I can point you in the right direction.