If you’re concerned that your business’s website and secure data is in danger of being hacked, your fears aren’t entirely unfounded. Security experts estimate that as many as 30,000 websites are hacked each day — and that no business is too large or small to fall off the radar of hackers. Despite that very real threat, there are proactive steps you can take to minimize the likelihood that your site falls victim to malicious web predators. Here are six simple ways to secure your business’s online data.
1) Keep your software up to date. Sites are commonly compromised because operating software becomes outdated, allowing hackers to automatically detect those holes and use them to their advantage. If your site uses a reputable managed hosting service, that host probably runs regular security updates (without requiring any involvement on your part) to minimize security risks and proactively apply patches. If you don’t rely on managed hosting and/or your site includes forums and content management systems, sign up for automatic notifications with the third-party service to ensure you’re notified of any security issues and can respond quickly with the appropriate fix as soon as they’re detected.
2) Code carefully. Hackers commonly access sites due to coding flaws that make it simple to rewrite a query in a way that accesses secure data. Regardless of database you use, parameterized queries should be a best practice in your site’s coding standards. By using placeholders (like question marks), such queries create parameters that make it much harder for a user to input unexpected data (which is often as simple as moving one character in a query) that can lead to an SQL injection attack that rewrites your database.
3) Don’t provide detailed messages. Too much information in your error messages can give hackers the insight they need to gain access to your site. Even seemingly harmless language like “incorrect password” when a user enters an invalid username and password combination tells a hacker that he or she correctly guessed at least part of the required credentials (the username).
4) Invest in business class software security. Hacking has become so inexpensive and automated that cyber-criminals with little hacking knowledge now have the tools they need to gain access to your site. Safeguard your data by investing in business-class security suites that automatically search for malware and other vulnerabilities, and apply the necessary patches on every device associated with your business — including mobile devices and data stored in the cloud. Most important, take any detected threat seriously. In the case of Target’s multi-billion dollar breach, a security software threat was detected — but was ignored.
5) Establish security processes and policies. Don’t assume that your employees know about the many security threats that their innocent computing activities present. Establish written policies and best practices for how to keep passwords safe, secure and regularly updated. Educate your team on how to transmit sensitive data so that it is not sent across public email domains, on how to spot suspicious links in email, and on identifying whether a website is secure and valid. Perform regular backups of your website and database data regularly so that you have a reliable record of sensitive information, should it be compromised.
6) Test for vulnerabilities regularly. It’s more cost-effective to prevent hackers than to react to the aftermath of a breach, particularly if a hack results in the loss of secure personal and financial data owned by your business, employees or customers. Once you’ve taken the basic security measures noted above, establish a relationship with an IT audit firm that is reputable within the small business community. Get a professional opinion about just how secure your systems are and where improvements can be made. Invest in a professional audit that is conducted at least once a year and includes testing for firewall security, network and router configuration, operating system security, and penetration tests.
What other advice can you share with business owners and IT professionals looking to help keep their company’s data more secure?