Your website is one of your most important business tools. It’s the gateway between your brand and the B2B and B2C consumer alike, and serves a wide variety of functions that contribute to your revenue model, even if you don’t have eCommerce elements integrated within.
While businesses are waking up to the necessity of advanced cyber security for their other online operations (data warehousing, etc.) far too many neglect their actual website. Recent reports show that approximately two-thirds of websites remain vulnerable. In addition, data shows that the most commonly infected CMS platforms are WordPress, Joomla! and Magento. That being said, a recent warning has gone out to any business running popular open-source CMS Drupal, directing them to immediately patch a flaw that an attacker could exploit just by visiting a vulnerable site. The latter is no small matter, with Drupal user data indicating the over 1 million websites are running on Drupal 6, 7, and 8, all of which are affected by the vulnerability bug.
Bottom line, is that no matter which CMS platform you use to manage and maintain your business website, it’s at risk at this very moment. The good news, is that there are practical solutions that can keep your prized asset safe from the prying eyes and hands cybercriminals.
5 Tips to Keeping Your Business Website Safe and Secure Against the Threat of Cybercrime
1. Use a Host Provider with a Reputation for Security
Most businesses look for hosts that can provide them with 99-100% uptime and gauge satisfaction based on that metric, neglecting to perform due diligence regarding the host’s own cybersecurity measures.
You must make sure your website’s first line of defense is a strong one. You need a host that is proactive about protecting client security, one that boasts a dedicated security team that can write necessary patches and web firewall rules to help mitigate zero-day vulnerabilities. Your host must also use an artificial intelligence (AI) and machine learning based system to monitor and apply fixes to all of their servers dynamically. The security offered must be enterprise level, even for small to medium businesses, and provide for SSL certification (more on this below). If your current host provider does not account for the above, it may be time to make a change.
2. SSL Encryption Deployment
All (we hope) eCommerce sites have adopted some level of SSL encryption in an effort to support secure financial transactions, a process which removes the risk of sensitive information (i.e. credit card data) being sent over the internet in plain text. Given that the established encrypted link ensures that all data passed between the web server and browsers remain private, it makes sense to secure your entire business website with an SSL certificate, even when no eCommerce element is present. If there is a page on your website without the HTTPS lock icon your site may not be as secure as you think.
Your host provider (as per item #1 above) should provide SSL certification, however, if you are currently using free SSL certification, you will need to upgrade to a more robust paid version for better data (and liability) protection. Organization Validation Certificates are more stringent in that they validate the brand behind the website, while Extended Validation Certificates ramp up website security a step further with a more rigorous vetting process that enables your site to have the notable green address bar at the top of your customers’ browsers.
Another reason your business should invest in more robust SSL encryption, is that with all else equal, search engines give preference to websites with SSL certification. That means not only will your website become more secure, you will have the opportunity to generate immediate ROI on its new security protocol.
3. Adopt a Better CMS Password Protocol
For one, limit CMS access to those who absolutely need to get into the backend, and restrict their access level to only the tasks they need to accomplish on a regular basis. For example, your content manager should only be able to access the function that allows them to add a new blog post (etc.) and not change user passwords or other admin level tasks. Even with that out of the way, a new password protocol must be instituted for all users. This protocol must include the following:
- Scheduled password resets - 30, 60, or 90 days are sufficient values.
- Increase password complexity - Must have at least six characters, can’t contain a user’s name or parts of the their full name, and must use at least three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols.
- Passwords must never be shared.
- Passwords must never be written down.
- Do not allow office and remotely used desktops, laptops, and mobile devices to remember user logins for the CMS.
- Use a password management tool.
View more on the six best practices for password management and apply them to your business website CMS.
4. Update Your CMS Platforms (and Plugins) in Real Time
This is without a doubt one of the most neglected security measures. One needs to look no further than the Drupal example addressed in the introduction, an example that Drupal users reading this may not even know about yet. Make sure that you and your entire IT team receives and monitors all alerts regarding updates to the CMS platform and all plugins being used, no matter how small they may seem. These software updates must be made immediately upon receipt of notification, especially when you consider that the open source community is delivering security patches in response to known vulnerabilities that have been and continue to be exploited on business websites.
One of the biggest reasons that business owners fear a platform and/or plugin update, is that it may cause something to go wonky (i.e. the white screen of death). This is why in addition to promptly attending to updates, you should backup the entire site to off-site cloud storage, a process which can be automated for you. If any of this sounds daunting, the action item below will deliver peace of mind.
5. Seek IT Support From a Firm With Expertise in Website Security
The smartest decision you can make when it comes to protecting your website, is to secure the services of an IT provider that will provide the support you need to make sure that your website is updated, backed up, and working in a cohesive manner with all of your other IT dependencies. This IT consultant should be a top cloud solution provider that boasts expertise in endpoint threat protection and enterprise level cybersecurity for all business sizes. Contact Fully Managed today to find out how we will protect your website and other essential IT assets.