Every year, it’s important to review the critical aspects of your business. Don’t forget to include your website security in the review! Here are 5 business security tips for your website.
1. Password Review
First, take time to review the relevant passwords for your website hosting and domain, or your server administrator passwords if you’re hosting your own.
- Your website probably uses a hosting service. The hosting company is where your website files are stored, and its servers may also hold sensitive data, depending on what information your website collects. If that data is compromised, not only could your website go down, but you could find yourself liable for a breach of customer data and privacy. Update your website hosting passwords every year, and turn on two-factor authentication if the host offers it.
- Likely separate from your hosting and the physical storage of your files is your domain registrar. The registrar, accredited by ICANN (Internet Corporation for Assigned Names and Numbers), registers your domain name with the registry for its top-level domain, and it usually also publishes the records for that name in DNS (Domain Name System), the “internet phonebook” that turns your domain into the addresses of your web and mail servers. If you lose control of your registrar account, you could lose the domain itself, which is part of your brand and online identity, and you could lose control of your email, because the DNS records that tell the world where your mail goes live there too. An attacker with that access can point your mail records at a server they control and read your mail without your knowing. Update your domain registrar passwords every year, and enable two-factor authentication and registrar lock where available.
- Finally, if you host your website from your business on your own server, ensure that the administrator accounts have their passwords updated as well.
When updating a password, choose a good one. A good password is made of random characters, is at least 8 characters long (longer is better; a generated 16-character password costs you nothing to use), and is not one you have used anywhere else. Store it in a secure password manager, and let the manager generate it for you.
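The rules above (random characters, a minimum length, never reused) can be enforced rather than just recommended. The following is an added example written for this page, not code from the original post: it generates a password from the operating system's cryptographic random source and checks a candidate against the same rules. The set of previously used passwords it compares against is assumed to come from your password manager or from a hash store, and the minimum length of 8 is the floor the text gives.

```python
import math
import secrets
import string
from typing import List, Set

# Character set for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 8  # the floor given in the text; the generator defaults to 16


def generate_password(length: int = 16) -> str:
    """Return a password of `length` characters drawn uniformly at random.

    `secrets` reads the OS cryptographic random source; the `random` module
    is seeded predictably and must not be used for credentials.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of this length and alphabet.

    A 16-character password over 94 symbols gives about 105 bits; 8 characters
    give about 52, which is why longer generated passwords are preferred.
    """
    return length * math.log2(alphabet_size)


def check_password(candidate: str, previously_used: Set[str]) -> List[str]:
    """Return the reasons a candidate fails the rules above; an empty list means it passes.

    `previously_used` is this user's old passwords (assumed to be supplied by the
    password manager, or compared as hashes in a real deployment).
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # A human-chosen password that is all lowercase is not "random characters".
    classes = sum(
        1
        for cls in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)
        if any(c in cls for c in candidate)
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if candidate in previously_used:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    new_pw = generate_password()
    print(f"generated: {new_pw} ({entropy_bits(len(new_pw)):.0f} bits)")
    print("problems with 'password':", check_password("password", set()))
```

The generator never produces a password that fails the checker on length, and the checker is what you would run on a password an employee chose themselves (section 5 below); if your password manager exports old entries, pass them as `previously_used` to catch reuse.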
2. Check your domain contact information
Speaking of domains, take a moment to ensure that your domain registrar has the correct contact information for your business. Renewal reminders and ownership verification notices go to that address; if it is wrong, you could miss a renewal or fail a verification and lose access to your domain. It also wouldn’t hurt to enable a “privacy” service, which publishes the registrar’s contact details in the public listing and relays any messages directly to you. This is particularly helpful to avoid spam and useless junk mail.
3. Update PHP, MySQL, and other server extensions
Next to “front door” security with passwords, it’s important that you check your “back door” security: the software running on your website. Server modules and extensions, like PHP, are critical to making your website function, but they also expose it to any vulnerabilities in their code. Running out-of-date modules and extensions is one of the most common ways a site gets compromised, because attackers know the old vulnerabilities and routinely scan websites for versions that still have them.
Since PHP is so common, both in use and as an attack vector, let’s look at it as an example. At the time of writing, the latest versions of PHP are 5.5.31, 5.6.17, and 7.0.2. You should ensure that you’re running one of these. Also, if you’re running the 5.5.x branch, be aware that its security updates cease in about 5 months, so you should begin migrating to at least 5.6.x or, better, the 7.0 branch. (Keep in mind that upgrading may cause compatibility issues, so test the upgrade on a copy of the site first.)
Other common modules and server extensions that you’ll want to update are MySQL and phpMyAdmin, and, if you’re running Microsoft IIS, ASP.NET and the .NET Framework.
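A yearly review is easier if the version check is a script you can rerun. The following is an added example for this page, not code from the original post: it parses the version string that `php -v` prints and classifies it against the branches listed above. The branch table holds the page's own figures (5.5.31, 5.6.17, 7.0.2, with 5.5 ending soon) and is meant to be edited each year; the sample `php -v` output it is exercised on is constructed here, and the `php` binary is only invoked if you call `installed_php_version()` yourself.

```python
import re
import subprocess
from typing import Dict, Optional, Set, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

# Latest patch release per supported branch, as stated in the text above.
# Update this table each year; it is the only thing that goes stale.
LATEST_PHP: Dict[Branch, Version] = {
    (5, 5): (5, 5, 31),
    (5, 6): (5, 6, 17),
    (7, 0): (7, 0, 2),
}
# Branches whose security support ends within the review period (5.5, per the text).
ENDING_SOON: Set[Branch] = {(5, 5)}

# First x.y.z number in a tool's banner, e.g. "PHP 5.6.17 (cli) (built: ...)".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first three-part version from version-banner text, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess_php(version_text: str,
               latest: Dict[Branch, Version] = LATEST_PHP,
               ending_soon: Set[Branch] = ENDING_SOON) -> str:
    """Classify a PHP version banner as current, outdated, unsupported, etc."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch < min(latest):
        return "unsupported"        # older than any branch still receiving fixes
    if branch not in latest:
        return "unknown-branch"     # newer than the table: update LATEST_PHP
    if version < latest[branch]:
        return "outdated"           # a newer patch release exists on this branch
    if branch in ending_soon:
        return "current-but-eol-soon"
    return "current"


def installed_php_version() -> Optional[str]:
    """Run `php -v` on this machine; None if PHP is not installed or fails to run."""
    try:
        out = subprocess.run(["php", "-v"], capture_output=True, text=True,
                             timeout=10, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.splitlines()[0] if out.stdout else None


if __name__ == "__main__":
    banner = installed_php_version()
    if banner is None:
        print("php not found on this host")
    else:
        print(banner, "->", assess_php(banner))
```

Run it on each web server in your review; anything other than `current` needs an action item, and `unknown-branch` means the table itself is a year out of date. The same `parse_version` works on `mysql --version` output, so a second table for MySQL is a small extension.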
4. Protect the rest of your network
Speaking of running your own server from your business, whether it’s running Apache, nginx, or IIS, you’ll want to be sure that your website isn’t an open door for hackers to break into your local network by exploiting a flaw on your server. You’ll also want to make sure that other, less secure computers on the network aren’t able to compromise your server.
- First, to protect from attacks from the outside, put a stateful firewall in front of the server (often sold as SPI, Stateful Packet Inspection) and let through only the ports the website actually serves, normally 80 and 443; a stateful firewall tracks connections, but it does not read the contents of web requests, so attacks hidden inside requests need a web application firewall or the unified threat management system described below. Place the server on its own network segment so that it cannot open connections into the office network.
- Second, you should ensure that all computers on the network are up-to-date on security patches, antivirus definitions, and other software updates. This helps protect against “attacks from within” by compromised machines.
- Finally, consider using a “unified threat management” system to protect from both fronts – inspecting incoming requests, and filtering malicious content from being accessible to other devices on the local network.
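Here is what the “stateful firewall plus segmentation” advice looks like as an actual ruleset, as an added example for this page rather than a configuration from the original post. It is an nftables configuration for a Linux web server. Assumptions: the server sits on its own network segment, the office LAN is 192.168.1.0/24, and administrative SSH is only ever opened from that LAN; adjust the addresses to your own.

```nft
# /etc/nftables.conf on the web server itself.
# Assumed layout: server on its own segment, office LAN is 192.168.1.0/24.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Stateful part: only packets that belong to a connection we already accepted.
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # The only services the outside world may open connections to.
        tcp dport { 80, 443 } accept

        # Administrative SSH only from the office LAN, rate-limited against brute force.
        ip saddr 192.168.1.0/24 tcp dport 22 ct state new limit rate 6/minute accept

        # Everything else, including unsolicited traffic from the LAN, hits the
        # drop policy; log a sample so scans show up in the yearly review.
        limit rate 10/minute log prefix "nft-input-drop: "
    }

    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oifname "lo" accept

        # A compromised web server must not be able to start connections into the LAN.
        ip daddr 192.168.1.0/24 drop

        # What the server legitimately needs to initiate: DNS, NTP, package updates.
        udp dport { 53, 123 } accept
        tcp dport { 53, 80, 443 } accept
        limit rate 10/minute log prefix "nft-output-drop: "
    }
}
```

Check the file with `nft -c -f /etc/nftables.conf` before loading it with `nft -f /etc/nftables.conf`, and do so from a console session rather than over SSH the first time. If the site's database lives on the LAN, add one rule allowing that single host and port above the `ip daddr 192.168.1.0/24 drop` line rather than removing the drop; the point of the output chain is that a web server exploited through a PHP flaw gains no foothold on the rest of the network.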
5. Review your “OP-SEC” work policies
OP-SEC, or operational security. Besides the business security tips that focus on technology, it’s worth reviewing the work policies that govern how your employees treat security.
- When an employee leaves or is terminated, ensure that their logins are disabled and that any shared passwords they knew are changed. If they had physical keys to the server room, collect those as well.
- If employees are allowed to choose their own passwords, make sure they know that each password must be unique and not one they’ve used elsewhere, and check that the passwords they choose meet the standard described above.
- Train employees who answer the phone or respond to emails to be suspicious of requests for information about your technology or your customers. As a general rule, the only information that should be given out is a customer’s own data, and only after that customer has verified their identity.
- Assume that some phishing emails will get through and that someone will eventually open an attachment. Have filtering in place to catch the bulk of them, and have controls on the workstations (current patches, antivirus, and non-administrator user accounts) so that a single opened attachment is contained rather than spreading across the network.
There are other things essential to your security, but these are five of the most critical business security tips. Review them once a year to help protect your business website.