It seems like every day now we read headlines about high-profile website hacks – not just of smaller websites, but large corporate entities that handle personal data for millions of people. To add insult to injury there is also a high demand for security professionals because there are so few of them, and even fewer truly qualified ones.
Am I at risk?
Technically, everyone who operates a website is at risk. You may think that the person hacking your website is some kid in his mother’s basement, sipping on some Jolt Cola, but that couldn’t be further from the truth. Most attacks on websites involve “bots”, computer programs that automatically scour the internet in search of vulnerable websites. Once one of these bots finds a target it runs a set of scripts to gain access. Once it has access, the sky is the limit: it can make your site send spam emails or serve malware and viruses to unsuspecting users.
As you can probably guess, bots are indiscriminate when it comes to targeting a website. It doesn’t matter if your website sells stretch canvas prints of LOLcats or if you simply have a personal blog, although holding more sensitive information, such as credit card information, certainly increases your chances of an attack.
Who is responsible for security?
Ask anyone at a company who is responsible for security and they will point a finger at someone else. Management will point to IT, who will point to the Creative Team, which in turn points to the Web Team. The reality is that everyone who works for a company is responsible for security, because each of us can introduce a vulnerability into the system, whether through a weak password or by unknowingly downloading malware from an email.
Security is not something to be taken lightly: a breach can cost a company a lot of money or even put it out of business. That is why it is so important to have everyone on board.
A better approach
It is important to have a solid security policy in place to ensure that the basic best practices are followed, as well as tailored policies for business-specific needs. Some of these policies can include:
1. Don’t forget your SSL certificate: Your online customers will thank you for making sure their credit card transactions are secure, and next month Chrome will start shaming sites by labeling them as “not secure” if they don’t have an SSL certificate.
2. Strong Passwords: Always use uppercase letters, lowercase letters, numbers, and at least one special character. Alternatively you can use a passphrase, which is easier to remember; an example could be DogTeachesDancingLessonsToPeople. Make sure that no one shares their password either; passwords also serve as an accountability tool.
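The password rule above can be enforced at the point where accounts are created or passwords changed. The following is an added example written for this article, not code from Torx or from any CMS; the minimum lengths (12 characters for a character-class password, 20 for a passphrase) and the distinct-character floor are assumptions, since the article names no numbers. The passphrase route accepts the article's own DogTeachesDancingLessonsToPeople on length alone, while shorter passwords must satisfy all four character classes, and the reasons list gives the user something actionable to fix.

```python
import string

# Thresholds are assumptions for this example; the article names no minimum lengths.
MIN_COMPLEX_LENGTH = 12      # character-class password: upper, lower, digit, special
MIN_PASSPHRASE_LENGTH = 20   # long passphrase: accepted on length alone
MIN_DISTINCT_CHARACTERS = 6  # rejects degenerate strings such as "aaaaaaaaaaaaaaaaaaaaaaaa"
SPECIAL_CHARACTERS = set(string.punctuation)


def check_password(candidate: str) -> tuple[bool, list[str]]:
    """Apply the policy from the list above: either a long passphrase, or a shorter
    password containing uppercase, lowercase, a digit and a special character.

    Returns (accepted, reasons); reasons explains the decision so it can be shown
    to the user or written to an audit log."""
    reasons: list[str] = []

    # Guard against strings that are long but carry almost no variety.
    if len(set(candidate)) < MIN_DISTINCT_CHARACTERS:
        reasons.append("too repetitive: fewer than %d distinct characters" % MIN_DISTINCT_CHARACTERS)
        return False, reasons

    # Passphrase route: length is the whole requirement.
    if len(candidate) >= MIN_PASSPHRASE_LENGTH:
        reasons.append("accepted as a %d-character passphrase" % len(candidate))
        return True, reasons

    # Character-class route: every missing class is reported, not just the first.
    if len(candidate) < MIN_COMPLEX_LENGTH:
        reasons.append("shorter than %d characters and not a passphrase" % MIN_COMPLEX_LENGTH)
    if not any(c.isupper() for c in candidate):
        reasons.append("missing an uppercase letter")
    if not any(c.islower() for c in candidate):
        reasons.append("missing a lowercase letter")
    if not any(c.isdigit() for c in candidate):
        reasons.append("missing a digit")
    if not any(c in SPECIAL_CHARACTERS for c in candidate):
        reasons.append("missing a special character")
    if reasons:
        return False, reasons
    reasons.append("accepted: meets the character-class rule")
    return True, reasons


if __name__ == "__main__":
    samples = ["DogTeachesDancingLessonsToPeople", "Correct!Horse42",
               "password1", "aaaaaaaaaaaaaaaaaaaaaaaa"]
    for sample in samples:
        ok, why = check_password(sample)
        print("%-34s %s  %s" % (sample, "OK  " if ok else "FAIL", "; ".join(why)))
```

Returning every failed rule at once rather than stopping at the first means the user only makes one round trip, and the same reasons list is what you would log when an administrator sets a password on someone else's behalf.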
3. Least Privilege Access: Only grant the access a person needs to do their job. If you work with PCI or HIPAA data, there is very little reason for even a developer to have access to real records. Have a plan for providing alternative test access or limited access to test data instead.
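One way to give developers "limited access to test data" without handing them real records is to serve every read through a single function that knows which view a role is entitled to. The code below is an added example for this article, not Torx's own tooling; the roles, the customer records and the pseudonym salt are all constructed for the example (the card number is the public Visa test number, not a real card). Roles not in the table are denied rather than defaulted to a masked view, and every read is logged so the access trail the article calls "accountability" actually exists.

```python
import hashlib
import logging
from dataclasses import dataclass, replace

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("data-access")

# Assumed salt for this example; in a real deployment it lives in a secrets store, not in code.
PSEUDONYM_SALT = b"example-salt-rotate-me"


@dataclass(frozen=True)
class CustomerRecord:
    name: str
    email: str
    card_number: str


# Constructed sample data. The card number is the public Visa test number, not a real card.
SAMPLE_RECORDS = [
    CustomerRecord("Alice Example", "alice@example.com", "4111111111111111"),
    CustomerRecord("Bob Sample", "bob@example.org", "4111111111111111"),
]

# Which roles get which view. Anything not listed is denied (deny by default).
ROLE_VIEWS = {
    "billing-agent": "real",    # needs real data to process refunds
    "developer": "masked",      # needs realistic shape, not real values
}


def pseudonym(value: str) -> str:
    """Deterministic, non-reversible stand-in so joins across masked records still work."""
    digest = hashlib.sha256(PSEUDONYM_SALT + value.encode("utf-8")).hexdigest()
    return "cust-" + digest[:10]


def mask_card(card_number: str) -> str:
    """Keep only the last four digits, the same view a receipt shows."""
    return "*" * (len(card_number) - 4) + card_number[-4:]


def mask_record(record: CustomerRecord) -> CustomerRecord:
    """Replace identity fields with a pseudonym and truncate the card number."""
    handle = pseudonym(record.name)
    return replace(record, name=handle, email=handle + "@example.test",
                   card_number=mask_card(record.card_number))


def records_for(role: str, records: list[CustomerRecord]) -> list[CustomerRecord]:
    """Return the view of `records` that `role` is entitled to, logging every access."""
    view = ROLE_VIEWS.get(role)
    if view is None:
        log.warning("denied: role %r has no data access", role)
        raise PermissionError("role %r is not permitted to read customer records" % role)
    log.info("role %r granted %s view of %d records", role, view, len(records))
    if view == "real":
        return list(records)
    return [mask_record(r) for r in records]


if __name__ == "__main__":
    for row in records_for("developer", SAMPLE_RECORDS):
        print(row)
    try:
        records_for("marketing", SAMPLE_RECORDS)
    except PermissionError as exc:
        print("blocked:", exc)
```

Because the pseudonym is a salted hash rather than a random value, two masked exports of the same customer still line up, which is usually all a developer reproducing a bug needs.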
4. Software Update Schedule: The software we use isn’t perfect, which is why it is important to have a schedule in place to make sure it is updated and patched. Many breaches happen because systems are running older, more vulnerable versions of an application. Also, are you keeping your WordPress plugins up to date? Hackers love to target older, less-protected versions of popular plugins.
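An update schedule is easier to keep when something produces the list of what is behind. The following is an added example for this article, not a Torx or WordPress tool: it compares an installed-plugin inventory against a table of latest known releases and reports anything outdated or, just as important, any plugin with no known current release at all, since an abandoned plugin will never get a patch. The plugin slugs and version numbers are constructed placeholders, not real plugins. Versions are compared numerically so that 1.10 is correctly seen as newer than 1.9, a mistake plain string comparison makes.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    plugin: str
    installed: str
    latest: Optional[str]
    status: str   # "current", "outdated" or "unknown"


def parse_version(text: str) -> tuple:
    """Turn "1.10.2" into (1, 10, 2) so that 1.10 sorts after 1.9.
    Pre-release suffixes such as "-beta" are dropped for the comparison."""
    core = text.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in core.split("."))


def audit_plugins(installed: dict, latest_known: dict) -> list:
    """Compare installed plugin versions against a table of latest releases.
    Plugins missing from the table are reported as "unknown" rather than silently
    passed, because no known release usually means nobody is maintaining it."""
    findings = []
    for plugin, version in sorted(installed.items()):
        latest = latest_known.get(plugin)
        if latest is None:
            status = "unknown"
        elif parse_version(version) < parse_version(latest):
            status = "outdated"
        else:
            status = "current"
        findings.append(Finding(plugin, version, latest, status))
    return findings


def needs_action(findings: list) -> list:
    """Everything that should appear on this month's update ticket."""
    return [f for f in findings if f.status != "current"]


# Constructed inventory for this example: slugs and versions are placeholders, not real plugins.
INSTALLED = {
    "example-gallery": "1.9.3",
    "example-forms": "4.2.0",
    "example-seo": "2.0.1",
    "example-abandoned-widget": "0.8",
}
LATEST_KNOWN = {
    "example-gallery": "1.10.0",
    "example-forms": "4.2.0",
    "example-seo": "2.1.0",
}

if __name__ == "__main__":
    for f in audit_plugins(INSTALLED, LATEST_KNOWN):
        print("%-26s installed %-8s latest %-8s %s"
              % (f.plugin, f.installed, f.latest or "?", f.status.upper()))
```

In practice the `LATEST_KNOWN` table would be filled from your plugin vendor's release feed on each run of the schedule; the comparison and reporting logic stays the same.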
In addition to these policies, make sure that you only connect to your website over a secure connection. Certain CMSs, WordPress among them, send the username and password in plain text by default, which means anyone on the same WiFi network can intercept that data. Oh yeah, and WiFi isn’t secure anymore, either.
Ensure that the team building your code has a good understanding of secure coding and of how to lock down your hosting environment. More and more people are becoming programmers but lack real experience writing secure code. All of the developers here at Torx have worked in IT at some point and have strong security-based backgrounds, which makes us aware of the importance of locking down a website.
Not sure if your site is secure enough? We can easily set you up with an SSL enabled site, manage your WordPress updates and more. Contact us below to get started!