Some of your website’s security may be covered by your hosting company and they should always be your first call if anything were to happen.
However, you should always check what they do and don’t cover because at the end of the day you are responsible for your website’s security. Even the smallest of SMEs and micro-businesses require security.
It’s not always the case that the person or bot that is hacking you is after your business. You could be the weak link in a chain that leads to the real goal. Your business may be in a nice office on a brand new business park but your website is in the meanest, most corrupt part of town there is.
The Internet. It’s not a matter of if; it’s a matter of when. So let’s look at what matters in your quest for enhanced security.
1. Who or what am I protecting?
This is the first thing you need to ask yourself when adding security to your website. What is the most business critical aspect and what can you realistically afford to protect it. In terms of who, there are two main groups you need to think about protecting.
- Your neighbours : Chances are you will start out on a server with a few neighbours, either through shared hosting or VPS. If you or a neighbour gets hacked, others on the server can become affected. Hacks can take up huge resources which slows the other sites down.
- Your visitors : There have been examples in the past of websites having malware attached to their pages without the business being aware. This has resulted in malware being downloaded onto the visitor’s computer stealing everything from passwords to personal information. Beyond the reputational damage, you may be liable for any data protection breaches. Which brings us to the “what am I protecting?” part.
- Data protection : Data protection is vital to any business. Not only are you liable for any loss or abuse of personal data, there’s also the issue of business critical information. If you lose data, such as client information or payment information, how long will it take for your business to recover? And how much will that cost you financially especially after the GDPR roll out?
2. SSL certificates
SSL stands for Secure Sockets Layer. It’s a protocol that creates secure connections between a server and the person who is accessing the site, known as the client. SSL use a cryptographic system to encrypt information being passed between the client and server. Generally you can tell if a website has a valid SSL Certificate as the URL begins with HTTPS rather than HTTP and contains the padlock symbol.
- When do I need SSL? If you collect any credit or debit card details you absolutely need SSL certificates. If, however, you use third party payment processors, such as PayPal, you don’t need to. This is because your website won’t actually hold any of the financial information. Similarly if your website collects any personal information or has a login form for visitors, you should have SSL. This ensures any information gathered by your site is secure, encrypted, and protects the privacy of your visitors. Additionally, Google offers a ranking boost for sites with an SSL Certificate.
- Shared versus private? Most hosting providers will offer shared SSL certificates. Shared SSL is intended to be used in situations where you want a secure connection to your server that is not used by the public. This is because shared SSL does not use your domain name. Instead it will use the URL of the hosting company you use. Although cost effective, it can be confusing for visitors and may make them uneasy about sharing their information. Private SSL certificates are matched to your own domain name. Your URL will appear in the address bar of a browser. If you need SSL because you are collecting personal information through your site, you should probably look at getting a private SSL certificate.
3. Web application firewalls (WAF)
WAFs (Web Application Firewalls) monitor the traffic before it reaches web application, analysing requests to filter harmful traffic or traffic patterns. WAFs are a common security control utilised by businesses to protect against impersonations, zero-day threats, and other known vulnerabilities and attackers.
Not surprisingly, they are usually offered as an option for bigger websites as they can be tricky to put in place (due to the level of expertise require) and are relatively expensive especially for SMBs.
By Desire Athow
© Future Publishing Limited Quay House, The Ambury, Bath BA1 1UA. All rights reserved