The last year has been a challenge for many small and medium-sized industrial operations and businesses. You had to deal with COVID, new work from home policies, and supply chain shortages and problems. With all that, have you had time to think about securing your website?
You may have read about various recent cyberattacks. You have seen the headlines, but you are not worried because your organization is too small for hackers to take aim at you? Right? Wrong! Lack of attention to website security is the quickest path to become a hacker’s next victim. Website security is critical, regardless of your business’s size.
Alarmingly, nearly half (48 percent) of SMB business managers think that their organization is too small or unimportant for hackers to notice. The harsh reality is that any website is a target. In Sectigo’s State of Website Security and Threat Report, January 2021 we learned that 50 percent of small and medium-sized organizations experienced a website breach, and 40 percent are attacked every month.
Despite the risk, the study found that only 30 percent of SMBs believe they are vulnerable to online threats, including those businesses that have recently experienced a breach. SMBs are overconfident and do not consider their websites to be vulnerable, despite how vital their online presence is to their success. This is a perception battle with reality, at epic proportions.
It is not a question of ‘if’ your site will be probed for vulnerabilities. It is a question of ‘when.’
Five Ways to Protect Your Business & Your Website
Keep Your Tech Updated. When choosing a tech stack for your website, it is critical that it gets proactively updated and patched to expose and ward off vulnerabilities before they can be exploited by cybercriminals. For example, automated CMS patching, such as auto-updates to WordPress or Magento, prevent hackers from sneaking in between updates or exploiting outdated version with known vulnerabilities. It is critical to keep the core site version and any plugins updated with the latest revision in real time.
Pay extra attention to areas on your site that request user input, such as registration forms, where many attacks occur.
Proactively Detect Malware and Vulnerabilities. There is a big difference between being alerted when something already went wrong and having the knowledge to stop an incident BEFORE it begins. It is surprisingly common for websites to have malicious code working silently in the background without the owner’s knowledge, or causing any visible malfunction.
Utilizing an automated vulnerability scanner that will continuously scan for vulnerabilities on your website is an essential security measure. Vulnerability scanners will scan web applications for security problems such as cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF). More advanced scanners deliver more robust techniques that delve further into the web application and can then automatically and safely remove malicious code from legitimate files without compromising their functionality.
Implementing the Right Tools to Remove Discovered Threats. You uncovered a vulnerability in your MySQL database, website files, or another core component of your website. Now what? Do not get caught with the knowledge of a threat only to have no way to counter the attack. Prepare to remove the threat. Your website admins can use remediation software that immediately removes active vulnerabilities without disruption. In the event of removing a discovered threat, make sure you choose a tool that prioritizes business continuity.
Regularly Protect Your Backups. If your website succumbs to a cyberattack, your backups are your insurance policy and the key to your recovery plan. With a proper backup, if your website is suddenly unavailable, you will quickly be able to restore it to the correct version, with all its data intact. Version control software is widely available, and many hosting services have plans that periodically perform database backups and snapshots. Effective backup and restore tools are critical to any connected business to quickly reconstruct lost information.
Automate TLS/SSL Certificate Management. “Identity” is a critically important concept for websites. Your website visitors need to be confident that they are on your secure website and have not landed on a spoofed or malicious look-alike site. Digital certificates (visible as a padlock in many browsers) help visitors know that the personal information they enter is only being shared with your authentic and verified site.
Web browsers can also provide warnings when someone browses to a site lacking the correct digital certificate. Given that more than 72% of respondents in our study said that they collect or store sensitive data through their website, providing clear assurance is critical for earning customer trust.
The advent of certificate automation solutions has made it considerably easier to issue, renew, and maintain TLS/SSL certificates, meaning that small businesses can enjoy the benefits of identity security with minimal management. Multiple levels of SSL certificates are available through hosting providers, domain registrars, or Certificate Authorities themselves.
All products will alert website owners about the need to renew the certificate, and some even enable SSL “subscriptions” that ease the process. For web pages that collect sensitive personal data or financial information, it is wise to upgrade from a Domain Validated (DV) to an Extended Validation (EV) certificate, which provides the highest level of trust available.
Cyberattacks are rising in number much faster than business managers are preparing for them. It is critical to protect your organization by keeping your website software updated, proactively detecting malware and vulnerabilities, tooling up to remove threats, performing backups, and automating TLS/SSL certificate renewal. While cyberattacks may never end, there are many resources and technologies available so you can be prepared for anything.
The Internet is ever-evolving, so should your organization’s website security.
Alan Grau is VP of IoT, Embedded Solutions at Sectigo, the world’s largest commercial Certificate Authority and provider of purpose-built, automated PKI solutions. For more information, visit www.sectigo.com and follow @SectigoHQ.