When it comes to website security, many small businesses are in a constant state of change: changing from a state of denial—in the sense that they believe they don’t need security because they have nothing worth stealing and are too small for anyone to bother finding a way in—to a state of panic when they discover that their compromised website has been spreading malware for months and is now blacklisted by the search engines. A shocking statistic: according to a 2017 Manta poll of small business owners, almost 90% of those surveyed didn’t think they were at any risk of experiencing a data breach. While we are on the subject of troubling statistics, the U.S. National Cyber Security Alliance reports that up to 60% of hacked small and medium-size businesses go under within six months of a serious compromise.
Much of the panic could be alleviated if small business owners took a little time to think about security and understand how bad security or none at all can destroy a business, and how good security is a business enabler. A great way to maintain a small business—especially if you sell anything online or rely on your website for leads—is by implementing website security solutions.
Government Regulatory Compliance
Any kind of compromise to your website is inconvenient at best and a legal nightmare at worst. It is especially bad if you handle sensitive customer data via your website. The cost of failing to comply with industry or government regulations can be high—both in financial terms and in the impact increased scrutiny can have on your productivity and profitability. Understanding which regulations apply to your business takes time but is fundamental to maintaining a functional, productive business.
Two of the most commonly referenced acronyms affecting regulatory compliance for businesses these days are PCI and HIPAA:
PCI stands for Payment Card Industry and is used as shorthand for PCI DSS, the Data Security Standard established by the major credit card brands. The aim of the PCI standards is to protect your customers from identity theft or abuse. These standards place restrictions on how you can host your application and collect customer information, and on what you must do once that information has been collected. There are agencies that independently audit businesses for compliance. If you run an e-commerce store or collect customer credit card or other financial data, PCI is something you need to be aware of and comply with.
HIPAA is the Health Insurance Portability and Accountability Act, passed in the US in 1996. The first part of the act applies broadly to those providing health care access and coverage. The second part applies specifically to preventing fraud, simplifying documentation, and reforming medical liability. In general, Title II of HIPAA applies to any business that houses, transmits, or interacts with the private health information of Americans. The aim of HIPAA is to protect patients from having their medical histories inadvertently leaked into the public space. It applies to any business dealing with, collecting, or interfacing with medical histories and personal health information. Any compromise of your site that provides access to this kind of information could be disastrous for you and your business.
Strong Passwords are Your First Line of Defense
It is shocking how many websites are compromised each year. There are many reasons this happens, but unfortunately many of these compromises could have been prevented by strong passwords or a consistent password policy. According to the 2017 Verizon Data Breach Investigations Report, more than 80% of hacking-related breaches leveraged stolen and/or weak passwords. Yes, you read that right: 80%. In its 2017 report, SplashData lists the passwords most frequently found in leaks and attacks. Looking at the top 10, it is shocking to see that businesses “protect” their websites and accounts with passwords like these:
- Password <— seriously?!?
Hopefully, you will not find a password you use on the list.
If you think your password policy could use an update, we typically recommend that important passwords—like those to your website admin, servers, FTP, or social media accounts—follow these guidelines:
- Between 15-20 characters long
- Use a mixture of:
  - Upper and lower case letters
  - At least two to three numbers
  - At least two to three symbols or punctuation marks
- Random strings of characters as much as possible—i.e. a common word with 1234 after it won’t cut it
- Passwords are not duplicated across websites or accounts
- Passwords are changed twice a year at a minimum
If managing complex passwords seems cumbersome or daunting, one option is a password management tool such as 1Password (our favorite), Dashlane, or LastPass. There is a risk that one of these services is itself compromised and your passwords exposed that way, but they are still a viable option for management and 1000x better than a password of “password”.
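To make the guidelines above concrete, here is an added example (not code from the original post or from Relic) that checks a candidate password against each rule, flags password reuse across a set of accounts, and tells you when a password is due for its twice-yearly rotation. The small list of commonly leaked words is constructed for the example and is not the SplashData top 10; the page gives 15-20 characters as the range, and the checker enforces only the 15-character floor, since a longer password is never the weaker one.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 15       # page guideline: 15-20 characters; only the floor is enforced here
MIN_DIGITS = 2        # "at least two to three numbers"
MIN_SYMBOLS = 2       # "at least two to three symbols or punctuation marks"
MAX_AGE_DAYS = 182    # "changed twice a year at a minimum"

# Constructed stand-in for a leaked-password word list (not the SplashData list itself).
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "football", "iloveyou"}


def _sequences(alphabet, width=4):
    """All ascending runs of `width` characters from `alphabet`, e.g. '1234' or 'abcd'."""
    return {alphabet[i:i + width] for i in range(len(alphabet) - width + 1)}


SEQUENCES = _sequences("0123456789") | _sequences("abcdefghijklmnopqrstuvwxyz")


def check_password(pw):
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw) or not re.search(r"[a-z]", pw):
        problems.append("needs both upper and lower case letters")
    if sum(c.isdigit() for c in pw) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if sum(not c.isalnum() for c in pw) < MIN_SYMBOLS:
        problems.append(f"fewer than {MIN_SYMBOLS} symbols")
    lowered = pw.lower()
    # "a common word with 1234 after it": one word, optionally followed by digits/symbols only
    word = re.match(r"^([a-z]+)[^a-z]*$", lowered)
    if word and word.group(1) in COMMON_WORDS:
        problems.append("based on a commonly leaked word")
    if any(seq in lowered for seq in SEQUENCES):
        problems.append("contains a sequential run such as 1234 or abcd")
    return problems


def find_reuse(accounts):
    """Group account names that share a password; every group is one reuse finding."""
    by_password = {}
    for account, pw in accounts.items():
        by_password.setdefault(pw, []).append(account)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


def rotation_overdue(last_changed, today):
    """True when the ISO date `last_changed` is older than the twice-a-year interval."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    for pw in ("Password", "welcome1234!!", "Kq7!mZ2#pLw9&vR4x"):   # constructed samples
        print(pw, "->", check_password(pw) or "OK")
    # Constructed account inventory: the admin and FTP logins share one password.
    print(find_reuse({"wp-admin": "S3cret!!", "ftp": "S3cret!!", "twitter": "Other1!"}))
    print(rotation_overdue("2017-01-01", today="2017-09-01"))
```

Run it against the passwords your team actually uses for the admin panel, hosting account and FTP login (keeping the inventory off any shared drive); the reuse check in particular tends to surface the one password that quietly protects everything.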
Website Continuity In Case Of Compromise or Technological Failure
Unplanned events can have a devastating effect on small businesses. Complications such as fire, damage to stock, illness of key staff, or IT system failure could all make it difficult or even impossible to carry out your normal day-to-day activities. The same goes for your website. Failures in hosting, bad development files, security breaches, etc., can all wreak havoc on your website and eCommerce activities. Thankfully, you can take steps to minimize the potential impact of a website compromise or error and, ideally, prevent it from happening in the first place.
Build a Routine for Security and Backup
As a responsible business owner, you know that sensitive data should always be backed up regularly—automatically if possible—and the backup copies should be stored in a remote location or in the cloud. Website data, digital files, WordPress themes, customer data, email, etc., should all be handled the same way. You should create regular backups of all of these types of files and make sure they are stored in some other location than your server. Depending on how often your website is updated, we typically recommend daily or weekly backups for things like database files, email, and customer data. Then, run full monthly backups on everything. A great habit to get into, as well, is making multiple copies of your backup files and storing those in two separate locations—e.g. do not store your backup files or backup drives at your business location. If something like a natural disaster or fire destroyed your business location, not only would your computers and the original drives be destroyed, so would the backups.
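The routine above, as an added example written for this article (not Relic's or any hosting provider's code): archive the site, copy the archive to two separate locations, verify every copy against a SHA-256 checksum before trusting it, delete the working copy so nothing lingers on the web server, and apply a retention limit. The `demo()` function builds a constructed miniature site in a temporary directory and uses two local folders as stand-ins for a cloud-sync folder and an off-site drive; in a real deployment those would be a cloud bucket or a drive kept away from your business location.

```python
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, hashed in chunks so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, destinations, label, stamp):
    """Archive source_dir, copy the archive to every destination and verify each copy.

    The working copy is deleted afterwards so the only backups live off the web server.
    Returns the archive digest and the list of verified copies.
    """
    work = Path(tempfile.mkdtemp(prefix="backup-work-"))
    archive = work / f"{label}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source_dir), arcname=label)
    digest = sha256_of(archive)
    copies = []
    for dest in destinations:
        dest = Path(dest)
        dest.mkdir(parents=True, exist_ok=True)
        target = dest / archive.name
        shutil.copy2(archive, target)
        if sha256_of(target) != digest:  # a copy you cannot restore from is not a backup
            raise RuntimeError(f"copy in {dest} does not match the archive")
        (dest / f"{archive.name}.sha256").write_text(f"{digest}  {archive.name}\n")
        copies.append(target)
    shutil.rmtree(work)
    return digest, copies


def verify_backups(dest, label):
    """Recompute each archive's digest in dest and compare it with its .sha256 sidecar."""
    archives = list(Path(dest).glob(f"{label}-*.tar.gz"))
    return bool(archives) and all(
        sha256_of(a) == Path(f"{a}.sha256").read_text().split()[0] for a in archives
    )


def prune(dest, label, keep):
    """Delete all but the `keep` newest archives; the timestamp in the name sorts chronologically."""
    archives = sorted(Path(dest).glob(f"{label}-*.tar.gz"))
    cut = max(len(archives) - keep, 0)
    for old in archives[:cut]:
        old.unlink()
        sidecar = Path(f"{old}.sha256")
        if sidecar.exists():
            sidecar.unlink()
    return [a.name for a in archives[cut:]]


def demo():
    """Constructed run: three nightly backups of a small site to two off-server locations."""
    root = Path(tempfile.mkdtemp(prefix="site-demo-"))
    site = root / "public_html"
    (site / "wp-content" / "themes" / "mytheme").mkdir(parents=True)
    (site / "wp-content" / "themes" / "mytheme" / "style.css").write_text("/* constructed theme */\n")
    (site / "wp-config.php").write_text("<?php // constructed config\n")
    # Two stand-ins for remote storage: a cloud-sync folder and an off-site drive.
    remotes = [root / "cloud-sync", root / "offsite-drive"]
    copies_per_run = []
    for night in ("20170101-020000", "20170102-020000", "20170103-020000"):
        _, copies = make_backup(site, remotes, "site-files", night)
        copies_per_run.append(len(copies))
    kept = prune(remotes[0], "site-files", keep=2)   # retention applied on the cloud copy only
    # Prove the newest copy is restorable by reading a file straight out of it.
    with tarfile.open(remotes[1] / kept[-1]) as tar:
        config = tar.extractfile("site-files/wp-config.php").read().decode()
    result = {
        "copies_per_run": copies_per_run,
        "kept_on_cloud": kept,
        "left_on_drive": len(list(remotes[1].glob("site-files-*.tar.gz"))),
        "all_verified": verify_backups(remotes[0], "site-files") and verify_backups(remotes[1], "site-files"),
        "restored_config": config,
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The database dump is deliberately left out of the archive step: a dump produced by your database tooling can be dropped into the source directory before `make_backup` runs, and the same verify-then-prune flow covers it. The restore check at the end is the part most routines skip, and it is the only way to know the backup is worth anything before the day you need it.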
Check with Your Hosting Provider
As part of their services, many web hosts provide automated backups but, in my experience, a lot of users never turn the service on. Most web hosts offer backups through the cPanel or Plesk control panels or via another tool in the website admin area. The drawback of many host-provided backup solutions is that the backup file is often stored on your web hosting server itself, so a server error could lose or compromise the backup along with the site. Additionally, depending on your hosting plan, storing backups could quickly use up all of your available storage space. If you’re unsure what backup and restore options are available, a good first step in making sure you’re covered is to contact your web host to ask whether they provide automated backups and how you can set them up.
If you are using WordPress as your website CMS, Backup Buddy could be a great option to help automate your backup routine. Backup Buddy is a WordPress backup plugin that lets you automatically create complete backups of your full WordPress site, just your database, just the files, or combinations in between. To us, one of the best features is that once Backup Buddy has completed the backup, it can send the files to multiple remote locations, such as a cloud storage service like Dropbox, your computer, or an FTP server. Once the transfer is complete, it can remove the copy stored on the web server to preserve storage space. At Relic, we use Backup Buddy, made by iThemes, on several websites and have had great success ensuring sites have a proper backup in case of emergency.
Keep a Clean Copy of Any CMS Theme after Customization
Sometimes a website compromise doesn’t come from a nefarious external source—many times, it comes from within. Especially with a platform like WordPress, an update to a plugin or theme can break your website. Additionally, many compromises by external attackers rewrite parts of your WordPress theme code. When you finally discover that your site has been compromised or that an update has broken something, it can take a significant amount of time trawling through hundreds of lines of code to find the issue. One quick way to reverse these changes without restoring a full site backup is simply to reinstall a clean copy of your theme. We recommend that after any customization you make to your theme, you download a copy for safekeeping just as you would a full site backup. If you are using a tool like Backup Buddy, there are options to back up just your themes, your media files, and/or your plugins separately.
Website security can seem complicated and daunting, but with a little planning and automation you can easily secure one of your more valuable business assets.
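A saved clean copy of the theme does more than give you something to reinstall: it also lets you find out quickly which files changed. The following added example (not from the original post, Relic, or iThemes) hashes every file in the clean copy and in the live theme directory and reports files that were modified, added, or removed, so the trawl through hundreds of lines shrinks to the handful of files that actually differ. The theme files and paths in `demo()` are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(theme_dir):
    """Map each file's path (relative to the theme root) to its SHA-256 digest."""
    root = Path(theme_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(clean_manifest, live_manifest):
    """Classify every difference between the saved clean copy and the live theme."""
    clean, live = set(clean_manifest), set(live_manifest)
    return {
        "modified": sorted(f for f in clean & live if clean_manifest[f] != live_manifest[f]),
        "added": sorted(live - clean),      # files the theme never shipped with deserve the closest look
        "removed": sorted(clean - live),
    }


def _write(base, rel, text):
    """Helper for the constructed scenario: write a text file, creating parent folders."""
    path = Path(base) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Constructed scenario: the clean copy saved after customization versus the live theme later."""
    root = Path(tempfile.mkdtemp(prefix="theme-check-"))
    clean = root / "clean-copy" / "mytheme"
    live = root / "public_html" / "wp-content" / "themes" / "mytheme"
    for base in (clean, live):
        _write(base, "style.css", "/* constructed theme stylesheet */\n")
        _write(base, "functions.php", "<?php // constructed customizations\n")
        _write(base, "inc/widgets.php", "<?php // constructed widget code\n")
    # Drift that appears in the live copy later: one edited file, one new file, one deleted file.
    _write(live, "functions.php", "<?php // constructed customizations\n// line not present in the clean copy\n")
    _write(live, "inc/extra.php", "<?php // file that was never part of the theme\n")
    (live / "inc" / "widgets.php").unlink()
    report = compare(snapshot(clean), snapshot(live))
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or '-'}")
```

Keep the manifest from `snapshot()` with the clean copy, off the web server, and rerun the comparison after every plugin or theme update; a file in the "added" list that you did not put there is the first thing to look at before deciding whether to reinstall the theme or restore a backup.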