How to Protect Your Website from Malware and Hackers

Website security is crucial for every business or organisation. The risk of cyber attack isn’t limited to ecommerce sites or big corporate websites. Even a small business website may fall victim to malware or hackers and lose its good reputation.

In 2017, a total of 516,380 small businesses in Australia faced cyber attacks. For mid-size companies, the average cost of recovering from a security breach was $1.9 million. These numbers are only going to increase in the upcoming years if businesses don’t take serious measures to enhance their website security.

Cybersecurity involves many complex technical concepts. Still, there are some simple best practices which should be enough to protect your website in most cases.

Website security best practices

1. Use strong passwords

Strong passwords are the first line of defence against hackers or security breaches. Every password related to your website must have the following properties –

• A password must be at least 10 characters in length
• It shouldn’t contain any complete words or names
• Your password should have a mix of uppercase and lowercase letters, numbers, and symbols
• It must be different from the other passwords you are already using

You may consider using a password manager like LastPass to create and store your business passwords. Hackers often use brute force techniques to generate billions of passwords per second. So, the more complex your password is, the better.

Enable two-factor authentication for all your accounts, if possible. Two-Factor authentication means there will be two checks before you can log in. For example, after you enter the password, a pin will be sent to your mobile. You need to enter the pin next in order to log in.

2. Update your software regularly

You must keep all your software up to date. Software updates are not just about adding new features; in most cases, these updates patch security vulnerabilities. If you don’t update your software regularly or use unsupported versions, you’ll be an easy target for hackers.

If you are using a CMS for your website, make sure you have the latest version of that CMS. Check that you’re using the latest versions of your plugins. Don’t use old or obscure plugins, even if you find them useful.

3. Regularly back up your data

No matter how secure your website is, there is always some possibility of losing important data or site access. Because of this, you should always maintain a backup copy of your site.

Most hosting service providers automatically backup sites on remote servers. Still, the best practice is to keep an additional local backup. There are tools and plugins to create a backup of your site content and database and, if you need any help regarding site backup, you should contact your hosting company or your web design agency.

4. Implement SSL

When your site has an SSL certificate, all the information that a user enters in your site goes to the server through a secured channel. This means that an intruder or hacker can’t get in the middle and intercept the information. In other words, SSL protects your website users against ‘man in the middle’ attacks.

SSL has become standard for all types of website. Even if you are not selling something online, or you don’t have any log in option on your site, you should seriously consider installing SSL to make your site more trustworthy.

You can get an SSL certificate for free. But you need a bit of technical know-how to do so. It’s also worth noting that the free SSL certificates have some limitations.

5. Choose a secure host

Choosing a reputable hosting company for your website is very important. Your host must be aware of cyber threats and dedicated to protecting your site from their side.

In the case of a website security breach, it becomes essential to communicate with the host to quickly restore your site and resolve technical issues. Before picking your host, make sure they’ll provide you with ongoing support. They must have excellent customer service and quick response time.

How to respond to a website security incident

If your website security is compromised, you have two responsibilities;

1. Minimising your financial loss and protecting your business’ reputation

2. Making sure your customer’s information is safe

It’ll be beneficial if you already have a website security incident response management plan in place. A plan like this should have five parts.

(A) Preparation

Develop a website security policy that all your employees must follow. Identify the sensitive information that your business uses or stores. Then, set roles and responsibilities regarding what to do if an incident occurs.

(B) Detection

Here are some common signs which indicate a security incident;

1. You can’t access your website

2. Passwords related to your site don’t work

3. Critical data is missing or altered in the database

4. Your computer keeps crashing and runs out of memory

5. Spam emails are being sent from your business account

(C) Assessment

This is where you should find the cause of the incident or at least determine how it has affected your website, data and business.

(D) Response

Isolate the affected systems. Disconnect the affected part from your network if possible. Repair and restore your website. Seek the help of professional security experts if necessary.

(E) Review

Evaluate what the reason for the security issue was. Was it a targeted attack or a general incident? Identify the parts of your system or process that needs improving to prevent similar events in the future.

Remember that it’s always better to prevent a security breach than to have to respond to one. A clear website security policy will help your business prevent and respond effectively to cyber threats.

Creating a website security policy

A website security policy should cover the following;

(A) Password requirements

Specify the minimum length of passwords to be used in your business related accounts. Set a particular timeframe after which any password must be updated.

(B) Email policy

State under which cases your employees can share their work email. Set criteria for spam and scam emails. Make it mandatory to scan attachments before opening.

(C) Removable device policy

Define in which cases one can connect a removable device to an office computer and copy files in or out. Make it mandatory to scan a removable device before attaching it to a computer, especially if it has access to your website’s backend.

(D) Handling sensitive data

Determine which specific people will have access to your website’s backend and database. You should also be very careful with any customer data that you store and who can access it.

(E) Handling devices

Specify how to report a lost device. Set up a routine which will be followed to update devices.

Conclusion

Sadly, despite following security best practices, your website may fall victim to cyber attacks. Hackers and malware creators aggressively target security flaws in existing web platforms and applications to find new ways of attacking sites and computers. It’s almost impossible to prevent all types of cyber threats with 100% success.

Because of this, keeping in touch with a web security service provider is essential to protect your website. SMB owners may find it more convenient to work with a security-focused web design agency right from the very start.

If you want to design a new secured website or redesign an existing one with a particular focus on security, our team is here to help. We adhere to the latest security principles, update our platforms regularly, and provide long-term support to our clients. Contact us today to get a free quote.

Note: 
The Department of Industry, Innovation and Science has additional resources on different aspects of business risk management (including cybersecurity). We have used their guidelines as a reference in this article.