Cyber Security – Protect Your Website

National Cyber Lead for the Police Digital Security Centre, Neil Sinclair explains what you need to consider to ensure your business's website is secure.

The words “My website got hacked!” sends shivers down a business’s spine, even more so, web developers’.

Why? The big question is, who is responsible? In the simplest terms, the hacker is responsible. But who is responsible for the clean-up? It depends upon how your website is built.

If it is an HTML site, this is going to place a greater burden upon the developer.

A content managed system site, such as WordPress which is free, with open source software licensed under the GNU General Public License (GPL). The GPL guarantees end users the freedom to run, study, share and modify the software.

There is no guarantee for performance. Hackers like to target the software because it’s free for them to view. Over 25% of the web is powered by WordPress so hackers can release a single virus that can spread far and wide.

Here are three questions to consider:

  • Whose website is it – is it your own, or do you lease your website?
  • How did the hack occur – was a password compromised, if so whose? Did the virus or hack accidentally upload, if so by whom? Or was it a vulnerability exploited between updates?
  • Do you have a security agreement in place – Are there disclaimers or limits within the security agreement? Without some type of security agreement in place, the burden of fixing the website will land on the owner of the website, unless the owner can show negligence by the hosting service or developer.

Your business should consider putting these 10 steps in place:

  1. A regular maintenance schedule – Although this is no guarantee against hacking, it offers a huge layer of protection. Many updates are put in place AFTER hacks and vulnerabilities are discovered. Facilitate Auto updates as well.
  2. Secure passwords – This is your primary defence to ensure your site is protected.
  3. Limit the access to the site – Editor hacks are less severe than an admin hack.
  4. An efficient hosting system which allows for regular backups – If the hack is discovered early enough, sometimes it can be fixed simply, by rolling the site back to some point in the last 30 days. A review of all systems, plugins, software and theme updates should be done as part of the rollback process
  5. Computer monitor plugins
  6. A site wide backup of source files
  7. A SSL Certificate – Small data files that allow secure connections between a web server and browser
  8. Consider third party solutions when collecting sensitive information like credit card data or personal information
  9. Site Lock Plans – Daily malware scanning and removal (manual removal may cost extra)
  10. A security agreement – If your site is hacked you have insurance to help take care of the problem.

How does a security agreement work? Essentially, the suppliers of the plan are taking the above suggestions and putting them into practice. Additionally, they are taking care of the hacks that still get through because despite protections, a number of websites have the possibility of issues.

The end question is, what enabled the hack and how is it going to be fixed? If a security agreement is not in place, you may be fortunate enough to choose a web developer willing to work with you to remedy the problem.

Good website developers do their best to have a website that is built properly to make it more difficult for hackers to break in.