A company’s website is an important tool for attracting customers and prospects. The main purpose of a website can vary, from serving as a virtual storefront to solely providing information to the website visitor.
Regardless of the website’s purpose, it’s important to take prudent security measures to prevent the site from falling victim of an attack by hackers and online criminals. Website attacks can run the gamut from relatively benign vandalism or defacement to full-bore attempts to harvest personal or financial information that can be used to commit online fraud.
Some small businesses hope that their comparatively small profile online will help shield them from hackers. While lower traffic volumes can reduce the risk somewhat, automated hacking tools routinely scan websites of all sizes to search for vulnerabilities.
These tools often don’t know (or care) what they’re exploiting, as long as they find a site with weaknesses that they can take advantage of. A small business site may not generate as much traffic as the web’s leading properties, but it’s likely to be considered an easier target.
Knowing the Risks
At the low end of the threat spectrum, websites can be defaced or altered if hackers using automated tools can exploit unpatched vulnerabilities. The primary consequences of these types of attacks are the potential embarrassment for the company and the time and effort required to undo the vandalism.
More serious hackers can upload "drive-by" viruses or malicious software (known as malware) into the website’s code and pass the virus to people who access your site. Similar attacks include using your company’s site to relay spam messages, which could cause problems with your hosting company.
The most serious attacks attempt to steal sensitive information that can later be used to gain access to banking, billing or merchant accounts. When customer data gets compromised in a website attack, you may be required to notify customers under various data breach disclosure laws.
It’s important to think about the potential effects on your business if your website is attacked or taken offline. An e-commerce site would obviously lose business and suffer reputational damage while a site that primarily demonstrates a company’s capabilities could lose some credibility (especially if the company provides technology-related services).
Locking Down the Gates
While it’s nearly impossible to secure a website completely against hackers, a variety of routine measures can make a website secure enough to resist casual attacks.
- Using strong passwords on your site, including your FTP and blog software, is one of the most important basic steps you can take. It’s a good idea to use different passwords for each account, even though keeping track of all of the passwords can be challenging.
- Updating your website or blogging software, including any plug-ins you may be using, is another good step. Updates known as patches are frequently issued after vulnerabilities are discovered, so it’s important to make sure your site has the latest defenses in place.
- Use separate accounts for all employees who have to access or manage your site and remove the access of any former employees. If someone doesn’t need access anymore, there’s no sense leaving active an account that can be exploited.
- Back up your site’s code and content routinely and make sure to monitor the site regularly.
- If your website offers an online checkout, then make sure to use a secure connection and ensure that your company is PCI compliant.
- Use SSL certificates for transactions.
- Don’t store any sensitive customer data.
By following these measures, you’ll reduce the chances (and potential effects) of a web-based attack that can affect your business online.