A website is more than just the face of your business. It’s the throbbing heart of your organization. It’s the place where people access your services – frequently providing sensitive information, including Credit Cards. Most businesses can ill afford a major breach of their information. Obviously, getting your website hacked can pose a substantial risk to your business. In the case of intercepted transactions, you directly lose the money from that particular deal. But the financial hardships don’t end there. The loss of future business is a real potential. People talk, especially if they get hacked. Even the rumor of being hacked can ruin a business. Even for businesses that don’t use their website as a portal gateway, when you get hacked your own personal information is likely stolen, as is anything you store on the infected computer, anything on your servers, and anything on other computers that accessed your website. Heck, a website could get hacked and loaded with malware without the owner ever even knowing. Or, for that matter, the infected computer ever known. Finally, any website that gets hacked needs to be scrubbed and analyzed for other breaches or potential weaknesses. If a website owner is an accomplished tech wiz, then they can clean up their site themselves. But for everyone else, it means you need to hire IT gals and guys to scrub everything. So the financial hardships associated with getting hacked are severe (usually at least $50,000) and have ruined more than one company. That’s hardly new information though and presumably, most website owners are aware of the risk. Today, we want to discuss some practical steps said owners can take to ensure that their website is secure, both from Malware and outright Viruses. And no, we won’t have a section on making a more secure password. If you’re still using Password1 as a password, please get off the internet. Use Web Common Sense Keep in mind that the most common issue is simply not being aware of what you’re doing online. A website could be locked down like Fort Knox, but if a website owner clicks on a suspicious link or popup, or opens attachments in an email, their computer is infected. The next time they access their website, it’s compromised. Just like that. Even worse, you don’t even have to open an attachment. Hackers specialize in tricking the unaware, as we saw with the hack of the DNC and John Podesta’s account. So for God’s sake, don’t click on things that randomly pop up, don’t open email attachments from unverified sources, don’t follow shady looking links, and never, ever, trust an email that asks you to follow a link to change your password if you haven’t asked for it. Sometimes people get nervous and want to change the password either way. This is not a bad idea, but go to the website yourself, don’t follow a link sent to you. The biggest takeaway is to not interact with anything from an unknown source. That, plus trust the gut: if something seems suspicious, just stop messing with it. Custom Website VS CMS Platform One of the most common questions we get when developing a website is whether a client should go with a platform like WordPress, or build a Content Management System from the ground up. This is a tough question because both are valid. For many entrepreneurs, a custom CMS is cost-prohibitive (though it doesn’t have to be); plus platforms like WordPress or Magento help business ramp up quickly. But one of the biggest downsides to a CMS platform is that its code is open to most people, including hackers. Often, hackers will find something that will enable them to exploit any website utilizing a platform. This isn’t the case with a custom website CMS because only the SMB itself and it’s development team have access to the code. We aren’t saying business owners should avoid using a CMS platform. What it does mean that websites using WordPress or similar options need to keep up with patches and updates. Often these are to rectify issues that could be exploited. The other benefit to a CMS platform when it comes to security is that literally millions of websites are also testing out the code. Problems are generally quickly discovered. Third Party Security Services Additionally, websites built off a platform always offer very robust plugins to enhance a website’s security. You should also consider other third-party options. There are plenty of services that a website owner can use (whether they use a CMS platform or built their website from scratch), including any number of excellent security plugins offered by Web platforms. One of our favorite third-party services (useable with both a platform and custom site) is SiteLock. Sitelock constantly monitors your website. It scans every aspect of your website, from code to plugins and applications. It will even tell you when you need to update or patch a service. The best part is that it won’t slow the performance of a website (a massive concern as a 3-second delay can result in a noticeable drop in traffic). The Technical Stuff The steps discussed above aren’t reliant upon technical knowledge; in other words, you don’t need to know how to really code to use a WordPress plugin. However, there’s more to good web security than installing Sitelock or avoiding Phishing emails. If you don’t have the coding skillset, we strongly recommend you outsource this to a qualified development team. But you should still know the basics: For those websites dealing with financial transactions, getting an SSL Certificate is a must. Websites with a Valid SSL certificate are indicated by “HTTPS” at the beginning of a URL. Plus, websites that use this usually say secure, with a padlock image, on the far left side of an address bar. Web forms designed to be manipulated by users can also be hacked, without the proper steps. IF you have a webform, make sure your developer used Parameterized Queries (which means that people filling out the form can’t mess too much with your code). User Permissions are an exceptionally common way for hackers to gain backdoor access to your website. While this gets very complicated (contact our security experts for more information), the idea is basically to make sure that most users have only the ability to read a website. Those who can access the site need to be chosen carefully, and those with permission to execute even more carefully. We’ve only scratched the surface of good web security. For more details, give us a call at 408.805.0495/408.621.8481 – or click to contact us!