We have all seen the headlines. Data is the new coin of the realm. Data breaches and theft are at stratospheric levels, posing an ever-increasing risk to companies and brands. Even if you don’t store credit card information or “sensitive” data, your website and other digital properties are still a juicy target for cyber-attack. Consider this:
- Many breaches are automated “crimes of opportunity”. Cyber criminals often don’t care about you or what you do. It is misguided to think that you are safer because you are not a big target. The scripts and bots don’t care. They will try to breach anything and everything, any time, day or night.
- Once attackers are inside your website or other digital properties, your site can be used to infect other websites, including your customers’ sites. It can be used as a launchpad for other attacks, as part of ransomware botnets, to send spam and for other nefarious cyber activities. This often leads to a site being blacklisted as UNSAFE by Google and cyber security firms, which has a huge negative impact on site traffic, lead generation and other marketing KPIs and activities.
- Infiltration of websites, even those that don’t store customer data, is often used to attack more valuable targets inside a company, including areas that do store customer or employee data. Don’t be lulled into a false sense of security because you don’t think you have “valuable data” exposed on your website. Your valuable, sensitive data will be found.
- In addition to the loss of trust from your clients and customers, cleaning up after a security incident is expensive and time-consuming, and it will set your reputation and marketing plans back months or years.
Here are five things that you should do right now to help ensure you are not a cybercrime victim.
- Use a WAF. A WAF (Web Application Firewall) is a device or cloud service that inspects incoming requests for malicious content, including requests to access files and login pages that are not allowed. A malicious request is blocked and never reaches your website. It is one of the best investments to protect your web properties and company. Many WAF services also have content caching (CDN, for us geeks), which speeds up your site and makes Google happy. Site speed is a key factor in how Google ranks your site in search results. Faster site = Happier Google. Look at Incapsula or CloudFlare for cloud-based WAFs.
- Keep Up to Date. Keep your systems and software, including the CMS, database and operating systems, updated. Many exploited security flaws are months or years old, so this is very important. If you are using WordPress, pay special attention to plug-ins.
- Scan for your protection. This one is missed -- a lot. At least once a quarter, have your web properties scanned for common vulnerabilities. There are many tools that do this (Nessus, for example). They work by searching your system (like a hacker would) for weak spots and report on which items need to be addressed, typically referenced by CVE identifier (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures). Make sure you review and address any issues found.
- Lock your Front Door! This sounds simple, but we find that clients sometimes still don’t do the basics, like making sure that “administrative” pages, such as CMS login pages, are not publicly available. Use MFA (Multi-Factor Authentication) wherever possible; passwords alone don’t cut it anymore.
- TLS for Google love. To show you are serious about security, make sure your site is secured using SSL/TLS. This encrypts data between your site and your users. Google is starting to downgrade the reputation of sites that are not using TLS. Unless you want to be on the bad side of Google, do this now.
This can be thought of as a BOGO (Buy One, Get One). Why BOGO? If you do this, not only do you get better security, but Google will reward you with better rankings, more traffic and, in the end, your customers will thank you too.
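A quick way to verify the "Lock your Front Door" and TLS items for your own site is to record how it answers from an outside address and review the results. The script below is an added example, not part of the original article. The admin path list, the accepted status codes and the sample observations (constructed, using example.com) are assumptions to adapt to your own CMS.

```python
from urllib.parse import urlsplit

# Assumption: common CMS admin locations; replace with the paths your CMS uses.
ADMIN_PATHS = ("/wp-login.php", "/wp-admin", "/administrator", "/admin")
# Assumption: from a non-allowlisted address, an admin page should be refused or hidden.
ADMIN_OK_STATUS = (403, 404)
REDIRECTS = (301, 302, 307, 308)

def audit(observations):
    """Review responses recorded from OUTSIDE your network for your own site.

    Each observation is a dict with 'url', 'status' and optionally 'location'
    (the Location header), e.g. as noted down from `curl -sI <url>`.
    Returns a list of (url, problem) tuples.
    """
    findings = []
    for obs in observations:
        parts = urlsplit(obs["url"])
        status = obs["status"]
        location = obs.get("location") or ""
        if parts.scheme == "http":
            # Plain HTTP should do nothing except redirect the visitor to HTTPS.
            if not (status in REDIRECTS and urlsplit(location).scheme == "https"):
                findings.append((obs["url"], "served over plain HTTP without a redirect to HTTPS"))
            continue
        if parts.path.startswith(ADMIN_PATHS) and status not in ADMIN_OK_STATUS:
            # A 200, or a redirect to a login form, means the page is publicly reachable.
            findings.append((obs["url"], f"admin page publicly reachable (HTTP {status})"))
    return findings

# Constructed sample observations, not real scan data.
SAMPLE = [
    {"url": "http://www.example.com/", "status": 301, "location": "https://www.example.com/"},
    {"url": "http://shop.example.com/", "status": 200},
    {"url": "https://www.example.com/wp-login.php", "status": 200},
    {"url": "https://www.example.com/wp-admin/", "status": 403},
    {"url": "https://www.example.com/blog/", "status": 200},
]

if __name__ == "__main__":
    for url, problem in audit(SAMPLE):
        print(f"{url}: {problem}")
```

Run the probes from a network that is not on your allowlist (a phone hotspot works); from inside the office, a correctly restricted admin page will look open.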