9 Tips to Keep Your Site Secure from Hackers
If your company does business online, you are a target for hackers. Why? Because you have exactly what they want—customer credit card and personal information. Hackers typically steal your customers’ data either by intercepting the messaging between your customer’s browser and your web site or by hacking into your network to infect your pages with malware. In some cases, they can even break into databases to get customer data. If you get hacked and your customers’ data is compromised, you can be held liable. And often, the damage to your company’s reputation is irreparable. Even if you never suffer a major data breach or see immediate damage from an attack, you can still be at risk. Malware-infected pages take longer to load, causing customers to become frustrated and abandon your site. According to the Aberdeen Group, 57% of users abandon a site if a page load exceeds 3 seconds, and 8 of 10 will not return to a site after a bad experience. To protect your customers and your business, you must take action to secure your site from hackers. Here are 9 tips and tricks you should use to stay secure.
1. Use Extended Validation SSL
Your customers need assurance that your site is trustworthy. EV SSL delivers that assurance. Any site that collects financial or personal information needs to use Secure Sockets Layer (SSL), enabled by an SSL certificate. The certificate provides an encrypted connection between your visitors and your site.
But not all certificates provide the same level of assurance. Certificates range from “Domain Name” certificates, which simply verify that you are the owner of the domain name you requested, to Extended Validation (EV) certificates, which verify you as a trustworthy organization. EV certificates cost more, but can be well worth it. Consumers are increasingly aware of the risks of online transactions, and EV assures the customer that you’re trustworthy.
2. Use PCI and Vulnerability Scanning Services
You need to identify and address security issues before they damage your business. Many site operators assume that SSL is all they need to secure their site. Though SSL provides a critical layer of protection, it does not prevent network breaches or infection of your web pages. PCI and vulnerability scanning services scan your web site on a regular basis to identify issues that make you non-compliant with Payment Card Industry (PCI) security requirements, and other issues that threaten your customers. PCI and vulnerability scanning are often bundled together, but they have different objectives. Failure to use both can result in large fines and even suspension of your ability to take credit cards.
3. Use White Hat Hackers
Use penetration testing to stay ahead of hackers. If you operate your web site from your own network, your site is only as secure as your network. In the world of network security, hackers with nefarious motives are often referred to as “Blackhat Hackers”.
When an organization wants to ensure they are safe from the Blackhats, they call in the White Hats for Network Penetration Testing. Network Penetration Testing includes the same activities Blackhat Hackers use, except they are conducted by White Hats as a service. White Hats test networks and websites by simulating a hacking attack to see if there are security holes that could compromise sensitive data. They identify critical attack paths in a network’s infrastructure and provide advice on eliminating these threats. They attempt to bypass security weaknesses to determine exactly how and where the infrastructure can be compromised.
If vulnerabilities exist in your network, the Blackhats will eventually find them, and the consequences for your customers and your reputation can be severe. Better that White Hats find the vulnerability first!
4. Use multi-factor authentication
Simply authenticating users with a user id and password is not good enough in this day and age. Despite enhancements to SSL and advancements in network security, hackers have demonstrated the ability to intercept user ids and passwords.
There are two common techniques. First, “man in the middle” attacks, in which the hacker inserts a process between the browser and the web server and captures the communications between the two. If the web server is using Extended Validation SSL, the web user should be alerted that there is a problem. Second, if a hacker can infect a site, the malware they install may be able to download keyloggers and sniffers, which allow the hacker to monitor where the user goes on the internet and steal their credentials when they sign in to sites.

You may have noticed that banks and brokerage firms don’t rely solely on a user id and password. If you log in from a new computer, they add an extra level of authentication to make sure it is really you. This is called “Multi-Factor Authentication”, sometimes known as Two-Factor Authentication. Google has recently implemented this technology too. For example, you can change your Gmail settings so that when you log into your account, Google sends an authentication code to a telephone number that they already have on file for you. You use that code together with your password to log in. Unless the hacker also has access to your phone, you are the only one who can log in.
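The second step described above, as an added example that is not part of the original article: the site's side of a one-time code sent to a phone number already on file, checked together with the password. The names (OtpStore, issue_code, verify_code), the five-minute lifetime, the three-attempt limit and the in-memory outbox standing in for an SMS gateway are all assumptions of this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Added example, not the article's code; all names here are hypothetical.
CODE_TTL_SECONDS = 300  # a code is only valid for five minutes
MAX_ATTEMPTS = 3        # after three wrong guesses the code is void

@dataclass
class PendingCode:
    code: str
    phone: str
    expires_at: float
    attempts: int = 0

@dataclass
class OtpStore:
    # phone numbers already "on file", keyed by user id (constructed sample data)
    phones: dict
    pending: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)  # stands in for the SMS gateway

    def issue_code(self, user_id, now=None):
        """Generate a six-digit code, 'send' it to the stored phone, remember it."""
        now = time.time() if now is None else now
        phone = self.phones[user_id]  # KeyError: no number on file, no second factor
        code = f"{secrets.randbelow(10**6):06d}"  # uniform over 000000..999999
        self.pending[user_id] = PendingCode(code, phone, now + CODE_TTL_SECONDS)
        self.outbox.append((phone, f"Your login code is {code}"))
        return code  # returned so a test can drive the flow; never sent to the browser

    def verify_code(self, user_id, submitted, now=None):
        """True only if the code matches, is unexpired and attempts remain.
        A code is single-use: it is dropped on success, expiry or lockout."""
        now = time.time() if now is None else now
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if now > entry.expires_at:
            del self.pending[user_id]
            return False
        entry.attempts += 1
        # constant-time compare so a wrong guess does not leak how many digits matched
        ok = hmac.compare_digest(entry.code.encode(), submitted.encode())
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user_id]
        return ok
```

The password check is assumed to have passed before issue_code is called; the code alone never grants access.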
5. Use trust seals
Trust seals are images issued by 3rd parties, which attest that your site has met a set of standards and criteria that make it trustworthy. Studies show that consumers are more likely to purchase from sites where trust seals are present.
If you use Extended Validation (EV) SSL, most certificate authorities will authorize you to display their trust seal on your site to tell your visitors that they can feel safe doing business with you. A surprising number of sites have invested in EV SSL but do not prominently display their seal. Today, with all of the concerns about safety and security online, consumers need all the assurances you can provide.
6. Update Software Regularly
Many enterprises do not give enough attention to updating and patching their software. Failure to properly update software can result in major security holes that leave you vulnerable to malware attacks. The WannaCry ransomware, for example, spread by taking advantage of a Windows vulnerability for which Microsoft had issued a critical advisory and security patch two months before the WannaCry outbreak. Failure to apply this security patch resulted in hundreds of thousands, if not millions, of infected computers. Updating software is a critical part of website security. Any company that conducts business online has to ensure that all of its plugins, themes, applications, platform installations, etc. are updated and running the latest versions. A versatile patch management system can automatically install updates and security patches as they are released, ensuring that security gaps and vulnerabilities are closed before they can be exploited.
7. Use a Managed DNS
Using a managed DNS service improves your network and site performance and provides you with additional security. When you communicate on the internet, domain names must be translated into the IP addresses that identify each computer. The Domain Name System (DNS), served by DNS servers, provides that translation.
If you use the DNS service of your service provider, you do not have control over it, and your performance can be erratic. If you run your own DNS server, its security is only as good as your network, and it has to be running 24/7 for your site to be accessible 24/7. A good way to avoid these issues is to sign up with a managed DNS service to host your DNS. These are companies that have established their own network of DNS servers and add features to improve performance, security, and protection. DNS performance matters a great deal for how fast a web page loads. You must protect your whole site and your network to protect your customers and business.
8. Have an Incident Response Strategy in Place
Having a clear, actionable strategy in place for website security is a “must” in this day and age. You can consult with security experts to help create a clear, concrete security strategy. There will be costs involved, but keep in mind that data breaches are likely to cost you much more. A major data breach can even cause companies to go out of business, so it's always best to have a detailed incident response plan crafted with the help of security experts. Security incidents can happen anywhere and to anyone. All companies and businesses, big or small, need to be able to act immediately whenever a security incident happens and take the necessary steps to recover data and prevent damage to their reputation and bottom line.
9. Train and Educate all Employees
Every employee in an organization has to be trained and educated in security practices. Your organization’s security is only as strong as its weakest link.
There are many instances of non-malicious employees accidentally causing data breaches through simple mistakes. These mistakes have the potential to wreak havoc on your organization’s bottom line and reputation and to harm your customers. Employees must be trained in different aspects of cybersecurity, including recognizing scams and phishing emails, recognizing and avoiding suspicious links, applying security best practices to their user credentials, etc. Failure to train employees can have disastrous consequences. Want to protect your website from hackers? We can fix malware for free!
Hackercombat.com