Poorly secured business websites may destroy a company’s trustworthiness and result in a loss of profits. What should you consider if you want to prevent cybercriminals from disrupting your online presence and sales? Martin Cambal, ESET Global Web Development Manager, shared a few tips that might be useful for CEOs and IT admins in small businesses.
Keep your logs
App logs assist you in identifying the attack, preferably at the very beginning, before any damage is caused. “All traffic on the website and the network should be logged so that the website’s developer can track down the assault. Logs should always cover at least the last 30 days. Some attacks happen from one hour to another, and some last for days. Hacking is a process you can uncover at its very beginnings,” explains Martin Cambal, ESET Global Web Development Manager. Finally, don’t forget to back up the logs. Preferably, they should be saved on a central storage location so that attackers can’t delete them after hacking the server.
Perform regular website backups and develop an RPO/RTO plan
Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are two key metrics that you should have in place in case it comes to the worst-case scenario and your company website gets hacked. As the Enterprise Storage Forum states, the RPO and RTO help you define how long your software can be down without causing significant damage. Also highly relevant is how much data can be lost without the business being dramatically affected.
“Businesses should have a regularly updated backup and recovery plan, as well as a disaster plan, stating what to do in the event of a cyberattack. Suppose a hacker attacks, for example, on an important database, possibly deleting the data too. In that case, you’ll appreciate having a predefined crisis response,” adds Cambal, stressing another significant security aspect: “Once a hacker gets into your website, you can’t trust it anymore. After you deal with the attacker according to your crisis response plan, it’s worth recovering the website totally.”
Monitoring software should continuously check the website’s availability, at least minute-to-minute. “It’s crucial for the company to be the first one to know about an attack and prevent the customers from having to report the errors,” Cambal says, addressing the importance of prevention. “On high-volume websites demanding high availability, it is good practice to limit the number of pages that can be viewed from one IP address. This means that the attacker must progress slowly, dosing the visits carefully, which gives the website administrators time to react accordingly and detect the danger in good time.” Monitoring services can be easily found and activated in just a few clicks — just search for “uptime monitoring” on Google, which will lead you to the right services.
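The per-IP page limit described above, as an added example that is not code from the article or from ESET: a sliding-window counter that refuses further page views once an address exceeds the limit and records the event so administrators learn about it first. The limit, window and sample addresses are illustrative assumptions.

```python
"""Per-IP page-view limiter (added example, not from the article or ESET).

Assumption: the web tier calls allow_request() once per page view with the
client IP and a timestamp; limit/window values below are illustrative.
"""
from collections import defaultdict, deque


class PerIpLimiter:
    """Sliding window: at most `limit` page views per `window` seconds per IP."""

    def __init__(self, limit=60, window=60.0):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps of recent page views
        self.blocked = {}                # ip -> time it was first throttled (for alerting)

    def allow_request(self, ip, now):
        hits = self._hits[ip]
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # Over the limit: note it so the site owner, not the customer, notices first.
            self.blocked.setdefault(ip, now)
            return False
        hits.append(now)
        return True


def replay(limiter, events):
    """Feed (timestamp, ip) events; return {ip: [allowed, denied]} counts."""
    result = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        result[ip][0 if limiter.allow_request(ip, ts) else 1] += 1
    return dict(result)


# Constructed sample traffic: a normal visitor and a scraper hammering the site.
SAMPLE_EVENTS = [(t * 5.0, "198.51.100.7") for t in range(10)]   # 10 pages in 45 s
SAMPLE_EVENTS += [(t * 0.2, "203.0.113.9") for t in range(100)]  # 100 pages in 20 s

if __name__ == "__main__":
    lim = PerIpLimiter(limit=60, window=60.0)
    print(replay(lim, SAMPLE_EVENTS))
    print("throttled:", lim.blocked)
```

In production the same logic usually lives in the reverse proxy or WAF; the point here is that throttled addresses are surfaced to administrators, not silently dropped.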
Website made-to-measure? Discover website hardening guides
Tech giants, such as Google, offer free hardening guides that help you build a secure web server. Also, there are security checklists available. “Each brand offering web servers and web applications should provide you with effective cybersecurity tips, which should help you build a reliable and protected website,” says Cambal. “Also, when relying on web hosting, look for a provider that has the ISO 27001 certification, guaranteeing that your data will be safe with them.”
Be aware of the limits of open-source CMS platforms
Open-source platforms, like WordPress, have many benefits, such as the possibility to build your website quickly. Nevertheless, they also bring new challenges. “Vulnerabilities of these platforms are usually widely known. An experienced attacker may use the information about weak spots of the website to attack it,” says Cambal. “The code is open, and anyone can look into it, taking advantage of its imperfections.”
Moreover, the admin part of the open-source platforms usually runs on a URL that is easy to guess, using the ending /admin or similar. “If the attacker steals the password and login credentials, they know exactly where to enter them,” continues Cambal. This particular URL should therefore be accessible only from specific IP addresses or VPNs, and it’s also worth implementing an extra layer of protection, requiring, for example, multi-factor authentication to log in.
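The two controls just described for the admin URL, as an added example that is not code from the article or from ESET: requests to the admin paths pass only when the client address falls inside an allowlisted office or VPN range and the session has completed a second factor. The admin prefixes and network ranges are illustrative assumptions.

```python
"""Admin-URL gate (added example, not from the article or ESET).

Assumptions: the prefixes and office/VPN ranges below are illustrative;
mfa_verified is whatever the application's login flow sets after a second factor.
"""
import ipaddress

ADMIN_PREFIXES = ("/admin", "/wp-admin")  # illustrative admin URLs
ALLOWED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "10.8.0.0/16")]  # constructed office + VPN ranges


def is_admin_path(path):
    """True for an admin prefix or anything beneath it; /administrator is a different URL."""
    p = path.split("?", 1)[0].lower()  # ignore the query string, match case-insensitively
    return any(p == pre or p.startswith(pre + "/") for pre in ADMIN_PREFIXES)


def admin_decision(path, client_ip, mfa_verified):
    """Return (allowed, reason). Non-admin paths are not gated here."""
    if not is_admin_path(path):
        return True, "not an admin path"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client address"
    if not any(ip in net for net in ALLOWED_NETWORKS):
        return False, "source not in allowlisted office/VPN ranges"
    if not mfa_verified:
        return False, "second factor not completed"
    return True, "allowed"


if __name__ == "__main__":
    for req in (("/admin/login?next=/", "198.51.100.5", True),
                ("/admin", "203.0.113.44", False),
                ("/wp-admin/post.php", "10.8.3.2", True)):
        print(req, "->", admin_decision(*req))
```

client_ip must be the address the server itself saw, or a forwarded header from a proxy you trust; an attacker-controlled header would defeat the allowlist.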
Keep yourself informed
Getting useful information from the right source is crucial if you want to be one step ahead of cybercriminals. “Experts might appreciate valuable details about recent developments in digital technology, presented, for example, on HackerNoon.com. Recent strategies and tactics of hackers can also be found on one of ESET’s content hubs, WeLiveSecurity.com,” says Cambal.
“Additionally, it’s worth following the OWASP Top 10 chart, which will provide you with up-to-date information about online threats and current cyberattacks,” points out Cambal. “When you know that certain types of attacks are trending, you can adapt your digital security strategy accordingly, or even program the website while having these types of attacks in mind — not giving hackers a chance.”
Having your website backed up pays off — find out more about backup and recovery strategies here.