Poorly secured business websites may destroy your company’s trustworthiness and result in a loss of profits. How can you keep cybercriminals from interfering with your online presence and sales? Martin Cambal, ESET Global Web Development Manager, shared a few tips that will be useful for CEOs as well as IT admins in small businesses.
Keep your logs
App logs assist you in identifying an attack, preferably at the very beginning, before any damage is caused. "All traffic on the website and the network should be logged so that the website's developer is able to track down the assault. Logs should always cover at least the last 30 days. Some attacks happen from one hour to another, and some last for days. Hacking is a process you can uncover at its very beginnings," explains Cambal. Finally, don't forget to back up the logs. Preferably, they should be saved on a central storage location so that attackers can't delete them after hacking the server.
Perform regular website backups and develop an RPO/RTO plan
Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are two key metrics you should have in place if it comes to the worst-case scenario and your company website gets hacked. As the Enterprise Storage Forum states, the RPO and RTO help you define how long your software can be down without causing significant damage. Also highly relevant is how much data can be lost without the business being dramatically affected.
"Businesses should have a regularly updated backup and recovery plan, as well as a disaster plan, stating what to do in the event of a cyberattack. Suppose a hacker attacks an important database, possibly deleting the data too. In that case, you'll appreciate having a pre-defined crisis response," adds Cambal, also stressing another significant security aspect: "Once a hacker gets into your website, you can't trust it anymore. After you deal with the attacker according to your crisis response plan, it's worth recovering the website totally."
Uptime monitoring
Monitoring software should continuously check the website's availability, at least once a minute. "It's crucial for the company to be the first one to know about an attack and prevent the customers from having to report the errors," Cambal says, addressing the importance of prevention. "On high-volume websites, demanding high availability, it's a good practice to limit the number of pages that can be viewed from one IP address. This means that the attacker must progress slowly, which gives the website administrators time to react accordingly and detect the danger in a timely way." You can easily find and activate monitoring services by searching for "uptime monitoring" on Google.
Website made-to-measure? Discover website hardening guides
Tech giants such as Google offer free hardening guides that help you build a secure web server. They also offer security checklists. "Each brand offering web servers and web applications should provide you with effective cybersecurity tips, which should help you build a reliable and protected website," says Cambal. "Also, when relying on web hosting, look for a provider that has the ISO 27001 certification, guaranteeing that your data will be safe with them."
Be aware of the limits of open-source CMS
Open-source platforms, like WordPress, have many benefits, such as the ability to build your website quickly. Nevertheless, they also present security challenges. "Vulnerabilities of these platforms are usually widely known. An experienced attacker may use the information about weak spots of the website to attack it," says Cambal. "The code is open, and anyone can look into it, taking advantage of its imperfections."
Moreover, the admin part of the open-source platforms usually runs on a URL that is easy to guess, using the ending /admin or similar. "If the attacker steals the password and login credentials, they know exactly where to enter it," continues Cambal. This particular URL should therefore be accessible only from specific IP addresses or VPNs, and it's also worth implementing an extra layer of protection, requiring, for example, multi-factor authentication to log in.
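Two of the tips above (retaining access logs to spot an attack early, limiting pages per IP, and locking the admin URL down to known addresses) can be checked against the logs themselves. The following script is an added example, not code from ESET or from Cambal: it parses a few constructed access-log lines, flags any IP that exceeds a per-minute page threshold, and flags admin-URL hits from outside an assumed office/VPN range (192.0.2.0/24 is a placeholder, as are the sample addresses and paths).

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in common access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /product/1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /product/2 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /product/3 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /product/4 HTTP/1.1" 200 512
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1024
192.0.2.10 - - [10/Oct/2023:13:56:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)
# Typical CMS admin entry points; extend for the platform you actually run.
ADMIN_PATHS = ("/wp-admin", "/wp-login.php", "/admin")
# Assumed office/VPN range that is allowed to reach the admin URL.
ADMIN_ALLOWLIST = [ip_network("192.0.2.0/24")]


def parse(line):
    """Return (ip, timestamp, path) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def analyze(log_text, per_minute_limit=3):
    """Return (IPs over the per-minute page limit, admin hits from outside the allowlist)."""
    per_ip_minute = defaultdict(int)
    admin_hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # keep going: one malformed line must not hide the rest
        ip, ts, path = rec
        per_ip_minute[(ip, ts.strftime("%Y-%m-%d %H:%M"))] += 1
        if path.startswith(ADMIN_PATHS):
            if not any(ip_address(ip) in net for net in ADMIN_ALLOWLIST):
                admin_hits.append((ip, path))
    offenders = sorted({ip for (ip, _), n in per_ip_minute.items() if n > per_minute_limit})
    return offenders, admin_hits
```

Run it over a real log export, tune the per-minute limit to your traffic, and the two lists are a starting point for the alerting the article recommends rather than a replacement for it.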
Keep yourself informed
Getting timely information from the right source is crucial if you want to be one step ahead of cybercriminals. "You can find valuable details about recent developments in digital technology on HackerNoon.com. Recent strategies and tactics of hackers can also be found on one of ESET's content hubs, WeLiveSecurity.com," says Cambal.
"It's also worth following the OWASP Top 10 chart, which will provide you with up-to-date information about online threats and the latest cyberattacks. When you know that certain types of attacks are trending, you can adapt your digital security strategy accordingly, or even program the website while having these types of attacks in mind — not giving hackers a chance."