IN-HOUSE PREVENTION

6 easy tips on how to secure your business website

02 Aug 2022

    Poorly secured business websites may destroy your company’s trustworthiness and result in a loss of profits. How can you keep cybercriminals from interfering with your online presence and sales? Martin Cambal, ESET Global Web Development Manager, shared a few tips that will be useful for CEOs as well as IT admins in small businesses.

    Keep your logs

     Application and web server logs let you spot an attack, ideally at its very beginning, before any damage is done. "All traffic on the website and the network should be logged so that the website's developer is able to track down the assault. Logs should always cover at least the last 30 days. Some attacks happen from one hour to another, and some last for days. Hacking is a process you can uncover at its very beginnings," explains Cambal. Finally, don't forget to back up the logs: forward them as they are written to a central storage location that the web server itself cannot later modify, so that an attacker who compromises the server cannot delete or alter the evidence.
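As an added example (not part of the article, and not ESET's configuration), here is how an nginx server can keep its local access log and at the same time ship a copy of every request and error line to a central syslog collector, so that a compromised web server cannot erase its own history. The collector address 10.0.0.5, the log paths and the log format name are assumptions; the directives belong in the http context of nginx.conf.

```nginx
# Added example, not configuration from the article or from ESET.
# Collector address, paths and the format name are assumptions.
http {
    # Extended "combined" format with the request time and a per-request id,
    # so one suspicious line can be correlated with the application's logs.
    log_format traceable '$remote_addr - $remote_user [$time_local] '
                         '"$request" $status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent" '
                         'rt=$request_time rid=$request_id';

    # 1. Local copy for whoever is debugging on the box, buffered to keep
    #    disk I/O cheap under load.
    access_log /var/log/nginx/access.log traceable buffer=64k flush=5s;

    # 2. Off-host copy of the same line, sent the moment each request
    #    finishes. An attacker who later gets root and truncates
    #    /var/log/nginx still leaves the request that got them in on
    #    the collector.
    access_log syslog:server=10.0.0.5:514,facility=local7,tag=nginx,severity=info traceable;

    # Error log likewise: failed upstreams, PHP fatals and permission
    # errors during a tampered deployment show up here first.
    error_log /var/log/nginx/error.log warn;
    error_log syslog:server=10.0.0.5:514,facility=local7,tag=nginx_err warn;
}
```

nginx sends syslog over plain UDP, so outside an isolated management network forward through a local rsyslog or similar agent that speaks TLS to the collector instead of pointing nginx at it directly. Retention on the collector is what gives you the 30-day window Cambal asks for; the local file is only a convenience copy, rotated by logrotate.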


    Perform regular website backups and develop an RPO/RTO plan

    Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are the two key metrics you should have in place before the worst-case scenario happens and your company website gets hacked. As Enterprise Storage Forum explains, RTO defines how long the site can be down without causing significant damage to the business, and RPO defines how much data (measured as a span of time, for example the last hour of orders) can be lost without the business being dramatically affected. The RPO dictates how often you must back up; the RTO dictates how fast your restore procedure has to be.


    "Businesses should have a regularly updated backup and recovery plan, as well as a disaster plan, stating what to do in the event of a cyberattack. Suppose a hacker attacks an important database, possibly deleting the data too. In that case, you'll appreciate having a pre-defined crisis response," adds Cambal, also stressing another significant security aspect: "Once a hacker gets into your website, you can't trust it anymore. After you deal with the attacker according to your crisis response plan, it's worth recovering the website totally."


    Uptime monitoring

    Monitoring software should check the website's availability continuously, at least once a minute. "It's crucial for the company to be the first one to know about an attack and prevent the customers from having to report the errors," Cambal says, addressing the importance of prevention. "On high-volume websites, demanding high availability, it's a good practice to limit the number of pages that can be viewed from one IP address. This means that the attacker must progress slowly, which gives the website administrators time to react accordingly and detect the danger in a timely way." You can easily find and activate monitoring services by searching for "uptime monitoring" on Google.
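The per-address throttling Cambal describes, as an added example that is not part of the article and not ESET's configuration: nginx's limit_req and limit_conn modules cap how many requests and concurrent connections a single client address may open, so a scraper or password guesser is slowed down while the rest of the site stays responsive. The rates, burst size, host name and certificate paths are assumptions to be tuned from your own access logs.

```nginx
# Added example, not configuration from the article or from ESET.
# Rates, burst size, host name and certificate paths are assumptions.
http {
    # Shared-memory zones keyed on the client address. A 10 MB zone holds
    # well over a hundred thousand address states; when it fills, nginx
    # evicts the least recently used entry.
    limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    # Answer 429 Too Many Requests instead of the default 503, so uptime
    # monitoring can distinguish "we throttled a client" from "we are down".
    limit_req_status  429;
    limit_conn_status 429;

    # Every throttled request is logged at warn level, so the logs show
    # exactly when a scrape or brute-force attempt started.
    limit_req_log_level  warn;
    limit_conn_log_level warn;

    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_certificate     /etc/nginx/tls/www.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/www.example.com.key;
        root /var/www/html;

        # burst=20 lets a normal page view (HTML plus its assets) through at
        # once; nodelay serves that burst immediately instead of queueing it.
        # Beyond the burst a client is held to the steady 10 requests/s.
        limit_req  zone=req_per_ip burst=20 nodelay;
        limit_conn conn_per_ip 20;

        location / {
            try_files $uri $uri/ =404;
        }
    }
}
```

Two caveats before switching this on. If the site sits behind a CDN or reverse proxy, $binary_remote_addr is the proxy's address, so configure set_real_ip_from and real_ip_header (the ngx_http_realip_module) first or you will throttle your own CDN. And many legitimate users share one address behind an office or mobile carrier NAT, so watch the 429 counts in the log for a while before tightening the rate.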


    Website made-to-measure? Discover website hardening guides

    Tech giants such as Google publish free hardening guides and security checklists that help you build a secure web server. "Each brand offering web servers and web applications should provide you with effective cybersecurity tips, which should help you build a reliable and protected website," says Cambal. "Also, when relying on web hosting, look for a provider that has the ISO 27001 certification, guaranteeing that your data will be safe with them."


    Be aware of the limits of an open-source CMS

    Open-source platforms, like WordPress, have many benefits, such as the ability to build your website quickly. Nevertheless, they also present security challenges. "Vulnerabilities of these platforms are usually widely known. An experienced attacker may use the information about weak spots of the website to attack it," says Cambal. "The code is open, and anyone can look into it, taking advantage of its imperfections."


    Moreover, the administration interface of an open-source CMS usually lives at a well-known path, such as /admin or /wp-admin, that anyone can guess. "If the attacker steals the password and login credentials, they know exactly where to enter it," continues Cambal. That path should therefore be reachable only from specific IP addresses or through the company VPN, and it is worth adding a further layer of protection on top, such as requiring multi-factor authentication to log in.
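One way to put the admin path behind an IP allowlist, as an added example rather than configuration from the article or from ESET: an nginx site file for a WordPress install in which /wp-admin/, the login page and the XML-RPC endpoint answer only to the office range and the VPN gateway. The addresses (taken from the RFC 5737 documentation ranges), host name, TLS paths and PHP-FPM socket are assumptions. Multi-factor authentication itself is enforced inside WordPress by a two-factor plugin; this file is the network layer on top of it, not a replacement.

```nginx
# Added example, not configuration from the article or from ESET.
# Lives in /etc/nginx/conf.d/ (inside the http context). Addresses, host
# name, certificate paths and the PHP-FPM socket are assumptions.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    root  /var/www/html;
    index index.php;

    # FastCGI parameters set once at server level; each PHP location below
    # only needs fastcgi_pass.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    # admin-ajax.php sits under /wp-admin/ but is called by public pages, so
    # it gets an exact-match location, which nginx prefers over the prefix
    # block below. It stays open to everyone.
    location = /wp-admin/admin-ajax.php {
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Everything else under /wp-admin/: office range and VPN egress only.
    # Anyone else gets 403 from nginx before PHP ever runs.
    location ^~ /wp-admin/ {
        allow 203.0.113.0/24;   # office (assumed range)
        allow 198.51.100.7;     # VPN concentrator's egress address (assumed)
        deny  all;
        # Nested so PHP still executes here; allow/deny are inherited.
        location ~ \.php$ {
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # The login form itself gets the same allowlist, so stolen credentials
    # are useless from outside the office or VPN.
    location = /wp-login.php {
        allow 203.0.113.0/24;
        allow 198.51.100.7;
        deny  all;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # xmlrpc.php accepts a username and password too and is a second login
    # door for password guessing. Disable it unless a plugin really needs it.
    location = /xmlrpc.php {
        return 403;
    }

    # Public site.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

A request to /wp-admin/ is matched by the ^~ prefix block, so nginx applies the allowlist, then the index directive redirects internally to /wp-admin/index.php, which the nested PHP location handles with the same allow/deny rules. If the server sits behind a CDN or reverse proxy, the real_ip module must be configured first, otherwise every request arrives from the proxy's address and the allowlist is meaningless.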


    Keep yourself informed

    Getting timely information from the right source is crucial if you want to be one step ahead of cybercriminals. "You can find valuable details about recent developments in digital technology on HackerNoon.com. Recent strategies and tactics of hackers can also be found on one of ESET's content hubs, WeLiveSecurity.com," says Cambal.


    "It's also worth following the OWASP Top 10 chart, which will provide you with up-to-date information about online threats and the latest cyberattacks. When you know that certain types of attacks are trending, you can adapt your digital security strategy accordingly, or even program the website while having these types of attacks in mind — not giving hackers a chance."

    Read also

    Is your company website an easy target for hackers?

    Your company’s website is like the store window of a brick-and-mortar shop. Its design is crucial for your customers and partners, and you need to keep it safe. Yet globally, around 30,000 websites are hacked daily. Here's a guide to common types of attacks.

    How to Find the Right Backup and Recovery Software

    The more data your company stores and depends on, the greater the need to back it up.

    Better to protect than rebrand: Why web security matters.

    Websites are sometimes referred to as the “shop windows” of the digital era for a good reason. They have the power to positively influence the way customers view your company or product, help create the perfect first impression, or build trust in your service. Or, they can do quite the opposite, especially when poorly secured. Have you ever considered that your website might be a business risk?

    Data backups & recovery: How can they save your business?

    Why back up data if I've never lost any? Greg Bak, product development manager at data protection, backup and disaster recovery software vendor Xopero, often hears this question from businesses. "But the query should be put differently," Bak said. "Business owners should rather ask: If someone takes away my computer right now, would I be able to continue working and guarantee business continuity?" Many companies don't realize how dependent on digital data they actually are. Here are some of the insights he's shared to help you recognize the importance of regular data backups.