Does Website Security Matter to My Business?
So, Equifax was hacked, but your company doesn’t have a treasure trove of financial data. Do you really have to worry about website security?
For many businesses, website security is legally required. If you accept credit card payments or store medical data, you are required to secure your customers’ information. There are specific protocols for PCI (credit card) and HIPAA (medical information) compliance. But even among our clients, these are the exception rather than the rule.
I don’t store valuable data. Why should my website be secure?
Perhaps you’re an artist, a freelance writer, an attorney, or a veterinarian. Generally, your website doesn’t store much data at all. It’s simply a resource for information.
Sure, the antivirus companies want your money, and your domain registrar wants you to have something called an SSL certificate, but if you aren’t protecting anything valuable, why put a lock on your door?
How Mediastead Secures Our Clients’ Websites
At Mediastead we rarely work with companies that store critical data online. Most of our clients rely on us for web development and hosting. A few companies have databases of their inventory and sales and a few companies have information that needs to be protected for HIPAA compliance.
However, our security process doesn’t vary depending on the client. We use the exact same process to make sure our security plug-ins are kept up to date.
Our preferred platform, WordPress, is used by roughly 20% of all websites worldwide. By sheer volume of users, it makes a very attractive target for hackers. Native WordPress security is reasonably good; however, no platform can ever keep pace with malicious hackers attempting to circumvent that security. For that reason, we also license proprietary security software for our servers.
The Mediastead team patches every client website at least once a month. Occasionally, a serious threat is announced in the WordPress community, usually having to do with a virus, Trojan horse, or active hacking attack. When this happens, all servers are patched the same day the fix is made available, usually within 24 hours after the vulnerability has been identified.
Every website should be secure.
Obviously, if you do store proprietary data within your website structure, you want to protect that data.
More likely you store data offline, but if your website is connected to that database, it could be used as an on-ramp or a lockpick. For example, your website may be connected to your inventory database, which is connected to your point-of-sale cash registers. Even though your website doesn’t store credit card data, smart hackers can use it as a lockpick. A deadbolt secures your house, but a good thief knows to look for the fake plastic rock in the flower bed.
Finally, hackers might not even want your data. Most small business website hacks aren’t looking for data. They are looking for empty server space and unused bandwidth.
Your Website May Have Helped the Equifax Hackers
The Equifax hackers had access to thousands of terabytes of data. They didn’t download it all onto a personal laptop or even a room full of servers. They likely stored it in chunks across many different servers all over the web. Even if the FBI or SEC trace the data, it’s being stored in unused disk space on web servers belonging to thousands of legitimate small businesses.
Next, they want to reap the benefits of their heist. The hackers will spam the millions of email addresses they recently captured. They won’t blast them from a single laptop in a seedy Internet café. They are going to piggyback on the outgoing mail servers of tens of thousands of websites, perhaps yours.
Meanwhile, your small business is paying for that storage. You’re paying for the bandwidth. And you may also be hosting the email server.
This last element is the most dangerous to you. The illicit activity is traced back to your IP address. No, the FBI probably isn’t going to bust down your door. But Internet security firms keep a running list of unscrupulous IP addresses. If your website or your email server is identified as associated with spambots, you’ll be blocked from reaching many of your potential customers, and you may never realize it.
How can you tell if your website has been hacked?
Most of the time, it’s pretty hard to tell from the business owner’s perspective. Usually, the business owner doesn’t suspect hackers; they tend to believe that their problems are the result of a bad website development team.
Business owners may see three symptoms of a hack:
- Search engines aren’t finding you effectively anymore.
- Outgoing emails are disappearing or bouncing back.
- Your website seems to run much slower than it has in the past.
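The second symptom (bouncing mail) and the blocklists mentioned earlier can be checked directly: mail operators publish DNS-based blocklists (DNSBLs), and a listed address answers with a code in 127.0.0.0/8. The script below is an added example, not Mediastead’s tooling; the zone name and the return-code meanings are assumed from the Spamhaus ZEN documentation and should be confirmed against the list operator’s current table, and the `resolve` parameter exists so the lookup can be swapped out for testing.

```python
import ipaddress
import socket

# Assumed return-code meanings for zen.spamhaus.org; other zones define
# their own codes, so check the operator's documentation before relying on these.
ZEN_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: known spam source",
    "127.0.0.4": "XBL: exploited or hijacked host",
    "127.0.0.5": "XBL: exploited or hijacked host",
    "127.0.0.6": "XBL: exploited or hijacked host",
    "127.0.0.7": "XBL: exploited or hijacked host",
    "127.0.0.10": "PBL: range should not be sending mail directly",
    "127.0.0.11": "PBL: range should not be sending mail directly",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: address labels reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6 lists use one reversed hexadecimal nibble per label
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def check_dnsbl(ip: str, zone: str = "zen.spamhaus.org",
                resolve=socket.gethostbyname):
    """Return (listed, reason). A missing record (NXDOMAIN) means not listed."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except OSError:  # socket.gaierror (an OSError) is how NXDOMAIN surfaces
        return False, "not listed"
    if answer.startswith("127.255.255."):
        # Error codes, e.g. query sent via a public resolver or over quota;
        # these are not listings and must not be reported as one.
        return False, f"lookup error, not a listing (answer {answer})"
    return True, ZEN_CODES.get(answer, f"listed with code {answer}")


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:
        listed, reason = check_dnsbl(ip)
        print(f"{ip}: {'LISTED' if listed else 'clear'} - {reason}")
```

Run it against your web and mail server addresses; a result other than "not listed" explains bouncing mail far better than blaming the developer.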
Even a well-developed website will eventually be vulnerable if security and functionality patches aren’t kept up to date. Many clients come to us after ignoring their website for more than a year. They rent super-cheap server space, or they have a developer who charges by the hour to do updates, so they don’t bother updating until something breaks.
Every website, particularly ones hosted using WordPress, Joomla!, Drupal or one of the other popular platforms, should be patched monthly at a bare minimum.
In late 2016, Google began recommending that all websites have an SSL (Secure Sockets Layer) certificate and that all data transferred to or from your website be encrypted. In January 2017, Mediastead made the decision that SSL certificates were going to be standard operating procedure for all clients. We want to protect all of our clients, not just those who store highly valuable data in their website.
Making sure your website and any of your servers connected to the Internet are routinely patched is critical not only for protecting your data, but also for protecting your ability to communicate unfettered.