Cybersecurity is an important part of risk management for a business, whether you are thinking of adopting cloud computing or just using email and maintaining an information-only website.
Theft of digital information has surpassed physical theft as the most commonly-reported fraud in business today.
Successful businesses create a culture of technology security that enhances the value and brand of the company and customer confidence.
The Federal Communications Commission’s Small Biz Cyber Planner is a useful online tool for small businesses, especially those that do not have a dedicated employee to protect the organization from cyber threats. The tool is available at http://www.fcc.gov/cyberplanner.
Basic Security for Business Owners
If you are a business owner or manager, here are some common website security questions to consider.
What are common website security threats?
- Vandalism or theft by an insider. Dissatisfied or former employees are among the largest security threats to a business website. It is important to cancel access and change passwords after an employee leaves a business.
- Malicious software. Users can download malicious software that can be used to steal passwords and hack into websites or computers. Much of this bad software, known as malware, is found on disreputable or unsavory websites. Most anti-virus software will detect and block these types of programs, but not always. Gambling and pornography websites are notorious for installing malware. The solutions: keep your virus software up to date, avoid websites that aren’t business related, and, if you are able, do not allow users to connect to potentially harmful sites.
- Automated hacking attempts. Web “bots” are software applications that run automated tasks looking for vulnerable websites. If you use secure software to power your business website, it should be impervious to most automated hacking attempts.
While a good web developer can help keep a website secure, the best security starts with managing access and keeping your business computers clean. Change passwords regularly and when employees leave. Use your business computers only for business.
Why is SSL Encryption important?
SSL stands for Secure Sockets Layer. In simple terms, it is a dedicated connection between two computers that no other computer can access. Encryption is useful for protecting important data. When you combine SSL with encryption, you have a secure web connection. You need SSL encryption if your website collects information from individuals that is personally identifiable and/or valuable.
What is multi-factor authentication?
Authentication is a process by which a user proves his identity to a system, normally when logging in.
An authentication factor is something a user presents to a system to prove his identity. It may be something he knows (a password) or proof of possession of a physical object (a one-time password token or smart card; a registered computer device) or a measurement of some physical characteristic (biometric: voice print verification, fingerprint, retina or iris scan) of the living human user. In short, something the user knows, or something he has, or something he is.
Multi-factor authentication means authentication using multiple factors. For example, a user might sign into a system with a combination of two things he knows, or a combination of something he knows and something he has, or perhaps something he knows, something he has and something he is. The premise is that adding authentication factors makes it more difficult for a would-be attacker to simulate a legitimate authentication and consequently impersonate a legitimate user.
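An added example (not from the original article) of the "something he knows plus something he has" combination described above: a salted password hash is the knowledge factor, and an RFC 6238 time-based one-time password (the kind an authenticator app or hardware token produces) is the possession factor. The user record, salt and password are constructed for this demonstration; the TOTP secret is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user record: PBKDF2 password hash (something the user knows)
# and a shared TOTP secret (something the user has). Values are made up here.
_SALT = b"example-salt-not-for-production"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 200_000),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
    }
}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)
    return hmac.compare_digest(candidate, rec["pw_hash"])   # constant-time compare

def check_totp(user: str, code: str, now: int) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    # Accept the current 30-second step and one step either side for clock skew.
    return any(hmac.compare_digest(totp(rec["totp_secret"], now + d), code)
               for d in (-30, 0, 30))

def authenticate(user: str, password: str, code: str, now=None) -> bool:
    """Both factors must pass. Both are always evaluated so a failure in one
    does not short-circuit and reveal which factor was wrong."""
    now = int(time.time()) if now is None else now
    pw_ok = check_password(user, password)
    otp_ok = check_totp(user, code, now)
    return pw_ok and otp_ok
```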
How do I know if my website is secure?
Secure is defined differently by different people. Some view security as an absolute. If there is any possible vulnerability, some Information Technology professionals believe a website has security issues. By the very strictest definition, almost every website is insecure. Some website security professionals will use a rigorous definition of security to sell website owners excessive or unnecessary services. Before you worry about how secure your website is, determine your risk factors. For example:
- What is on your website that someone would want to steal? If your website is purely informational, your security risk is low. Few would hack your site unless they believe there is something valuable inside.
- Would anyone want to deface or vandalize your website? If your business has a high-profile website or a site that polarizes users, your security risk may be higher. Vandalizing a popular or politically significant website is a way for a hacker to draw attention. If you are a small business with a low profile, you are less likely to have your site vandalized.
- What is the worst-case scenario? Consider these questions: Is your website mission critical (i.e., will your business be significantly impacted or grind to a halt without it)? If someone steals your information, could you end up in court? These situations raise security concerns.
What questions should I ask about my business website’s security?
Learn the language of cybersecurity.
- Cross-site scripting attacks. Abbreviated as XSS, this is a common method of hacking websites. If your website has a place where visitors can enter text, your site could be vulnerable. Most web developers know about this vulnerability and block it.
- SQL (pronounced “sequel”) injection attacks. This is another vulnerability that can be blocked. If your website uses a SQL database, it could be vulnerable. Ask your web developer.
- Ask your web developer about his security experience. If you have a high-risk website, you need a developer who has developed and successfully protected high-risk sites.
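The two vulnerabilities named in the list above, each shown in its vulnerable form beside the hardened form a developer should be using. This is an added example, not code from the original article; the in-memory SQLite table, its two user rows and the comment markup are constructed for the demonstration (passwords are stored in plain text only to keep the example short; a real site stores hashes).

```python
import html
import sqlite3

# Constructed in-memory database standing in for a business website's user table.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT, password TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?)",
               [("alice", "hunter2"), ("O'Brien", "s3cret")])

def login_vulnerable(name: str, password: str) -> bool:
    """VULNERABLE: visitor input is pasted into the SQL text, so the database
    parses whatever the visitor typed as part of the query (SQL injection)."""
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(query).fetchone() is not None

def login_safe(name: str, password: str) -> bool:
    """HARDENED: parameter binding keeps input as data, never as SQL syntax."""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone() is not None

def input_parsed_as_sql(name: str, password: str) -> bool:
    """Detection aid: True if the vulnerable login raised a SQL syntax error,
    i.e. the visitor's text changed the structure of the query."""
    try:
        login_vulnerable(name, password)
        return False
    except sqlite3.OperationalError:
        return True

def render_comment_vulnerable(text: str) -> str:
    """VULNERABLE: visitor text is placed into the page as raw HTML (XSS)."""
    return f"<p class='comment'>{text}</p>"

def render_comment_safe(text: str) -> str:
    """HARDENED: escape <, >, &, and quotes so the browser shows text, not markup."""
    return f"<p class='comment'>{html.escape(text, quote=True)}</p>"
```

A legitimate apostrophe in a name (O'Brien) is enough to break the vulnerable query; that is the same weakness an attacker abuses, which is why the check is a useful smoke test.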
Website Security Tips for Small Business Owners
- Password management. Use good passwords and require that they be changed often, kept secret and never shared. Most information technology experts recommend 8 (or more) characters, with both upper and lower case letters, numbers and, when technically possible, a punctuation mark or other symbol. Never use a user’s name or login ID for a password, never write down a password and display or store it in an insecure area accessible to more than the user, and change passwords every 60 or 90 days (or more often).
- Manage access. When you hire employees and when you work with vendors, suppliers, contractors or others, issue them their own passwords. When they leave your employment or have completed their work, revoke their access.
- Watch downloads. Never download anything you are not 100 percent confident in and do not open any email attachments from anyone you are not able to identify.
- Keep systems patched. There are hundreds of security tools to help protect your electronic systems. One mantra that keeps coming up is to keep your computers patched and updated. Enrollment in automatic updates and periodic visits to software vendor sites for the latest patches can keep you safe from known vulnerabilities.
- Keep virus software up to date. Out-of-date software means your computer is vulnerable to malware. Malware can steal your passwords and infect your website.
- Intruder lockout. Many systems can detect repeated attempts to sign in with incorrect passwords. Use a system that locks out the account when it detects too many invalid attempts within a short period of time, preventing further attempts.
- Training. Don’t overlook the value of training employees on the best practices of password composition and other acceptable use policies of your business technology.
- Get professional help. If your website has a high profile or if there is data that someone might want to steal, get assistance from a security expert. It is cheaper to employ someone to secure your website than it is to recover from an attack later. Some outcomes of a cyber attack, such as bad publicity, are difficult to quantify in terms of lost business revenue and goodwill among customers. But you know the impact can be significant.