Business and website security extends far beyond protecting sensitive data behind a firewall. Hackers are increasingly attacking websites and entire business systems, large and small. Their goals range from bothersome disruptions to costly takedowns like the recent WannaCry virus that held networks hostage worldwide.
Cyber attacks, including ransomware hacks that lock you out until you pay a ransom, are on the rise. But you can protect your valuable data and online assets from these modern-day thieves with smart security choices. This guide shows you how to protect your business, website, and data from security breaches and ransomware attacks in 7 easy steps.
But first, if you’re just getting started in online business, secure all-in-one providers like Square have you covered with secure end-to-end solutions. You get secure payments, a secure online store, secure back-end management system with email marketing, and much more in every free Square account.
Step 1: Employ Best Practices for System Updates, Logins & Email
Most small businesses don’t have the resources, people or technical know-how to stay ahead or understand the various threats. They are left to the mercy of their providers or the media, and more often than not employ reactive tendencies (i.e., security is out of mind and out of sight until it affects them directly).
— Tony Perez, Sucuri
Strong business and website security starts with implementing preventative measures and best practices system-wide to keep the bad guys out in the first place. For most small businesses, this means first securing what you control:
- Automate your operating system updates
- Use strong passwords and 2-factor authentication
- Secure email systems and procedures
Let’s explore how to secure these key elements of your business.
Automate Your Operating System Updates
Hackers are all too aware that many small business and individuals overlook updating their computer’s operating system software. And they take every opportunity to exploit this, as seen in the May 2017 WannyCry ransomware outbreak, which targeted a known issue in Windows operating systems.
Users who updated their Windows previous to the outbreak were protected, but the many users worldwide who had outdated systems felt its effects. And once inside, this outbreak, like others before it, attacked entire networks and brought entire businesses, websites, governmental, and educational systems to their knees.
The fix? Keep your Windows and other operating systems secure by setting up automatic updates to install the latest security updates and patches. Remember! Even the best antivirus and firewall protection can’t protect an outdated operating system. So make this security job one.
Use Strong Passwords and 2-Factor Authentication
The days of using the same password across multiple accounts and predictable patterns are over. Hackers are just too smart. Here, strong passwords and 2-factor authentication are what you need to protect both your customers’ accounts and your data.
Most operating systems, network software, and web platforms let you enable strong password requirements for customer and administrator accounts. It’s a good idea to use this. Many even let you set password expirations which require users to change their passwords periodically. This can be an irritation to customers, so use at your discretion, but it’s a great way to increase security for employee logins.
Strong passwords and two-factor authentication are key login elements for secure multi-contributor websites like our business information and news sites. All it takes is one weak password to give cybercriminals an opening to hijack your entire website, and regaining control is a long and costly process.
–Dave Waring, Editor-in-Chief of Marc Waring Ventures
Another way you can secure your business websites and blogs is by implementing Google’s 2-factor authentication. With 2-factor authentication, employees, admins, and contributors that access the backend of your website must enter:
- User ID
- Google authenticator number
The Google authenticator number is a 1-time code that users access via mobile app each time they log in. Again, it’s one more login step for your employees but is vastly more secure than a simple username and password combination. Learn more about enabling Google 2-factor authentication for websites and other online services here.
Secure Email Systems & Procedures
Infected email attachments are the cause of large numbers of hacks, network attacks, and data breaches. Despite email security protections like virus scans and spam guards, hackers still find their way into many computer systems using this simple trick. So all businesses should implement best practices that include both automated scans and employee scrutiny.
Even if an attachment is deemed “clean,” by a scan, if users aren’t certain of the sender, it’s always best to double-check an attachment before opening. Remember! Once an infected email attachment is open, it’s hard and often costly to stop the spread.
Step 2: Protect Systems, Data & Websites from Malware
Malware is a catch-all term for the many threats that attack computers, data, and online systems. Malware viruses, worms, trojan horses, and more get into systems without your consent and wreak havoc. They lock up websites and hold data for ransom, crash systems, and bring down entire networks. These electronic foes even lurk in the background and track your activity. In short, you don’t want any of this hanging around your system or website.
For computers and networks, maintaining up-to-date virus software and firewall systems add another layer of protection from malware attacks. Like the operating system updates discussed in Step 1, these updates can be automated, too. You can even set up monitoring and alerts if suspicious activity pops up.
Business websites, online stores, and blogs are susceptible to malware attacks, too. Like computer system and network protection, you can add malware protection with automated updates and alerts to websites and blogs. It’s best to do this before it’s too late.
We once received emails from a person threatening to block access to one of our news sites unless we paid a $5K ransom by a certain deadline. We ignored these warnings as spam. Imagine our surprise when the deadline came around and our entire website disappeared, and instead displayed a page stating the site was being held for ransom. Luckily, Sucuri was able to intervene, recover our site, and prevent future issues using constant monitoring.
–Dave Waring, Editor-in-Chief of Marc Waring Ventures
You don’t have many malware or data breach worries if you use a top online store platform like BigCommerce or Shopify that manage and monitor secure servers for you. However, if you operate a WordPress website or a site on another blog or web builder platform, malware can be a worry indeed since not every hosting service takes care of this for you.
If you operate a WordPress site or a site on another platform or hosting system that doesn’t fully protect its users, it’s up to you to add lockdown and malware prevention security to prevent hacking, infections, SEO spam, defacements, or hacker ransoms, like the one mentioned by David, above.
Hackers worldwide target unprotected websites using malware and other data attacks to gain entry and lock owners out. Then they demand payment for release. Once this happens, the fix can be long and expensive. So it’s well worth preventing this up-front with a security prevention and monitoring service.
Step 3: Use a Secure Website Platform or Hosting Service
Using the right online store or web hosting service provider can lighten your security worries greatly. The top providers such as BigCommerce, Shopify, and others featured in our ecommerce platform guide, make website security job one by constantly protecting their servers and clients from hacker threats. For WordPress users, top hosting companies such as BlueHost partner with top security providers to protect your blog from malware and other threats.
Ecommerce Platforms as a Service are fundamentally different than WordPress-based ecommerce sites when it comes to security. In many aspects, they do offer a more secure alternative, mainly because they remove the end user from the equation.
— Tony Perez, Sucuri
Most of the top ecommerce platforms already provide fully secure, PCI-compliant online store checkouts and back that up by only integrating with PCI-compliant payment processors. But many now go a step further. The latest trend among the top ecommerce platforms is providing all users, even those on the entry-level plans, with sitewide security certificates and secure socket layer connections (SSL), which we’ll discuss next.
Step 4: Use a Secure Socket Layer (SSL) Connection Sitewide
A secure sockets layer (SSL) certificate is more than a feel-good for your site visitors, it actually ensures that the online connection between your users and your website is secure and any information that passes between webs servers and browsers is encrypted and transmitted securely. This helps prevent hackers and eavesdroppers from accessing and intercepting data as is moves between web servers and users browsers.
Most top ecommerce platforms like BigCommerce and Shopify, and BlueHost for WordPress provide this security essential for you sitewide. SSL encrypts all of your store’s content and publishes it securely, under sitewide https versus the traditional unsecured http in browser address bars. For example:
This green lock obviously creates a comfort level for shoppers which can lead to more sales, but there’s one more advantage. Google is starting to give search preference to fully secure websites, so by holding a sitewide SSL certificate, you can gain higher search placement.
If your ecommerce platform or WordPress hosting solution doesn’t provide sitewide SSL across all plan levels, you can purchase an SSL certificate from a provider such as DigiCert, Network Solutions, or Instant SSL. Simply contact your ecommerce platform provider and ask about getting a sitewide SSL certificate. They can arrange the purchase and installation for you through whoever they partner with. Basic SSL certificates usually run about $50 to $75 per year. Not a bad price for ensuring a more secure website, customer peace-of-mind, and higher search rankings.
Step 5: Set Up Site Backups to Prevent Data Loss
When it comes to ransomware, outside of keeping your environment patched, the best action a business can take is to have backups that are off the network. Backups are the last resort, and depending on your frequency, it minimizes your potential data loss recovery time.
— Tony Perez, Sucuri
Website backups are another key ingredient to protecting your website from hackers and even administrator errors. And not every platform takes care of this important issue for you. I actually learned this the hard way.
After years of running a WordPress site on a platform that provided automatic backups, I launched a small test site on Shopify, a top ecommerce platform. In playing around, I deleted a category of products, thinking I could restore them from the backup if needed. Whoops! I discovered Shopify doesn’t have an automated backup unless you add it through a 3rd party app.
Sadly, it was too late for me and I had to rebuild each item page from scratch. This was a small issue, but can you imagine if my entire site had a data breach or hack? (Unlikely on Shopify, but it can happen on others.) My entire site could be lost for lack of a backup.
If you’re not certain if your hosting provider or ecommerce platform runs an automatic backup, contact them to ensure that they do, or to see how to enable it. Believe me, it can save you hours in restoring a mistake, or your entire business in the case of an attack.
Step 6: Use Order Alerts for Suspicious Credit Card Charges
Fraud alerts are a credit card fraud prevention tactic that protects you from theft and saves you money and time by minimizing fraudulent orders. Your payment processor can enable these if they don’t already do it automatically. Fraud protection tools monitor payment data as orders are placed online to protect you from thieves using:
- Mismatched credit card user information
- Rapid repeat orders from the same customer using different cards
- Unmatched shipping and billing addresses
- Chargeback fraud from customers with a history of chargeback abuse
- International orders and orders from blacklisted countries
Using fraud detection tools, your payment provider helps reduce your losses by:
- Declining transactions with mismatched and incorrect payment information
- Flagging suspicious orders like rapid repeats orders placed with different cards
- Supporting an internal blacklist for customers that have filed repeat chargebacks
- Flagging international orders for verification prior to shipping
Sadly, a few bad apples will make it through even the best anti-fraud detection, but putting these measures in place can protect you from the bulk of credit card fraudsters.
Step 7: Avoid Storing Payment Data on Your Servers
Hackers can’t steal what you don’t store. Luckily, if you’re like most small businesses, you rely on outside providers to handle every facet of your online selling and marketing operation. Simply put, this means you don’t host your website, payment processing, email marketing, order management tools, and whatever else you use to run your business on your own servers.
If this is the case, you simply need to ensure that the providers you work with operate secure systems that protect the data they transmit and store on your behalf. Here again is where relying on the top-rated providers is the best way to ensure security across all of these functions since most of the top names in every category do this for you.
If you don’t already have providers for key functions or are looking to upgrade to a secure solution, start your search with our reviews of top-rated providers for:
- Ecommerce platforms
- WordPress website hosting providers
- WordPress shopping cart plugins
- Online payment processing gateways
- Order management systems
- Shipping software
- Email marketing providers
The Bottom Line
A secure website is something your customers expect all online sellers to deliver and that means securing more than online payments. Encrypting all data transmissions via SSL certificates, protecting systems from hack attacks, backing up valuable store data, and requiring strong passwords are a few of the ways you can protect all aspects of your online your business and your customers.
Luckily, many top ecommerce platforms, hosting services, payment processors, and other operating and marketing providers make security a priority. You can lighten your security load by using top-rated providers. But it always pays to understand each of these security issues so you know what questions to ask, and how to shore up security across your entire operation.
Do you run an online store? How to you address these security issues? Please share your thoughts and experiences in the comments below.