It’s a wild web…and it’s only getting wilder. How well-protected is your company’s website?

In today’s Internet age, attacks on our web assets come from all angles, especially those we least expect. No matter who you are or what position you’re in, you have a role to play in keeping the web safe.

As a branding agency, we understand how a potential hack has the ability to really mess with your brand reputation. Your website is one of the main ways your audience interacts with your brand, and part of building brand trust is a secure website that keeps each user’s information protected.

Here’s a hot tip on how to get started: an audit. Review the following questions with your team.

What’s hiding in your website’s content management system (CMS)?

Start by taking an inventory of your CMS, including contact form submissions, user accounts, orders, user-submitted files (résumés, photos, etc.), contest entries, event signups – anything that was given to you in trust by your users.

Now imagine if that data was made available to the general public, or worse, those with nefarious intentions. Would you be in serious trouble?

If your answer is yes, it’s time to get serious about protecting your website. There is inherent risk to maintaining a website, and you should mitigate that risk to the best of your ability.

Let’s go over some ways your users’ data can be exposed, then we can get into mitigation techniques.

What are the weak links?

Attacks can come from anywhere. A big one being used lately is what’s called a “supply chain attack.” These happen when malicious users go after the weakest entry points of an overall system – sort of like poisoning grapes before making wine to make the person who drinks it sick.

In the website world, this attack can come from the plugins that provide some specific functionality or the software running your database. If bad code is injected into those smaller pieces, the entire system is vulnerable.

Here are some of the attack vectors:

• Weak passwords: Passwords that are easy to guess are huge security holes. Be sure to keep it difficult enough to keep the baddies away. Consider using a password manager like Bitwarden or LastPass; they’ll generate and store strong passwords for you.
• Hardware/software misconfigurations: Network devices such as a Wi-Fi router often come with a default password pre-programmed and are freely accessible to the outside world. These flaws in product design are well-known throughout the ‘net. Without doing due diligence by properly configuring the device, you leave yourself open to attack.
• Older software: Many applications and operating systems have an EOL (end of life) – a date after which security patches are no longer developed. It’s important to recognize this and migrate to newer software before someone gets the best of you.
• Excess software: Applications not essential to a system offer unexpected avenues of attack and should be removed.

Let’s continue that audit and revisit your website.

When was the last time you reviewed who had access to your CMS?

It might be time to clear out some old accounts or change your password. Again, fire up that password manager so you can use high-quality passwords without having to remember them. If available, you can also enable two-factor authentication (2FA) to make your administrative accounts even more secure. Ask others on your staff who have access to do the same.

Do you have a data retention policy in place?

Think about what kind of data you’re requesting from your customers, how important it is to you (and more importantly, to them), how long you keep it and how often you remove it. Consider automatic deletion if it’s available to you.

Do you know your hosting provider?

Is your hosting provider taking the necessary measures on their end to keep your environment secure? Ask and find out! You should inquire about their use of a firewall, data retention, who on their staff has access to your server (and therefore your data) and if their user accounts are sufficiently safeguarded.

Whether you’re an officer, on the administrative staff, a member of the IT department or a stakeholder, you can be involved in this effort. Keep your finger on the pulse of the website and ear on the ground to listen for potential trouble.

It’s a team effort!

Once you’ve audited your website, ensure your team understands the necessity of keeping your website secure.

Non-IT folks: This means you need to review or create company policies related to protecting your site and user data. Develop and display comprehensive privacy policies on your site. Research best practices and work with your IT group to find out what capabilities you have or need to implement. Budget for the tools needed to live up to those policies.

If you’re IT: You’ve got the responsibility of making sure all these practices are in place. Subscribe to services that alert you to problems with your site or provide real-time lists of vulnerabilities detected in the wild, even if they don’t apply directly to your site. Monitor exploit databases for zero-day attacks. Work with your hosting company to implement corporate policies.

Website security can be daunting, especially when you know what’s at stake. But many hands make light work, and with everyone on board and rowing in the same direction, you and your users will have confidence that your site is safe and secure in the world wild web.

If you still have questions or need help with your website’s security, drop us a line.

Tony Nagy

Tony is a Digital Arsonist at MindFire. As our resident programmer, Tony will work with you to create user-friendly and results-oriented digital campaigns that will light up your brand.