How to make online security a priority
Let’s cut straight to the chase: online security is a big deal. A cyber-attack can lock you out of your systems and your data, damage your reputation and cost thousands of pounds to clean up, and that is before you deal with a potential fine from the Information Commissioner’s Office if you have failed to meet your responsibilities under GDPR.
Let’s look at the facts. According to data from Thames Valley Police:
- 3.9 million cyber-crimes in 2016
- 28% of businesses reported an attack to the police
- Cost to UK economy was £4 billion in 2014
- 500 million new viruses were released in 2015
- 3,000 denial of service attacks every day
- 500,000 phishing attempts every day
As the internet continues to play a bigger and bigger role in organisations of all shapes and sizes, security must be treated as a priority.
We are Olamalu, digital experts, and we think about security from the outset of any brief we receive. This thought process runs through our discussions on systems architecture, data collection and storage and access control. At the back end, we’ve introduced a new site management system to ensure that security updates can be applied as quickly as possible. Alongside this, we’ve implemented a new process which pushes each website through a series of checks to ensure that the security update is properly applied and the website is still functioning as expected.
What can you do?
Security isn’t something that just falls into the laps of web experts like us. There are things that every business should be doing. Here are our top 5 recommendations:
1. Keep admin up to date
- If a member of staff leaves, disable or delete their account the same day, and change any shared passwords or keys they knew.
- Be clear on who has access to your website and limit the number of administrators to a maximum of 3.
- For those who need to access certain sections of the site for updating/editing purposes, grant an editor profile instead. This gives people access to just the bits they need, not the whole site, so a phished editor account cannot change site configuration or create new administrators.
2. Ensure passwords are strong and unique, and change them when they may have been exposed
- Strong passwords are not just a requirement for your email or financial transactions online, they are also imperative for your website server, admin and database passwords.
- Make your passwords at least 12 characters long, and longer is better: length is what defeats brute-force guessing, and mixing upper and lower case letters, digits and symbols only adds real strength once the password is already long. Three or four unrelated words are easier to remember than a short jumble of symbols.
- Don’t use the same password for different logins: one breached site then unlocks the others. Change a password promptly if you suspect it has been exposed, but don’t force routine changes for their own sake; the NCSC no longer recommends regular expiry because it pushes people towards weaker, predictable passwords. Store users’ passwords as salted hashes produced by a deliberately slow algorithm, not in plain text and not merely encrypted with a key that sits on the same server (sites built using Drupal do this already). This ensures that even if the database is stolen, attackers get only hashes that are expensive to reverse rather than the actual passwords. If you keep your own passwords in a file, use a password manager, or at least an encrypted file protected by a strong master password.
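To make the two points above concrete, here is an added example of our own (not code from Olamalu or from Drupal): it checks a candidate password against the length and character rules, and stores it as a salted, deliberately slow hash so that a stolen database yields no passwords. The hashing scheme (PBKDF2-HMAC-SHA256 from Python’s standard library, with the iteration count and salt size shown) is our assumption for illustration; Drupal’s own scheme differs in detail but follows the same salt-plus-slow-hash principle.

```python
import hashlib
import hmac
import os
import string

# Minimum length from the recommendation above. Length is the main defence
# against brute-force guessing, so it is checked first.
MIN_LENGTH = 12


def password_problems(password: str) -> list[str]:
    """Return the rules a candidate password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


# Hashing parameters (assumed for this example). A high iteration count means
# every guess costs an attacker real CPU time if the database is stolen.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return the string to store: 'pbkdf2$<iterations>$<salt hex>$<digest hex>'.

    The password itself is never stored and cannot be recovered from this value.
    """
    salt = os.urandom(SALT_BYTES)  # fresh per user: equal passwords give different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ["Short1!", "alllowercase123!", "Correct-Horse-42"]:
        print(f"{pw!r}: {password_problems(pw) or 'OK'}")
    record = hash_password("Correct-Horse-42")
    print("stored:", record)
    print("correct password accepted:", verify_password("Correct-Horse-42", record))
    print("wrong password rejected:", not verify_password("Correct-Horse-43", record))
```

Note that hashing the same password twice gives two different stored values because of the per-user salt; that is what stops an attacker cracking every account at once with one precomputed table.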
3. Make sure that your web server is properly secured
- Only named server administrators should be able to log in, and keep that group small. Use SSH keys rather than passwords for logins and disable password authentication on the server altogether. Run a firewall that blocks everything you don’t need: a typical website exposes only HTTP, HTTPS and SSH, with SSH further restricted to the administrators’ addresses where possible. Keep the operating system and server software upgraded, and keep file ownership and permissions clearly demarcated: the account the web server runs as should not be able to write to the site’s code, only to the directories it genuinely needs, such as uploads and cache, so an attacker who finds a hole in the site cannot easily modify it to persist.
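The “keys, not passwords” and “limit who can log in” advice above comes down to a handful of settings in the SSH server’s configuration. As an added example (our own, not Olamalu’s tooling and not part of OpenSSH), here is a small audit script that reads an sshd_config file and reports the settings that fall short, with a constructed weak configuration and its hardened counterpart embedded for comparison. The expected values and the defaults applied when a directive is absent are taken from OpenSSH’s sshd_config documentation; the group name sshadmins is an assumed placeholder.

```python
# Two constructed sshd_config fragments: defaults a server often ships with,
# and the hardened version the advice above calls for.
WEAK_CONFIG = """
# /etc/ssh/sshd_config (as shipped)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """
# /etc/ssh/sshd_config (hardened)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
# only members of this (assumed) group may log in at all
AllowGroups sshadmins
MaxAuthTries 3
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Map lower-cased directive -> effective value.

    Mirrors two sshd rules that matter for auditing: the first occurrence of a
    directive wins, and a 'Match' line starts conditional overrides, so the
    global section ends there (Match blocks are not evaluated here).
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> list[str]:
    """Return findings (empty list = passes). Defaults below are OpenSSH's own
    when a directive is absent, so an unset directive is judged by what sshd does."""
    s = parse_sshd_config(text)
    findings = []

    def get(key: str, default: str) -> str:
        return s.get(key, default).lower()

    if get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no': log in with SSH keys, not passwords")
    if get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication must be 'yes' for key-based logins to work")
    if get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin should be 'no': admins log in as themselves and escalate")
    if get("permitemptypasswords", "no") != "no":
        findings.append("PermitEmptyPasswords must be 'no'")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: restrict SSH to the named server admins")
    try:
        if int(get("maxauthtries", "6")) > 3:
            findings.append("MaxAuthTries above 3 gives password guessing more attempts per connection")
    except ValueError:
        findings.append("MaxAuthTries is not a number")
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

To run it against a real server, read /etc/ssh/sshd_config into `audit_sshd_config`; before turning password logins off, make sure your own key already works from a second session so you do not lock yourself out. The firewall side is separate (ufw, nftables or your host’s firewall), but the principle is the same: allow only the ports you listed and deny the rest.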
4. Keep all software updated
- As a site owner, it’s your responsibility to ensure that all the software your site runs on (content management system, modules and plugins, web server, database and operating system) is kept up to date. Software companies continually release updates that fix security flaws in response to what is happening in the cyber world now, and attackers scan for sites still running the old versions as soon as a fix is public. It’s imperative that your site has the latest versions to protect both your business and your customers. It’s your choice whether you take responsibility for ensuring this happens or outsource it to technical experts.
5. Make sure you have a backup and recovery process in place
- Every website can be attacked by hackers and automated bots. Whilst prevention is the best cure, it is essential to have a plan in place in case a security breach does occur. If your site is compromised, you will need a way to restore an uncorrupted version, so take backups regularly, keep at least one copy somewhere the web server cannot reach (an attacker who gets into the server can delete or tamper with backups stored on it) and test that you can actually restore from them before you need to. Recovery requires a rapid investigation of the incident to understand the nature of the attack and when it happened, which may be some time before it was noticed, so that you restore from a backup that predates the break-in. It then involves eradicating the vulnerability that was exploited, otherwise the clean site will simply be compromised again, and finally reinstalling the clean version of the website.
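The recovery steps above (find what changed, pick a backup that predates it, make sure that backup is itself intact before trusting it) are easier when every backup carries a manifest of file hashes. As an added example of our own, not Olamalu’s process, the Python below backs up a site directory to a tar archive with a SHA-256 manifest, lists live files that differ from the last clean backup, refuses to restore an archive that no longer matches its manifest, and walks through a constructed compromise of a tiny two-file site to show each step. The site layout, file contents and the “attacker” changes are made up for the demonstration.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hash_tree(site_dir: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of every file under site_dir."""
    return {p.relative_to(site_dir).as_posix(): _sha256(p.read_bytes())
            for p in sorted(site_dir.rglob("*")) if p.is_file()}


def create_backup(site_dir: Path, archive: Path) -> dict[str, str]:
    """Archive the site; return the manifest of file hashes, also written beside it."""
    manifest = _hash_tree(site_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(site_dir / rel, arcname=rel)
    # Keep archive and manifest where the web server cannot write (off the box),
    # or an attacker who gets in can destroy or doctor the backup with the site.
    Path(f"{archive}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Entries that are altered, unexpected, non-regular or missing relative to the manifest."""
    seen, bad = set(), []
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():  # a clean backup holds only regular files
                bad.append(member.name)
                continue
            seen.add(member.name)
            if manifest.get(member.name) != _sha256(tar.extractfile(member).read()):
                bad.append(member.name)
    bad.extend(set(manifest) - seen)
    return sorted(bad)


def compare_live_site(site_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Live files that differ from the last clean backup: the first clue to what
    was changed. Their mtimes and the web logs then tell you when, and so which
    backup predates the break-in."""
    live = _hash_tree(site_dir)
    changed = [rel for rel, digest in live.items() if manifest.get(rel) != digest]
    changed.extend(set(manifest) - set(live))  # deleted from the live site
    return sorted(changed)


def restore_backup(archive: Path, manifest: dict[str, str], dest: Path) -> None:
    """Restore only a backup that verifies against its manifest."""
    if verify_backup(archive, manifest):
        raise ValueError("backup does not match its manifest; refusing to restore it")
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            # Verification passed, so every name is a relative path from the manifest.
            target = dest / member.name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(member).read())


def run_demo() -> dict:
    """Constructed walk-through: back up a tiny site, 'compromise' it, detect, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root, site = Path(tmp), Path(tmp) / "site"
        (site / "sites" / "default").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "sites" / "default" / "settings.php").write_text("<?php $db = 'x'; ?>\n")
        archive = root / "site-backup.tar.gz"
        manifest = create_backup(site, archive)

        # Simulated compromise: index.php is modified and a web shell is dropped.
        (site / "index.php").write_text("<?php eval($_GET['c']); ?>\n")
        (site / "shell.php").write_text("<?php system($_GET['c']); ?>\n")
        changed = compare_live_site(site, manifest)

        # The archive was out of the attacker's reach: it verifies and restores cleanly.
        verify_ok = verify_backup(archive, manifest) == []
        restore_backup(archive, manifest, root / "restored")
        restored_ok = compare_live_site(root / "restored", manifest) == []

        # A backup the attacker could reach and tamper with fails verification.
        corrupt = root / "corrupt.tar.gz"
        with tarfile.open(corrupt, "w:gz") as tar:
            payload = b"<?php /* backdoor */ ?>\n"
            info = tarfile.TarInfo("index.php")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        return {"changed": changed, "verify_ok": verify_ok,
                "restored_ok": restored_ok, "corrupt_bad": verify_backup(corrupt, manifest)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The database needs the same treatment (a dump, hashed and stored off the server), and the manifest is only as trustworthy as where it is kept: if it sits on the compromised server, the attacker can regenerate it to match their changes, which is why the off-box copy matters.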
The National Cyber Security Centre (NCSC) issues regular cyber security guidance and has an excellent, easy to understand guide on how to protect yourself from the most common types of cyber-crime. You can download it at https://www.ncsc.gov.uk/smallbusiness
The last word - don’t forget about GDPR
If you hold personal data on your website, GDPR requires you to keep that data secure. The security measures you have in place must be appropriate to your business, the data you are holding and indeed your industry, and you need to be able to show that they are actually in place.
(If you need a reminder on GDPR, we gathered together all of last year's communication on GDPR into one hub here: https://www.olamalu.com/gdpr-hub)