Protecting Your Business Website
Preventing, Identifying, and Defending Against Cyber Attacks
As a business owner, it's important to understand how to prepare and prevent cyber attacks. A cyber attack targets your computer devices or online accounts to collect private information. In some cases, websites are even hijacked for ransom. A successful attack can lead to loss of money and even lawsuits. Our guide will explain what you need to do to protect your business website.
How to Protect Your Business Website
Website security is a broad topic, but there are several specific and direct steps you can take to safeguard your business website for both you and your customers.
You wouldn’t install a cheap lock for your front door, so why make your password easy to guess? A strong password is a quick and simple way to make sure your business website is secure. Too many business owners rely on using simple and easy-to-remember passwords across all their websites and devices. If one account gets hacked, every application and website that uses that password is in danger.
A strong password has these four elements:
- 12-14 characters long
- A mixture of uppercase and lowercase letters
- Uses numbers and symbols in combination with letters
- Unique to website
You can also use a two-factor authentication as an added barrier. Two-factor authentication (2FA) checks two contact methods before allowing someone to sign into your account. In most cases, a notification goes to your email or phone number with a secondary code you’ll use to gain access to your business website.
An SSL (Secure Sockets Layer) Certificate isn’t a physical paper you display on your website like a college diploma. SSL certificates allow your website to use an encrypted connection, which secures the communication between a website and its users. Installing an SSL certificate on your business website protects you and your visitors’ private information.
SSL certificates appear in a website’s web address as an ‘s’ in the first part of the domain name (for example, https://www.northwestregisteredagent.com). Without an SSL certificate, websites are open to cyber attacks, and search engines like Google warn visitors away from them.
Get top-shelf SSL security, free for 90 days, when you hire us to be your registered agent or form your company. After your free trial, it’s just $9 a month to keep your website security active, and you can cancel anytime.
You don’t need to be a website security professional to use the top tools in the industry to secure your website. Many anti-virus and anti-malware software is available for free or a fee for the public to use. Depending on what website builder you choose, you can even use some of the tools and plug-ins they have available.
For example, most web hosts offer these website security tools by default:
- SSL certificate
- Cyber attack monitoring
- Regular website backups
There are additional features, add-ons, and plug-ins web hosts or website builders offer for their paid accounts. You can also purchase software from private sellers. But be sure that its from a trusted programmer and is compatible with your business website.
Web Application Firewalls or WAFS protect websites from potential hacker accounts. You can think of firewalls as shields against nefarious visitors trying to attack your website. There are different types of WAFS you can use but they all operate on a blocklist or allowlist procedure.
Blocklist WAFS block any user or traffic you deem harmful to your website or that may pose a risk. Allowlist WAFS only allow pre-approved users on your website. It’s important to know that WAFS don’t protect your website from all types of cyber attacks, but they are a helpful tool for stopping most cyber attacks.
Keeping a website updated goes beyond changing phone numbers and office hours. You’ll need to be sure to check any virus guards, security plug-ins, and certificates to see if they are expired or even malfunctioning. Don’t worry, though, most website builders offer auto-updates.
To turn on auto-updates on a WordPress website, follow these steps:
- Go to your admin dashboard by signing into your WordPress business website
- On the left-hand side of your admin dashboard, click Updates
- Within Updates, click Enable Automatic Updates
Depending on what add-ons you have on your business website, you can also set them to auto-update plug-ins and other applications. Even with auto-updates turned on, be sure to have a schedule for checking your website for needed updates or vulnerabilities from outdated software.
Backing up your website means saving all the information or data, like email addresses, payment methods, and photos. Website backups keep you from losing important information if you’re blocked from your site after a cyber attack. You can backup your website by using a specific service or by using a plugin offered through your website provider.
To backup your business website on WordPress, you’ll need to:
- Go to your admin dashboard by signing into your WordPress business website.
- On the left-hand side of your admin dashboard, click Plugins
- Search for backup plugins in the available features
- Select one that has the additional benefits you want, like auto backups and security monitoring
- Once selected, go back to the plugin dash
- Select the backup plugin you picked and go through the setup steps
A good habit to have is to backup your website every time you update it or on a schedule. Backup your website more frequently if you have a large site with lots of traffic and transactions.
If you are the only owner and member of an LLC or corporation, you only need to keep yourself aware of these website security components. Companies with multiple members and employees need to make sure everyone is aware of cyber attack risks, like phishing. Phishing attacks are when a hacker uses fake communication to gain access to your website.
For example, you receive an email from a hacker pretending to be a website administrator requesting you update your password. Once you click a link in the email or provide the sender with your password, you’ve given a criminal a key to your website and potentially your computer. To protect your business from phishing and other cyber attacks, make sure you and your employees know how to identify cyber attacks. The Federal Trade Commission offers educational resources like quizzes for small business owners and their employees.
Types of Website Cyber Attacks
There are numerous types of cyber attacks that affect business websites. Knowing the difference between them is a helpful way of identifying and stopping these assaults on your business. Here are the five most common business website cyber attacks.
A data breach is any type of attack where someone who shouldn’t access sensitive information does. Data is just another word for information. Data breaches can relate to an unauthorized employee accidentally viewing client credit card information or a hacker taking your clients’ email addresses. Business websites that have e-commerce features like online shopping are major targets for this type of cyber attack. On top of jeopardizing your visitors’ information, data breaches harm your website’s reputation and put you at risk of litigation.
Denial of Service (DoS)
A denial-of-service or DoS attack is a malicious cyber attack that is meant to disrupt traffic flow to a website by overloading the site with fake visitors called bots. DoS attacks can take a website offline for hours or even days. Another type of DoS attack is called a distributed-denial-of-service (DDoS). A DDoS is a DoS attack on a massive scale using multiple attackers from different locations, making it harder to track and stop the attack.
A ransomware attack happens when a hacker gains access to your website and demands ransom to give it back. In some cases, hackers steal information from your website and hold that for ransom. For example, a hacker may gain access to a therapist’s patient notes and medical records and then demand money to turn them over. Depending on your business and the ransom requested, it is often cheaper to pay than fight the attack.
Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is a cyber attack aimed at forms or links on websites. The hacker’s goal is to steal users’ data, redirect them to a bad-faith website, or track their movements on your website. For example, a hacker hijacks a signup form on your site asking for visitors’ email addresses and names. In some cases, hackers can even steal details like credit card information or passwords.
An SQL injection or SQLI is a hack targeted at company databases like client information or payroll processes. SQL stands for structured query language. It is a type of programming language used specifically for databases to manage, process, and store data or information. An example of an SQL injection is a hacker installing a code onto your computer or website through phishing. Once the code is on your website, it tricks your site into allowing the hacker access to your business databases.
Common Signs of a Cyber Attack
The longer a cyber attack happens, the harder it is for you to gain control over your website again. While some attacks can be quiet with little to no signs that your business website has been compromised, most cyber attacks have signs.
The red flags that your website is under attack include:
- Slow load speeds
- Loss of access to pages or files
- Unauthorized password changes
- Frequent pop-ups
Cyber attacks can cause irreversible damage. The sooner you notice and respond to signs of a potential attack, the better your chances of recovery and halting the attack.
What to do During a Cyber Attack
Your success rate of stopping a cyber attack before it wrecks your website is higher the faster you respond to it. In the case of a cyber attack, you’ll need to:
- Disconnect your computer from internet or turn your WiFi off
- Inform staff, stakeholders, and potentially clients
- Remove malicious software or files
- Check for unauthorized charges to business bank accounts and credit cards or new accounts and loans
In some cases, you’ll want to hire a website security professional to make sure your website is secure after a cyber attack.
What to do After a Cyber Attack
After you’ve contained or halted a cyber attack, you’ll need to assess the damage and notify the required agencies. If your company experienced a malicious data breach due to the cyber attack, you’ll need to follow your state’s laws on security breaches and report to local authorities to document the crime. Report identity theft or fraud concerns to the Federal Trade Commission. For business owners who operate in the health or medical field, you must report any data breaches of personal medical records to the Federal Trade Commission and possibly the U.S. Department of Health and Human Services if you’re covered by the HIPAA Breach Notification Rule.
The HIPAA Breach Notification Rule is a federal law requiring all HIPAA covered businesses or entities report data breaches to the US Department of Health and Human Services. There are other laws on the state and federal level that you’ll need to comply with after a cyber attack. For example, Florida has a State Cybersecurity Act that outlines the laws state agencies must follow when dealing with cyber attacks, while in New York there is the New York Security Breach and Notification Act all businesses must follow. So be sure to check your state’s laws on website security and cyber attacks.