"An ounce of prevention is worth a pound of cure," said Benjamin Franklin in 1736, as he urged his fellow Philadelphians to adopt the impressive fire prevention measures he had seen put in place in Boston.
And so here we also beseech you to take preventative measures. We've had multiple companies come to us to fix hacked websites, hacked email accounts and lost data. Believe me, you take these things for granted until they're gone.
Don't believe you're immune because you're a small or medium enterprise, in a niche industry no one cares about, or not very public-facing. Hackers take advantage of complacency, and they know that companies which think they're off the radar are often the easiest targets. Not to mention that a lot of hacking is automated: the scanners and scripts probe every reachable site, no matter who you are.
These are some steps you and your team can take today to help keep the bad guys away:
Yes, it's simple, oft-repeated, and maybe obvious, but have you actually done it?
It's not uncommon for a client to contact us many months after we last did some work for them, asking how to change or fix something on their website and whether we can help. Sure thing: we try the same old password we had when we delivered the website, it still works, so we log in and get it done.
Convenient? You betcha. Secure? Unfortunately not. How well has that password been protected all this time? How many people had it saved, but not saved securely? Was any email or chat in which that password was shared compromised in the meantime? You can trust SEIRIM, but if you used another agency, how many people came and went in that period, and what data did they leave with?
Also use unique passwords (and usernames) for your website, your server, your databases, and every other service you use, so that if the password for one service is breached, the rest aren't breached with it. This goes for your employees too: if they set the same password for the website as for their social media, and their social media gets hacked, your website is next in line.
So, when it's convenient, change passwords to something new and complex (long, not guessable, random letters, numbers and symbols; you know the drill), share them only with people who currently need them, and store them somewhere secure.
But now that you're using unique, complex passwords for all of your services, you have too many to remember. Important point: don't just save your passwords in a Word document and call it a day. Get a password manager (we like RoboForm) and keep them there, encrypted so they are unreadable until you unlock the vault with its master password. Don't forget that one, and keep it safe; it now protects all the others.
Then, when you need to share a password with someone doing work for you, it has been well preserved and minimally exposed up to that point. Share it with them, and after the work is done repeat the steps: set a new password, share it with whichever trusted person should hold it as a backup, and lock your website, server, email or whatever it may be back down again.
And keep the passwords for all your different services unique, so that if one is breached, they all aren't exposed.
Do you, your colleagues, your content team and your web developers all log into the website with the same credentials, into the same account? That's probably an Administrator account, able to make any and all drastic changes to the website. If anyone's copy of those credentials slips, hackers have the keys to the whole house.
Create accounts for your team that give only the privileges required for their work. If all they need is to add and update blog posts, then that is the right level for them (in WordPress terms, an Author or Editor rather than an Administrator). That way, if their account and password are hacked, the attacker can do much less damage.
Separate accounts also mean that if an issue does occur, it is easier to trace it back to the source and close that security gap.
Illicit access can also come via one of your team's computers being hacked, with malware there finding the website access details stored on the machine or capturing them by keylogging. Your team's computers that reach your server and website become vectors into them, and need to be well maintained as a matter of prevention.
There are also anti-virus and malware checks you can run, both on your website's installation (security scanner plugins for your CMS) and on the computers that manage it, such as Malwarebytes for business.
Don't think these checks are a silver bullet, however, as they only catch known and obvious malware. Bad actors are always coming up with new attacks that scanners may not detect, so it takes vigilance on all fronts to remain safe.
Really, the greatest risk to your team's IT infrastructure, and ultimately your website, comes from their daily activities. It's not just the obvious "don't click on links in suspicious emails". Hackers place malicious scripts even in adverts on seemingly normal websites, or hide them inside hijacked copies of otherwise legitimate software. Emails can be spoofed to appear to come from a trusted source, even someone your team knows, and can carry malware links or attachments.
So it isn't enough just "to know" about this risk; your team should be conscientiously keeping their eyes open and staying vigilant.
They should always:
Hackers are always looking for vulnerabilities to exploit in software, and that includes your website's server OS, the CMS you use, any themes you use, and any plugins and add-ons your website runs, of which there may be many. The creators of the software are (ideally) always working to patch reported issues and push updates that include those critical fixes.
Too many companies turn off updates on the "if it ain't broke, don't fix it" principle, but that thinking is wrong here: once a fix is published, so is the flaw it closes, and software that doesn't get updated becomes a prime target for hackers.
One of the worst offenders leading to hacks on SME websites is well-intentioned team members trying to optimize or add some pizzazz to the site with a well-marketed and seemingly amazing new plugin they have found. Unfortunately, every extra plugin on a website is extra attack surface, and plugins themselves are a favorite vehicle for hackers to use as Trojan horses for malware.
Your best bet is to stop team members adding plugins to your website until your web developers or security analysts have checked them out.
There are many ways to back up your website, and it should be considered a requirement, not only as preparation for a security incident but also for ordinary website issues or server failures. Back up your website regularly and automatically to an external location separate from your main server, and also check manually that the process is actually running and that the backups can be restored.
Seirim is happy to help set up this process; the best procedure depends on the unique mix of your website's type, your server arrangements, your location, your budget and so on.
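As an added example (not the page's own tooling or SEIRIM's), here is a Python script that does the two things the backup paragraph asks for: it archives the site into a separate directory with a checksum, and it automates the "is this actually working?" check, failing if the newest backup is missing, stale, corrupted or unreadable. The site files and paths in demo() are constructed for the demonstration; in practice backup_dir would be a mounted external volume or a synced bucket, and a database dump would be added to the archive the same way.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def make_backup(site_dir, backup_dir) -> Path:
    """Archive site_dir into backup_dir as site-<UTC timestamp>.tar.gz and write a
    .sha256 sidecar next to it. The sidecar lets a later check detect a truncated,
    corrupted or tampered archive instead of discovering that during a restore."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    (backup_dir / (archive.name + ".sha256")).write_text(f"{digest}  {archive.name}\n")
    return archive


def check_backups(backup_dir, max_age_seconds=86400, now=None):
    """The manual sanity check, automated: returns (ok, reason).

    Fails if there is no archive, the newest one is older than max_age_seconds
    (the job silently stopped), its checksum no longer matches (corruption or
    tampering), or it cannot be read as a tar archive (it would fail at restore)."""
    backup_dir = Path(backup_dir)
    now = int(time.time()) if now is None else now
    if not backup_dir.is_dir():
        return False, f"backup directory {backup_dir} missing"
    archives = sorted(backup_dir.glob("site-*.tar.gz"))  # timestamp names sort chronologically
    if not archives:
        return False, "no backups found"
    newest = archives[-1]
    age = now - int(newest.stat().st_mtime)
    if age > max_age_seconds:
        return False, f"newest backup {newest.name} is {age}s old; has the job stopped?"
    sidecar = backup_dir / (newest.name + ".sha256")
    if not sidecar.exists():
        return False, f"checksum file for {newest.name} missing"
    expected = sidecar.read_text().split()[0]
    actual = hashlib.sha256(newest.read_bytes()).hexdigest()
    if actual != expected:
        return False, f"checksum mismatch for {newest.name}: corrupted or tampered"
    try:
        with tarfile.open(str(newest), "r:gz") as tar:
            entries = tar.getnames()
    except tarfile.TarError as exc:
        return False, f"{newest.name} unreadable: {exc}"
    if not entries:
        return False, f"{newest.name} is empty"
    return True, f"{newest.name} ok, {len(entries)} entries, {age}s old"


def demo() -> dict:
    """Exercise the check on a constructed sample site: fresh, stale, missing, corrupted."""
    tmp = Path(tempfile.mkdtemp())
    site = tmp / "site"
    site.mkdir()
    (site / "index.php").write_text("<?php echo 'hello';\n")  # constructed sample files
    (site / "wp-config.php").write_text("<?php define('DB_NAME', 'shop');\n")
    backups = tmp / "backups"
    archive = make_backup(site, backups)
    results = {
        "fresh": check_backups(backups)[0],
        "stale": check_backups(backups, max_age_seconds=3600, now=int(time.time()) + 7200)[0],
        "missing": check_backups(tmp / "nowhere")[0],
    }
    with open(archive, "ab") as fh:  # simulate silent corruption of the newest archive
        fh.write(b"\0")
    results["corrupted"] = check_backups(backups)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Run make_backup from a scheduled job and check_backups from a separate job that alerts on a False result; a check that runs on the same schedule as the backup, on the same machine, tends to stop at the same time the backup does.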
This is a strong extra barrier of defense that, along with secure passwords and password storage, can go a long way to securing your digital assets. Many CMSs and servers now offer 2FA, including WordPress via plugins, DotNetNuke via third-party extensions, natively in Joomla, via contributed modules in Drupal, and more. Our favorite is Google Authenticator, which many services support.
Relatively easy for a web developer to implement, though take care that it is renewed before it expires. Let's Encrypt is a free option (its certificates are valid for 90 days and are meant to be renewed automatically), but we prefer using SSLS.com for a few bucks, where a certificate typically runs for a year. Having an SSL/TLS certificate protecting your website is critical: it encrypts the data between your server and your user's browser using public key cryptography, so whether they send you something simple like their email address or something critical like credit card details, it stays private between them and your server. It also identifies your website as yours rather than a fake clone, so users can know they are at the correct location.
Because they are so important, Google will 'ding' you for not having one and lower you in search results, and browsers will show your website as Not Secure in the address bar. Likewise, do not share personal or important data on websites that do not have a certificate, since your data may be transmitted in the clear.
This is just the start, the bare minimum! It feels like a lot at first, but it becomes second nature with time, just like checking that you have your keys before you walk out and lock the door. Trust us, we've dealt with hacks; we've seen whole websites lost and decimated, months of work down the drain, a lot of effort and data gone. Elsewhere, companies suffer billions in losses, people's identities are stolen, and more. That "ounce of prevention" is definitely worth the pound of cure; don't doubt it. Secure your website, servers and digital life today.