Website Security

For any company conducting business over the internet, a website security breach can have far-reaching effects. Loss of data, fraud or unauthorised access to confidential information can devastate a company financially. It can also jeopardise the reputation and competitiveness of a company and, in some instances, the integrity of brands that have taken years to establish.

The Basics of Website Security

As a bare minimum, businesses should ensure that they have a correctly configured firewall which is kept up to date with all the latest hotfixes and patches. Many of the latest firewalls incorporate anti-spyware features as well as protection against viruses, which often come hidden in email attachments and can cause serious damage to systems and lead to loss of data. For businesses that rely heavily on web-based applications to interface with customers and suppliers, application auditing can be carried out by a third party. If, on the other hand, your business makes extensive use of email to reach customers on a regular basis, you should implement Sender Policy Framework (SPF) to reduce the threat of spammers forging your communications and damaging the reputation of your company.
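
SPF is published as a DNS TXT record, and it only limits forgery if the policy in that record is strict. The following is an added example, not part of the original article: it lints an SPF record string for weak settings, following the rules of RFC 7208. The helper name `audit_spf` and all sample records are constructed for illustration.

```python
# Added example: lint an SPF TXT record for settings that leave a domain spoofable.
# audit_spf() is a hypothetical helper; all records below are constructed samples.

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup
MAX_LOOKUPS = 10  # RFC 7208 limit; exceeding it yields a permanent error


def audit_spf(record):
    """Return a list of findings for one SPF record string (empty list: none found)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: it must start with v=spf1"]

    findings, lookups, all_qualifier, has_redirect = [], 0, None, False
    for term in terms[1:]:
        qualifier = "+"  # a term without a qualifier means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # The name ends at ':' or '/' (mechanisms) or '=' (modifiers such as redirect=).
        name = term.replace("=", ":").replace("/", ":").split(":")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr is slow and unreliable; RFC 7208 says not to use it")
        elif name == "redirect":
            has_redirect = True
        elif name == "all":
            all_qualifier = qualifier

    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all authorises any host to send mail as this domain")
    elif all_qualifier == "?":
        findings.append("?all is neutral: forged mail is not marked as failing")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}")
    return findings


if __name__ == "__main__":
    samples = [
        "v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all",  # strict policy
        "v=spf1 a mx ptr +all",                                    # authorises everyone
        "v=spf1 ip4:192.0.2.10",                                   # no default policy
    ]
    for sample in samples:
        print(sample, "->", audit_spf(sample) or "no findings")
```

A record that ends in `-all` (fail) or `~all` (softfail) and stays within the lookup limit produces no findings here.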

Hosting Considerations

No less important is the decision as to where to host your company’s website. For most small and medium-sized businesses constrained by cost, shared hosting is the preferred solution. Shared hosting implies that your website will sit alongside many others on a shared server which could be located anywhere in the world. The particular vulnerabilities associated with shared hosting centre on the fact that some sites that share the server may well be unscrupulous. This not only means that the owners of these sites could, with a little know-how, access your data, but there are other dangers that could potentially damage your reputation with the search engines and thus lead to a reduction in traffic to your website. These focus on the sharing of class C IP addresses, with some search engines known to apply “dampening” factors or even complete blocks on the IP addresses of servers known to host spammers, adult sites, or sites that may otherwise be construed as malicious. There are a number of useful online resources including DNSStuff.com which can provide useful information relating to a specific IP address or domain name in this regard.

Secure Sockets Layer (SSL)

For sites transacting with consumers via payment gateways, or capturing and displaying personal or other sensitive information, protecting selected functionality and areas of your website via SSL has become a basic industry standard in terms of website security. It involves the purchase of an SSL certificate from one of a number of official certificate authorities such as Verisign. Once successfully installed, the SSL certificate produces the trustworthy ‘padlock’ icon as well as the familiar ‘https’ prefix at the beginning of the URL. On a technical level, this indicates that the website is making use of the Secure Sockets Layer protocol, which provides additional security in the ongoing battle against fraudulent activity and information theft.

Platform and Server Vulnerabilities

Both Windows and Linux web hosting platforms are constantly updated to combat known vulnerabilities. You should ensure that your hosting company is applying the latest security patches to your server. Where you have a control panel or remote desktop access to your web server, be sure that the passwords are changed on a regular basis and that only key staff have access.

Backups

Hope for the best, plan for the worst. Keep regular off-site backups of absolutely all elements of your site: source code, databases, graphical resources and any other component required to re-create your site. Malicious attacks can cripple a server and require a complete re-installation. Many firms have, over the years, seen a hacker wipe the hard drive of their server only to discover that source code backups were out of date or that all the site images had been lost forever.