It's Time to Spring Clean Your Web Security Strategy
Spring cleaning doesn’t only apply to the home. The seasonal tradition should also extend to your website security strategy. As the front page of your business, your website is an integral part of your brand and often customers’ first touchpoint with your company. Keeping it secure should be a top priority.
Doing so requires adequate time, knowledge and a holistic security strategy. Of course, that’s not an easy commitment for a busy small or mid-sized business (SMB) owner to make, but the need is urgent since more than 70 percent of all cyber attacks target small businesses. In addition to disrupting normal business operations, cyber attacks cost SMBs an average of $955,429 in the 12 months following a breach, according to Ponemon Institute.
While SMB owners should set aside time to refresh their website security strategy, this practice shouldn’t only be an annual occurrence. Instead, businesses need to prioritize website maintenance and security audits at least once a quarter. When they do, here are some tips to keep top of mind:
Automate the patching process
Patches are released by your content management system (CMS) to surgically fix specific security vulnerabilities by adjusting small pieces of code. Most SMBs don’t keep up with patching at the rate they need to in order to keep their websites safe.
But the consequences of skipping out on patches are serious: In Q4 2017, 55 percent of infected WordPress sites were not running the most up-to-date and patched version of the CMS. Without patches, an SMB owner leaves multiple areas of a website’s code open for hackers to steal important data, deface the site or even commandeer the site altogether.
Patching needs to be a priority for SMB decision makers. For a busy SMB, the easiest way to handle the patching process is to automate it. This can be done using a dedicated security solution or by working with an outside security expert who handles all patching on your behalf.
Eliminate unnecessary website access
A crucial part of tidying up your website security efforts should include a careful review of all employees who have administrative access to your site. Often, a basic security audit will reveal individuals who should no longer have access, including former employees and contract-based workers. As a best practice, remove those individuals’ editing privileges to decrease the risk they could do damage intentionally or unintentionally.
For personnel who are authorized to retain administrative access on your site, ensure those individuals receive ongoing training regarding security best practices. For example, employees who work directly on the website must learn how to select safe plugins, as these tools can create an inherent risk factor. In Q4 2017, WordPress websites using plugins were twice as likely to be compromised compared to non-CMS sites.
Keep your apps and data tidy
Holding onto data, applications, and software that is old and unnecessary creates a significant website security risk. If the data or app is no longer in use and doesn’t offer any value to your operations, it’s best destroyed so it can’t be stolen or exploited. For example, if you decide that Instagram should no longer be a part of your social media strategy, delete the plugin on your site that links users to your unused page, and close the account completely. By consolidating your company’s data and apps, you can make your business a less lucrative target.
However, there’s a catch: many industries and organizations have regulations to prevent data from being deleted entirely. The legal industry is one very regulated example. But even individual companies often have data retention policies that require employees to hang on to data for specific purposes. If you can legally rid yourself of old, unneeded data, it’s recommended you do. However, perform the necessary due diligence first to ensure it’s not against policy or industry regulations.
Spring cleaning your website security strategy can be daunting when you’re busy running a business. To ensure the highest levels of security, however, it must become a standard practice for every responsible small business owner.
For some SMBs, website security spring cleaning will be a routine checkup. For others, it will be a wakeup call. If your website falls into the latter camp, rest assured the right resources for your site exist. Take the opportunity to accomplish more than just cleaning this spring and take action in tackling a holistic website security strategy to secure your business.About the Author: Neill Feather is the CEO at SiteLock