If your company does business online, you are a target for hackers. Why? Because you
have exactly what they want: customer credit card and personal information.
Hackers typically steal your customers' data either by intercepting the messaging
between your customer's browser and your web site or by hacking into your network to
infect your pages with malware.
In some cases, they can even break into databases to get customer data. If you get
hacked and your customers' data is compromised, you can be held liable. And often, the
damage to your company's reputation is irreparable.
Even if you never suffer a major data breach or see immediate damage from an attack,
you can still be at risk.
Malware-infected pages take longer to load, causing customers to become frustrated and
abandon your site. According to the Aberdeen Group, 57% of users abandon a site if a
page load exceeds 3 seconds, and 8 of 10 will not return to a site after a bad experience.
To protect your customers and your business, you must take action to secure your site
from hackers. Here are 9 tips and tricks you should use to stay secure.
1. Use Extended Validation SSL
Your customers need assurance that your site is trustworthy. EV SSL delivers that
assurance. Any site that collects financial or personal information needs to have
Secure Sockets Layer (SSL) enabled by an SSL certificate. It provides an encrypted
connection between your visitors and your site.
But not all certificates provide the same level of assurance. Certificates range from
"Domain Name" certificates, which simply verify that you are the owner of the domain
name you requested, to Extended Validation (EV) certificates, which verify you as a
trustworthy organization. EV certificates cost more, but can be well worth it.
Consumers are increasingly aware of the risks of online transactions, and EV assures
the customer that you're trustworthy.
2. Use PCI and Vulnerability Scanning Services
You need to identify and address security issues before they damage your business.
Many site operators assume that SSL is all they need to secure their site.
Though SSL provides a critical layer of protection, it does not prevent network breaches
or infection of your web pages.
PCI and vulnerability scanning services scan your web site on a regular basis to
identify issues that make you non-compliant with Payment Card Industry security
requirements, as well as other issues that threaten your customers.
PCI and vulnerability scanning are often bundled together, but they have different
objectives. Failure to use both can result in large fines and even suspension of your
ability to take credit cards.
3. Use White Hat Hackers
Use penetration testing to stay ahead of hackers. If you operate your web site from
your own network, your site is only as secure as your network. In the world of network
security, hackers with nefarious motives are often referred to as "Blackhat Hackers".
When an organization wants to ensure it is safe from the Blackhats, it calls in the
White Hats for Network Penetration Testing. Network Penetration Testing includes the
same activities Blackhat Hackers use, except they are conducted by White Hats as a
service.
White Hats test networks and websites by simulating a hacking attack to see if there
are security holes that could compromise sensitive data. They identify critical attack
paths in a network's infrastructure and provide advice on eliminating these threats.
They attempt to bypass security weaknesses to determine exactly how and where the
infrastructure can be compromised.
If vulnerabilities exist in your network, the Blackhats will eventually find them, and the
consequences for your customers and your reputation can be severe. Better that the
White Hats find the vulnerability first!
4. Use multi-factor authentication
Simply authenticating users with a user ID and password is not good enough in this day
and age. Despite enhancements to SSL and advancements in network security, hackers
have demonstrated the ability to intercept user IDs and passwords.
There are two common techniques. First, "man in the middle" attacks, in which the
hacker inserts a process between the browser and web server and captures
communications between the two. If the web server is using Extended Validation SSL, the
web user should be alerted that there is a problem.
Second, if a hacker can infect a site, the malware they install may be able to download
key loggers and sniffers, which allow the hacker to monitor where the user goes on the
internet and steal their credentials when they sign in to sites.
You may have noticed that banks and brokerage firms don't rely solely on a user ID and
password. If you log in from a new computer, they add an extra level of authentication to
make sure it is really you.
This is called "Multi-Factor Authentication", sometimes known as two-factor
authentication. Google has recently implemented this technology too.
For example, you can change your Gmail settings so that when you log into your account,
Google sends an authentication code to a telephone number that they already have on
file for you. You use that code together with your password to log in. Unless the hacker
also has access to your phone, you are the only one who can log in.
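As an added example (not part of the original slides), here is a minimal password-plus-phone-code login check in Python modelled on the flow just described: the login succeeds only when the password hash matches and a short-lived, single-use code also matches, so a password captured by a keylogger is useless without the phone. The user record layout, `issue_code`, `login`, the five-minute code lifetime and the three-attempt limit are all assumptions made for this illustration.

```python
# Added example, not from the original slides: a password-plus-phone-code login
# check. Names, the 5-minute code lifetime and the 3-attempt limit are assumed.
import hashlib
import hmac
import os
import secrets

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed policy: three guesses, then the code is dead


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 hash of the password; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def issue_code(now: float) -> dict:
    """Create the six-digit one-time code that would be sent to the user's phone."""
    return {
        "code": f"{secrets.randbelow(10**6):06d}",
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
        "used": False,
    }


def login(user: dict, password: str, code: str, now: float) -> bool:
    """Accept the login only if BOTH factors check out.

    The code is rejected once it has been used, once it has expired, or after
    too many wrong guesses, so a captured code cannot be replayed or brute-forced.
    """
    pending = user.get("pending_code")
    if (pending is None or pending["used"] or now > pending["expires"]
            or pending["attempts"] >= MAX_ATTEMPTS):
        return False
    pending["attempts"] += 1
    _, candidate = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(candidate, user["digest"])
    code_ok = hmac.compare_digest(pending["code"].encode(), code.encode())
    if password_ok and code_ok:
        pending["used"] = True   # single use: a replayed code fails
        return True
    return False
```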
5. Use trust seals
Trust seals are images issued by third parties which attest that your site has met a set of
standards and criteria that make it trustworthy. Studies show that consumers are more
likely to purchase from sites where trust seals are present.
If you use Extended Validation (EV) SSL, most certificate authorities will authorize you to
display their trust seal on your site to tell your visitors that they can feel safe doing
business with you.
A surprising number of sites have invested in EV SSL but do not prominently display their
seal. Today, with all of the concerns about safety and security online, consumers
need all the assurances you can provide.
6. Update Software Regularly
Many enterprises do not give enough attention to updating and patching their software.
Failure to properly update software can result in major security holes that leave you
vulnerable to malware attacks.
The WannaCry ransomware, for example, spread by taking advantage of a Windows
vulnerability for which Microsoft had issued a critical advisory and security patch two
months before the WannaCry outbreak. Failure to apply this security patch resulted
in hundreds of thousands, if not millions, of computers being infected.
Updating software is a critical part of website security. Any company that conducts
business online has to ensure that all their plugins, themes, applications, platform
installations, etc. are updated and running the latest versions.
A versatile patch management system can automatically install updates and security
patches as they are released, ensuring that security gaps and vulnerabilities are closed
before they can be exploited.
7. Use a Managed DNS
Using a managed DNS service improves your network and site performance and provides
you with additional security. When you communicate on the internet, domain names
must be translated into IP addresses that identify each computer. The Domain Name
System (DNS) provides the translation.
If you use the DNS from your service provider, you do not have control over it, and your
performance can be erratic. If you run your own DNS, its security is only as good as
your network. It also has to be running 24/7 for your site to be accessible 24/7.
A good way to avoid these issues is to sign up with a managed DNS service to host your
DNS. These are companies that have established their own network of DNS servers and
add features to improve performance, security, and protection. DNS performance is very
important for how fast a web page loads. You must protect your whole site and your
network to protect your customers and business.
8. Have an Incident Response Strategy in Place
Having a clear, actionable strategy in place for website security is a "must" in this day and
age. You can consult with security experts to help create a clear, concrete security
strategy.
There will be costs involved, but it is important to keep in mind that data breaches are
likely to cost you much more. A major data breach can even cause companies to go out
of business, so it's always best to have a detailed incident response plan crafted with
the help of security experts.
Security incidents can happen anywhere and to anyone. All companies and
businesses, big or small, need to be able to act immediately whenever a security incident
happens, and take the necessary steps to recover data and prevent their reputation and
bottom line from being damaged.
9. Train and Educate all Employees
Every employee in an organization has to be trained and educated in security practices.
Your organization's security is only as strong as its weakest link.
There are many instances of non-malicious employees accidentally causing data
breaches by making simple mistakes. These mistakes have the potential to
wreak havoc on your organization's bottom line and reputation and to harm your
customers.
Employees must be trained in different aspects of cybersecurity, including
recognizing scams and phishing emails, recognizing and avoiding suspicious links,
applying security best practices to their user credentials, etc. Failure to train
employees can have disastrous consequences.
Want to protect your website from hackers?
We can fix malware for free!
Hacker Combat Community Hackercombat.com