Website security. Two words that make most people cringe. Consumers worry about it, businesses worry about it, and your website developer worries about it. At least they should… But do they really? They might tell you they do, but do they really do everything possible to keep your website as secure as it needs to be? Again, you hope so, but that’s a lot to ask of hope. But do you really know for sure? Have you come straight out and asked them? If not, you should. But since you’ve come this far, here’s some food for thought before you give your website developer some sleepless nights…
Are the security requirements the same for all websites?
Absolutely not. There are different categories of websites. This is the first thing to keep in mind when you begin to think of website security. Let’s face it, Suzy Bracelet or Sally Lifecoach has a totally different website than, say, Wells Fargo or Bank of America. And the security that Suzy’s or Sally’s website needs is nowhere near the security necessary to lock down a nationwide banking website. So the first thing you must remember, before you go pepper your website developer with questions, is that you only need to be concerned with the security of your website. There are some concerns that need to be addressed if your website is using a shared host, but we’ll get into that in the next installment.
This was intended to be a single blog post, but there are so many things that are worth mentioning, we decided to make it a series of articles instead. So, stay tuned for the rest of the discussion…
A quick and non-exhaustive breakdown
So let’s break down some of the different types of websites where security can be an issue.
Informational or Brochure websites
These types of websites typically act as the online presence of a business. They are primarily informational in nature and the level of functionality necessary is usually minimal. So you would think that security might not be an issue. But most of these websites use a contact form that sends an email to the website administrator (or the business representative, depending on the situation). Because this form allows user input, it is a potential area that can be targeted for an attack by someone with bad intentions.
Many times these types of sites are hacked because the attacker is simply being malicious or wants to broadcast a message, using your website to do so. From a security perspective, these are nuisance attacks. If the website has been properly backed up, it can be put back in proper working order relatively easily. The security hole still needs to be plugged, but the damage is usually minimal.
From a business owner’s perspective this can be not only embarrassing, it could be devastating. It could affect how potential clients view the site and affect not only sales, but the business’s reputation. No one ever wants to get the call that sounds like: “I just went to your website and saw… ” (insert: child porn, white supremacy, Islamic fundamentalism… etc., etc.). I think you get the picture.
E-commerce Websites
Any website that is capable of taking credit card information should be considered an e-commerce website, regardless of the situation. You don’t have to have a site the likes of Amazon before you concern yourself with the security of your e-commerce process. Even if you only have a single product or service for sale on your website, the security of the transaction should be of paramount importance to you. Even if you ‘only use PayPal’ for that transaction. If someone can acquire your PayPal email address, they’re on their way to gaining access to your PayPal account.
These types of sites are usually hacked for one reason and one reason only. Financial gain. The hacker is looking for your credit card information, your merchant account information, anything that they can exploit to gain access to your financials. Once they have that, they can gain access to your account information and then your money.
Membership websites
Membership websites are actually a sub-set of e-commerce. The thing that makes them more apt to be attacked is that there are many more points of entry than a website with a single user or administrator. This problem can be compounded exponentially if the members of your website have the ability to create their own content or upload files to their personal area of the site. Another point that you should consider is the security of the passwords that you require for your members. If you don’t force them to use strong passwords, you might inadvertently create a ‘weak link’.
Scared yet? You should be…
In the next installment in this series, we’ll delve into website security a bit further. But you should walk away right now with something of value. The best way to prevent your website from getting hacked lies in your passwords. The stronger your password is, the less chance it has of becoming compromised. That’s why we recommend that you use a password that is a minimum of twelve (yes 12!) characters long and is comprised of upper and lower case letters, numbers and special characters.
I know, I know… I just saw that big eye-roll… But there’s a reason for this. Most hackers use something known as a rainbow table to try to crack your password. And I mean all of your passwords: your server, your FTP, your website admin and even your email. Rainbow tables are comprised of hundreds of thousands of records, with every combination of password imaginable in them. Because of their size, it takes a while to use one to crack a single password.
If your password is only four characters long, chances are the rainbow table will have it figured out in a relatively short time. But the longer your password is, the longer the attack takes. Even with the advances in technology, it will take a lot of the computer’s resources for it to run a rainbow table that is extended out to twelve characters. Many hackers just don’t have the time or technology to accomplish this feat. And the ones that do, they’re after bigger fish…
So remember, keep your passwords long, complex, and change them regularly. Yes, it is a pain in the ass, but an ounce of prevention…
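For membership sites that need to force strong passwords, here is one way to enforce the twelve-character, mixed-character rule at signup and to see how much larger the search space gets with length. This is an added example, not code from this article or from any particular platform; the names checkPassword, MIN_LENGTH and CLASSES are made up for illustration.

```javascript
// Added example: enforce the article's password recommendation at signup.
// All names here are illustrative assumptions, not a real platform's API.

const MIN_LENGTH = 12; // minimum length recommended in the article

// Character classes the article asks for, with the size of each alphabet.
const CLASSES = [
  { name: "lowercase letter", pattern: /[a-z]/, size: 26 },
  { name: "uppercase letter", pattern: /[A-Z]/, size: 26 },
  { name: "number", pattern: /[0-9]/, size: 10 },
  // The 32 printable ASCII symbols that are not letters, digits or space.
  { name: "special character", pattern: /[!-\/:-@\[-`{-~]/, size: 32 },
];

function checkPassword(password) {
  const problems = [];
  if (password.length < MIN_LENGTH) {
    problems.push(`must be at least ${MIN_LENGTH} characters`);
  }

  // Add up the alphabets actually used; report every missing class.
  let alphabet = 0;
  for (const c of CLASSES) {
    if (c.pattern.test(password)) {
      alphabet += c.size;
    } else {
      problems.push(`must contain a ${c.name}`);
    }
  }

  // Size of the space a guessing attack or precomputed table has to cover,
  // in bits: length * log2(alphabet). This is an upper bound, because it
  // assumes every character was picked at random.
  const bits =
    alphabet > 0 ? Math.round(password.length * Math.log2(alphabet)) : 0;

  return { ok: problems.length === 0, problems, bits };
}

// Constructed sample passwords, for illustration only.
console.log(checkPassword("abcd"));            // short, lowercase only
console.log(checkPassword("Tr4il-Mix!Boot9")); // 15 characters, all classes
```

Run the check on the server when an account is created or a password is changed, so it cannot be skipped by bypassing the signup form.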
Stay tuned for the next installment of How Secure is YOUR Website?