Cyber for the Very Small Business

If you keep up with the news, you will have noticed the increasing frequency of stories relating to cybersecurity. Data breaches, theft, espionage; we are living in a new world, one with emerging and rapidly developing threats to business, infrastructure, and supply chains.

A lot of these stories focus on big companies. Fortune 500s, multinationals. Obviously, important and powerful organizations have targets on their back. But what about you, with your commercially hosted WordPress or Drupal site?

Too Small to Care?

I won’t spend too much time here talking about what could happen, and why it could happen to you, with your small business and your website. I prefer to spend time talking about what you can do to protect yourself. But I’ll give one quick example. There was (is) a bug in Drupal. It went undetected and caused what was called “Drupalgeddon.” A lot of vulnerable sites were attacked by malware and had to be taken offline. In an attack like this, malicious actors scan the internet for vulnerable systems. Some won’t care who you are. Whether you are Capital One or Joni’s Pet Grooming, if you had a vulnerable system, you could get attacked.

Someone came to me after exactly that had happened to them. Their commercial host – a very good one – took their site offline and basically said “Fix it if you want it back up.” The client had zero, absolutely zero idea what to do. Luckily, I was able to help them.

How to Protect Yourself

There were a couple of things that this client did right. For starters, they made sure that they had automatic backups made of the site on a regular schedule. I was able to quickly scan the backup to make sure it hadn’t been infected (it hadn’t) and then replace the infected site with the clean backup.

So yes, you should be making backups. If you have an arrangement with a developer or something like a “web master,” they should be doing this for you. Best practice is to have the live site and at least two backups, stored in different locations, at once. So maybe one on a flash drive, and one on a cloud service like Dropbox. This might sound time consuming. It’s not, really. And if something happens, you can be back up in minutes, and not have to miss any potential customers from visiting your site.
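The “scan the backup to make sure it hadn’t been infected” step is easier when you have something to compare against. As an added example (not code from the original post), the script below builds a SHA-256 manifest of a site’s files from a known-good copy, then compares a backup against it and flags added or changed files that the web server could run as code; the helper names and the list of code file types are my own assumptions.

```python
import hashlib
import json
from pathlib import Path

# Added example, not from the original post. Assumes a baseline manifest was
# built from a known-good copy of the site (e.g. right after a clean install
# or update) and stored somewhere the web server cannot write to.
CODE_SUFFIXES = {".php", ".phtml", ".phar", ".js"}  # assumed list, extend as needed


def build_manifest(site_dir):
    """Map each file's path (relative to site_dir) to its SHA-256 digest."""
    root = Path(site_dir)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest, out_file):
    Path(out_file).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_file):
    return json.loads(Path(in_file).read_text())


def compare_to_baseline(baseline, candidate):
    """Report what a backup (candidate) adds, changes or lacks versus the baseline."""
    added = sorted(p for p in candidate if p not in baseline)
    missing = sorted(p for p in baseline if p not in candidate)
    modified = sorted(p for p in candidate
                      if p in baseline and candidate[p] != baseline[p])
    return {"added": added, "modified": modified, "missing": missing}


def suspicious_files(report):
    """Added or modified files the server could execute or that control it.

    Uploads such as images change legitimately between backups; new or altered
    PHP (or an .htaccess file) does not unless you just applied an update, so
    those are the files to inspect before restoring from that backup."""
    flagged = set()
    for rel in report["added"] + report["modified"]:
        p = Path(rel)
        if p.suffix.lower() in CODE_SUFFIXES or p.name == ".htaccess":
            flagged.add(rel)
    return sorted(flagged)
```

Run `build_manifest` on the clean site and `save_manifest` the result; later, `compare_to_baseline(load_manifest(...), build_manifest(backup_dir))` tells you which backup predates the infection.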

Lock it Down

I’m really focusing here on businesses that have a website that is hosted on a commercial provider like GoDaddy or Dreamhost. These companies are going to do their best to make their servers secure. Their business depends on it; they are highly incentivized. However, where does their responsibility end, and yours begin?

In the case I mentioned above, the client’s site was breached after the patch had been released by Drupal. But the client had no idea about any of it. So, if you are maintaining the site on your own, you should talk to your hosting provider about what steps you can take to protect yourself. This may mean subscribing to security newsletters that are sent out by the CMS, like WordPress or Drupal. If you have an agreement with a developer, make sure you discuss keeping the site secure with them. The main thing here is keeping your site software up to date. That means regularly updating plugins, extensions, modules and the CMS itself. One thing I always do is install Wordfence on WordPress sites. Wordfence is an application firewall that can prevent certain kinds of attacks. It also sends out regular notifications about security warnings and known vulnerabilities. These will help you understand the threat environment as it relates to your site.

If you are doing any kind of activity on your site that requires users to share personal information, whether it be email addresses, credit card information, or contact information, install an SSL certificate. This is basically the little green lock that shows up in the URL bar in your browser. It makes sure that information sent from a user to your site is encrypted. Some sites might not need SSL, but it is becoming so ubiquitous now that even if users don’t understand how it works, they have come to expect it, even if there isn’t a strong technical use-case for it on your site. It’s inexpensive and worth the cost for peace of mind.

There are more things that can be done. It’s really important that if you hire a developer, you have a conversation with them about your site’s security. A knowledgeable, proactive developer will tell you what you need and what you don’t need and help you navigate long-term solutions.

If you have questions about your site’s security posture, get in contact with me and we can discuss. You paid good money for your site, and it represents your business; let’s keep it safe.