For many businesses, their website is their most important online asset. It is where people just learning about their business will likely "land" first, and is the central hub of their online presence. But surprisingly, many small and medium-sized business websites are lacking in one or more key aspects of website security. Here are 3 ways your website may be putting you at risk for a security breach.
1. Secure Data Transmission
Secure data transmission means that data exchanged between your site visitor's browser and your website is encrypted, so that anyone intercepting communications to or from your website would see only garbage characters and not clear text. In practical terms, securing data transmission means installing an "SSL (Secure Sockets Layer) Certificate" on the website server (hosting account) that enables communications between the server and the visitor's browser to use the secure (https://) protocol. Depending on your browser, you may see an indication that SSL is active in the form of a lock icon, "Secure" label, or other indicator.

SSL is important for any functions on your site that involve communicating personal data -- a newsletter sign-up form that has a user's name and email, for instance -- and especially any kind of eCommerce where credit card info is transmitted. But even if your site doesn't have features that transmit sensitive data, SSL is important for one very big reason: Google started warning users about non-secure sites back in 2018. While Google has looked at the presence of an SSL certificate as a minor ranking factor since 2014, the in-your-face scare that comes from non-SSL sites being flagged has caused most site owners to add SSL.
If your site still doesn't have SSL installed, do it now! Most web hosting companies are now offering free basic SSL certificates and "one-click" installation. After that, there are a couple of easy settings that need to be made on your website. The entire process of adding SSL to your website should only take a few minutes, but if you're not comfortable doing it, find someone who is. The benefits far outweigh the minor inconvenience of setting it up.
2. Secure Data Storage
The second consideration for security is data storage. While this may not apply to everyone, chances are that it applies to many website owners who do not realize that their website is storing personal information. If your website allows users to create logins, it is storing personal information. If you have any kind of form (e.g. "Contact Us", "Join our Newsletter", etc.) on the site, it might be storing personal info, depending on how the form is implemented. If you accept payments on your site, it also might be storing personal info, again depending on how the payment function is implemented.
Note that a data storage breach can have disastrous implications for any business. Besides the loss of confidence in your business, there may also be legal penalties. For instance, the medical profession is governed by the HIPAA laws, which provide for a fine of $50,000 per violation (record) and jail time in cases of "willful neglect" where the firm knew they were at risk of a data breach and chose to ignore the problem. In the case of a data breach, it is more likely that multiple records will be accessed, so a single-incident HIPAA violation involving many records could easily put a medical practice out of business!
Having secure data storage starts with the web-hosting provider, which is why it is important to choose a well-known and reliable company that implements good security practices. But secure data storage also relies on you keeping your site software up to date. Even if your hosting company has everything locked down, outdated software might provide an opening. Think of it this way: even if the doors of your house are locked tight, an open window makes it easy for a burglar to slip in.
3. Secure Site Software
The third security risk with websites concerns the software that implements the website and web server. Just like with your PC, there are bad actors who are constantly trying to break into your site. We implement security hardening and monitoring for a number of our clients and see multiple hack attempts every day! While best practices such as using non-trivial passwords are important, just like with your PC, there are frequent software updates that must be applied to patch security holes as new "exploits" are discovered.
On the web server side, we are to a great extent reliant on hosting companies to implement strong security practices, so this is again why it is important to deal with a reputable hosting company. I have actually had a customer support rep from one of the larger and immediately recognizable hosting companies admit to me that they intentionally don't upgrade their servers because doing so would increase the likelihood that their customers' sites may break if those customers aren't keeping up with updates on their sites as well. To the hosting company, it is cheaper to deal with the occasional hacked website than to create a lot of support issues for people who don't know better. But for the business owner, a hacked site can be disastrous, even to the point of putting them out of business!
Sadly, for many business owners, their website is "out of sight, out of mind". Unless they are adding content regularly, many site owners rarely log in to their website's "back end" where the site software updates are made, so they may not even realize that an update is needed. Missing a required update that closes a security gap can have extremely dire consequences! For business owners who don't log in to the admin area of their website (and don't want to), we offer Website Care Plans that take this off our clients' plates and give them peace of mind.