As hackers grow faster, more numerous and more efficient, many companies are struggling to protect their websites from cyber threats. Statistics don’t lie:
• Over 360,000 new malicious files are discovered every day
• There were 1,188,728,338 known computer attacks in 2017.
• Damages to businesses from cybercrime are expected to reach $6 trillion by 2021
• Global spending on cyber security is likely to exceed $1 trillion between 2017 and 2021.
These staggering figures clearly show why organizations must make website security a key priority. There are various types of cyber attacks and malware, and every IT department must understand the following risks: viruses and worms, trojans, suspicious packagers, malicious tools, adware, malware, ransomware, denial of service, identity theft, cross-site scripting, SQL injection, password brute force attacks, and session hijacking. When these intrusion attempts succeed (which is often), the following can happen:
• Website defacement – unwanted content placed on your website
• Website downtime (your site is unavailable to visitors)
• Data is stolen from websites, databases, financial systems, etc.
• Data is encrypted and stored for ransom (ransomware attack)
• Server abuse – sending spam through webmail or serving illegal files
• Server abuse – part of a distributed denial of service attack
• Servers hijacked for Bitcoin mining, etc.
While some attacks only pose minor threats such as a slow website, many attacks result in serious consequences such as massive theft of confidential data or indefinite website downtime due to ransomware. With that in mind, here are 15 best practices your IT department should be using to protect your organization from malware and cyber hacking.
1. Keep your software up to date.
It is crucial to keep your operating system, general applications, anti-malware and website security programs up to date with the latest patches and definitions. If your website is hosted by a third party, make sure your host is reputable and keeps their software up to date.
2. Protect against cross-site scripting (XSS) attacks.
3. Protect against SQL attacks.
To defend against hackers injecting rogue code into your site, always use parameterized queries instead of building dynamic (Transact-)SQL statements by concatenating user input into the query text.
4. Double data validation.
Protect your subscribers by requiring both browser-side and server-side validation. Browser-side validation gives users quick feedback, but only server-side validation can be trusted, because a client can bypass or disable it. Together they help block the insertion of malicious scripts through form fields that accept data.
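The server-side half of that validation, combined with the output encoding that item 2 (XSS) calls for, as an added example that is not part of the original article. The form fields, their format rules and the comment template are assumptions chosen for the demonstration.

```python
import html
import re

# Constructed form definition: field -> (format pattern or None, maximum length).
# Free-text fields get no pattern; they are length-limited here and escaped on output.
FIELD_RULES = {
    "username": (re.compile(r"[A-Za-z0-9_]{3,32}"), 32),
    "email": (re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"), 254),
    "comment": (None, 500),
}


def validate_form(data):
    """Server-side validation: returns {field: problem}; empty dict means the data is acceptable."""
    errors = {}
    for field, (pattern, max_len) in FIELD_RULES.items():
        value = data.get(field)
        if not value:
            errors[field] = "required"
            continue
        if len(value) > max_len:
            errors[field] = "too long"
            continue
        if pattern is not None and not pattern.fullmatch(value):
            errors[field] = "invalid format"
    return errors


def render_comment(username, comment):
    """Output encoding: every untrusted value is HTML-escaped before it is
    placed into markup, so tags typed into the comment box render as text."""
    return f"<p><b>{html.escape(username)}</b>: {html.escape(comment)}</p>"


if __name__ == "__main__":
    submitted = {"username": "bob", "email": "bob@example.com",
                 "comment": "<script>alert(1)</script>"}
    print(validate_form(submitted))   # {} – the comment is allowed as text
    print(render_comment(submitted["username"], submitted["comment"]))
```

Note the division of labour: validation rejects data that does not fit the field, while encoding makes whatever is accepted harmless in the page. A free-text field will always accept angle brackets, so the escape on output is what actually prevents the script from running.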
5. Don’t allow files to be uploaded to your website.
Some businesses require users to upload files or images to their server. This poses significant security risks as hackers can upload malicious content that will compromise your website. Remove executable file permissions and find another way for users to share information and images.
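Where uploads cannot be avoided, the checks below are the ones a practitioner would add: an extension allowlist, a content check against the declared type, a server-generated filename, and a file mode with no execute bits. This is an added example, not code from the original article; the allowed types, the magic-number table and the POSIX file modes are assumptions for the demonstration.

```python
import os
import secrets
import stat
import tempfile

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}

# Leading bytes expected for each accepted type (constructed subset).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}


def store_upload(original_name, content, upload_dir):
    """Store an upload safely; returns the stored path or raises ValueError."""
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    if not content.startswith(MAGIC[ext]):
        raise ValueError("content does not match the declared type")
    # Never reuse the client-supplied name: a random server-side name also
    # neutralizes path components such as '../' in the original filename.
    stored_name = secrets.token_hex(16) + ext
    path = os.path.join(upload_dir, stored_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    # Explicitly clear any execute bits the process umask might have left.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP)
    return path


def is_executable(path):
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def run_demo():
    """Exercise the checks in a temporary directory and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = store_upload("cat.png", MAGIC[".png"] + b"...image data...", d)
        results["png_stored"] = os.path.exists(path)
        results["png_executable"] = is_executable(path)
        results["png_name_reused"] = os.path.basename(path) == "cat.png"
        for name, content in [("script.php", b"not an image"),
                              ("evil.png", b"not an image"),
                              ("../etc/report.pdf", b"%PDF-1.4 ...")]:
            try:
                store_upload(name, content, d)
                results[name] = "accepted"
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The upload directory itself should sit outside the web root and be served, if at all, through a handler that only streams file contents; that placement is a deployment choice the code above cannot enforce.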
6. Maintain a robust firewall.
Use a robust firewall and limit external access to ports 80 (HTTP) and 443 (HTTPS) only.
7. Maintain a dedicated database server.
Keep separate servers for your data and web servers to better protect your digital assets.
8. Implement the Secure Sockets Layer (SSL) protocol.
Always buy an SSL certificate to maintain a trusted environment. SSL certificates create a foundation of trust by establishing a secure, encrypted connection to your website and letting visitors verify that they are talking to your server rather than a rogue one.
9. Establish a password policy.
Implement rigorous password policies and ensure they are followed. Educate all users about the importance of strong passwords. Essentially, require all passwords to meet these standards:
• Length is at least 8 characters
• At least one capital letter, one number and one special character
• Do not use words that can be found in a dictionary
• The longer the password, the stronger the security of the website.
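A checker that enforces exactly the four standards listed above, plus a rough strength estimate that grows with length, as an added example that is not part of the original article. The small dictionary set is a constructed stand-in for a real wordlist, and the pool-size figures in the entropy estimate are assumptions.

```python
import math
import re
import string

MIN_LENGTH = 8
# Constructed stand-in for a dictionary wordlist; load a real list in production.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "summer", "football"}


def check_password_policy(password):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Dictionary check on the alphabetic core, case-insensitively, so that
    # decorating a word with a digit and a symbol does not slip past it.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")
    return problems


def strength_bits(password):
    """Naive entropy estimate: log2(pool size) per character, so longer is stronger."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 characters
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for candidate in ["Password1!", "short", "Tr0ub4dor&3x"]:
        print(candidate, check_password_policy(candidate), round(strength_bits(candidate), 1))
```

The estimate deliberately ignores patterns and reuse, which is why it complements rather than replaces the dictionary rule; checking candidates against lists of known breached passwords is the stronger form of that rule.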
10. Use website security tools.
Website security tools are essential for internet security. There are many options, both free and paid. In addition to software, there are software-as-a-service (SaaS) models that offer comprehensive website security tools.
11. Create a hack response plan.
Sometimes security systems are bypassed despite the best attempts at protection. If this happens, you will need to implement a response plan that includes audit logs, server backups, and contact information for your IT support staff.
12. Set up a background activity logging system.
To track the entry point for a malware incident, make sure you track and log relevant data, such as login attempts, page updates, coding changes, and plugin updates and installations.
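What such logging buys you only becomes visible when something reads it. The following added example (not from the original article) parses a few constructed application log lines and applies two detection rules: a burst of failed logins from one source, and a successful login from that same source right after the burst. The log format, field names and thresholds are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (timestamp, event, user, source IP, extra fields).
SAMPLE_LOG = """\
2024-05-01T10:00:01 LOGIN_FAIL user=admin ip=203.0.113.7
2024-05-01T10:00:03 LOGIN_FAIL user=admin ip=203.0.113.7
2024-05-01T10:00:04 LOGIN_FAIL user=root ip=203.0.113.7
2024-05-01T10:00:06 LOGIN_FAIL user=admin ip=203.0.113.7
2024-05-01T10:00:09 LOGIN_FAIL user=admin ip=203.0.113.7
2024-05-01T10:00:10 LOGIN_OK user=admin ip=203.0.113.7
2024-05-01T10:05:00 LOGIN_FAIL user=alice ip=198.51.100.2
2024-05-01T10:30:00 LOGIN_OK user=alice ip=198.51.100.2
2024-05-01T11:00:00 PLUGIN_INSTALL user=admin ip=203.0.113.7 name=seo-booster
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)(?P<rest>.*)$")


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with at least `threshold` failed logins inside a sliding window.
    Returns {ip: timestamp of the failure that tripped the rule}."""
    alerts = {}
    recent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "LOGIN_FAIL":
            continue
        ip = ev["ip"]
        recent[ip].append(ev["ts"])
        recent[ip] = [t for t in recent[ip] if ev["ts"] - t <= window]
        if len(recent[ip]) >= threshold and ip not in alerts:
            alerts[ip] = ev["ts"]
    return alerts


def success_after_burst(events, alerts):
    """Higher-severity signal: a successful login from an IP after it tripped the burst rule."""
    return [(ev["ip"], ev["user"], ev["ts"]) for ev in events
            if ev["event"] == "LOGIN_OK" and ev["ip"] in alerts and ev["ts"] >= alerts[ev["ip"]]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_brute_force(evs)
    print("burst sources:", hits)
    print("success after burst:", success_after_burst(evs, hits))
```

In the sample data the second rule fires for 203.0.113.7, and the later PLUGIN_INSTALL event from the same address is exactly the kind of follow-on change the logging of plugin updates is meant to expose during an investigation.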
13. Maintain a backup security plan.
Your data should be backed up regularly, depending on how often it is updated. Ideally, daily, weekly and monthly backups are available. Create a disaster recovery plan that fits your type and size of business. Make sure you keep a copy of your backup both locally and off-site (there are many good cloud-based solutions available), which allows you to quickly retrieve an unchanged version of your data.
14. Train your staff.
It is imperative that everyone is trained on the policies and procedures your company has developed to keep your website and data secure and prevent cyber attacks. It only takes one employee to click on a malicious file to create an opportunity for a breach. Make sure everyone understands the response plan and has a copy of it readily available.
15. Make sure your partners and suppliers are secure.
Your business may share data and access with many partners and suppliers. This is another potential source of a breach. Make sure your partners and vendors follow your web security best practices to protect your website and data. This can be done using your own auditing process, or you can subscribe to software security companies that offer this service.
Even a top-of-the-line computer system can quickly be brought down by malware. Don’t delay implementing the above security strategies. Consider investing in cyber insurance to protect your organization in the event of a serious breach. Securing your website from hacking and cyber attacks is an important part of protecting your website and keeping your business safe.