In this digital age, your company’s website is a crucial part of your business. You want it to look professional, as well as be easily navigable and highly engaging. But you don’t just want a website that looks nice and has an intuitive user interface (UI) — you also want a website that’s secure.
Website security, despite being a vital part of your overall cybersecurity posture, is far too often overlooked by small and medium-sized business (SMB) owners. As with many aspects of cybersecurity, there is an enduring belief that hackers don’t come after ‘the little guy.’ And so, SMB owners put ‘improve website security’ at the bottom of their to-do lists, thinking it can wait.
But the truth is, the ‘we’re too small’ justification for neglecting website security is paper thin; we’re seeing threat actors target smaller companies more and more. A recent study revealed that 61% of SMBs have experienced a cyberattack over the past year. Cyberattacks on SMBs aren’t rare, they’re rampant, and beefing up your website’s security isn’t preparing for a possibility, but bracing for an inevitability.
So, let’s talk about website security. Here are our Top 5 Website Security Tips for Small Business Owners …
Tip #1: Practice Good Password Hygiene
Your company’s passwords are a critical line of defense against cyberattacks. Unfortunately, poor ‘password hygiene’ is practically an epidemic, even in this dangerous digital era. The UK’s National Cyber Security Centre recently discovered that over 23 million user accounts worldwide still use the password “123456”! Statistics like this make IT experts cringe, because weak passwords make your business a sitting duck for threat actors.
Bottom line, get serious about practicing good password hygiene at your business. Set up password complexity requirements on your company’s website(s), train your staff on what makes a strong password, enlist a password manager so employees don’t have to rely on memory or sticky notes, and bolster your passwords with multi-factor authentication (MFA). Doing these things might seem like a hassle, but the inconvenience pales in comparison to the devastating effects of a serious data breach.
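As an added example (not code from the original post), here is a Python policy check for the ‘password complexity requirements’ this tip recommends: it rejects short passwords, common passwords such as the ‘123456’ the NCSC study found (even when disguised with a trailing year or letter substitutions), and passwords built from the company name. The deny-list, the 12-character minimum and the company name are illustrative assumptions.

```python
import re
from typing import Iterable, List

# Constructed sample deny-list. A real deployment loads a much larger list of
# breached and common passwords; "123456" is the one the post cites from the NCSC study.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome", "iloveyou", "admin",
}

# Letter substitutions users apply to dress up a common word ("P@ssw0rd").
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # illustrative policy value, not taken from the post


def normalize(password: str) -> str:
    """Reduce a candidate to the base word an attacker would guess from:
    lower-case it, drop a trailing run of digits/symbols ("Welcome2023!"),
    then undo common letter substitutions ("p@ssw0rd" -> "password")."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)


def check_password(password: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the policy violations for `password`; an empty list means accepted.
    `context_words` are things an attacker would try first, e.g. the company
    name or the user's login, and must not appear in the password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    base = normalize(password)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("matches a common or breached password")
    for word in context_words:
        if len(word) >= 4 and word.lower() in base:
            problems.append(f"contains the easily guessed word '{word}'")
    if len(set(lowered)) <= 2:  # "aaaaaaaaaaaa", "abababababab"
        problems.append("uses too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; "Acme Plumbing" is a made-up company name.
    for candidate in ["123456", "P@ssw0rd2023!", "AcmePlumbing2024!",
                      "correct horse battery staple"]:
        verdict = check_password(candidate, context_words=["Acme", "Plumbing"])
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```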
Tip #2: Make the Move from HTTP to HTTPS
The difference between “HTTP” and “HTTPS” might be just one letter, but what a difference that one letter makes! But what are these acronyms?
Well, any website you visit will begin with either “HTTP” or “HTTPS.” “HTTP” stands for “Hypertext Transfer Protocol,” and the “S” stands for “Secure.” A website that begins with “HTTPS” will also display a padlock symbol in the address bar to the left of the URL. But what’s the difference?
An HTTPS site is vastly more secure than an HTTP site because it enlists an SSL (Secure Sockets Layer) certificate to create an encrypted connection between the server and the browser. In plain English: the data that flows to and from an HTTPS site — credit card information, passwords, etc. — is scrambled, so even if a hacker manages to intercept it, it will be unintelligible — i.e., pure nonsense.
Having an HTTPS site is utterly essential if you accept sensitive information through your website, but even if you don’t, it’s still a good idea to enlist an SSL certificate for that added layer of protection against malware, viruses, and the like. Moreover, HTTPS sites receive an SEO bump from Google, which makes the adoption of HTTPS even more of a no-brainer.
So, if you haven’t already, make the move from HTTP to HTTPS — and get in the habit of avoiding websites that don’t display the reassuring padlock. Here’s a good article outlining the steps required to make the switch.
Tip #3: Keep Up with Updates
Creating a website for your small business has never been easier. Content management systems like WordPress, Joomla, and Drupal simplify the process so that even the least tech-savvy business owners can create a website with relative ease.
But as easy as it is to make your company website, you can’t just create your website and then expect it to take care of itself. Like any piece of property, your patch of digital land requires maintenance. More to the point, you have to keep up with software and plugin update requests.
Now, these might seem like a hassle, and you might not think it’s a big deal if your organization operates without the latest WordPress update for a day or two — or a whole week even. After all, you’ve ignored cell phone updates before and it’s not like your whole life came crashing down …
Stop right there! Updates are not optional enhancements; they’re necessary adaptations to an ever-evolving threat landscape. And if you’re casual about updates, you’re putting your entire organization at risk. So keep up with updates, and work with your IT provider to streamline and automate updates as much as possible, or you can expect to join the 30,000 websites hacked each day!
Tip #4: Backup, Backup, and Backup Some More!
Like updates, data backup is a security fundamental business owners can’t afford to neglect. No matter how careful you are, things happen — cyberattacks, natural disasters, simple employee errors — and data gets lost. But when the data you lose is backed up — i.e., when there’s a copy of it — it’s not truly lost. You swap in the copy and you’re back on your feet.
Of course, things are more complicated than that. If hackers get their hands on your customers’ credit card info, it won’t matter much that the data is backed up. That said, data backup does protect businesses from numerous cyber risks, and is a critical component of a sound disaster recovery plan.
But how often should you be backing up your data? Does your backup need a backup? Is it important to have a backup offsite? Can the cloud provide a sensible backup solution for small businesses? To answer these in order — it depends on the nature of your business (and your RTO/RPO), most likely it does, yes, and yes.
Creating the ideal backup strategy for your business isn’t something you should undertake on your own. Work with in-house IT staff or your IT provider/managed service provider to come up with a backup solution that fits your business’s needs and automates as much as possible.
Tip #5: Train Your Staff
The importance of employee training cannot be overstated. Your people are your most valuable asset — this isn’t just true as a general adage, but as a principle of cybersecurity! If there is one thing any business can do to immediately bolster its website security, it’s implement regular staff training. An informed workforce is an empowered one, and considering that 82% of data breaches in 2021 involved human error, it’s safe to say that businesses across the board aren’t investing enough time and resources in employee cyber risk training.
Don’t be afraid to get creative and inject some fun into your staff training. Cybersecurity is a deadly serious topic, but that doesn’t mean cyber training has to be dull and dry or all ‘doom and gloom.’ Try ‘gamifying’ some of the training. Serve cake at in-person training sessions. Send out fake phishing emails and reward employees who spot them and report them according to company protocol.
Whatever training regimen you come up with, stick with it. Cyber risk training should be ongoing and regular. And if part of your workforce is remote, make sure to train them on the cyber risks associated with working-from-home (WFH) before you let them leave the office. Remember, cybercrime has skyrocketed since the start of the COVID-19 pandemic, largely due to the rise in remote work. So don’t let your commitment to cybersecurity end at the walls of your physical office.
Protecting your growing business means protecting its website. And while following the above five tips won’t guarantee your website’s total security — sadly, no such guarantees exist — they will go a long way toward protecting your organizational and customer data, and keeping hackers off your digital land.
Don’t let website security and other IT issues overwhelm you! If you’re struggling to stay on top of IT at your business, reach out to a trusted MSP in your area for help. A good MSP will take care of your website — and your entire IT infrastructure — for a single predictable monthly fee.