Event ticket provider Ticketfly found its website down for days last month after a hacker hijacked the site. The hacker initially informed Ticketfly about a security vulnerability, demanding a ransom payment in bitcoin to provide details about the flaw and help fix it. When Ticketfly refused to pay, the hacker defaced the site and leaked over 26 million usersâ€™ email and home addresses. Password and credit card data was not released, but the hacker has threatened to reveal more information if the ransom is not paid.
This type of attack can be devastating to your business operations as well as your reputation. Here are four fundamental steps you need to take in order to protect your site from becoming the victim of a cyberattack.
Enforce Strong Password Policies
The most common way hackers breach websites is by hacking user passwords, according to Google. To prevent this, itâ€™s vital to use strong, hard-to-guess passwords, with a minimum length of eight characters (12 or 16 is even better) and a mix of letters, numbers, and other characters. To enforce this, security professionals recommend digitally forcing users to choose strong passwords and then storing the passwords in encrypted form, so that if passwords are stolen it will be difficult for a hacker to use them. You can automatically generate strong passwords by using a password manager program.
Additionally, your website team should avoid using the same passwords on other accounts, which prevents a hack of one account from leading to other accounts being compromised. Using two-factor authentication can further strengthen your password security.
Use Secure Software
Another way hackers gain access to sites is through insecure software. One vulnerability is outdated software, which may contain known security holes that hackers can exploit. All web server software, content management system software, plug-ins, and add-ons should be continually kept current with the latest versions. Themes and plug-ins that are not being maintained by their developers may also contain security flaws and should be avoided. On the other hand, installing a good security plug-in from a reliable provider can help you automatically detect security vulnerabilities in other software on your site.
Allowing users to upload files to your site can also introduce malware. Ideally, prohibiting all uploads provides maximum security. At a minimum, restrict which types of files can be uploaded, and donâ€™t allow users to directly access or execute files they have uploaded. Some malware files attempt to spoof valid file types by including their extensions within their file name (for example, img.jpg.php can be used to smuggle a php file onto a site), so automatically renaming files upon upload to force the file name to end with a valid extension is recommended.
Protect Data through Encryption and Minimization
Failing to employ encryption can also expose your site to the risk of security breach. Hackers can exploit unencrypted sites through a number of methods, such as spoofing your site URL and intercepting passwords or payment information that visitors send to the spoofed site. Using HTTPS with an SSL certificate can protect you and your site visitors against this type of attack.
While HTTPS can protect payment information sent over your site, there is no real need for you to collect payment data in the first place. Your best defense is not to collect payment data through your site at all, but instead to send your site visitors to a secure third-party processing service for payment transactions, removing any possible risk of the information being stolen from your site. Security professionals call this strategy data minimization, an approach summed up by the saying, if you canâ€™t protect it, donâ€™t collect it, says Richard Bejtlich of the Center for 21st Century Security and Intelligence.
Have a Recovery Plan
Following sound security strategies can help reduce the risk of your site being hacked, but there is no guarantee a clever cyberthief will not find a way around your defenses. Even among the most-visited sites on the internet, one percent are hacked each year, a University of California San Diego study found. This makes it essential to have a recovery plan in case your site is hacked.
Subscribing yourself and your staff to an identity theft protection service can give you an early warning if stolen user information starts turning up on the dark web, enabling you to respond more quickly to a data breach. If you are breached, you might also consider offering such protective services to your customers to help you mend customer relations. Additionally, you should back up your data regularly in order to protect yourself from ransomware attacks and other disasters. For instance, you can schedule automated backups to an external hard drive, with additional backups to a cloud storage service so that you have an extra copy of sensitive data in case of a hardware malfunction or other mishap.
Sound password policies, secure up-to-date software, data encryption and minimization are some basic strategies for preventing hackers from infiltrating your site. A recovery plan that includes identity theft monitoring and data backup can help restore your site and your business in the event that you are hacked. Following these procedures will reduce your siteâ€™s risk of being compromised by hackers, protecting your customers and the reputation of your business.