SMB Toolkit: Secure Your Business Website
Cyber Monday is traditionally the time of year when security analysts make a big deal about shopping security, with most of the focus on how to be a safe shopper. But, the truth is, online safety should always be a critical consideration, and it’s not just the responsibility of the consumer. Online safety needs to start with businesses, which must make sure their websites are secure.
Having an online presence is practically a “must have” for businesses nowadays, whether it is just an informational site with contact information or a full-fledged e-commerce platform. Business owners need to actively manage the Website to ensure cyber-criminals haven’t hijacked the site and redirected consumers to malicious pages. No business wants to lose a sale to such a hijack, of course, but even worse can be the long-term damage to its reputation that a hijack can cause—not to mention potential liability issues.
Symantec researchers identify, on average, 9,314 malicious Websites every day. Nearly 61 percent of malicious sites out there are legitimate business sites that have been somehow compromised. The compromise can take many forms, such as exploiting vulnerabilities in the off-the-shelf content management system being used to build the site, brute-forcing passwords on the FTP server, or displaying malicious advertisements using a third-party ad network.
This holiday shopping season, businesses should take the following steps to secure their Websites and protect customers from malware and cyber-attacks.
SSL is About Trust
The most important thing businesses can do to protect their customers is to deploy Secure Sockets Layer on all their webpages, according to Symantec. With SSL enabled, all the information exchanged between the user and the business passes through an encrypted tunnel, making it harder for a malicious third party to intercept the data or eavesdrop.
Businesses that offer catalogs and online shopping on their sites must, at the very least, offer SSL on the shopping pages where the user enters a credit-card number. Instead of turning on SSL only for a handful of pages related to sensitive financial data, it is easier to maintain the site, and gives users a more streamlined experience, if all the pages are protected from the get-go.
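The “protect every page” approach above, as an added example that is not part of the article or of Symantec’s guidance: a minimal nginx server configuration that answers every plain-HTTP request with a redirect to the HTTPS version of the same URL, so no page (not just the checkout) is ever served unencrypted. The hostname `shop.example.com` and the certificate paths are placeholders to be replaced with the business’s own values.

```nginx
# Plain-HTTP listener: never serve content here, only redirect to HTTPS.
server {
    listen 80;
    server_name shop.example.com;          # placeholder hostname
    return 301 https://$host$request_uri;  # preserve path and query string
}

# HTTPS listener: every page of the site is served from here.
server {
    listen 443 ssl;
    server_name shop.example.com;          # placeholder hostname

    # Certificate issued by an established CA, plus the matching private key
    # (placeholder paths; the key must be readable only by the nginx user).
    ssl_certificate     /etc/ssl/certs/shop.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/shop.example.com.key;

    # Do not offer obsolete protocol versions to clients.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Tell browsers to use HTTPS for this host for the next year, so a
    # later plain-HTTP link cannot downgrade the session.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/shop;                    # placeholder document root
    index index.html;
}
```

With this layout there is no per-page decision about which content is “sensitive enough” for SSL; the only unencrypted response the server ever sends is the redirect itself.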
The easiest way for a visitor to the Website to tell whether SSL is turned on is by looking at the URL. If there is a green “https” box in the address bar of the browser, the data is protected. Businesses can “build customer trust” with that green browser bar, Symantec said.
Security experts generally recommend users not shop on sites that aren’t using HTTPS, and definitely not enter credit or debit card numbers if the page isn’t secure.
“When I shop online, I always check the address of the payment website, making sure it has the Secure Hyper Text Transfer Protocol (Https://),” Catalin Cosoi, chief security strategist at BitDefender told PCMag.com.
“Recognized trust marks” should be displayed in highly visible locations on the Website, Symantec said. One such trust mark is the Norton Secured Seal, which informs shoppers that the Website is verified, trusted, and likely free from malware.
Businesses should also get digital SSL certificates from established, trustworthy certificate authorities, Symantec said. There are plenty of fly-by-night operations offering SSL certificates at a low cost, but there is no guarantee the certificate authority is following sound security practices, warned Melih Abdulhayoglu, president and CEO of Comodo. Not all CAs have strict procedures in place to ensure the applicant actually owns the domain and is not trying to get SSL certificates for sites owned by someone else, Abdulhayoglu said. Digital signatures are one area where businesses shouldn’t trust unknown organizations with their Website and customers, or shop for the lowest possible price.
“I check if the Certificate Authority such as VeriSign is recognized by the browser,” Cosoi agreed.
Monitor the Network
Symantec also recommended businesses regularly scan their sites for malware, monitor the infrastructure for intrusions, and keep a close eye on traffic for malicious activity. Administrators should check the logs for attempted connections from their servers to known malicious or suspicious hosts, which would indicate something on the computer is trying to “phone home” to a remote machine. The Website should be checked daily to see whether it is serving malware to site visitors, whether it is vulnerable to Web attacks such as SQL injection, and whether there are any unusual login attempts or intrusions on the Web server. Many malware variants compromise the Website by modifying certain files or injecting a malicious script into the site’s directory.
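Two of the checks described above, as an added example that is not part of the article or of any vendor’s product: the first function scans outbound-connection log lines for servers contacting hosts on a blocklist (the “phone home” symptom), and the second compares the files in the web root against a baseline of hashes and flags modified or unexpected files as well as any page that now loads a script from a host outside the site’s own trusted list (the injected-script symptom). The log format, the log lines, the blocklisted hostnames, the file contents and the trusted-host list are all constructed for the example; real deployments would read these from the firewall or proxy log and from the deployed site.

```python
import hashlib
import re
from collections import namedtuple

# Constructed sample of outbound-connection log lines from the web servers'
# firewall or proxy.  Assumed format: timestamp src_ip dst_host dst_port.
SAMPLE_CONN_LOG = """\
2012-11-26T09:14:02 10.0.0.5 cdn.example-vendor.net 443
2012-11-26T09:14:07 10.0.0.5 updates.example-vendor.net 80
2012-11-26T09:15:41 10.0.0.5 evil-c2.example.invalid 8080
2012-11-26T09:16:03 10.0.0.6 mirror.example-vendor.net 443
"""

# Constructed blocklist of known-bad hosts (placeholder names, not real IoCs).
KNOWN_BAD_HOSTS = {"evil-c2.example.invalid", "dropper.example.invalid"}

ConnAlert = namedtuple("ConnAlert", "timestamp src dst port")


def find_phone_home(log_text, bad_hosts):
    """Return every connection from our servers to a host on the blocklist."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        timestamp, src, dst, port = parts
        if dst.lower() in bad_hosts:
            alerts.append(ConnAlert(timestamp, src, dst, int(port)))
    return alerts


# Matches <script ... src="//host/..."> or "http(s)://host/..." and captures
# the host; relative sources such as src="/js/app.js" do not match.
SCRIPT_SRC_RE = re.compile(
    r"""<script[^>]*\ssrc=["'](?:https?:)?//(?P<host>[^/"']+)""", re.IGNORECASE)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """files: {path: bytes} of the known-good site -> {path: sha256 hex}."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_integrity(baseline, current_files, trusted_script_hosts):
    """Compare the deployed files with the baseline.

    Returns (path, finding, digest) tuples: 'new', 'modified' or 'deleted'
    files, plus 'foreign-script:<host>' for any page that loads a script
    from a host not in trusted_script_hosts.
    """
    findings = []
    for path, content in current_files.items():
        digest = sha256_hex(content)
        if path not in baseline:
            findings.append((path, "new", digest))
        elif baseline[path] != digest:
            findings.append((path, "modified", digest))
        text = content.decode("utf-8", "replace")
        for match in SCRIPT_SRC_RE.finditer(text):
            host = match.group("host").lower()
            if host not in trusted_script_hosts:
                findings.append((path, "foreign-script:" + host, digest))
    for path in baseline.keys() - current_files.keys():
        findings.append((path, "deleted", baseline[path]))
    return findings


# Constructed known-good site and a constructed "after compromise" copy:
# index.html has an extra script tag appended and an unexpected file appeared.
BASELINE_FILES = {
    "index.html": b"<html><head><script src='/js/app.js'></script></head>"
                  b"<body>Shop</body></html>",
    "js/app.js": b"console.log('app');",
}
CURRENT_FILES = {
    "index.html": BASELINE_FILES["index.html"]
                  + b'<script src="http://evil-c2.example.invalid/x.js"></script>',
    "js/app.js": BASELINE_FILES["js/app.js"],
    "img/cache.php": b"<?php echo 'unexpected file'; ?>",
}
TRUSTED_SCRIPT_HOSTS = {"www.example.com", "cdn.example-vendor.net"}

if __name__ == "__main__":
    for alert in find_phone_home(SAMPLE_CONN_LOG, KNOWN_BAD_HOSTS):
        print("phone-home:", alert)
    baseline = build_baseline(BASELINE_FILES)
    for path, finding, digest in check_integrity(baseline, CURRENT_FILES,
                                                 TRUSTED_SCRIPT_HOSTS):
        print("integrity:", path, finding, digest[:12])
```

The baseline of hashes must be taken from a copy of the site the business trusts (for example the release artifact, not the live server after the fact) and stored somewhere the web server cannot write; otherwise an intruder who can modify the site can also “fix” the baseline.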
It’s Not Just Online
It’s important to remember that securing the Website starts with physical security. Businesses have to make sure servers and other assets are protected from physical theft. In the case of a cloud host, the business has to verify that the cloud provider allows only authorized personnel into the data center.
Returning to SSL, organizations have to store private keys in secure, tamper-proof cryptographic hardware devices to protect the integrity of their digital certificates, Symantec said. Keeping the private keys in such devices means cyber-criminals can’t easily intercept the keys or trick site owners into giving them up.
1.5 million people are victims of cyber-crime every day. Business owners can protect their customers—and by extension, their own bottom lines—by doing their part to make sure their sites aren’t a cyber-crime vector.
By Fahmida Y. Rashid, PCMag