What You Need to Know About Website Security

Lock your sites with SSL. Image courtesy Pixabay

From high profile hacks of major companies, to leaked photos of celebrities, to the revelations that Russian hackers likely influenced the 2016 US Presidential election, the reality is that we live in a scary time when it comes to online security.

If you are the owner, or even just the person in charge, of a website, digital security is something that you absolutely must be knowledgeable about and plan for. This knowledge must cover two key areas:

  1. How you secure the information you receive from customers to your website
  2. The security of the site itself and the servers where it is hosted.

Ultimately, a number of people will need to play a role in your website’s security. Let’s take a high-level look at what you need to know about website security so you can ensure that everything that can be done to secure that site is being done correctly.

Securing the Information of Your Visitors and Customers

One of the most important aspects of website security is making sure that your customers’ data is secure and protected. This is doubly true if your website collects any kind of personally identifiable information, or PII. What is PII? Most often this takes the form of credit card numbers, social security numbers, and even address information. You must secure this sensitive information while it is being accepted and transmitted from the customer to you. You must also secure it after you receive it, in how you handle and store that information for the future.

When it comes to website security, the easiest example to consider is online shopping / e-commerce websites. Those sites will need to take payment information from customers in the form of credit card numbers (or perhaps PayPal info or some other kind of online payment vehicle). The transmission of that information from the customer to you must be secured. This is done through the use of a “secure sockets layer” certificate, or an “SSL”. This security protocol encrypts the information as it travels from the customer to you, so that anyone who intercepts those transmissions will not receive usable financial information that they can steal or sell to others. Any online shopping cart software will include this kind of security. It has become an industry standard.

So what if your website does not sell products online? Do you still need security for transmissions? Well, if you collect any kind of information from visitors, including name, email address, mailing address, etc., you should strongly consider securing those transmissions with an SSL. There is really no downside to doing this other than the small cost of buying the certificate (prices vary from $149/yr to a little over $600/yr depending on the type of certificate you need).

Securing your website with an SSL can also carry benefits for your Google search engine rankings. Google wants to make sure that the pages it delivers are authentic and are maintained by the actual companies the site is supposedly for. An SSL helps to authenticate where a page comes from. This is why Google recommends and rewards sites that are served over SSL.
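The two paragraphs above describe what an SSL/TLS certificate does for data in transit: the browser checks that the certificate actually belongs to the site it is talking to, and then encrypts the exchange. The following added example (not code from the original article) shows the checks a site owner can run from the client side: it builds a hardened client context that insists on certificate verification and TLS 1.2 or newer, and audits a certificate for hostname coverage and expiry. The certificate dict is constructed in the shape Python's `SSLSocket.getpeercert()` returns, with made-up names and dates, and the 14-day renewal warning threshold is an arbitrary assumption.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by SSLSocket.getpeercert().
# Assumption: names and dates are invented for this example, not a real site's certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "www.shop.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}

RENEWAL_WARNING_DAYS = 14  # assumption: warn when less than two weeks of validity remain


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate against the system CA
    store, checks the hostname, and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of the settings that matter, for logging or assertions."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def cert_names(cert: dict) -> set:
    """All DNS names the certificate claims: SAN entries plus the subject CN."""
    names = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    return names


def name_matches(hostname: str, pattern: str) -> bool:
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return hostname == pattern


def audit_certificate(cert: dict, hostname: str, now_iso: str = None) -> list:
    """Return a list of findings (empty means the certificate looks fine for hostname).
    now_iso lets a test pin the clock; omit it to use the current UTC time."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = []
    if not any(name_matches(hostname, name) for name in cert_names(cert)):
        findings.append(f"certificate does not cover {hostname}")
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        findings.append(f"certificate not valid until {not_before:%Y-%m-%d}")
    elif now > not_after:
        findings.append(f"certificate expired on {not_after:%Y-%m-%d}")
    elif (not_after - now).days < RENEWAL_WARNING_DAYS:
        findings.append(f"certificate expires in {(not_after - now).days} days")
    return findings


def connect_and_audit(hostname: str, port: int = 443, timeout: float = 5.0):
    """Live check (needs network): handshake with the hardened context, which already
    rejects untrusted or mismatched certificates, then audit what the server presented."""
    ctx = hardened_client_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.version(), audit_certificate(tls.getpeercert(), hostname)


if __name__ == "__main__":
    print(context_summary(hardened_client_context()))
    print(audit_certificate(SAMPLE_CERT, "shop.example.com", "2024-02-20T00:00:00+00:00"))
```

`connect_and_audit` is the function to wire into a scheduled job against your own domains; the offline `audit_certificate` is what makes the expiry and hostname logic testable without a network, and it is the same data the handshake in `connect_and_audit` hands back.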

One final note on protecting customer information – remember that an SSL only encrypts data during transmission. You are also responsible for that data once it reaches your company. The way you process and store customer data is as important as transmission security. It may sound crazy, but I have actually seen companies who printed out customer order information and kept hard copies on file in case of any problems. That is a clear violation of security protocols, and depending on the state you are doing business in, you could be fined a substantial amount of money for that kind of violation, especially if those files were eventually compromised. It makes no sense to protect data during transmission, but then print out that data and leave it easily available in an insecure office location!

Protecting Your Website Files

Over the years, most of the more publicized website and data hacks have involved someone stealing files from a company. This is often done by attacking a web server and gaining access to a database of customer information. This is another aspect of website security you need to be concerned with. Even if you properly encrypt customer data during transmission, if someone can hack into your web server and steal your data, you are in trouble. This means that the company where you host your site files must also play a role in your site’s security.

Too often companies buy website hosting based on price or convenience. Think about your own website hosting and the company that you work with. Perhaps you have hosted with this same company for many years, so it is easier to stay there than to move elsewhere. In many cases, the web team that you hire for a site project recommends a hosting provider and the company simply agrees to that recommendation since it does not have any real opinion on the matter. This should not be how you select website hosting. It is fine to ask for a recommendation from your web team, but be sure to do your due diligence and ask about site security. If you are getting a security audit of your website and business practices, a look at your hosting provider is sure to be a part of that assessment.

Finally, if your site is built on a CMS (content management system), then there are usernames and passwords that grant access to the site and allow you to make changes to your webpages. Be sure to secure this access with strong passwords, the way that you would any other important account that you have. Over the years, I have seen many companies use weak, easily guessable passwords for their website, thinking that no one would want to hack into their pages. This is wishful thinking. If you want your site to be protected from someone looking to make unauthorized edits (like a disgruntled former employee hoping to get a measure of revenge on the organization), then make sure that you lock down site access accordingly.
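The paragraph above leaves "strong password" as advice to the site owner; on the CMS side the same advice becomes a policy that is enforced when an account is created, plus storage that does not hand the attacker the password if the account table is ever stolen. The following added example (not code from the original article or from any particular CMS) shows both halves: a policy check with a minimum length, a block on known-common passwords, and a rough entropy estimate, followed by salted scrypt hashing with constant-time verification. The thresholds (12 characters, 50 estimated bits) and the tiny common-password list are assumptions made for the example; a real deployment would use a breached-password list with millions of entries.

```python
import hashlib
import hmac
import math
import os
import string

# Constructed stand-in for a breached-password list (assumption: a real list is far larger).
COMMON_PASSWORDS = {"password", "123456", "admin", "letmein", "welcome", "qwerty"}

MIN_LENGTH = 12      # assumption: policy minimum for CMS accounts
MIN_BITS = 50.0      # assumption: minimum estimated entropy accepted


def estimated_bits(password: str) -> float:
    """Upper-bound entropy estimate: length times log2 of the character pool used.
    It overrates passwords with structure, so it is a floor for rejection, not a score."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def password_findings(password: str) -> list:
    """Reasons a password fails the policy; an empty list means it is accepted."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    base = password.lower().rstrip(string.digits)   # catches "Password1"-style variants
    if password.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        findings.append("appears in the common-password list")
    if estimated_bits(password) < MIN_BITS:
        findings.append("low estimated entropy")
    return findings


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted scrypt hash in a self-describing string so parameters can be raised later.
    n=2**14, r=8 uses 16 MiB per hash, within hashlib's default memory limit."""
    salt = salt or os.urandom(16)
    n, r, p = 2 ** 14, 8, 1
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def create_account(password: str) -> str:
    """Enforce the policy before storing anything; raises on a weak password."""
    problems = password_findings(password)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    print(password_findings("Password1"))
    record = create_account("correct horse battery staple 42!")
    print(record, verify_password("correct horse battery staple 42!", record))
```

The stored string carries its own scrypt parameters, so when hardware gets faster the cost can be raised for new accounts and old records re-hashed at next login without a migration that breaks verification.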