technology, music, food & wine

JEZ JOHN’S PERSONAL BLOG

- MD OF WEBSTARS LTD
7 productivity tools
that will save you time
(pdf download)

Could your website be compromised or hacked? 7 ways to minimise risk.

Could your website be compromised or hacked? 7 ways to minimise risk.

AAEAAQAAAAAAAAZnAAAAJDA4OTc5ODU2LTQzOTctNDhlYy04NGIxLWJmNjA5Yzk2NmRkMQ

Do I need to worry?

PWC estimate that 90% of large businesses and 70% of small businesses suffered a security breach in 2015 based on a sample of 663 survey results. Whilst it might be argued that anyone who had been compromised is more likely to reply to a survey, it still makes sobering reading and more worringly figures are up year on year.

Who and why?

Hackers will compromise a network or server for a variety of reasons including:

  • Theft of confidential data. (Credit card and personal information)
  • To use the servers resources. (Hosting malware, games servers and bots and stealing VOIP traffic)
  • For the fun of it. (Script kiddies)
  • To disrupt and damage your business (competitors)
  • For political reasons (If your website has political or campaign based content)

 

7 ways to minimise risk

  1. Keep your servers and software patched and up to date. Unless you have strong skills in-house always choose a managed hosting supplier, it may be more expensive but if you use a competent host you will have a team of experts on your side.
  2. Use very strong passwords, and have a password policy to change them if staff leave and at very least every three months anyway. If possible use individual accounts so you have an audit trail and don’t use a single account with a shared user name and password.
  3. Turn off unused services, if you are not updating your site every day block access to ftp. Try to use the most secure version of each protocol, sftp (secure ftp) over ftp provides another layer of protection.
  4. Backup regularly at very least daily, retaining copies for a period of time. We keep daily copies, weekly copies and monthly copies of each site we host. We also retain a monthly backup for at leat 3 months. If you are compromised you can then restore the site using a safe backup.
  5. Have a contingency plan. Worse case scenario if your web hosting account or server is being used to launch attacks against other servers you will almost certainly be switched off. If you rely on your site for business have a defined and tested contingency plan.
  6. Update software, especially open source software, as soon as a security update is available, this includes the core application such as WordPress and plugins.
  7. Use a security scanning / penetration testing service every 3 / 6 or 12 months depending on the nature of your site. We run a penetration test as we launch a website or application then periodically thereafter.

What should I do if I have been hacked?

Don’t panic, careful planning is essential at this stage. If you have a contingency plan now is the time to put it into motion. If you are in certain industries and / or the breach could have exposed personal data to a hacker you will probably want to unplug the server from the network and take a forensic snapshot of the disks and memory to aid in defining the extent of the compromise.

Talk to your host, see if they can see when the compromise occurred by analysing the server logs. Take the site offline and make an immediate backup. Remember that this backup could contain malware or other damaging code but if you need to roll back to a safe version you may need the data between your last safe copy and this backup.

Asses the damage: was it the application (CMS, commerce platform etc….) that was compromised or the server?

Ask your host for their advice. If you are running a VPS or dedicated server you may need to install a clean version of the operating system, secure this and then restore your backup. Remember, if your email is on the same server you will be without email until the restore is complete.

Decide how to notify clients and users. If no data has been compromised this might not be required but make sure you are aware of your legal obligations under the Date Protection Act or if you are registered as a data controller with the Information Commissioner’s Office.

Learning more

If you would like to learn more about how to best protect your website from compromise please connect with me and send me a message.

Alternatively these links contain useful further reading:

https://googlewebmastercentral.blogspot.co.uk/2014/02/3tipstofindhacking.html

https://googlewebmastercentral.blogspot.co.uk/2007/09/quick-security-checklist-for-webmasters.html

Related Posts

5 essential systems you need when starting (or growing) a small business.

Distributed teams – the easy way!

Brexit – 5 things to consider as the dust settles

Why do you need a CRM – 5 tips to choosing the perfect system.

Content © Jez John
×
Close