No one wants their website hacked. As web developers and website hosts, we do our best to prevent it from happening. However, it seems inevitable that hackers will strike, and even government is not immune. No matter the size of your business, you need to be risk-averse and have a risk management plan in place so that if and when it happens, you are ready to get the website working again as soon as possible.
How to Prevent a Hacker
How do you prevent a hacker in the first place? There are three main things you need to watch out for:
Use Secure Passwords
A hacker often gains entry to your site via an exposed password. Several sites look for common breaches, but I highly recommend Have I Been Pwned: https://haveibeenpwned.com/. It is free to sign up, and it will help you monitor whether your email address or phone number has been exposed in a breach. If you are hacked, or think you may have been hacked, reset your password immediately.
Tips for using a secure password
First, you shouldn’t reuse the same password, and you should use a random series of letters, numbers, and characters. Here is an example: 3o(t&gSp&3hZ4#t9. The problem is, how can you remember that?
There are several password storage manager apps available. C-Net has a roundup of the best password managers to use. However, if you don’t want to go that route, here are a few tips on creating unique passwords:
- Never use your name, your address, or the names of your pets, children, or grandchildren.
- At a minimum, include both letters (upper and lowercase) and numbers.
- Never reuse a password.
- Use the first letters of the words or the first letter in a sentence.
- Example: The Quick Brown Fox Jumps Over The Lazy Dog would become: THqUiBrJmpSOvLzydG.
- Try not to repeat letters or numbers. If you need to repeat, consider using a number or symbol instead.
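The tips above can be checked and applied mechanically. The following Python sketch is an added example, not part of the original article: `check_password` and `generate_password` are hypothetical helper names, and the symbol set and 16-character default length are assumptions.

```python
import secrets
import string

SYMBOLS = "!#$%&()*+-=?@^_"          # assumed symbol set
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def check_password(pw, personal_terms=(), previously_used=()):
    """Return the tips from the list above that `pw` breaks (empty list = passes)."""
    problems = []
    lowered = pw.lower()
    # Tip: never use your name, address, pets' or family names.
    if any(t and t.lower() in lowered for t in personal_terms):
        problems.append("contains a personal name or address term")
    # Tip: include upper case, lower case and numbers at a minimum.
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)):
        problems.append("needs upper case, lower case and a number")
    # Tip: never reuse a password.
    if pw in previously_used:
        problems.append("reuses an earlier password")
    # Tip: try not to repeat letters or numbers.
    if len(set(pw)) < len(pw):
        problems.append("repeats a character")
    return problems


def generate_password(length=16, max_tries=1000):
    """Draw characters from the OS CSPRNG until a candidate passes every tip."""
    if length > len(ALPHABET):
        raise ValueError("length exceeds the number of distinct characters")
    for _ in range(max_tries):
        pool = list(ALPHABET)
        # Popping from the pool samples without replacement, so nothing repeats.
        pw = "".join(pool.pop(secrets.randbelow(len(pool))) for _ in range(length))
        if not check_password(pw) and any(c in SYMBOLS for c in pw):
            return pw
    raise RuntimeError("no candidate met the rules")


if __name__ == "__main__":
    print(generate_password())
    # Constructed sample: a pet name plus a year fails the personal-term tip.
    print(check_password("Rex2019", personal_terms=["Rex"]))
```

The `secrets` module is used instead of `random` because password characters must come from a cryptographically secure source.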
If you want more tips, take a look at these three articles:
- Avast.com - How to Create a Strong Password and Beat the Hackers | Avast
- C-Net.com - 9 rules for strong passwords: How to create and remember your login credentials
- HowToGeek.com - How to Create a Strong Password (and Remember It)
Regularly back up data
In the event of a breach, you may be able to restore your website or data from a backup version. This will require regular automated backups. At Cube Creative Design, in addition to our server backups, we also perform an offsite, off-server backup of all our clients’ websites, stored in the cloud, adding tremendous value and peace of mind for our clients.
You should install good virus protection on both your server and your personal computer and keep it up to date.
Protect Merchant Gateways
If you take payments online, use a good hosting company that works with and understands merchant gateways. Alternatively, you can use something like PayPal, which puts the burden on them.
What to do After You are Hacked
In the event you are hacked, here is what you need to do:
- Reset all passwords
- Check your personal computer system
- Verify all account details
- Let your contacts know that you have been hacked
- Run a scan of your servers
Check and Increase Your Security
Run a security audit on your site, checking for problems.
Once you have restored your site from a backup, add plugins to help manage your website security. Some programs offer a free website audit and firewall protection.
Check your antivirus software to make sure that it isn't the hacker's entry point. Never google free antivirus software as it may contain a virus.
Pay for a malware program that will help monitor your website, such as Sucuri.
Stay Ahead of Issues
Unfortunately, every business is at risk of experiencing a security breach. As I mentioned earlier, it will help you deal with the situation appropriately if you have a detailed data response and recovery plan. Once you have created your plan, it should also be updated regularly. Some experts recommend that you tell your clients that your site was hacked. What data you collect and store should determine whether that is necessary. If in doubt, be transparent and alert your clients.
How to Identify a Breach
You can't recover from a data breach unless you know it has occurred. Sometimes we don't realize for a few months and find the company's data being sold on the black market. You may be tipped off to a security problem by strange programs or websites asking for your credentials. If malware is discovered, you will want to be sure that no data was compromised.
Following a Breach
If a serious breach has occurred, you may need to retain a forensic investigator to analyze electronic equipment and data. The investigator will advise your company of any legal obligations to notify clients, which will sometimes be necessary. If you have held off doing this initially, you may have to do it now. The investigator will also advise you of the best way to present the facts. You are paying him a lot of money, so use his expertise.
Informing Affected Parties
Companies should send clear and concise notification letters that tell affected businesses what to do and how to protect themselves from identity theft. Offer a remedy like limiting liability regarding their financial data if you are accepting financial transactions.
Secure Your Assets
As mentioned earlier, once you have changed your passwords and checked your account, check your social media accounts. Facebook and other accounts should be carefully checked. Update all your security, anti-malware, and antivirus protection. Pay for new antivirus protection if necessary.
Preventing Future Breaches
When you have had a data breach, it takes a while to get back in control. Use the horrible experience to enhance your risk management strategy, as most things can be strengthened and improved to prevent another incident from occurring.
Do some staff training around ways to minimize risk and avoid future breaches. Your employees will soon learn to recognize clues indicating compromised information. Unfortunately, we live in a world where there will be more breaches, so use them as a learning experience to build on your security.
Conclusion
Do a sweep of all equipment in the office to find any malware and security holes. Put it on your WH&S (work, health, and safety) agenda so that a different staff member conducts an audit every month. If everyone feels responsible for identifying security breaches, you will be able to respond more effectively when one occurs, lessening the impact on your business and stress levels.