Security Audit 101
Operating a business on the web has always been akin to the Wild West. There are dangers around every corner, and without some basic precautions you could quickly end up on Boot Hill. Even if you do not operate your own site and let someone else handle your business website, be sure to apply some basic precautions and a reasonable amount of care in defining and protecting your data assets.
Believing that the internet is just a big friendly pool of people waiting to do business with you is reckless. Every day, potential threats knock at the door from inside and out, intentionally or unintentionally, and in ways nobody could imagine.
Business owners feel this directly through the daily onslaught of robo-callers. Online, responsible business owners should likewise recognize their business assets and take steps to define and protect them, or wind up at the mercy of endless vulnerabilities.
Annual or quarterly security and policy reviews are highly recommended.
Let’s briefly examine ways your online business might be at risk…
Passwords top our security audit list. Weak passwords are the number one way for your online accounts to be compromised. A weak 7 character password takes an incredibly short 0.29 milliseconds to crack with a dictionary brute force attack on a simple i5 processor. This article on Estimating Password Cracking Times lets you test sample passwords to see whether they would take minutes or millennia to discover. It is recommended that you change passwords regularly and use 12 to 16 characters. If you can’t remember all those passwords, try a password manager such as LastPass.
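To show why the 12 to 16 character recommendation matters, here is an added example (not code from the original article or from Microlinx) of the kind of estimate that password-cracking-time calculators perform: it detects which character classes a password draws on, computes the brute-force keyspace, checks a wordlist first the way cracking tools do, and converts the expected search time to a human-readable scale. The guess rate, the tiny wordlist and the sample passwords are constructed for illustration and are not the article's own figures; the policy check uses the article's minimum of 12 characters.

```python
import math
import string

# Constructed figures for illustration only (not from the article): a hypothetical
# offline guess rate, and a tiny stand-in for the multi-million-entry wordlists
# that real cracking tools try before any brute force.
GUESSES_PER_SECOND = 1e10
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Minimum length the article recommends.
MIN_LENGTH = 12


def charset_size(password: str) -> int:
    """Size of the smallest obvious alphabet an attacker would have to try for this password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 printable ASCII symbols
    ]
    size = 0
    for alphabet, weight in classes:
        if any(c in alphabet for c in password):
            size += weight
    # Characters outside these classes (spaces, non-ASCII) earn no extra credit,
    # which keeps the estimate conservative rather than flattering.
    return size


def entropy_bits(password: str) -> float:
    """Naive brute-force entropy: each position drawn uniformly from the detected alphabet."""
    size = charset_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def seconds_to_crack(password: str, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected offline crack time: a wordlist hit costs at most one pass over the list,
    otherwise on average half of the brute-force keyspace must be searched."""
    if password.lower() in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS) / guesses_per_second
    size = charset_size(password)
    if size == 0:
        return 0.0
    keyspace = size ** len(password)  # exact integer, so no float overflow while multiplying
    return keyspace / 2 / guesses_per_second


def describe(seconds: float) -> str:
    """Human-scale label such as '8.79e-06 seconds' or '2 minutes'."""
    steps = [("seconds", 60), ("minutes", 60), ("hours", 24),
             ("days", 365), ("years", 1000), ("millennia", None)]
    value = seconds
    for name, factor in steps:
        if factor is None or value < factor:
            return f"{value:.3g} {name}"
        value /= factor


def audit(password: str) -> dict:
    """Summary a reviewer can put in an audit report without recording the password itself."""
    secs = seconds_to_crack(password)
    return {
        "length": len(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "crack_time": describe(secs),
        "meets_policy": len(password) >= MIN_LENGTH
                        and password.lower() not in COMMON_PASSWORDS,
    }


if __name__ == "__main__":
    # Constructed sample passwords; none of these should be used anywhere.
    for sample in ("Password", "Tr0ub4d", "x" * 12, "Correct-Horse-Battery-Staple"):
        print(audit(sample))
```

The estimate is deliberately a lower bound: a dictionary word with a digit appended is scored as a dictionary hit only if it is literally in the list, so real tools with rule-based mangling will do better than this calculator predicts, which is one more reason to prefer length and a password manager over clever substitutions.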
Antivirus protection is basic common sense and an absolute requirement. It protects your local machines from outside intrusion. There are many anti-virus services to choose from, including:
- Iolo – System Mechanic
PC Magazine is a great place to find current anti-virus options. There are many.
In the past, almost all sites used the unsecured http:// protocol. This meant that any data submitted through forms could be intercepted by a third party. Last summer, Google announced it would flag all non-https:// sites as “Not secure” for Chrome browser users.
Today you can get a FREE Let’s Encrypt SSL (Secure Sockets Layer) certificate for basic encryption. Paid SSL certificates are recommended for businesses and will run between $50 and $200 per year, a wise investment that shows you care about the security of your transmitted data.
Protecting Web Forms:
One big headache is having to explain to clients that a web form submission they just received is a bogus solicitation. You may be getting several per week, and that is a sign of a basic security problem. An unprotected web form allows automated bots to submit spam directly to your form, as if a human had filled it out and hit send. This can lead to phishing attempts that jeopardize you or your company. There are many free solutions. Google reCAPTCHA v3 is the latest and most popular solution for stopping web bots in their tracks. If it’s not already on your site, or if you are still using v2, CONTACT US and we can help you get it installed.
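Installing reCAPTCHA v3 on the page is only half the job: the form handler on the server must verify the token, or bots can simply post to the handler and skip the widget. Here is an added example (not code from the original article or from Microlinx) of that server-side check in Python. It goes beyond a bare success test by also confirming the action name and hostname, so a token obtained for a different form or a different site cannot be reused, and it fails closed when the verifier cannot be reached. The secret key, action name and hostname are placeholders, and the replies at the bottom are constructed stand-ins for the real siteverify endpoint so the logic runs offline.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Placeholders (not real keys): the secret key from the reCAPTCHA admin console, the
# action name the page's JavaScript passes to grecaptcha.execute(), and your own hostname.
RECAPTCHA_SECRET = "PLACEHOLDER_SECRET_KEY"
EXPECTED_ACTION = "contact_form"
EXPECTED_HOSTNAME = "example.com"
MIN_SCORE = 0.5  # v3 scores run 0.0 (likely bot) to 1.0 (likely human); tune per form


def post_form(url: str, fields: dict) -> dict:
    """Real transport: POST urlencoded fields and decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_recaptcha_v3(token, secret=RECAPTCHA_SECRET, expected_action=EXPECTED_ACTION,
                        expected_hostname=EXPECTED_HOSTNAME, min_score=MIN_SCORE,
                        post=post_form):
    """Return (accepted, reason). Every branch fails closed: a missing token, an unreachable
    verifier, a token minted for another action or another site, or a low score all reject."""
    if not token:
        return False, "missing token"
    try:
        result = post(SITEVERIFY_URL, {"secret": secret, "response": token})
    except Exception as exc:  # network error or bad JSON: do not let the form through
        return False, f"siteverify unreachable: {exc}"
    if not result.get("success"):
        return False, "verification failed: " + ", ".join(result.get("error-codes", []))
    if result.get("action") != expected_action:
        return False, f"token minted for action {result.get('action')!r}"
    if result.get("hostname") != expected_hostname:
        return False, f"token minted for host {result.get('hostname')!r}"
    score = float(result.get("score", 0.0))
    if score < min_score:
        return False, f"score {score:.2f} below threshold {min_score:.2f}"
    return True, f"accepted with score {score:.2f}"


# Constructed siteverify replies (same fields the real endpoint returns) so the logic can
# be exercised offline; the token strings are made up.
SAMPLE_REPLIES = {
    "tok-human":      {"success": True, "score": 0.9, "action": "contact_form", "hostname": "example.com"},
    "tok-bot":        {"success": True, "score": 0.1, "action": "contact_form", "hostname": "example.com"},
    "tok-replayed":   {"success": True, "score": 0.9, "action": "login",        "hostname": "example.com"},
    "tok-other-site": {"success": True, "score": 0.9, "action": "contact_form", "hostname": "other.example"},
    "tok-expired":    {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def fake_post(url, fields):
    """Offline stand-in for post_form: looks the token up in SAMPLE_REPLIES."""
    return SAMPLE_REPLIES[fields["response"]]


def check_sample(token: str):
    """Run the verifier against the constructed replies."""
    return verify_recaptcha_v3(token, post=fake_post)


if __name__ == "__main__":
    for tok in ("", *SAMPLE_REPLIES):
        print(f"{tok or '<none>':16} -> {check_sample(tok)}")
```

In production, drop `fake_post` and let `post_form` talk to the real endpoint: the handler passes the token field the page posts (conventionally `g-recaptcha-response`) to `verify_recaptcha_v3`, discards the submission when the first return value is False, and logs the reason for your own review rather than showing it to the submitter.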
You’ve heard the term, but how does it relate to your website? Think of having no firewall as leaving the door to your home or business wide open 24/7, with nothing to stop anyone in the world from coming in. Sometimes those visitors arrive so fast that your business fills up in seconds, shutting down all operations. This is called a DDoS attack: a flood of robotic visitors designed to do just that, shut you down.
There are many possible firewall solutions, but the most affordable is Cloudflare. As the name implies, Cloudflare is a cloud-based security AND caching service that offers the ability to block entire countries and bad actors while also improving your website’s speed.
Email Security, Disclaimer Notices:
This is one important issue that all but the most diligent companies overlook. Healthcare providers and attorneys typically tag their email correspondence with privacy and confidentiality disclaimer notices. This is a warning to anyone who might inadvertently or otherwise receive sensitive information. It is not restricted to email sent from a PC; it should also apply to any email sent from a web form that you consider sensitive or confidential. Failing to include these notices is like working without a net. The solution is easy: add your desired notices to your email signature, or, for web forms, to the form template.
Service Policies, Terms and Conditions:
Every company that uses the internet should display a link to its Terms of Service, or ToS. This is not something I can personally offer advice on, since that is entirely up to your company and its legal department. A basic ToS displayed on your site can protect you if a company decides to take action over even the smallest perceived act, especially for those who voluntarily choose to use your services. There are several free services that will generate terms and conditions for you.
For example, Microlinx Technologies LLC displays a Terms link at the bottom of every page of our site, including provisions for the use of the site and the services we provide, to give transparency to those deciding to use our site or services.
If you do business internationally, you need to comply with the new GDPR (General Data Protection Regulation), designed to harmonize privacy policies across the European Union. Consult your legal department, or use a site that can generate the proper policy statement for your business. Many are free services.
Digital Asset Ownership:
When you use third-party services, your domain names and server can be owned by the provider and rented back to you. This reliance means that you are at the mercy of the third party’s terms of service, and you risk the service going out of business or simply becoming unavailable. This is more common than you may think. You should always own your domain names in a single business account (GoDaddy is a great choice and provides Pro access for web designers) AND, if possible, get hosting directly from a data center, not through a web designer. However, because most clients don’t want to wade through all the technical complexity, they opt for hiring one party to do it all. If that is the case, get written agreements; otherwise the browse-through terms of the web designer will typically be the only terms enforceable.
In conclusion, using these basic guidelines to perform security audits at regular intervals is the key to a safe and successful online business.
Disclaimer: This article is informational only and NOT legal advice in any way. See our terms of service.