How to Keep Your Business Safe Online
Posted By Jack Ricketts
Protecting personal data is one of the biggest responsibilities you have to shoulder as a website owner. Did you know that 53% of businesses have reported being impacted by cyber-security breaches? *1 Many business owners aren't taking enough steps to protect themselves or their customers and are leaving themselves at risk of being easy targets.
Read on for some of the actions you can take to ensure you’re doing the right things.
Protecting from Attack
Attackers can do anything from infecting your computer with malware, to intercepting your credit card details, and they are constantly coming up with creative new ways to get hold of your data. You need to make their life as difficult as possible and by doing so, you ensure you’re not an easy target for them.
Here are a few things you can do:
Install Security Software
When you bought your laptop or computer, someone may have spoken to you about protecting your machine and most likely tried to sell you their recommended software. While you may not have liked their sales spiel, it is important to have some kind of protection against malware.
So what is malware? Malware is software created to damage, disrupt or gain unauthorised access to a computer system. It comes in many forms, such as trojans, viruses and spyware. You can read more about the different types of malware here. Regardless of how it gets onto your computer or why it’s there, you can be sure that it will cause you problems.
This is where security software comes in useful, because it can detect, prevent and (to an extent) remove malware. There are some great free versions available (such as MalwareBytes), and the premium products add some brilliant extra features.
As a website owner, your data could be compromised by malware, so it’s important to scan your computer regularly, and especially whenever it behaves in an unusual manner or does things you don’t expect. Being proactive and setting up a security suite gives you peace of mind that your system is protected.
Strengthen Your Password
If you’ve heard it once, you’ve heard it a thousand times. Your password is your first line of defence against attackers. Despite how cliché it is to go on about the strength of your password, Google released a study last year showing that hackers are still swiping around 250,000 passwords a week. *2
This is down to people still opting for easy-peasy, plain-text passwords like “Password123”, “123456” or “Qwerty1”. Those are three examples, but there is a whole list of passwords that have been hacked previously. You can check to see if your password is on the list here. It has been estimated that over 70% of people are still using passwords that have been previously hacked. If it has been hacked before, it can be hacked again!
Struggling to come up with a strong password that’s memorable? Here’s a nifty trick to get you started:
- Think of a phrase at least 8 words in length, for example “I really fancy eating a slice of pizza”
- Take the first letter of each word
- Capitalise two letters
- Switch one letter to a number
- Switch one letter to a symbol
Because hackers use dictionary programs to pick out words and common phrases, this password is less likely to be guessed.
Of course, you then have the job of remembering it, but there are password manager programs available that can store all your passwords for you.
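The two checks described above (is the password on a list of previously breached passwords, and is it just a dictionary word with a digit or two tacked on) can be automated when a user sets a password. The example below is added here and is not code from the original post or from Create; the three-entry breached list, the short dictionary and the `vet_password` rules are constructed for illustration. Breached-password lists are normally distributed as SHA-1 hashes rather than plain text, which is why the comparison is done on hashes.

```python
import hashlib
import re
from typing import List

# Constructed stand-in for a breached-password list. Real lists are published as
# SHA-1 hashes so the plain text never has to be stored; these three entries are
# the examples quoted in the post.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123", "123456", "Qwerty1")
}

# Constructed mini-dictionary of the kind of words attackers' wordlists contain.
COMMON_WORDS = {"password", "qwerty", "welcome", "letmein", "admin"}


def is_breached(password: str) -> bool:
    """True if the SHA-1 hash of the password is on the breached list."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def vet_password(password: str) -> List[str]:
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if is_breached(password):
        problems.append("appears in a previous breach")
    # Strip trailing digits/symbols and check whether what remains is a dictionary
    # word: this catches the "Password123" and "Qwerty1" pattern.
    stem = re.sub(r"[\d\W_]+$", "", password).lower()
    if stem in COMMON_WORDS:
        problems.append("dictionary word with digits or symbols appended")
    if password.isdigit():
        problems.append("digits only")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def passphrase_initials(phrase: str) -> str:
    """First letter of each word: the starting point of the mnemonic trick above.
    The capitalisation and number/symbol swaps are then done by hand."""
    return "".join(word[0] for word in phrase.split())


if __name__ == "__main__":
    for candidate in ("Password123", "123456", "Irfe@s0p"):
        print(candidate, "->", vet_password(candidate) or "ok")
```

`Irfe@s0p` is what the post’s pizza phrase becomes after the four edits; it passes every check, while the three quoted passwords each fail several.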
Don’t Share Your Login Details
So you’ve created a sucker-proof password. No one is getting past it. You’ve got it completely under wraps… But then you give it to someone so that they can, for instance, log into your business bank account and make a payment. You have to trust that this person will follow the same strict measures as you do to protect the information they now have access to. Not only that, but you could be in violation of the terms and conditions you have agreed with your bank.
Where possible, always provide people with the means to create their own separate login to access any software or sites you use.
This ensures that:
- Any activity conducted under separate logins can be monitored.
- Any sensitive data is protected under your own login details.
- They can’t change your password and take control of your accounts.
- You will be more compliant with GDPR and PCI DSS.
If you are giving out your password to people, you are taking a risk with your sensitive data, especially if you use that password to log into other online accounts and software. When you are faced with the consequences in business, it is not enough to just “trust” someone with your password. You need to be able to take action if that trust is misplaced.
If you use Create, our Website Administrators Feature is a great example of how you can work with someone without compromising your own login details. You are able to delegate site responsibilities, block access to certain pages and invite admins to create their own login details. This keeps you compliant with the standards and keeps everyone’s data safe.
Know How to Spot Phishing Attempts
Have you ever had an email that looks like a well-established business is telling you to click through a link? But then there are misspellings everywhere and their email address doesn’t match up with what you would expect? This would be a phishing email and you are right to be suspicious.
So what is phishing all about? In most cases, a fraudster creates a website and mailshots hundreds of people in an attempt to get them onto this website, where they are prompted to enter some of their details. A common phishing email tells you that your account details have been compromised somewhere and asks you to confirm them. It can look very legitimate, but there are some things you can do to check an email’s authenticity:
- Check their email address - If they are using PayPal's logo but their email is something like zXY24@paypa1.com, you can assume something is off. Look out for letters that have been changed for numbers, and randomly generated sequences of letters, numbers and symbols.
- Look out for misspellings - In a lot of cases, these emails are riddled with misspellings. A reputable company simply would not stake their reputation on bad spelling and grammar. This is one of the most common indicators of a phishing email.
- Contact the company by phone - They will be able to confirm whether or not the email is genuine.
By no means should you click any links in an email you are unsure of. This is another way that your computer could be infected with malware. In fact, according to the Verizon 2018 DBIR, 92.4% of all malware attacks arrive via email.
If you find yourself on a new website that you are unsure of, there are a few more tricks you can use to check if they are phishing for your details:
- Check that the URL is what you would expect - Like in the emails, if the URL for what you expect to be amazon.com turns out to be amaz0n.com, you are on a phishing website.
- Check to see if they have SSL Encryption - You can tell if they do by the start of the website’s URL. Check to see if the URL starts with https:// as opposed to http://
- Don’t trust any pop-ups asking for information - They have been cropping up on legitimate websites as well. It is better to search for a secure page with terms and conditions than to enter any information into a pop-up.
- Use fake information - Some phishing websites give the game away by letting you in once they think they have your information, or by doing something odd. Others display an error message regardless of what you enter.
- Use an anti-phishing browser or install a plug-in - All the reputable browsers will have options available to protect you from suspicious websites.
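The sender-address check in the email list above and the first two website checks (is the domain what you expect, is the page served over https) are the same test applied to two inputs, and they lend themselves to a small filter. The example below is added here and is not code from the original post or from Create; the trusted-domain list and the digit-for-letter substitution table are constructed for illustration, and `registrable_domain` takes only the last two labels of a host, which is right for `.com`-style names but not for suffixes like `co.uk`.

```python
from urllib.parse import urlparse

# Constructed list of the domains you expect these brands to write from.
TRUSTED_DOMAINS = {"paypal.com", "amazon.com"}

# Digit-for-letter swaps that make a lookalike domain read like the real one
# ("paypa1.com", "amaz0n.com"); constructed for this example.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host):
    """Last two labels of a host name. Good enough for .com-style names; a real
    filter would use the public suffix list to handle e.g. co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host):
    """'trusted' if the domain is on the list, 'lookalike' if it only matches
    after undoing digit-for-letter swaps, otherwise 'unknown'."""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if domain.translate(CONFUSABLES) in TRUSTED_DOMAINS:
        return "lookalike"
    return "unknown"


def check_sender(address):
    """Classify the domain part of an email sender address."""
    domain = address.rsplit("@", 1)[-1]
    return classify_domain(domain)


def check_url(url):
    """Warnings for a link, following the post's URL checks: https scheme and
    a domain that is the one you expect rather than a lookalike."""
    warnings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        warnings.append("not https")
    verdict = classify_domain(host)
    if verdict == "lookalike":
        seen = registrable_domain(host)
        warnings.append("lookalike domain: %s imitates %s" % (seen, seen.translate(CONFUSABLES)))
    elif verdict == "unknown":
        warnings.append("unexpected domain: " + host)
    return warnings


if __name__ == "__main__":
    print(check_sender("zXY24@paypa1.com"))          # the post's example sender
    print(check_url("http://amaz0n.com/login"))       # the post's example URL
    print(check_url("https://paypal.com.example.net/"))
```

The third call shows why the check works on the registrable domain rather than on whether the brand name appears anywhere in the host: a brand name used as a subdomain of somebody else’s domain is still "unexpected".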
Of course, this doesn’t just happen to individuals. According to the Wombat 2018 State of the Phish Survey *3, 76% of organisations reported that they had experienced phishing attacks in 2017.
That’s a very large portion of businesses that have, at the very least, come across a phishing email. In some cases, they are extremely difficult to spot. That’s why it’s important to be vigilant and have a procedure in place in case of attack. Following the points above and making sure the people you work with know how to detect a phishing attempt will help to keep your sensitive data safe.
We go into more detail about combating phishing emails and spam in this post.
Secure Your Website with SSL Encryption
Even if you haven’t heard of SSL, I’m sure you have seen the effects of it. Look at the top left of your screen in the web URL box. You see the green padlock? That means the website has SSL encryption enabled. If it’s not there, it tells you that the page you are on is not secure either in grey or red with a warning sign. You should always check for this green padlock before you enter usernames and passwords into a website and when you’re completing a purchase in a checkout.
SSL stands for “Secure Sockets Layer” and keeps the connection between the browser and the server private so that information exchanges can’t be intercepted. Think of it in terms of having a conversation. If you have a conversation out in the open, anyone can listen in and use what you’re saying. If you take your conversation into a private room and lock the door, nobody can “intercept” what you are saying. It’s completely private. This is why it is so important to have SSL encryption throughout a checkout process. You don’t want someone sitting between you and your customer in the middle of a transaction, gathering all the data!
SSL encryption has become an important trust factor to online shoppers, and is a key indicator that the website they are buying from is reputable and safe. According to a GlobalSign Survey, 84% of online shoppers abandon a purchase if they see that data is being sent over an unsecured connection. Your customers have come to expect this and will be actively looking to see if you have taken the steps necessary to make sure their data is protected.
Google is also taking SSL very seriously and gives websites that have this encryption a boost in the search rankings, and we believe for good reason. We want to work towards a world wide web that is completely secure, where people can browse without fear of their information being intercepted.
If you use Create and haven't enabled SSL yet, read our step by step eBook which talks you through the change and what to do. Download your copy here.
Understanding GDPR and PCI DSS
GDPR and PCI DSS are two very important standards that relate to protecting customers’ data online. They are a couple of daunting subjects, but we’ve broken them down as simply as we can for you. It’s important to know and understand how these standards affect your business so that you are handling your users’ information in a lawful way.
GDPR stands for the General Data Protection Regulation and is set out by the EU to keep data protection law the same across all member states. This regulation came into effect on the 25th of May 2018 and sent lots of businesses straight into panic mode because of the heavy fines associated with non-compliance.
In truth, the concept is quite simple to grasp. The GDPR gives customers the right to access, amend and delete their information from your database. It helps to make business practices transparent to customers, whereas before it wasn’t always clear how your data would be handled by different organisations.
If you hold information about any person from the EU who uses your website, you need to hold that information in a way that complies with the GDPR. It doesn’t just apply to countries within the EU, which is why you might have found that some websites from across the water are no longer available to us. It’s because they would rather wash their hands of it!
The regulation takes into account two roles:
- Data Processors - organisations that process and collect data on behalf of the Data Controller
- Data Controllers - the company that then holds the data and controls what happens to it
If you have a website, and you are collecting information about your visitors, that would make you a Data Controller. The IT company that makes it possible for you to process and collect that information would be the Data Processor.
As the Data Controller, it is your responsibility to safeguard the data and to know how the data you are collecting is being processed. Not only that but as the Data Controller, you have to be the point of contact for the users if they want to access or change that information. All this needs to be done in a transparent way so users know exactly how their data is handled.
PCI DSS stands for Payment Card Industry Data Security Standard. If you are taking card payments online, then it is something you need to be aware of and have signed up to.
PCI DSS requires that all companies that process, store or transmit card information maintain a secure environment in which to do so.
In simple terms, PCI DSS asks you to fill out a self-assessment outlining how payment information is collected, used and stored: who is involved in taking that payment, which payment gateways are being used, what information is being stored and who can access it, along with other questions covering who is involved in the process and how.
Once you have answered these questions, the document asks you to detail the measures you are going to implement to protect cardholder information. If you take the time to fill this document out properly, it will work as a safeguard, showing that you have recognised where responsibility lies and the measures you have taken to prevent breaches where possible.
What’s your next step?
Bookmark this blog post, work through all the steps and actions that we've set out above and don't forget, if you have a website with Create and you're not sure how this applies to you, your Account Manager is on hand to help.
What security concerns do you have when it comes to doing business online? Share your thoughts with us below.