Five Tech Capabilities to Shape Your SMB Website Security Strategy in 2021
Website security may not cross your mind at all moments of the day, but that doesn't mean it shouldn't be a top priority.
Isn’t it great? Your website seems to be a well-oiled machine: it has top-ranking content, no broken forms or shopping carts, quick-loading pages, and it helps your organization achieve critical business goals. Website security crosses your mind every once in a while, such as when someone else’s outage or breach makes headlines, but your organization is small enough that hackers won’t take aim. ...right? Wrong! Sadly, well-intentioned small- to medium-sized business (SMB) leaders are misinformed or apathetic about website security, and their organizations suffer from business-draining cybersecurity attacks. Lack of attention to website security is the quickest path to becoming a hacker’s next victim. But lack of attention does not equate to a lack of importance. Website security is critical, regardless of your business’s size.
Danger Ahead: Widespread Web Security Negligence
SMB business leaders are busy, and once a website is up and running, it’s a quick thing to mark off as ‘done’ and move on to other tasks. Website security is not usually a top concern until it’s too late. Alarmingly, nearly half (48%) of small- to medium-sized business leaders think that their organization is too small or too unimportant for hackers to notice. The harsh reality is that any website or cloud-based system is a target. Hackers often use automated scanning tools to find vulnerable websites without regard for the size of the business running the website. In Sectigo’s State of Website Security and Threat Report, January 2021, we learned that 50% of SMBs experienced a website breach (and those are just the breaches they know about) and 40% are attacked every month. The most common attacks are malware injection, data breaches, and brute force login attempts, though many new and increasingly sophisticated threat vectors exist. And all are frequently successful.
The consequences of a website attack are severe. Organizations under fire are at risk of losing revenue, customers, productivity, search engine rankings, intellectual property, and reputation. 60% of SMB website attacks resulted in site outages, and more than a third incurred revenue loss. Organizations also risk fines and even lawsuits related to data breaches.
Despite the risk, the report found that only 30% of SMBs believe they are vulnerable to online threats--including those businesses that have recently experienced a breach. It’s clear that SMBs are overconfident and do not consider their websites to be vulnerable, despite how vital their online presence is to their success.
This is a battle between perception and reality of epic proportions. It’s not a question of if your site will be probed for vulnerabilities. It’s a question of when and how often.
Evolve Beyond the “It Won’t Happen to Me” Mindset
When website security is not prioritized, your organization is exposed to risk of significant losses. The good news is that by turning your focus to five simple, automated technologies, your website managers and owners can achieve big-business web security and peace of mind using SMB resources.
1. Keep Your Tech Updated
When choosing a tech stack for your website, it's imperative that it gets proactively updated and patched to ward off vulnerabilities before they can be exploited by cybercriminals. For example, automated CMS patching, such as auto-updates to WordPress or Magento, prevents hackers from sneaking in between updates or exploiting vulnerabilities in older versions of the systems. It's critical to update the core site version and any plugins to the latest revision quickly after it is released. Pay extra attention to areas on your site that request user input, such as registration forms, where many attacks occur. There are sharks in the water, and they are circling easy targets that don't perform timely updates.
2. Proactively Detect Malware and Vulnerabilities
There's a big difference between being alerted when something is wrong and having the knowledge to stop an incident before it begins. Search engines infamously blacklist websites that show signs of vulnerabilities, and it's challenging at best to earn back their trust. This is just one example demonstrating why SMBs must be proactive in detecting and averting malware and vulnerabilities.
There are many easy-to-implement tools in the market that will continuously scan for vulnerabilities on your website. For example, if your site is hosted on a Linux server, you can run scans with built-in tools such as Netstat to find any open ports from within the server. Another way to detect if there are problems with malware on your site is to monitor emails that are sent on behalf of your site. Attackers sending spam under your website's domain is more common than you may think.
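The open-port check described above can be automated by comparing what the server is listening on against the ports it is supposed to expose. The following is an added example, not part of the original article; the expected-port list and the netstat output are constructed for illustration.

```python
import ipaddress
import subprocess

# Ports this web server is meant to expose (assumption for the example).
EXPECTED_PUBLIC_PORTS = {22, 80, 443}

# Constructed sample of `netstat -tln` output, not taken from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
"""

def parse_listeners(netstat_output):
    """Return (address, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # header lines and non-listening sockets
        address, _, port = fields[3].rpartition(":")  # handles ":::443" and "::1:25"
        listeners.append((address, int(port)))
    return listeners

def unexpected_exposure(listeners, expected=EXPECTED_PUBLIC_PORTS):
    """Listeners reachable from other hosts on ports that are not expected."""
    findings = []
    for address, port in listeners:
        if ipaddress.ip_address(address).is_loopback:
            continue  # bound to localhost only, not reachable remotely
        if port not in expected:
            findings.append((address, port))
    return findings

def scan_local_host():
    """Run netstat on this server and return its unexpected listeners."""
    result = subprocess.run(["netstat", "-tln"], capture_output=True, text=True, check=True)
    return unexpected_exposure(parse_listeners(result.stdout))

if __name__ == "__main__":
    for address, port in unexpected_exposure(parse_listeners(SAMPLE_NETSTAT)):
        print(f"unexpected listener on {address}:{port}")
```

In the sample, the database on 127.0.0.1:3306 is ignored because it is bound to localhost, while the service on 0.0.0.0:6379 is reported because it accepts connections on every interface and is not on the expected list.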
3. Tool Up to Remove Discovered Threats
You uncovered a vulnerability in your MySQL database, website files, or another core component of your website. Now what? Don't get caught with the knowledge of a threat only to have no way to counter the attack. Prepare for remediation, that is, removing the threat. Your website admins rely on remediation software that can immediately remove active vulnerabilities without disruption. Make sure you choose a tool that prioritizes business continuity in the event of needing to remove a discovered threat.
4. Perform Automated Backups
If your website succumbs to a cyberattack, your backups are your insurance policy and the key to your recovery plan. Gain the peace of mind that if your website is suddenly unavailable, you will quickly be able to restore your website to the correct version, with all of its data intact. Version control software is widely available, and many hosting services have plans that periodically perform database backups and snapshots. Effective backup and restore tools are critical to any connected business to reconstruct lost information quickly.
5. Automate TLS/SSL Certificates
“Identity” is a critically important concept for websites. Your website visitors need to be confident that they are on your secure website and haven’t landed on a spoofed or unknown site. Digital certificates (visible as a padlock in many browsers) help visitors know that the personal information they enter is only being shared with your authentic and verified site.
The rise of security automation has made it considerably easier to issue, renew, and maintain TLS/SSL certificates, meaning that small businesses can enjoy the benefits of identity security with minimal management. Multiple levels of SSL certificates are available through hosting providers or Certificate Authorities themselves. Many products will alert website owners about the need to renew the certificate, and some even enable SSL “subscriptions” that ease the process. For web pages that collect sensitive personal data or financial information, it’s wise to upgrade from a Domain Validated (DV) to an Extended Validation (EV) certificate, which provides the highest level of trust available.
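The renewal alerts mentioned above come down to comparing each certificate's expiry date with a threshold. The following is an added example, not part of the original article or of any vendor's product; the 30-day threshold, hostnames, and dates are assumptions constructed for illustration.

```python
import socket
import ssl
import time

RENEW_WITHIN_DAYS = 30  # assumed alert threshold, adjust to your renewal process

def days_remaining(not_after, now=None):
    """Whole days until a certificate's notAfter time (negative once expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def classify(not_after, now=None, threshold=RENEW_WITHIN_DAYS):
    """Return 'expired', 'renew' or 'ok' for one notAfter value."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    return "renew" if left <= threshold else "ok"

def fetch_not_after(host, port=443, timeout=5):
    """Fetch notAfter from a live site, with normal certificate verification."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def renewal_report(inventory, now=None):
    """Map {hostname: notAfter} to [(hostname, days_left, status)], most urgent first."""
    rows = [(host, days_remaining(na, now), classify(na, now))
            for host, na in inventory.items()]
    return sorted(rows, key=lambda row: row[1])

# Constructed inventory (hypothetical hostnames and dates), evaluated as of 1 Jan 2021.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2021 GMT")
SAMPLE_INVENTORY = {
    "shop.example.com": "Jan 21 00:00:00 2021 GMT",
    "www.example.com": "Jun  1 00:00:00 2021 GMT",
    "old.example.com": "Dec 25 00:00:00 2020 GMT",
}

if __name__ == "__main__":
    for host, left, status in renewal_report(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{status:8} {left:4d} days  {host}")
```

Because `fetch_not_after` verifies the certificate, a site whose certificate has already expired raises `ssl.SSLCertVerificationError` during the handshake, which a scheduled job should treat as an alert in its own right.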
Don't Fall Victim to the Next Breach or Outage
Cyberattacks are rising in number much faster than SMB leaders are preparing for them. It’s critical to protect your organization from the catastrophe that follows by keeping your tech updated, proactively detecting malware and vulnerabilities, tooling up to remove threats, performing backups, and automating TLS/SSL certificate management and renewal. While cyberattacks may never end, there are many resources and technologies available so you can be prepared for anything. The web is ever-evolving and growing, and so should your organization’s website security.