I just came back from the annual convention of the Sheet Metal and Air Conditioning Contractors’ National Association (SMACNA) in beautiful Colorado Springs, Colorado. SMACNA asked me to talk about digital threats to businesses.
A big threat is clearly the potential for a company’s website to be hacked. Even if a website doesn’t contain any private or confidential information, hacking can lead to defacement, loss of reputation, lost revenue, lost leads, and lost staff time. What can you do to keep your website secure? My IT team will tell you there are a thousand and one things to do, but here are some easy things to check on.
Keep Your CMS Software Updated
I’ve mentioned it before, and I’ll mention it again. These days, software vendors issue releases and patches on a regular basis. Not upgrading your CMS because you don’t have budget or because you don’t “need” the new functionality in the new version is a mistake. Most of these upgrades contain important patches to security vulnerabilities.
Audit Admin Accounts Regularly
When a staff person or volunteer leader leaves, organizations often fail to disable accounts in content management systems. But these accounts could be a possible attack vector, especially if the person left on bad terms or the password is weak.
Require Strong Passwords
Most systems these days do not allow short or weak passwords, but it’s still common for us to find client passwords that are short, weak or obvious. Even if the CMS allows a password like “password” or “ABCadmin,” educate your staff about what a strong password looks like and explain the consequences of a website breach.
Invest in a Web Application Firewall
Most of us are familiar with IP firewalls, which inspect and filter out traffic based on IP addresses. A web application firewall (WAF) inspects incoming HTTP requests, checks to make sure the destination URL is not being spoofed, checks for SQL injection and cross-site scripting attacks, disallows certain types of requests, and much more. WAFs often add to your monthly hosting fee and can result in false positives (which show up as errors when accessing a web page), but we think the costs and inconveniences are well worth it.
Disable Services You Don’t Need
This last recommendation often requires the cooperation of your hosting company. For example, if you never FTP into your server, turn off FTP. If you don’t allow uploads from the web through the CMS, disable uploads. And never allow uploaded files to be executed from directories that accept uploaded files.
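As an added illustration of that last point (not from the original post, and not a configuration from any particular hosting company), here is an Apache configuration for a CMS upload directory. The path /var/www/site/public/uploads is an assumed example; the first block shows the risky default many CMS installs end up with, the second shows the hardened version.

```apache
# --- Risky (assumed default): uploads directory treated like any other web directory ---
# Anything that lands in the uploads folder with a script extension is run by
# the server, and an uploaded .htaccess can re-enable handlers the host turned off.
<Directory "/var/www/site/public/uploads">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
    Require all granted
</Directory>

# --- Hardened: serve uploads as inert files only ---
<Directory "/var/www/site/public/uploads">
    # No directory listings, no CGI execution, no following of symlinks
    # that could point back into application code.
    Options -Indexes -ExecCGI -FollowSymLinks

    # Ignore any .htaccess an attacker manages to upload; all rules live here.
    AllowOverride None

    # Detach server-side handlers for this tree (mod_php and CGI).
    # php_admin_flag only applies when PHP runs as an Apache module;
    # with PHP-FPM the php handler is removed by the RemoveHandler/SetHandler lines.
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
    RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps .phar .cgi .pl .py .sh
    SetHandler none

    # Belt and braces: refuse to serve script-like files from here at all,
    # even as static downloads, so a renamed payload is never reachable.
    <FilesMatch "\.(php|phtml|php[0-9]|phps|phar|cgi|pl|py|sh|htaccess)$">
        Require all denied
    </FilesMatch>

    # Everything else (images, PDFs, documents) is served as static content.
    Require all granted
</Directory>
```

After reloading Apache, a quick check is to drop a harmless test file named test.php containing only a comment into the uploads folder and confirm the server answers with 403 rather than executing or serving it.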
At Matrix Group, we think of security in layers. We put in place layer upon layer of security so that even if one layer is breached, other layers help protect services and data.