More and more of our transactions are being carried out online. As a business, you want your clients to have confidence that when they are dealing with your website, their details are going to be kept secure. Data breaches and hacking increasingly make the headlines and these can not only leave you open to penalties under GDPR and other legislation, but they can also damage the reputation of your business and lose you customers.
So, what can you do to make sure your customers’ data is secure and protected when they are using your site?
S for secure
The first step to giving customers confidence in your online security is to ensure that your site has a current security certificate. This means that the site is protected using Transport Layer Security (TLS), so that data travelling to and from it is encrypted. It is also why the site address begins with HTTPS rather than HTTP: the S gives visitors a visual indication that the connection to your site is secure.
In the past, HTTPS connections have been used primarily for payment services, but increasingly all sites are now adopting security certificates to reassure consumers that they are taking security seriously.
Stay up to date
It’s also vital for online security to keep your site’s software up to date. Many sites rely on a content management system such as Drupal or WordPress and can, therefore, be vulnerable to flaws in the underlying software.
Keeping your CMS up to date helps to ensure that your content and your site visitors are properly protected. This applies in equal measure to any other parts of your site including blogs and forums that may use specialist software; you need to keep this up to date too. Any underlying databases must be kept current too.
Blocking attacks
There are some common types of attacks against websites that you need to take steps to block. SQL injection attacks occur when an attacker supplies crafted input through a web form or a URL parameter and that input is passed into a query, giving access to the underlying database. This can be prevented by the use of ‘parameterised’ queries, a feature which is available in most web development languages.
Cross-site scripting (XSS) attacks are another common type. These work by injecting JavaScript into a page, which can then change content or route information back to the attacker. The script can be introduced through unvalidated user-supplied content such as comment threads, so when a user reads the thread, the script runs in their browser and potentially steals their login or other details. You can guard against XSS attacks by having a Content Security Policy (CSP) header which limits how JavaScript can be used on the site.
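The comment-thread case above, as an added example that is not part of the original article: a tiny WSGI handler that escapes stored comment text before rendering it and sends a Content-Security-Policy header on every response, so that even if some markup did slip through, inline script would not be permitted to run. The policy value, the page layout and the sample comments are assumptions made for the demonstration; the sample comments are constructed, including one that contains a harmless script tag.

```python
import html
from wsgiref.util import setup_testing_defaults

# Assumed policy: only scripts served from this origin may run, no inline
# script, no plugins, and <base> cannot be repointed at another origin.
CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"

# Constructed comments as they might sit in a database; the second one carries
# a script tag that must be shown as text, not executed.
SAMPLE_COMMENTS = [
    "Great article, thanks!",
    "<script>alert('xss')</script>",
    "Tom & Jerry say \"hi\"",
]


def render_comment(raw: str) -> str:
    # html.escape turns < > & " ' into entities, so the browser parses the
    # stored text as text rather than as markup or script.
    return '<p class="comment">' + html.escape(raw, quote=True) + "</p>"


def render_thread(comments) -> str:
    body = "".join(render_comment(c) for c in comments)
    return "<!doctype html><html><body><h1>Comments</h1>" + body + "</body></html>"


def app(environ, start_response):
    """Minimal WSGI application: escaped comment bodies plus a CSP header."""
    page = render_thread(SAMPLE_COMMENTS).encode("utf-8")
    start_response(
        "200 OK",
        [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Security-Policy", CSP_POLICY),
        ],
    )
    return [page]


def run_request(path: str = "/comments"):
    """Drive the app with a synthetic request and return (status, headers, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = run_request()
    print(status)
    print("Content-Security-Policy:", headers["Content-Security-Policy"])
    print(body)
```

Escaping on output is the primary defence; the CSP header is a second layer that limits the damage if an escaping gap is ever found. When adopting CSP on an existing site, the `Content-Security-Policy-Report-Only` header lets you observe what the policy would block before it is enforced.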
Strong passwords
Many cyber attacks are made using stolen passwords. People tend to re-use passwords across many sites, so if one is compromised, they become vulnerable elsewhere. As a business, it is hard to influence people’s behaviour. However, you can help by enforcing strong password rules that insist on a minimum length and a mix of character types; this mitigates vulnerability to brute force attacks. You should also look at applying multi-factor authentication to logins.
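The password rules described above (a minimum length and a mix of character types), as an added example rather than anything from the original article. The function reports every rule a candidate password fails so the sign-up form can show the user what to change; the exact thresholds, the requirement for three of the four character classes and the small list of known-compromised passwords are assumptions for this demonstration, the list being a constructed stand-in for a real breached-password check.

```python
import string

# Constructed stand-in for a list of passwords seen in public breaches; a real
# site would check against a much larger set (or a breached-password service).
KNOWN_COMPROMISED = {"password", "password123", "letmein", "qwerty123", "welcome1"}


def password_problems(password: str, min_length: int = 12) -> list:
    """Return a list of human-readable rule failures; empty means acceptable."""
    problems = []

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Character-class mix: require at least three of the four classes so that
    # an all-lowercase word or an all-digit string is rejected.
    classes = {
        "lowercase letter": any(c.islower() for c in password),
        "uppercase letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:
        problems.append("needs at least three character types; missing " + ", ".join(missing))

    # Re-used or leaked passwords defeat length rules, so reject known ones.
    if password.lower() in KNOWN_COMPROMISED:
        problems.append("appears in a list of compromised passwords")

    return problems


def is_acceptable(password: str, min_length: int = 12) -> bool:
    return not password_problems(password, min_length)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "password123", "Winter2024Rocks!"]:
        print(repr(candidate), password_problems(candidate) or "ok")
```

Length does more against brute force than forced symbol substitution, which is why the minimum here is set above the usual eight characters; the compromised-password check addresses the re-use problem the article mentions, since a long password that has already leaked offers little protection.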