The security of your website can often be critical for your business. A website can act as the public face of your business and you may have critical services and information connected to your website.
An interruption to your website may lead to a loss in business revenue and negatively impact your reputation for current and future clients.
Ensuring you maintain the security of your website should therefore form a core part of your business strategy.
However, for many businesses, particularly new ones, the cost of hiring a cybersecurity professional to conduct a security audit or penetration test can quickly add up.
This unfortunately deters many businesses from conducting a security assessment of their website, and the assessment may be delayed indefinitely until budgets are less tight and more resources become available.
While the cost of hiring a security professional may limit parts of a security audit, there is a range of publicly available information and tools that can be used to review your website security and allow you to conduct your own security audit.
A range of security solutions that can be implemented for small businesses, including free vulnerability scanning tools, is detailed in the following post. This can allow you to cover many of the security fundamentals that should be reviewed, with little or no cost other than your time.
Follow Security Best Practices
For operating systems, software, and services, there are many best practice security guidelines that are published, such as through the Center for Internet Security (CIS).
These publications provide a set of security benchmarks, each detailing the issue being addressed and how it can be resolved.
For any of the devices or software that you set up, it is recommended to work through each of the recommended security settings and create a secure environment for your website to operate within.
Review Your Hosting Solution
Your website may be self-hosted or hosted by a third party. Each of these options has some security considerations to review.
Self-Hosting
Your web application will be running on a server and will likely have access to the internet managed by a firewall, and the server may have network access to other devices.
All of the network connections your web server has should be considered from the perspective that at some point the server may be compromised.
In this type of worst-case scenario, access to any other devices and services should be restricted wherever possible to reduce the impact that a compromise may have.
The web server itself should be configured in line with best practices and security guidelines for the operating system that it is running. Similarly, the web service that you are running should also be configured in line with its own set of security best practices.
Where a firewall is in place, this should be set up with a default rule to drop all connections, and then only the necessary connections required for your website and business should be enabled. This ensures that no unnecessary ports and services are exposed to the internet.
Third-Party Hosting
There are many hosting providers available for your business website and there are some key considerations for the security of your site.
How is your website hosted in relation to other websites? A hosting provider will manage multiple websites, and while you maintain the security of your own site, if another website is compromised, this could impact the security of the server, which can have a knock-on impact to your website and business.
Many hosting providers set up each website within an isolated container or environment, preventing the compromise of any one site from impacting others. However, it is important to understand the security measures your hosting provider uses to maintain security.
Where you use a hosting provider, many of the security principles you would otherwise follow yourself are delegated to a third party. Ideally, your provider will follow security best practices and compliance standards, apply regular updates and security patches, and have secure authentication standards in place.
However, these are considerations and questions you should ask the provider to determine if your website will be safely maintained.
Conduct Regular Vulnerability Scans
While some vulnerability scanning software can require a license, there is also a range of solutions that offer free-to-use options. These often have some limited features, but the core vulnerability scanning system should still be available.
Even with regular patching and adherence to security best practices, it is often the case that not every security issue has been addressed.
A vulnerability scanner provides an additional tool to manage your website and gives assurance that no security flaws have been overlooked.
Review All Submission Forms
Where your website makes use of submission forms and contact forms, they can be subjected to brute-force attacks.
This type of attack involves the form being submitted hundreds or even thousands of times using automated tools, which are designed to test for a range of vulnerabilities, including whether the website restricts the mass submission of forms.
This type of activity can have several negative impacts on your web application.
The site and its allocated resources may gradually be consumed over time, slowing down the performance and responsiveness of the site and degrading the user experience.
In more extreme examples, the number of requests can continue to overwhelm the application and its resources and prevent others from being able to access the site, known as a Denial of Service attack.
Where the forms generate emails or other messages for your team to review, it can also overwhelm this system, with thousands of spam messages being generated.
This will then need to be addressed and filtered or removed, which can waste time and resources that should be focused on legitimate business interests.
Implementing solutions such as rate limiting, to restrict the number of requests that can be made, as well as CAPTCHA solutions to prevent the mass submission of forms can prevent this type of issue from being exploited within your application.
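The rate limiting described above, as an added example that is not part of the original post: a per-client sliding-window limiter placed in front of a contact-form handler. The client key (the submitting IP), the limits and the form handler itself are assumptions for illustration.

```python
# Added example (not from the original post): a per-client sliding-window
# rate limiter for a contact form. Client key, limits and handler are assumptions.
import time
from collections import defaultdict, deque


class FormRateLimiter:
    """Allow at most `max_requests` submissions per `window_seconds` per client."""

    def __init__(self, max_requests=5, window_seconds=60.0, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock  # injectable so tests can control time
        self._hits = defaultdict(deque)  # client key -> timestamps of accepted submissions

    def allow(self, client_key):
        """Return True if this submission is within the limit, else False.

        Rejected submissions are not recorded, so a flood cannot keep
        extending its own lock-out; it simply waits for the window to pass.
        """
        now = self.clock()
        hits = self._hits[client_key]
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True

    def retry_after(self, client_key):
        """Seconds until the oldest in-window submission expires (0 if allowed now)."""
        hits = self._hits.get(client_key)
        if not hits or len(hits) < self.max_requests:
            return 0.0
        return max(0.0, self.window - (self.clock() - hits[0]))


def handle_contact_form(limiter, client_ip, fields):
    """Constructed form handler: returns an HTTP-style (status, body) tuple."""
    if not limiter.allow(client_ip):
        return 429, {"error": "too many submissions",
                     "retry_after": round(limiter.retry_after(client_ip))}
    # Normal validation and sending of the message would happen here.
    return 200, {"ok": True, "name": fields.get("name")}
```

Keying on the client IP alone is a coarse control; a CAPTCHA on the form complements it by stopping automated submissions that rotate source addresses.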
Manage Your Authentication Portals
Account compromise is a common method of exploitation for many attackers. The login page for your website will often be found at a standard location, especially when using common solutions such as WordPress.
Restricting the possibility of account compromise and your logins being targeted for attack is therefore important for the continued security of your website.
You can initially review whether access restrictions can be put in place for your login portal. If only a limited number of people need access to your login, and from a known set of locations, restrictions could be put in place based on IP address, which greatly limits the potential for an attack.
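An IP-based restriction on the login portal, as an added example that is not code from the original post: requests to the login paths are allowed only from an allowlist of address ranges. The paths (WordPress defaults), the allowlisted and trusted-proxy ranges, and the header handling are assumptions; the check trusts X-Forwarded-For only when the connection arrives from your own proxy, because otherwise the header is client-controlled.

```python
# Added example (not from the original post): allowlist the login portal by IP.
# Paths, ranges and the trusted-proxy setup are assumptions for illustration.
import ipaddress

LOGIN_PATHS = ("/wp-login.php", "/wp-admin/")  # WordPress defaults; adjust for your site
ALLOWED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Only trust X-Forwarded-For when the request really came through your own proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(remote_addr, forwarded_for=None):
    """Return the effective client address.

    X-Forwarded-For is honoured only if the socket peer is a trusted proxy, and
    then only its rightmost entry (the one that proxy appended); anything to the
    left of it was supplied by the client and is ignored.
    """
    addr = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(addr in proxy for proxy in TRUSTED_PROXIES):
        candidate = forwarded_for.split(",")[-1].strip()
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            return addr  # malformed header: fall back to the socket address
    return addr


def is_login_path(path):
    return any(path == p or path.startswith(p) for p in LOGIN_PATHS)


def login_allowed(path, remote_addr, forwarded_for=None):
    """Return (allowed, reason). Non-login paths are never restricted."""
    if not is_login_path(path):
        return True, "not a login path"
    ip = client_ip(remote_addr, forwarded_for)
    if any(ip in net for net in ALLOWED_RANGES):
        return True, f"{ip} is allowlisted"
    return False, f"{ip} is not allowlisted"
```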
For each of your accounts, you can also ensure they are configured with strong and complex passwords that are unique from all other accounts.
A common pattern for compromise is a security breach in another system, which may be managed by a third party, that results in credentials being exposed. Where you reuse passwords across multiple systems, this can lead to the direct compromise of your website.
Multi-factor authentication (MFA) should be enabled for each account that accesses the website; this provides an additional level of security in the event a password is compromised.
Security Assessments
With each of the security considerations for your website covered, including conducting your own vulnerability scans, there is often still a requirement for a manual security assessment or penetration test.
While the cost may sometimes delay many businesses from carrying out a security review, it can still be useful, as there are often security considerations that have not been accounted for, vulnerabilities that a scanning tool has not been able to detect, and best practice configurations which have not been applied as intended.
A security audit conducted by a professional can be expensive, and each of the security measures you can take on your own should be carried out before contracting a third party.
However, a security assessment shouldn’t be delayed indefinitely, and ideally should be planned as an annual expense and included in your company’s security budget.