As a small business owner, your best defense is to apply preventative measures to protect the hardware and software that supports your website and stores your content and images.
Website security can be complicated and intimidating – especially for businesses that are trying to do it themselves. There are several different technologies associated with the security of your website and your server. It requires a specialized skill set and knowledge base to ensure you are protected.
Yardstick Services understands your situation as a small business owner and the realities of limited resources. You probably don’t have an in-house IT department. You may be managing your website yourself. Doing this work in-house can save you money; however, it exposes your business to exponentially more risks if maintenance problems are deferred or are not even identified in the first place. That’s where the Yardstick team can help.
We work proactively to ensure our clients are protected at each of the three levels of security. These measures will help protect you and your business in the event of a cyberattack on any level.
1. Web Host
Yardstick Services ensures that the servers and hosting companies we use meet the following requirements:
- Automatic Updates: The CMS and plugins are updated to the latest versions within 24 hours of a release, if not immediately. This matters because a published patch signals to a hacker that a vulnerability exists and where to look on any website that has yet to be updated; until the update is applied, the exploit is still available.
- Proactive Resolutions: We work with web hosts that proactively identify and resolve security issues that could affect their infrastructure and the websites hosted therein. For instance, the best hosting companies will respond to known global security issues like the Heartbleed bug. The web host will patch the issue and then send a message to us acknowledging the issue and their timely response.
- 24/7 Support: We need support around the clock to address downtime, slow sites, resource allocation, bugs, etc., when they happen. The best web hosts offer phone and live chat support 24/7. We avoid using hosting companies that only offer email or webform ticket support. These companies are frustrating to work with and don’t align with our values of providing industry-leading service to our clients. If you want a list of good web hosts that we’ve worked with, please feel free to email us or comment below.
- Current Technology: The best web hosts use the latest technology. Lower-end web hosts will leave old versions of PHP, MySQL and other software running on their servers because they either don’t have the in-house resources to update the technology in a timely manner or worse, they don’t care. Not updating this core technology puts the entire hosting infrastructure at risk, which could expose your website to exploits or hacks.
- Automatic Off-site Backups: Every site should be backed up at a frequency that is appropriate for the business. Most of our clients backup their site daily or weekly. The trick is to make sure the backups are actually stored off the server. This ensures that in the event of a total disaster a copy of the website resides elsewhere that can be restored to a totally new server. We also recommend keeping several backups stored so that if the most recent backup becomes corrupted, you can restore the site to an earlier point with ease.
2. CDN (Content Delivery Network)
A content delivery network is an extra set of web server infrastructure that caches all or parts of your website. The CDN is composed of a network of servers distributed globally. This network acts to serve all or parts of your website to your visitors from their nearest data centre. This means that your own server has limited exposure to the actual users that are visiting your site. For 99.99% of your website visitors, a CDN simply functions to speed up your site and reduce the amount of bandwidth, processing power and memory your server needs to use to display your site. However, for that malicious 0.01% of users that are trying to find an exploit or hack your site, the CDN functions as a firewall that allows you to monitor their behaviour and block them from accessing your site’s files or database. The best CDNs deliver the following security benefits:
- Suspicious Sources: CDNs proactively identify suspicious IP addresses that are attacking other websites around the world. Those IPs are proactively blocked, preventing more websites from being affected. It’s like being part of a big pool of shared information. The more websites that are on the same CDN as you, the more information you all share about the bad guys, which automatically protects all sites at the same time. It’s like a Block Watch, but for website owners.
- DDoS Protection: DDoS stands for distributed denial-of-service, a specific type of attack that has been associated with Netflix outages and with taking down the BBC website. It is an attempt by a botnet to make your website unavailable by overwhelming it with traffic from multiple sources so it crashes. A good CDN helps to identify those sources and ignore or block them.
- Scraping Content: Information scrapers create programs (often called bots) to scan web content and pull email addresses, content, images and other items off of sites for shady purposes. The most common is gathering legitimate email addresses to create spoof emails that entice recipients to click on links or provide personal information. A good CDN scrambles the email addresses on a site so bots can’t scrape them.
3. Website
Your website obviously needs to be secured. We most often build websites using WordPress and always install one or more security plugins that provide the following protections:
- Monitoring: Every website should have a security plugin installed to help monitor what’s going on with the CMS.
- Brute Force Prevention: A brute force attack is when someone who knows your username tries a long list of common passwords in an attempt to log in to the site. The simplest way to prevent brute force attacks is to lock out users after a certain number of failed login attempts. Another method is to require two-factor authentication.
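The lockout rule above, as an added illustration that is not part of the original post and not the code of any WordPress plugin: failed logins are counted per username and source address inside a sliding window, and once the threshold is hit further attempts are refused for a fixed period, even if the correct password is finally supplied. The thresholds, the clock injection and the sample credential store are constructed assumptions for the example.

```python
import time
from collections import defaultdict, deque

# Assumed policy values (constructed for the example, not from the page).
MAX_FAILURES = 5          # failures allowed inside the window before lockout
WINDOW_SECONDS = 15 * 60  # sliding window in which failures are counted
LOCKOUT_SECONDS = 30 * 60 # how long the account/source pair stays locked


class LoginGuard:
    """Counts failed logins per (username, source IP) and locks the pair out."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                    # injectable so tests can move time
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures
        self.locked_until = {}                # key -> time at which the lock expires

    @staticmethod
    def _key(username, ip):
        # Keying on the source as well as the username stops one attacker from
        # locking out a legitimate user simply by guessing at their account.
        return (username.lower(), ip)

    def is_locked(self, username, ip):
        key = self._key(username, ip)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:             # lock has expired: clear state
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, username, ip):
        """Record a failed attempt; returns True if it triggered a lockout."""
        key = self._key(username, ip)
        now = self.clock()
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop stale failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, username, ip):
        key = self._key(username, ip)
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def attempt_login(guard, username, ip, password, check_password):
    """Returns 'locked', 'denied' or 'ok'. Locked pairs are refused before the
    password is even checked, so a late correct guess does not get in."""
    if guard.is_locked(username, ip):
        return "locked"
    if check_password(username, password):
        guard.record_success(username, ip)
        return "ok"
    guard.record_failure(username, ip)
    return "denied"


class FakeClock:
    """Constructed clock so the scenario below runs instantly and deterministically."""
    def __init__(self):
        self.now = 1_000_000.0

    def __call__(self):
        return self.now


def simulate_brute_force():
    """Constructed scenario: five wrong guesses, the right password while
    locked, then the right password after the lock expires."""
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    users = {"editor": "correct-horse-battery"}          # constructed credential store
    check = lambda u, p: users.get(u) == p
    outcomes = []
    for guess in ["12345", "admin", "password", "letmein", "qwerty"]:
        outcomes.append(attempt_login(guard, "editor", "203.0.113.9", guess, check))
        clock.now += 10
    outcomes.append(attempt_login(guard, "editor", "203.0.113.9", "correct-horse-battery", check))
    clock.now += LOCKOUT_SECONDS + 1                     # wait out the lockout
    outcomes.append(attempt_login(guard, "editor", "203.0.113.9", "correct-horse-battery", check))
    return outcomes


if __name__ == "__main__":
    print(simulate_brute_force())
```

The guard refuses the sixth attempt with the correct password because the pair is still locked; only after the lockout period has passed does the genuine login succeed. In production the state belongs in shared storage (the CMS database or a cache) rather than process memory, and each lockout event is exactly the kind of critical alert the Alerts item below describes.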
- Malware Scans: We have a plugin that will scan your CMS and plugins for suspicious code. If any files on your website are different from the default core files, it will send you a message to indicate something has been changed. This scan is a reactive measure. But it’s an extra layer that lets us catch any unauthorized changes (however unlikely) as soon as they are made.
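The core-file comparison described above, reduced to its essentials as an added example that is not the scanning plugin’s code: a baseline manifest of SHA-256 hashes is recorded for a known-good copy of the site, and a later scan reports files that were added, removed or modified. The sample site layout and the tampering it simulates are constructed for the example; a real deployment would compare against the checksums published for the installed core release.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large uploads do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, POSIX-style path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline, current):
    """Report what changed between a trusted baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(f for f in baseline.keys() & current.keys()
                      if baseline[f] != current[f])
    return {"added": added, "removed": removed, "modified": modified}


def demo_scan():
    """Constructed scenario: a tiny 'site', a baseline, then two tampering
    events (a core file gets a line appended, an unexpected file appears)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-includes").mkdir()
        (site / "index.php").write_text("<?php // constructed sample core file\n")
        (site / "wp-includes" / "functions.php").write_text("<?php function helper() {}\n")

        baseline = build_manifest(site)          # would be stored off the server

        with open(site / "index.php", "a") as fh:   # simulated injected code
            fh.write("// constructed: line appended after baseline\n")
        (site / "unexpected.php").write_text("<?php // constructed: new file\n")

        return compare_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    print(demo_scan())
```

Keep the baseline manifest off the web server, or sign it: a manifest that lives beside the files it protects can be rewritten by whoever altered those files. The scan is still reactive, as the text says, so its value comes from running it on a schedule and routing its findings into the alerts described next.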
- Alerts: It’s all well and good to have the above tools in place, but they are useless if they don’t alert you. We ensure our tools generate alerts for anything critical to the security of our clients’ websites. And, to ensure we’re providing great service to our clients and not just automating everything, we have a CTO and Maintenance and Server Technician on our team who both receive the alerts and take action in a timely manner.
4. Beyond the website
Your website is technology. But it is owned and managed by people. So, Yardstick works hard to help clients understand how to mitigate the human factor. The following are a few of the things we do:
- Password Strength: We prevent our clients from using low-strength passwords such as ‘12345’ and ‘admin.’ Hackers salivate when they come across these. We also advise our clients on proper password creation and encourage them to change their passwords multiple times per year.
- Secure Password Sharing: We use LastPass to store and share all of the logins we use with our clients. The added benefit to the client is that we don’t keep passwords saved in Excel spreadsheets or on pieces of paper. We are able to share logins with our entire team, but each team member only sees ******** when they log in. We do our very best to limit the exposure of our clients’ own logins to any third parties.
- User Management: We also help our clients manage the users that have access to their website. This is especially important whenever there is a turnover of staff. We remove or downgrade old users and ensure new users are brought on board with the same level of awareness about website security.
All of Yardstick’s Maintenance & Support clients receive these security services on a monthly basis. While we do have proven recovery methods should they be needed, Yardstick focuses primarily on prevention. Cyber security is always evolving and is never 100% guaranteed. However, Yardstick’s preventative approach ensures our clients’ websites are afforded a very high level of security for a very reasonable monthly fee.
If you have any questions related to web security, or are interested in more information about our Maintenance & Support package, please send us an email or give us a call: 604.474.3631.