Protecting Against Data Breaches
The biggest disadvantage any security and defence firm faces in the online world is remote data storage. Although not having the precious cargo (data) in the field can serve as a significant tactical advantage, not being able to secure it yourself is a tough pill to swallow. No matter which industry you are in, directors, marketers, IT specialists and general staff all have a responsibility to prevent private information from falling into the wrong hands. Whether it’s personnel data, financial data, contract documents or company secrets, everything needs to be secured against both remote and local breaches.
How Common Are Data Breaches?
2020 was the year the world turned to remote work. Working from home became a necessity, and the number of cyber-attacks grew exponentially that year. A report published by DbxUK shows that a staggering 43% of businesses in the UK alone reported a cyber breach. On average, a single data breach costs a UK SME £16.1k.
According to Sophos:
“51% of organizations were hit by ransomware in the last year. The criminals succeeded in encrypting the data in 73% of these attacks. 26% of ransomware victims whose data was encrypted got their data back by paying the ransom. A further 1% paid the ransom but didn’t get their data back.”
In addition to data and financial losses, an organization that suffers a significant breach also takes on reputational damage that far exceeds the tangible costs. Statista reports a total of 1,001 breaches in the USA in 2020, exposing 155.8 million records.
“Four in ten businesses (39%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%).”
Besides the loss of data and customer trust, firms under siege must also pay fines for not doing everything possible to protect their servers from attackers. The Information Commissioner’s Office (ICO) initially fined British Airways £183.4 million under the General Data Protection Regulation (GDPR); the penalty was later reduced, and the airline ended up paying a £20 million fine.
These alarming numbers show why it is essential to regularly audit the data you hold online and be proactive about securing everything you can. In this article, we outline some necessary actions website managers can adopt to help ensure the safety and security of their data.
Prevention is better than cure
Let us dig in and list the 9 Easy Steps for Better Website Security. It is all about being proactive and having your “defensive shields up” at all times.
Step 1: Ruthlessly limit the data you collect and hold.
No one can steal what you don’t have. Our first recommendation is to simply not collect and store any unnecessary information, and purge non-essential customer information from existing databases.
For websites, that also means religiously clearing out plugins and systems that store customer details, form submissions and newsletter subscriptions. Define a retention period for each kind of record and automate the purge so it happens on schedule rather than when someone remembers.
When creating new forms or data capture systems on your website, remember that the GDPR rules state that there must be a legitimate reason for each item of data collected. Do you need to capture birthdays or addresses?
Storing less information is not only good for GDPR compliance but also limits the damage a breach can do. As mentioned at the start, no one can steal what you do not have, so the less information you hold, the less harm a breach can cause to your business and to the individuals affected.
Step 2: Use a reputable website host.
Your website hosting service is where the majority of your website data is stored. It is extremely important that you choose the right host – and popularity is never a guarantee of security. Choose a web host with servers in the United Kingdom only. The safety and privacy laws in the UK are stronger than those of many other countries and, by design, make a breach by nefarious organisations and state actors less likely.
Additionally, don’t just take the company’s word for it; check Trustpilot and Google for reviews. Online communities like Reddit can also be a great source of independent information on which hosting companies offer the best service.
Here at Echo Eighty, we recommend Krystal as a great solution for most websites; you can learn more and sign up for their service using our affiliate link. All their servers are kept up to date and are located in the UK. They strictly follow the recommendations of GDPR and other internet and data storage laws.
Step 3: Regularly review user roles and administrative access.
As a defence and security organization, you should regularly review user roles, paying particular attention to accounts with admin access. If a user was granted temporary admin access, make sure it is revoked promptly once it is no longer needed.
Establish strict standard operating procedures (SOPs) for the HR department so that an employee’s access is promptly revoked when they go on extended leave or leave the company.
Automate the process of checking and rechecking access. Ensure that all online services connected to your website are covered too, including CRMs, marketing platforms, social media accounts and so on.
Update your company’s LinkedIn page as well. Some ex-employees can gain access to your data by posing as current staff.
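As an illustration of the review described in Step 3 (an added example, not Echo Eighty’s own tooling or code from this page), the following Python script runs over a constructed, hypothetical user list and flags leavers, expired temporary admin grants and dormant accounts. The Account fields, the 90-day dormancy threshold, the review date and the sample usernames are assumptions made for the example; in a WordPress deployment the same data would come from the users table or a WP-CLI export.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    role: str
    last_login: Optional[date]            # None means the account has never logged in
    admin_expires: Optional[date] = None  # set when admin rights were granted temporarily
    employed: bool = True                 # False once HR records a leaver or extended leave


# Constructed sample user directory (hypothetical accounts, not real data).
ACCOUNTS = [
    Account("j.smith", "administrator", date(2021, 5, 3), admin_expires=date(2021, 4, 30)),
    Account("contractor.temp", "administrator", date(2021, 2, 1), employed=False),
    Account("newsletter.bot", "editor", None),
    Account("a.jones", "editor", date(2021, 5, 1)),
    Account("old.admin", "administrator", date(2020, 9, 12)),
]

# The day the review is run (assumed for the example).
REVIEW_DATE = date(2021, 6, 1)


def review_access(accounts: List[Account], today: date, dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, action) pairs for accounts whose access should be revoked or downgraded."""
    findings = []
    for acc in accounts:
        if not acc.employed:
            # Leavers and staff on extended leave lose access regardless of role.
            findings.append((acc.username, "disable: user has left or is on extended leave"))
            continue
        if acc.role == "administrator" and acc.admin_expires and acc.admin_expires < today:
            findings.append((acc.username, "downgrade: temporary admin access expired"))
        if acc.last_login is None or (today - acc.last_login).days > dormant_days:
            findings.append((acc.username, f"review: no login in the last {dormant_days} days"))
    return findings


def admin_accounts(accounts: List[Account]) -> List[str]:
    """The list a manager should eyeball every review cycle: everyone who currently holds admin."""
    return sorted(a.username for a in accounts if a.role == "administrator")


if __name__ == "__main__":
    print("current administrators:", ", ".join(admin_accounts(ACCOUNTS)))
    for user, action in review_access(ACCOUNTS, REVIEW_DATE):
        print(f"{user:16} {action}")
```

Run on a schedule (a cron job or CI task) and route the findings to whoever owns the HR SOP, so that a temporary grant that was never revoked surfaces within one review cycle instead of being found during an incident.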
Step 4: Use a Password Manager
Weak passwords, easy-to-remember passwords and common phrases are like open doors for hackers. And don’t forget that, thanks to previous data leaks, many people are using passwords that have already been publicly exposed. Have I Been Pwned is the go-to resource for finding out whether your personal or professional email address has been included in a major data breach.
Using a password manager helps prevent security breaches by generating a complex, unique password for each website you use. These passwords are stored encrypted, and when you are on a site, page, service or app, the manager fills them in automatically – usually via a browser add-on. 1Password, NordPass, LastPass and Dashlane are some options, and they offer organisational tools that give users different levels of visibility and access based on their role.
One of the tricks used by phishing scams is to lure users into entering their passwords on near-identical web addresses and page designs. A password manager cannot be tricked this way, because it only offers a saved password on the exact domain it was saved for.
Step 5: Avoid predictable user credentials.
The first line of defence in an online world is to make it difficult for hackers to guess usernames, passwords, and standard URLs. When it comes to cyberattacks on websites, it’s less likely that a person is actively trying to crack a specific user’s login details, and much more likely that malicious bots are trying thousands of different combinations based on the most popular passwords and usernames.
When creating user accounts for your website, avoid using publicly listed names and common acronyms as usernames, for instance “John”, “Admin” or “Business Name”. Using them halves the work hackers have to do to access your systems.
Instead, use hard-to-guess admin credentials such as combinations of letters and numbers. For John Smith, you could use “JohnS.1098”, where 1098 can be any random number or an employee ID number.
Similarly, make it a policy to use passwords of at least 8 characters (16 recommended). These passwords must include lowercase and uppercase letters, numbers and special symbols.
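Here is an added Python example (not code from this page or from Echo Eighty) that turns the Step 4 and Step 5 advice into two checks: the length and character-class policy just described, applied to the page’s “JohnS.1098” example, and a Have I Been Pwned-style lookup that sends only the first five characters of the password’s SHA-1 hash, so the password itself never leaves the machine. The range response is a constructed stand-in so the script runs offline; fetch_range shows the live call against the real api.pwnedpasswords.com range endpoint and is not invoked automatically.

```python
import hashlib
import string
from typing import List, Tuple
from urllib.request import Request, urlopen


def check_password_policy(password: str, min_len: int = 8, recommended_len: int = 16) -> List[str]:
    """Return the policy violations for a password; an empty list means it passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than the minimum of {min_len} characters")
    elif len(password) < recommended_len:
        problems.append(f"shorter than the recommended {recommended_len} characters")
    required = {
        "lowercase letter": any(c.islower() for c in password),
        "uppercase letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special symbol": any(c in string.punctuation for c in password),
    }
    problems.extend(f"no {name}" for name, present in required.items() if not present)
    return problems


def hibp_split(password: str) -> Tuple[str, str]:
    """Split the SHA-1 of the password into the 5-char prefix that is sent and the suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Scan a 'SUFFIX:COUNT' range response for our suffix; 0 means not found in the corpus."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup against the Pwned Passwords range endpoint (needs network; not called below)."""
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-example"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response so the example runs offline. Only the line
# for "password" is meaningful; the other suffixes and counts are made up.
_pw_prefix, _pw_suffix = hibp_split("password")
SAMPLE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_pw_suffix}:3861493",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])


def is_breached(password: str, range_response: str) -> int:
    """How many times the password appears in the (sample) breach corpus, without sending the password."""
    _, suffix = hibp_split(password)
    return breach_count(suffix, range_response)


if __name__ == "__main__":
    for candidate in ["JohnS.1098", "password", "Correct-Horse-Battery-9"]:
        print(candidate, check_password_policy(candidate), "breached:", is_breached(candidate, SAMPLE_RANGE))
```

In a real deployment you would replace SAMPLE_RANGE with fetch_range(prefix) at the moment a user sets or changes a password, and reject any password whose count is non-zero regardless of how well it scores on the character-class policy.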
Step 6: Multi-factor authentication.
Multi-factor authentication should always be activated where available. It adds extra layers of security that do not rely on the same channel as the password. Two-factor (2FA) and multi-factor (MFA) authentication are now widely available and usually work by requiring:
- an additional keyphrase sent to the user’s mobile phone as a text message
- a security code generated by an Authentication App
Three-factor authentication builds on the above and combines Something You Know (a password), Something You Have (an authentication code sent to your phone) and Something You Are (usually biometric data such as fingerprints).
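To show what the “security code generated by an Authentication App” actually is, here is an added Python implementation (not from this page or any vendor named here) of RFC 4226 HOTP and RFC 6238 TOTP, the algorithm those apps use, together with a server-side verifier that tolerates one step of clock drift and refuses a code that has already been accepted. The secret is the RFC 6238 test-vector key, used only so the output can be checked against the published vectors; a real enrolment generates a random per-user secret.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, last_used: int = -1,
                step: int = 30, window: int = 1, digits: int = 6) -> Optional[int]:
    """Return the counter the submitted code matched, or None if it is rejected.

    window=1 accepts the previous and next step as well, to tolerate clock drift.
    last_used is the counter of the last accepted code; any counter at or below it
    is refused so a code observed once cannot be replayed within its validity window.
    """
    counter = at_time // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate <= last_used:
            continue
        # Constant-time comparison so a wrong code takes as long as a right one.
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890"); not a production key.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("code for this 30-second window:", code)
    print("verifier accepts it at counter", verify_totp(RFC_TEST_SECRET, code, now))
```

The server keeps the returned counter as the new last_used value for that user; it is the one piece of state, beyond the secret, that the text-message and app variants of the second factor both depend on.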
Step 7: Use a third-party security service
Instead of relying solely on the services provided by the hosting company, you can bolster your online data security by using a third-party service such as a CDN-based firewall.
CDN is short for Content Delivery Network: a network of servers around the globe that serves each visitor from the nearest server, to maintain speed and offer better security. Additionally, CDN providers maintain excellent firewalls. A firewall not only protects your data from breaches but also shields the servers from brute-force and denial-of-service attacks.
Here at Echo Eighty, we offer Sucuri as standard for all our Defence, Security and Supply Chain customers, but you can also use WP Engine, Jetpack or Wordfence as a local firewall for WordPress websites. CDNs like Cloudflare include firewall services too and can be used for most other types of websites. You should always have at least one firewall enabled.
Step 8: Keep themes, plugins, and core files up to date.
If you already have experience keeping websites up to date, you will have noticed that most updates are security patches. After a major release, as soon as the developers come across any vulnerabilities, they release patches for them.
You should keep your website 100% updated at all times, from the core CMS (Content Management System) down to the smallest and lightest plugins. The most widely used themes and plugins are the ones most likely to be targeted. Hackers will find the most unexpected ways to reach your data and exploit it, and theme and plugin developers are constantly on the lookout for those exploits and will patch them as soon as they find any.
- Always keep the core, themes, and plugins up to date.
- Remove unnecessary and unused plugins. These are not only a security threat but also slow down your site. Permanently remove deactivated plugins rather than leaving them installed.
- Enable Automatic Plugin updates. This is a relatively new feature, and not all the plugins support it. However, it is a good start.
At Echo Eighty, we use a combination of automatic and manual updates on behalf of our clients to reduce the risk of unexpected compatibility and security issues.
Step 9: Only connect through trusted networks.
More than ever, with work from home on the rise, you should only allow connections to your website or business systems from trusted networks.
Security services we’ve already mentioned, like Wordfence and Sucuri, offer excellent IP restriction tools. If someone tries to log in to your website – even with correct credentials – from an IP address, location or device that isn’t already whitelisted, they’ll be stopped in their tracks. This lets managers decide which users can reach the company website from off-site locations, and manually approve home networks and remote working locations.
An additional layer of security is to use a private VPN. With a VPN, you first establish a link to the secured network, and only then are you able to access the management side of your website.
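The allowlist check described in Step 9, as an added Python example (not the page’s code and not how Wordfence or Sucuri implement it): the network check runs before the credential check, so a correct password from an unapproved address still fails. The approved networks and the login attempts are constructed from documentation address ranges and hypothetical users.

```python
import ipaddress
from typing import List, Tuple

# Constructed allowlist: an office range, one approved home connection and an IPv6 VPN range.
# These are documentation prefixes (TEST-NET and 2001:db8::/32), not real addresses.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
    ipaddress.ip_network("2001:db8:10::/48"),
]


def is_allowed(source_ip: str, allowed=ALLOWED_NETWORKS) -> bool:
    """True if the source address falls inside any approved network. Unparseable input is denied."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def login_decision(username: str, credentials_ok: bool, source_ip: str,
                   allowed=ALLOWED_NETWORKS) -> Tuple[str, str]:
    """Decide a login; returns (decision, log line).

    The allowlist is consulted first, so the password is never even checked for
    a request from an unapproved location, which also keeps brute-force bots
    from learning whether a username exists.
    """
    if not is_allowed(source_ip, allowed):
        return "deny", f"{username} from {source_ip}: source not on the allowlist"
    if not credentials_ok:
        return "deny", f"{username} from {source_ip}: bad credentials"
    return "allow", f"{username} from {source_ip}: ok"


# Constructed login attempts: (username, credentials were correct, source address).
ATTEMPTS = [
    ("j.smith", True, "203.0.113.45"),       # office, correct password
    ("j.smith", True, "192.0.2.9"),          # correct password, unapproved network
    ("a.jones", False, "198.51.100.7"),      # approved home IP, wrong password
    ("a.jones", True, "2001:db8:10:1::5"),   # inside the IPv6 VPN range
    ("j.smith", True, "not-an-ip"),          # malformed address header
]


def run_attempts(attempts=ATTEMPTS) -> List[str]:
    """Evaluate every attempt and return just the decisions, in order."""
    return [login_decision(user, ok, ip)[0] for user, ok, ip in attempts]


if __name__ == "__main__":
    for user, ok, ip in ATTEMPTS:
        decision, line = login_decision(user, ok, ip)
        print(f"{decision:5} {line}")
```

One caveat when this sits behind the CDN firewall from Step 7: the address the web server sees is the CDN edge, not the visitor, so the source address must be taken from the CDN’s forwarded-client header, and only for connections that genuinely arrive from the CDN’s own ranges; otherwise every visitor looks like the CDN and the allowlist is either useless or trivially spoofed.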
Data breaches have real-world consequences far beyond the inconvenience of having to reset a password. For example, the 2021 Guntrader.uk data breach resulted in users being targeted by criminals trying to obtain weapons. The British Association for Shooting and Conservation issued a statement telling its members to ensure that their home security is up to date and that their guns and other firearms are secure. In this case, the data breach resulted in real-world safety concerns for thousands of individuals across the country, and the potential harm of many more members of the public.
Data and website security start by relying on an excellent server and employing the services of organisations that understand and know how to secure your online presence.
We can help with any of the above – starting from recommending the best possible servers, keeping the site up to date, implementing firewalls, and ensuring that your website is as secure as humanly possible.
In addition to this, Echo Eighty will sweep your site for weak usernames and redundant, dormant or unnecessary user accounts, and implement monthly manual updates to your plugins and underlying systems.
Contact Us, whether you are starting fresh or want to beef up your security.