7 Ways SMBs Can Secure Their Websites
Here's what small and midsize businesses should consider when they decide it's time to up their website security.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt315184d1927d636b/64f0d3945ff3328598a63286/Slide1CoverArt.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Too often small and midsize businesses (SMBs) run websites that lack even the basics, such as TLS encryption (still commonly sold as an "SSL certificate") or a Web application firewall (WAF).
It's understandable: SMB owners are typically very busy and wear many hats. Few have an IT person on staff, let alone a security professional, and few can handle security on their own.
What's an SMB to do? Turning to the site's Web hosting provider to find out what security features it offers is a good start. Getting recommendations for and then interviewing at least two or three other specialty security providers would be the next steps for an SMB to determine whether a security specialist makes sense.
Working with a provider for basic website security doesn't have to break the bank, says Monique Becenti, a product and channel marketing specialist at SiteLock. Depending on the site and how much e-commerce traffic the business runs, it's possible to have a strong level of security for roughly $1,000 a year.
Pricing will vary based on how many features are required and how much real business is done on the site. The advice on the following seven slides provides an excellent game plan for when SMBs decide it's time to up their website security.
SMBs should be aware of their risk posture, SiteLock's Becenti advises. This means evaluating their environments and taking an inventory of the programs and plug-ins their sites require to operate. Are they running WordPress? Joomla? Drupal? Do they plan on accepting credit cards and doing e-commerce transactions? Are they handling sensitive medical information? The answers to these questions will dictate how security needs are evaluated.
"The main thing is to take a step back and decide if you'll need things like SSL certificates and a third-party payment system," Becenti says.
Many SMBs believe that once they install an SSL/TLS certificate, they are fully secure. But the certificate is only the beginning of the security journey. A certificate lets the browser authenticate the site and enables encryption of data in transit between a site visitor and the site, SiteLock's Becenti explains. So, for example, on a blog site TLS will protect comments that a reader submits while they cross the network, but it does nothing for the data once it arrives at the site: the comment is stored, logged and processed in the clear unless the application encrypts it separately. The same goes for a registration form. TLS still matters, though: search engines favor HTTPS sites in their rankings, and browsers flag plain-HTTP sites as "Not secure" instead of showing the lock in the address bar.
SMBs also should consider having a third-party provider encrypt the data before it enters the merchant's environment, advises Ruston Miles, founder and chief strategy officer at Bluefin Payment Systems. If card or patient data is encrypted at the point of capture, TLS protects the transport and the data is still encrypted when it lands on the site, so a compromise of the Web server does not expose it. SMBs looking to do e-commerce or handle sensitive medical data need to consider this extra layer, Miles says.
Two pieces of technology belong on every secure website: a Web application firewall (WAF) and an intrusion detection/prevention system (IDS/IPS).
A WAF will both divert bad traffic away from the site and act as a load balancer, which will result in better site response times, SiteLock's Becenti says. Most WAFs also come with customizable rules. For example, companies can block all traffic from Russia, China, Iran, and other countries noted for preying on US websites. Geo-blocking is a coarse filter, though: attackers routinely route through proxies and cloud hosts in permitted countries, so it should complement, not replace, rules that inspect the requests themselves.
An IDS/IPS, often a component of a next-generation firewall, will inspect all parts of website traffic, looking for intentionally malformed data that aims to exploit the target application. Dmitry Ayrapetov, executive director of product management at SonicWall, says SMBs need to understand that hackers essentially take advantage of mistakes and assumptions made by programmers. An IDS/IPS will look for such exploit attempts in the traffic and block them before they reach the application.
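As an added illustration (example code written for this edit, not SiteLock's or SonicWall's product logic), the Python script below shows what a WAF/IPS rule engine does with a single request: it resolves the source address to a country against a constructed GeoIP table, decodes the URL and form body so encoded payloads cannot slip past the patterns, and then checks for the kind of intentionally malformed input described above (null bytes, oversized URLs, SQL injection, path traversal, script tags). The IP addresses, country table, signature list and sample requests are all constructed for the demo; a real ruleset such as the OWASP Core Rule Set is far larger and adds scoring to keep false positives down.

```python
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import unquote_plus

# Constructed stand-in for a GeoIP database; a real WAF resolves source IP to
# country with a commercial feed. All addresses are RFC 5737 documentation ranges.
GEOIP = {"203.0.113.7": "RU", "198.51.100.4": "US", "192.0.2.9": "DE"}
BLOCKED_COUNTRIES = {"RU", "CN", "IR"}   # the customizable geo rule from the text

# A deliberately small signature set, constructed for this example.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"""['"]\s*or\s+\S+\s*=\s*\S+""", re.I)),
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("cmd-injection", re.compile(r"[;&|`]\s*(cat|ls|wget|curl|sh|bash)\b", re.I)),
]
MAX_URL_LEN = 2048


@dataclass
class Request:
    src_ip: str
    method: str
    path: str            # raw request target, still URL-encoded
    body: str = ""       # raw form body, still URL-encoded


@dataclass
class Verdict:
    action: str                                  # "allow" or "block"
    reasons: List[str] = field(default_factory=list)


def normalise(raw: str) -> str:
    """Decode twice so a double-encoded quote (%2527) is matched as a quote.
    Matching signatures against the raw encoded bytes is the classic WAF evasion."""
    return unquote_plus(unquote_plus(raw))


def inspect(req: Request) -> Verdict:
    reasons = []
    country = GEOIP.get(req.src_ip, "unknown")
    if country in BLOCKED_COUNTRIES:
        reasons.append(f"geo-block:{country}")
    # Malformed-request checks: the "intentionally malformed data" an IPS looks for.
    if len(req.path) > MAX_URL_LEN:
        reasons.append("malformed:url-too-long")
    decoded = normalise(req.path) + "\n" + normalise(req.body)
    if "\x00" in decoded:
        reasons.append("malformed:null-byte")
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            reasons.append(f"signature:{name}")
    return Verdict("block" if reasons else "allow", reasons)


# Constructed sample traffic: one legitimate request and four hostile ones.
SAMPLE_TRAFFIC = [
    Request("198.51.100.4", "GET", "/products?id=42"),
    Request("198.51.100.4", "GET", "/products?id=42%27%20OR%20%271%27%3D%271"),
    Request("192.0.2.9", "GET", "/download?file=..%2F..%2Fetc%2Fpasswd"),
    Request("203.0.113.7", "GET", "/"),
    Request("198.51.100.4", "POST", "/comment", body="text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
]


def run_samples() -> dict:
    """Map each sample path to the WAF decision."""
    return {r.path: inspect(r).action for r in SAMPLE_TRAFFIC}


if __name__ == "__main__":
    for r in SAMPLE_TRAFFIC:
        v = inspect(r)
        print(f"{v.action:5} {r.src_ip:14} {r.method} {r.path} {v.reasons}")
```

Note that the Russian-sourced request to `/` is blocked purely on geography while the other four are blocked on the content of the request; only the latter kind of rule catches an attacker who has moved to a permitted country.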
SMBs will want to have an automated scanning capability to detect and remove malware on the site, says SiteLock's Becenti. It's also important to patch and remediate all the software programs and plug-ins the site runs on. But doing so is time-consuming, so SMBs will likely want a security provider that has an automated solution that takes care of patching vulnerabilities found in outdated software, Becenti says. Along with automated scanning for the site and patching, SMBs should also be sure their security providers are scanning all databases for malware.
Backup is a "blocking-and-tackling" issue that a lot of people still don't take care of, says SiteLock's Becenti. Especially for SMBs running e-commerce and payroll apps on their sites, it's essential to have offsite backups that are not connected to the site, so that an attacker who controls the Web server cannot delete or encrypt them too. What if the site gets hit with ransomware? SMBs have to have an option so they can restore operations quickly, which means restores should be tested before they are needed. Short of that, their businesses will take a major hit.
SMBs can think of their computing capabilities and websites more like a utility, SonicWall's Ayrapetov says. In a utility, outages will happen, so that's why the electric company builds in redundancy. "Same with a website," Ayrapetov says. "Breaches will happen, so it's important to have the ability to be up and running within five minutes."
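The backup advice above, as an added example (written for this edit, not code from SiteLock or SonicWall): the Python script below archives a constructed stand-in for a small CMS install into an "offsite" directory, records a SHA-256 digest of the archive, and then proves the archive actually restores by unpacking it into scratch space and comparing it byte for byte with the live site. It then simulates a ransomware-style overwrite, restores from the archive, and finally corrupts the archive to show the digest check catching it. Paths and file contents are all made up for the demo; in production the backup directory would be remote storage the Web server can write new archives to but cannot delete from.

```python
import filecmp
import hashlib
import hmac
import shutil
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_site(site_dir: Path, backup_dir: Path) -> Path:
    """Archive the site tree into backup_dir (in production: offsite storage the Web
    server can upload to but not delete from) and record a SHA-256 digest beside it."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=".")
    archive.with_name(archive.name + ".sha256").write_text(sha256_file(archive) + "\n")
    return archive


def extract(archive: Path, target: Path) -> None:
    """Unpack with the 'data' filter where the interpreter has it, so a crafted archive
    cannot write outside target via absolute paths, '..' members or symlinks."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def trees_equal(a: Path, b: Path) -> bool:
    """Byte-for-byte comparison of two directory trees."""
    cmp = filecmp.dircmp(a, b)
    if cmp.left_only or cmp.right_only or cmp.funny_files:
        return False
    _, mismatch, errors = filecmp.cmpfiles(a, b, cmp.common_files, shallow=False)
    if mismatch or errors:
        return False
    return all(trees_equal(a / d, b / d) for d in cmp.common_dirs)


def verify_restore(archive: Path, site_dir: Path) -> bool:
    """Check the digest, restore into scratch space and compare with site_dir.
    A backup that has never been restored is an untested backup."""
    expected = archive.with_name(archive.name + ".sha256").read_text().strip()
    if not hmac.compare_digest(expected, sha256_file(archive)):
        return False  # archive altered or truncated since it was written
    with tempfile.TemporaryDirectory() as scratch:
        extract(archive, Path(scratch))
        return trees_equal(site_dir, Path(scratch))


def restore_site(archive: Path, site_dir: Path) -> None:
    """Recovery step: replace the live tree with the archived one."""
    shutil.rmtree(site_dir)
    site_dir.mkdir()
    extract(archive, site_dir)


def make_sample_site(root: Path) -> Path:
    """Constructed stand-in for a small CMS install; the PHP is placeholder text."""
    site = root / "public_html"
    plugin = site / "wp-content" / "plugins" / "contact-form"
    plugin.mkdir(parents=True)
    (site / "index.php").write_text("<?php require 'wp-blog-header.php'; ?>\n")
    (site / "wp-config.php").write_text("<?php define('DB_NAME', 'shop'); ?>\n")
    (plugin / "form.php").write_text("<?php /* contact-form 1.2 */ ?>\n")
    return site


def demo() -> dict:
    """Back up, simulate a ransomware-style overwrite, restore, then corrupt the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = make_sample_site(root)
        archive = backup_site(site, root / "offsite")
        result = {"backup_verified": verify_restore(archive, site)}
        (site / "index.php").write_text("YOUR FILES ARE ENCRYPTED\n")  # constructed attack
        result["live_site_matches_backup"] = verify_restore(archive, site)
        restore_site(archive, site)
        result["restored_site_verified"] = verify_restore(archive, site)
        with archive.open("ab") as f:
            f.write(b"\x00")  # simulate corruption in storage or transit
        result["corrupted_archive_detected"] = not verify_restore(archive, site)
        return result


if __name__ == "__main__":
    print(demo())
```

The point of `verify_restore` is the five-minute recovery Ayrapetov describes: a restore that has been rehearsed against a digest-checked archive is a known quantity, whereas discovering a truncated or tampered archive during an incident is not.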
Most SMB owners will want to have the ability to securely update their sites while on business travel. SiteLock's Becenti advises them to deploy a VPN so they can do administrative updates and run transactions securely from wherever they may be. While using public Wi-Fi at an airport or coffee shop, SMBs should never run financial transactions or transmit sensitive data without using a VPN, she advises.
This last point may seem trivial, but it's crucial, SonicWall's Ayrapetov says. SMBs should ask their hosting and security providers for two-factor authentication (2FA) on every administrative login. Stolen credentials are rampant on the Dark Web, and it's really easy for hackers to guess a website's password. It's not 100% foolproof, but requiring a second factor alongside the administrative password gives an SMB owner an extra layer of security.
SMBs may also want to ask about some of the new passwordless authentication methods coming on the market. Over the next 12 to 18 months, they should become available options at hosting providers.
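For the 2FA recommendation above, an added example (written for this edit, not code from SonicWall or any hosting provider) of what the second factor actually is under the hood: a time-based one-time password per RFC 6238, which is what the authenticator apps supported by hosting control panels generate. The verifier tolerates one step of clock skew, compares codes in constant time, and records the last accepted time step per user so a code that was phished seconds ago cannot be replayed inside its validity window. The user names and the in-memory per-user state are placeholders for whatever the real admin login stores.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits, algo)


def new_secret(nbytes: int = 20) -> str:
    """Enrolment secret in the base32 form authenticator apps and otpauth URIs expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_from_base32(b32: str) -> bytes:
    b32 = b32.strip().replace(" ", "").upper().rstrip("=")
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Server-side check for the second factor. Tolerates +/- `window` steps of clock
    skew, compares in constant time, and remembers the last accepted step per user so a
    code phished or shoulder-surfed a moment ago cannot be replayed inside its window."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1, algo=hashlib.sha1):
        self.step, self.digits, self.window, self.algo = step, digits, window, algo
        self.last_step: Dict[str, int] = {}   # placeholder for persistent per-user state

    def check(self, user: str, secret: bytes, submitted: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        submitted = submitted.replace(" ", "")   # apps often display "123 456"
        base = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter < 0 or counter <= self.last_step.get(user, -1):
                continue                          # already consumed: reject replay
            if hmac.compare_digest(hotp(secret, counter, self.digits, self.algo), submitted):
                self.last_step[user] = counter
                return True
        return False


if __name__ == "__main__":
    b32 = new_secret()
    key = secret_from_base32(b32)
    print("enrol this secret in the authenticator app:", b32)
    print("current code:", totp(key))
    verifier = TotpVerifier()
    print("accepted:", verifier.check("owner", key, totp(key)))
    print("replay accepted:", verifier.check("owner", key, totp(key)))
```

The replay check matters because a TOTP code is valid for the whole step plus the skew window; without it, a phishing page that relays the code to the real login within that window succeeds just as a password alone would. The secret must be stored server-side with the same care as a password database, since anyone holding it can generate codes at will.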