Website breaches are one of the largest categories of breaches the public hear about in the press on a regular basis. These don't just affect large corporates, they affect Small Businesses as well, especially since they often do not have the expertise to secure their websites. Here we look at what Small Businesses can do to secure their websites.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and CISO for Virtually Informed, and his co-host Nick Ioannou, Head of IT at Ratcliffe Groves. The square brackets with the initials indicate the speaker.
Introduction to Website Security for Small Businesses
[SS]: Today we're going to be looking at website security for Small Businesses. For many businesses, their websites are the first point of contact for their customers to find out about what the company does and everything and anything about it. And because it's the shopfront for the world, it's an important part of any Small Business to get the security right. I'm going to pass over to Nick to get us started.
Consider Your Hosting and Domain Name Strategy
[NI]: Thanks, Sarb. For cyber criminals, your Small Business website provides another attack point against your business. When setting up your website you might start to look at where you're going to host your website. Are you going to host it internally or are you going to pay a third party?
But before you even have a website, you're going to need to register your domain name; this is sometimes called the web address. For example, the domain name that this Blog is hosted on is virtuallyinformed.com. There are two elements to this: there is the actual name itself, which is virtuallyinformed, then there is the bit that comes at the end, the .com. We won't go into all the commercial ins and outs of registering whatever you think is appropriate for your business; you may need to ensure that you are registering variations of the company name, as well as various levels of the domain (meaning .com, .net, .co.uk, etc. according to which countries you wish to operate in). Some businesses will register only one, others will register all variations to protect their business. What you do depends on countries of operation, how big you intend to be and the resources you have available.
When you register your domain name with a registrar, ensure that you have opted to use two factor authentication; that way, if someone has your user credentials they can't log in and add an additional sub domain or entries into your domain DNS entries. Although that all sounds technical and complex, the thing to remember is that for the criminals it's all about tricking users into thinking that they are logging onto your website when they may be forwarded to a malicious website elsewhere, all unknown to you; although the URL looks like it's related, it is something completely different and controlled by the criminals. This has been one of the ways that criminals have reused other people's websites to host their own malware or phishing campaigns.
Automate Domain Name Renewals
[SS]: Just a couple of points on that. We have done exactly what you say, but the other thing is when we selected our hosting company, we chose one which would keep on top of when our domain name comes up for renewal, to enable us to know that they are doing the renewal for us automatically unless we choose to do something else. And even though we've got several domain names registered, we find we still get many phishing emails, which essentially ask us to pay them to update and renew our domain name. But obviously we ignore all these because we know that we use an automated service through our hosting company.
Several years ago, there were many websites where the owners would get an email telling them that their website domain name is up for renewal, please pay us promptly to ensure that no one else takes it over, and in those days they would often send a letter as well on their official headed paper, where the company name would all look worryingly official. And a lot of Small Businesses got scammed by that; and some still do today.
These companies were not the hosting company, they were scam, fraud, criminal companies looking to get paid for doing nothing. So, as Nick rightly points out, it's important to use two factor authentication where it is available. But also make sure you choose a hosting company that will keep on top of that for you so that you're not falling for any of these phishing attacks.
[NI]: Yes. A good hosting company will offer that service, or they'll even offer as an add-on some protection where they won't let it lapse, that it will auto renew, and people can't make significant changes easily. Or, that you can't make more than a certain number of changes in a month. There are additional protection services offered by all the major domain registrars, and like you say, if you receive any emails regarding your domain, just make sure it's the company you're dealing with and not anyone else; and again don't ever just click on any links, log in using your stored bookmark so that you know you are going to the correct website and not being phished.