These days a business can live and die by its website. If your online presence disappears in the middle of a major launch it can damage a brand irreparably.
This nightmare scenario occurred the day after the Australia Day long weekend to a new business that was yet to sell its first product.
A niche soft-drink importer found that his website had been hijacked by hackers who demanded a ransom of $5,000 to restore it, the Sydney Morning Herald reported today.
The importer had been visiting hotels and retailers to sign distribution deals for a cola called Turn On. It took his US support team a week to resurrect the website and the downtime cost the importer tens of thousands of dollars in lost sales.
The case shows that no business is too small a target for cyber-criminals. Cloud-hosted systems are often more secure than the computers in your office – for a longer explanation see today’s post, Why Your Systems Are Less Secure Than the Cloud.
BoxFreeIT asked Chris Gatford, director of security testing company Hack Labs, for his tips on how businesses can protect themselves against website extortion.
Cloud hosting: One of the most important lines of defence for your website is the administrator team of the company that hosts it. The software that runs your website (called a content management system, or CMS) needs to be constantly upgraded as older versions can carry security flaws. But how do you know if your web hosting company is patching your software for you?
“I wouldn’t rely on a small ISP down the road to take care of your website hosting for you. They make their money by having thousands of customers and doing as little as possible for them,” Gatford says.
Businesses should stick to the biggest hosting companies because they have more at stake if one of their sites is breached and will spend a lot of money on security to prevent this. For example, a business running WordPress should host its site with WordPress.com, which updates and patches the website software for it, rather than hosting the site itself.
Cloud backup: Businesses are notorious for botching their backups. Those that have a regular backup in place rarely test it. Gatford recommends a 3-2-1 backup plan – three copies of your data, on two types of media, and one copy stored offsite. A hosted website should be backed up to your office or even better to a cloud provider such as Amazon or Rackspace. An automated daily backup should be fairly painless for most businesses to set up.
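The 3-2-1 plan above only pays off if the backup is actually tested. The script below is an added example (not from the article or from Hack Labs) that takes a dated copy of a hosted site's files, keeps one copy in the office and one in a second store standing in for a cloud bucket, and then performs the restore test most businesses skip: it checks the archive's checksum, unpacks it and diffs it against the live site. All paths are assumptions.

```shell
#!/bin/sh
# Constructed example: 3-2-1 style backup of a site's web root with a restore test.
# Assumed layout (not from the article): SITE_DIR is the live web root (e.g. a CMS
# install), LOCAL_STORE is the office copy, OFFSITE_STORE stands in for the cloud
# bucket (a directory here so the script runs offline). Live site + office copy +
# offsite copy are the three copies; the two stores are the two media.

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Create a dated archive of the site, record its checksum, and copy both to the
# second store. Prints the archive path. Usage: backup_site SITE_DIR LOCAL_STORE OFFSITE_STORE
backup_site() {
    site=$1; local_store=$2; offsite_store=$3
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$local_store" "$offsite_store"
    archive="$local_store/site-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
    sha256_of "$archive" > "$archive.sha256"
    cp "$archive" "$archive.sha256" "$offsite_store/"   # the offsite copy
    echo "$archive"
}

# Restore test: verify the checksum, unpack into a scratch directory and diff it
# against the live site. Returns 0 only if the backup reproduces the site exactly.
verify_backup() {
    archive=$1; site=$2
    if [ "$(sha256_of "$archive")" != "$(cat "$archive.sha256")" ]; then
        echo "checksum mismatch for $archive" >&2
        return 1
    fi
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    diff -r "$scratch/$(basename "$site")" "$site" >/dev/null
    status=$?
    rm -rf "$scratch"
    return $status
}
```

Run `backup_site` from a daily cron job and `verify_backup` against the newest archive; a failing restore test is the signal to fix the backup before it is needed.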
Cloud email: Sending your email from your office server is a high-risk option. “Outsourcing your email to the cloud is an extremely effective mechanism” against hacking, Gatford says. Microsoft Office 365 and Google Apps include virus detection and spam filtering, which trap emails containing malware before they hit your inbox. But don’t get lazy – turn on the additional security controls, Gatford says. Google Apps can require, on top of your password, a one-time code sent by SMS or generated by an app on your smartphone (called two-factor authentication) to tighten access.
Password managers: “Let’s face it, everyone chooses weak passwords,” Gatford says. But you don’t want a weak password guarding your website’s content management system (CMS) or web server. Gatford recommends using a password manager such as LastPass (for teams) or 1Password (for individuals) to remember complex, unique passwords for each website and cloud application.
Image credit: InsureMeKevin