
29 Mar
How to Improve Website Security for your Design Business
Graphic design businesses are usually about the aesthetic, not what’s under the hood.
You’re used to making things look good, but website security is even more alien than a foreign language.
For that reason, most business owners ignore it completely.
And that’s not something you want to do.
We’ve previously talked about the ten essential steps you need to take as a start-up graphic design agency.
Here’s number 11: make sure your website security is taken care of. Otherwise, everything else will be for nought.
Data breaches happen to the biggest names in the business (we’re talking to you, eBay and Uber), but for the most part hackers don’t go for the big guns.
Why? Because they usually have strong website security in place.
Instead, it’s all about the easy pickings. That’s you.
If you want to avoid keeping the figurative front door of your website wide open for hackers, then follow the tips to improve website security laid out below.
Create Strong Passwords
“Passwords are like underwear: don’t let people see it, change it very often, and you shouldn’t share it with strangers.” – Chris Pirillo
The concept of weak passwords has been known for a while.
Yet people keep making the same mistakes, so we feel compelled to repeat this advice: don’t use admin or 1234567 as your password (yes, they still rank near the top of the most popular ‘secure’ options!).
The problem isn’t just a lack of imagination, however. People are lazy.
They think it’s not going to happen to them, or they just have so many passwords to keep track of that they just give up and use variations of the same thing.
With that attitude, you’re going to end up on haveibeenpwned.com. To keep your passwords safe, you should do this:
● Use a password manager. One of our favourite third-party tools is LastPass. It keeps track of all your passwords behind a single master password, and it suggests a strong, unique password for every site you sign up for.
● Use 2-factor authentication. Relying on a password alone isn’t enough. Add a second factor, for example a text-message code or a Google Authenticator code.
● The longer, the better. Stick to long passwords; they’re harder to crack. Instead of a short string of random letters, use a whole sentence. It’s easier to remember and, surprisingly, also harder for a computer to guess.
Backup Your Data
We’ve already mentioned it: even the big brands’ websites get hacked.
So we suggest working on the assumption that you’re going to be a victim at some point (even if it never actually happens!).
Website security is an obvious priority, but you also want a fallback. Enter data backups.
Hackers often have a disturbing amount of malicious fun simply taking websites down, whether with DDoS attacks or by exploiting vulnerabilities.
They don’t necessarily care about stealing credit card data or making money.
The thrill of destroying a business is enough.
If your website has been hacked and turned into a meme, you want to be able to revert to the most recent working version of your website.
The best way to back up your data is to have a multi-pronged approach.
Firstly, you want to have a decent hosting option.
If you try and go for the $1 per month variety, don’t be surprised if it all blows up in your face.
We suggest going for a cloud solution, with Cloudways, WP Engine or Kinsta being solid bets.
Get Your SSL
Load up your browser and look to the left of the URL of your website on the address bar.
You should see a padlock. If you don’t have that, you’re missing the fundamental level of website security you can offer your users.
These days, SSL is a requirement. And yes, even if you have a simple ‘brochure’ website that doesn’t take customer details.
SSL certificates used to be quite pricey, and you needed a little know-how to install them properly.
Luckily, you can now get them for free. Let’s Encrypt, a non-profit organisation, is the leading source for this.
Most decent quality hosts have hooked up to the service automatically, which means all you need to do is click a couple of buttons and you’re done.
Invest in Application Security
We get it; you want to keep costs low. Every small business struggles with cash flow, and you’d rather spend your money elsewhere.
And even though most companies don’t end up using it, it’s always good to have an extra layer of protection (you have health insurance, don’t you?).
Apps form an essential part of the modern website security apparatus.
Open-source content management systems such as Drupal and WordPress, for example, offer a range of plugins and modules to help keep your site safe.
If you don’t want to fork out the cash, there are a handful of very decent free options out there.
Train Employees
Website security is not an afterthought. Every single staff member needs to know what your company policies and procedures are when it comes to site security.
They need to know what to do and, perhaps more importantly, what not to do.
Create a user manual that is always available, both online and as a printed copy.
Have training days (or just an hour or two, whatever is necessary) where you go over these.
Don’t do this just once; refreshers are always useful. Remember that people will find these annoying, so try and make it fun.
Fun idea: do it office pub quiz-style (sans booze!) and offer some pizza and drinks.
Limit User Privileges
We don’t suggest you create a draconian hierarchical work culture, but when it comes to security, you don’t want it to be a free-for-all.
Most organisations are either too trusting, or they don’t know how to limit user privileges on a website. This usually isn’t a problem, until it is.
There are countless stories out there of former employees hitting the proverbial NUKE button after leaving an organisation, for example.
“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.” – Stephane Nappo
They may be salty about what they deem to be an unfair dismissal, or they may have a personal vendetta against someone.
Whatever the reasons, you want to make sure they can’t do anything against your business. As soon as they leave, remove their accounts and revoke every login and credential they had access to.
“We discovered in our research that insider threats are not viewed as seriously as external threats to website security, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.” — Dr. Larry Ponemon
Have a Multi-Layered Approach
The most effective security approach doesn’t just rely upon a single thing.
Website security software is helpful, but it’s not set-and-forget.
If a vulnerability is being exploited while a patch is still being developed, for example, your site is exposed. In addition to software, consider the following web server security steps:
● Get rid of the generic ‘Admin’ account. You want to personalise everything that comes out of the box, with the generic ‘Admin’ username the first to go. Why? Hackers will always try the default settings, knowing that people often don’t change them.
● IP limits. We usually recommend allowing a single IP address (your office!) to access your website’s admin area. This means that if someone is elsewhere (e.g. a hacker!), they won’t be able to get in even if they have your user credentials. If pushed, give access to employees you trust who need it. Be careful, however.
● Block uploads. If your website has a community element to it, like a forum or comments section, don’t allow users to upload files. Instead, use third-party tools. Direct uploads can expose your website to hackers; only allow them if you know what you’re doing.
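One way to put the IP limit and the upload restriction from the list above into practice on a WordPress site, as an added example that is not part of the original post: it assumes WordPress installed at the web root on Apache 2.4 with mod_rewrite enabled, lives in the site’s root .htaccess, and uses 203.0.113.10 as a placeholder for your office’s public IP address.

```apacheconf
# Added example, not from the original post. Assumes WordPress at the web root on
# Apache 2.4 with mod_rewrite, placed in the site's root .htaccess.
# 203.0.113.10 is a placeholder for the office's public IP address.

<IfModule mod_rewrite.c>
    RewriteEngine On

    # 1. IP limit: only the office address may reach the login page and the dashboard.
    #    Anyone else gets a 403, even with a valid username and password.
    #    admin-ajax.php stays reachable because front-end plugins call it for visitors.
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
    RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$
    RewriteRule ^(wp-login\.php|wp-admin/) - [F,L]

    # 2. Uploads must never run as code: any PHP file under wp-content/uploads
    #    is refused (403) instead of executed, so a smuggled script is inert.
    RewriteRule ^wp-content/uploads/.*\.(php|phtml|phar)$ - [F,L,NC]
</IfModule>
```

If the site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy’s address rather than the visitor’s, so the IP rule must be adapted to the forwarded client address your host provides, and you should test the rule from outside the office before relying on it.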
“The knock-on effect of a data breach can be devastating for a company. When customers start taking their business—and their money—elsewhere, that can be a real body blow.” – Christopher Graham
Have a Secure Plan of Action
If you want to take website security seriously (and you should!), then you’re going to need a cybersecurity plan.
It’s not as scary as it sounds, and ensures you have proper safeguards in place should something happen.
For example, if your website is down, do you know what to do?
“Companies spend millions of dollars on firewalls, encryption, and secure access devices, and it’s money wasted; none of these measures addresses the weakest link in the security chain.” – Kevin Mitnick, “the most famous hacker in the world”
Do you have login details safely locked away for both your domain registrar and hosting company (no, they’re not the same thing)?
Think through all of the ‘things that could go wrong’ and ensure you have a step-by-step plan.
We recommend thorough documentation here. It’s tedious, time-consuming, and isn’t billable.
But should the worst happen, you’ll be back up and running without the pain and panic most companies go through.
Practice Unagi
All right, we finish with a lame reference from Friends here!
But maybe it’ll help you remember this significant takeaway: you must be aware of the most recent developments in website security.
Sure, your bread and butter is design, but your shop window is online. You need to make sure website security sits near the front of your priorities.
Our advice? Appoint someone in your organisation to be in charge of data, web security, sensitive information and backups.
You don’t need to hire a specific person from outside (they can be expensive!), but at least put someone in charge as part of their job description.
“A security system with several layers is difficult to hack. So, even if your data is targeted, getting through the many tiers of security will be a hassle. The simplest of programs, such as free online email accounts, have multi-layered security, too. Even if accessing your accounts takes a few extra steps, it is still worth the effort, certainly better than losing your data. Using a firewall, making sure your antivirus software is updated, running antivirus checks frequently and updating your programs regularly are all part of maintaining your personal data security.” – Doug Theis
Awareness is also about making sure you eradicate human error as much as possible.
Most data breaches are caused by a person at a web browser, not by a technical glitch.
We’re talking bad passwords, not following security protocols, and being downright careless.
People in your organisation need to be made aware of how important it is to keep your graphic design business secure; their livelihoods ultimately depend on it!