Last week, we were hacked. Badly. It was partially our fault. We had not updated some of our website plugins – something we knew we needed to do but got so caught up in current client work that we let our own site go without tending to it. Well, big mistake. Apparently, a malware virus got through to our website from one of those plugins and took over our website for at least 12 hours (displaying a fake McAfee phishing scam).
Luckily, we were able to get our development team together with our hosting provider, Cloudways, and found a great malware removal service. Together we were able to restore a slightly older version of the website without any malware. It will now cost us an additional $300 annually (which we’ll gladly pay).
But it got us thinking. The website is one of the most visible and important aspects of any small business, and this attack could’ve absolutely devastated our business. So, what are some ways you can keep your website healthy and secure? Here are four things we recommend doing today.
No. 1: Installing a Malware Removal Service to Protect Your Site and Your Customers
Sadly, for a lot of small businesses, a breach (which often starts at the website or its database) will end up costing far more than it cost us. According to IBM’s 2023 Cost of a Data Breach Report, organizations with fewer than 500 employees saw an average breach cost of $3.31 million. That’s a huge amount of money for a business of that size.
And that’s just one aspect of the many cybersecurity threats that exist out there. In addition to the plugin malware mentioned above, there are distributed denial of service (DDoS) attacks, ransomware, phishing and spam, cryptojacking, spyware, adware, SQL injection, and a lot more.
Small businesses don’t have a lot of resources to defend against these attacks, but the costs of doing nothing can also wipe out a business completely.
What you can do. We were lucky to find Sucuri (Sucuri.net) – a malware removal service that can both clean malware off your site and put a web application firewall (WAF) in front of it to filter attacks before they reach WordPress. It’s worth it at the cost of $300/year. Keep in mind that a WAF is a safety net, not a substitute for patching: it blocks known attack patterns, but the vulnerable plugin is still there until you update it. Make sure to also create a backup of your website, and keep it somewhere other than the web server itself; an attacker who controls the site can delete backups stored next to it. You can back up your website through your hosting provider’s control panel (cPanel), with an FTP client such as FileZilla, or with a third-party service such as BackupMachine, CodeGuard, or Dropmysite that does it for you. Whichever you choose, back up both the files and the database, keep more than one version, and test a restore before you need it; our recovery only worked because an older clean copy existed. Ask your developer to help.
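As an added illustration of the “back up and test a restore” advice above (example code written for this post, not a script from the author, Cloudways or Sucuri), the shell script below archives a WordPress directory, records its checksum, and then proves the archive actually unpacks to the same files. It assumes a standard WordPress layout, GNU tar and sha256sum on the host, and WP-CLI (https://wp-cli.org) for the database dump; the demo at the end builds a tiny constructed site in a temp directory so it runs without a real install or a database.

```shell
#!/bin/sh
# Back up a WordPress site's files and database, then prove the archive restores.
# Added example for this post, not code from the author, Cloudways or Sucuri.
# Assumptions: wp-config.php sits in the site root, GNU tar and sha256sum exist on
# the host, and WP-CLI is installed for the database dump. Paths are illustrative.
# Copy the finished backup OFF the server: an attacker who controls the site can
# delete anything stored next to it.

# Dump the database with WP-CLI, which reads credentials from wp-config.php so no
# password ends up on the command line. Not exercised by the demos below (needs a
# live MySQL); in a real run call it right after backup_files.
backup_db() {
    site="$1"; out="$2"
    wp db export --path="$site" - | gzip > "$out"
}

# Archive the whole site tree (core, themes, plugins, uploads) and record a sha256
# beside it, using the archive's basename so the checksum file verifies from its own dir.
backup_files() {
    site="$1"; out="$2"
    tar -C "$(dirname "$site")" -czf "$out" "$(basename "$site")"
    ( cd "$(dirname "$out")" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
}

# A backup nobody has restored is a guess. Check the archive's checksum, unpack it
# into a scratch directory and compare with the live tree. Returns 0 only when both
# the checksum and the contents match.
verify_files_backup() {
    site="$1"; archive="$2"
    ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ) || return 1
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive" || { rm -rf "$scratch"; return 1; }
    diff -r "$site" "$scratch/$(basename "$site")" >/dev/null
    rc=$?
    rm -rf "$scratch"
    return $rc
}

# Build a small constructed site (not a real install), back it up and verify it.
demo_backup_roundtrip() {
    work=$(mktemp -d)
    mkdir -p "$work/site/wp-content/uploads"
    printf "<?php define('DB_NAME', 'wp_demo');\n" > "$work/site/wp-config.php"
    printf 'sample upload\n' > "$work/site/wp-content/uploads/hello.txt"
    backup_files "$work/site" "$work/site.tar.gz"
    verify_files_backup "$work/site" "$work/site.tar.gz"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Same round trip, but one byte is appended to the archive after it was checksummed:
# verification must now fail, which is the whole point of keeping the hash.
demo_detects_corruption() {
    work=$(mktemp -d)
    mkdir -p "$work/site"
    printf 'x\n' > "$work/site/index.php"
    backup_files "$work/site" "$work/site.tar.gz"
    printf 'z' >> "$work/site.tar.gz"
    if verify_files_backup "$work/site" "$work/site.tar.gz"; then rc=1; else rc=0; fi
    rm -rf "$work"
    return $rc
}

# Stand-alone run: exercise both demos.
demo_backup_roundtrip && demo_detects_corruption && echo "backup round trip verified"
```

For a live site, run `backup_files` and `backup_db` from cron, then copy the archive, the `.sha256` file and the dump to storage the web server cannot write to; `verify_files_backup` can be re-run against the copy on a spare machine to confirm the off-site version is still good.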
No. 2: Control Your Website Access and Get a Password Manager
I was lucky to once meet the late Kevin Mitnick, a former hacker turned cybersecurity consultant, who basically showed how easy it was to hack into someone’s email or steal their password on a website. His advice: make sure all your passwords are at least 25 characters long and store them in a safe password manager. We see so many businesses that don’t do this or have rather easy-to-guess passwords. Create long, random passwords that are unique to each account, keep them in a password manager such as 1Password, and retrieve them from there each time you need them. In addition, we would recommend:
- Clean up who has access to your website (and all your marketing platforms). It’s especially important to remove former employees and past agencies so they cannot keep or regain access, as they may not have your best interests in mind. One more thing: as a small business, it’s critical that you are also an admin on EVERY account, so you can get in yourself and don’t depend on others.
- Be careful about sharing passwords with agencies or other entities via email. We’ve seen too many instances where someone’s email was compromised and the attacker read passwords for a number of different platforms straight out of the inbox. Share credentials through the password manager instead, and change any password that has ever been sent in plain email.
No. 3: Reduce Your Website Security Risks by Eliminating Plugins
We love WordPress; it’s a great content management system with just about every tool you can imagine needing available through its open-source community. The problem, of course, comes with those community tools (plugins): each one is code running on your server that someone else wrote, and a vulnerability in any of them is a way in for attackers. As we learned the hard way, it’s important to:
- Keep your plugins (and WordPress itself) up to date. Plugin authors release updates to patch security holes and other issues, and once a fix is public, attackers scan for sites that haven’t applied it.
- Remove plugins that are not being used. A deactivated plugin’s files are still on the server and can still be reached by an attacker, so deactivating is not enough. Delete everything you don’t currently need (this will also speed up your page loading).
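The two plugin rules above can be turned into a routine check with WP-CLI (https://wp-cli.org), the command-line tool for WordPress. The script below is an added example for this post, not code from the author or the WordPress project; it assumes WP-CLI is installed on the host, and the plugin list it works on is a constructed sample in the real CSV layout that `wp plugin list` prints. It only prints the commands to run, so you can review the plan before anything changes on the site.

```shell
#!/bin/sh
# Audit a WordPress site's plugins from WP-CLI output and print the commands that
# would delete inactive plugins and update active-but-outdated ones.
# Added example for this post, not code from the author or the WordPress project.
# Assumes WP-CLI on the host; the CSV columns below are the real --fields of
# `wp plugin list`. Nothing here changes the site: the output is a plan to review.

# Constructed sample (not from a real site) of:
#   wp plugin list --format=csv --fields=name,status,update,version
SAMPLE_CSV='name,status,update,version
akismet,active,available,5.3
classic-editor,inactive,none,1.6.3
wordfence,active,none,7.11.0
old-slider,inactive,available,1.2'

# Active plugins with a newer release published: once a fix is public, these are
# what attackers scan for, so they are the priority updates.
outdated_active_plugins() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "active" && $3 == "available" { print $1 }'
}

# Installed but deactivated: the PHP files are still on disk and reachable, so
# these are removed rather than kept around.
inactive_plugins() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Emit the WP-CLI commands, deletions first, so an inactive plugin that also has
# an update pending (old-slider in the sample) is deleted and never updated.
plan_plugin_actions() {
    for p in $(inactive_plugins "$1"); do
        printf 'wp plugin delete %s\n' "$p"
    done
    for p in $(outdated_active_plugins "$1"); do
        printf 'wp plugin update %s\n' "$p"
    done
}

# Live use: feed the real list instead of the constructed sample, e.g.
#   plan_plugin_actions "$(wp plugin list --format=csv --fields=name,status,update,version)"
plan_plugin_actions "$SAMPLE_CSV"
```

Run it from the site directory (or pass `--path` to `wp`) and read the plan before pasting it back in; take a backup first, since a plugin update can occasionally break a page, and a tested backup is what makes “update now” a safe default.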
No. 4: Keep Your Customers’ Data Secure for Site Purchases Through a Secure Payment Provider
For most businesses, you’ll probably choose a payment processor (PayPal, Stripe, etc.) that lets customers submit their credit card for purchases securely and then, if needed, stores the card as a token so the real card number never sits in your systems. These providers are PCI compliant: the Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements that businesses must meet when accepting, transmitting, processing, or storing credit card data. For small businesses, PCI compliance involves some strict requirements, including:
- Protecting stored cardholder data and encrypting it whenever it travels over public networks
- Keeping antivirus software up to date
- Installing and maintaining a firewall
- Assigning a unique ID to each person with computer access, so every action can be traced to one user
Many businesses outsource this function to a payment processor for a fee. PCI DSS isn’t a law; it is a contractual requirement from the card brands that applies to any business accepting cards, and using a processor shrinks the part of your business it covers rather than removing it. For those who want to store card data themselves, it definitely pays to have a secure system, as the last thing you’d want is for your customers’ credit cards to be stolen due to your negligence. Our advice: rather than build your own system, go with an established provider that stores and encrypts card data on your behalf and hands you only a token. Why reinvent the wheel, after all? Also, never, ever write credit card numbers down on paper, in spreadsheets, or in email, or leave them anywhere they can be easily discovered.
These are just a few of the tips for your small business. We hope you don’t have to learn them the hard way like we did. As always, if you need any additional marketing support or want to get our insights on something, feel free to contact us for a free consultation.