Guest Post – Common Website Security Mistakes

Today we are featuring a guest column written by Jann Chambers at UK Web Host Review.

If there is one thing that all website owners today need to be concerned about it is website security. This is especially the case if you take online payments for your products and services.

A quick search online turns up news of thousands of data breaches in recent years. Incidents like this are hard to come back from: they cause lasting reputational damage and large financial losses, and the regulatory penalties and customer notification costs that follow a breach of payment or personal data can be as large as the direct loss.

This is something all businesses want to avoid, and avoiding it begins with fixing the website security mistakes you are already making. So let’s take a look at the most common blunders in further detail below.

Treating security as the final step in website development
The first mistake to avoid is treating security as the last step of website development. Security is not something you can bolt on while adding the final touches before the site goes live; it has to be built into the project’s foundation: deciding what data you hold and who may access it, choosing frameworks and libraries that handle authentication and database access safely, and reviewing those decisions as the design changes. Treating it as just another feature to be added later leaves you with insecure defaults, missing access checks and untrusted input flowing straight into the database, which is how flaws such as SQL injection end up in production and why they are far more expensive to remove afterwards than to prevent up front.

Failing to update website plugins and applications
Updates are released for a reason. Many of them fix security vulnerabilities that have already been published, and attackers routinely scan the web for sites still running the affected versions, so an unpatched plugin is an open invitation rather than a theoretical risk. Subscribe to the security advisories for your content management system, plugins and hosting stack, apply updates promptly after testing them, and remove plugins and themes you no longer use, since even a disabled plugin can be exploitable if its files remain on the server.

Not enforcing a strong password policy
Strong passwords are a necessity. Attackers use automated tools that guess passwords online (brute force and credential stuffing with passwords leaked from other breaches) and crack stolen password hashes offline, so weak or reused passwords fall quickly. A strong password policy is therefore a must. Require passwords of at least 10 characters (longer is better) that mix uppercase letters, lowercase letters, numbers and special characters, and reject passwords that appear in known breach lists or contain the user’s name. Note that current guidance such as NIST SP 800-63B puts more weight on length and breached-password screening than on mandatory character-mix rules, which tend to produce predictable patterns like “Password1!”; combine the policy with rate limiting on the login form and store passwords only as salted hashes from a slow algorithm such as bcrypt or Argon2. Enforce the policy for everyone who logs in to your website, as well as across your entire organisation.
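As an added illustration (this is example code, not part of the original post), the following Python function applies the policy described above and also screens candidates against a breached-password list and the user’s own name. The breached list here is a constructed three-entry stand-in for a real one; the minimum length, rule names and function names are this example’s own choices.

```python
import hashlib
import re
from typing import List

MIN_LENGTH = 10

# Constructed stand-in for a breached-password list (for example an offline copy
# of a public "pwned passwords" corpus). Stored as SHA-1 hex digests so the
# cleartext never needs to sit in the application's source. Assumption for this
# example: the real list would be far larger.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password1!", "Welcome123!", "Summer2023!")
}

# (rule name, predicate that is True when the rule is satisfied)
COMPOSITION_RULES = [
    ("no lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("no uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("no digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("no special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def password_problems(password: str, username: str = "") -> List[str]:
    """Return every policy rule the candidate password violates.

    An empty list means the password is acceptable. Returning all violations
    at once lets the sign-up form tell the user everything to fix in one go.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, satisfied in COMPOSITION_RULES:
        if not satisfied(password):
            problems.append(name)
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    if digest in BREACHED_SHA1:
        problems.append("appears in a breached-password list")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """True when the password passes every rule in password_problems()."""
    return not password_problems(password, username)


if __name__ == "__main__":
    for candidate in ("Password1!", "Ab1!", "correct-Horse7-battery"):
        print(candidate, "->", password_problems(candidate) or "accepted")
```

The breached-list check is the rule that catches “Password1!”, which satisfies every composition rule; that is why screening against known leaks matters more in practice than the character mix.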

Trying to handle everything yourself without the experience
If you do not have experience in cyber security, you should hire an expert to make sure your online presence is secure. This gives you peace of mind and saves you a lot of time. A security services company can carry out a full website security audit to determine the current state of your site and recommend where improvements are needed. They can also be on hand whenever a fix is required, monitor for malicious activity and scan your site for vulnerabilities on a regular schedule. Ask for the audit findings in writing, with severity ratings and a remediation plan, so that you can verify the fixes were actually made.

Assuming you do not need to worry about third-party security
A lot of business owners make the mistake of assuming that third-party security is entirely the responsibility of the company they are using. It is just as much your responsibility. You chose to use that company’s services, and it is up to you to confirm that they provide sufficient security. If a breach were to occur via a third party, you would still be accountable to your customers and regulators, so take this seriously. Choose online payment providers and hosting providers that prioritise security and can explain the measures they have in place to protect your business and your customers; for payment processing, ask for evidence of PCI DSS compliance, and for hosting, ask how they patch, isolate customers and handle incidents.

Allowing invalid data to enter the database
Another common mistake is allowing invalid or untrusted data to reach your database. Everything a user submits, including form fields, URL parameters, cookies and uploaded files, must be treated as untrusted. Validate it against what you actually expect (type, length, format, allowed values) and reject anything else. Validation alone is not enough, though: also use parameterised queries rather than building SQL by string concatenation, and encode data when it is written into HTML pages. Skip these steps and you are exposed to command injection, SQL injection, cross-site scripting and similar attacks, any of which can hand an attacker your data or your users’ sessions.
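As an added example (not from the original post), the following Python code puts the three controls from the paragraph above side by side: a username lookup that concatenates input into SQL next to the parameterised version, a greeting rendered with and without HTML encoding, and a whitelist validator for the username field. It uses only the standard library with an in-memory SQLite database; the table layout, sample users and the `run_demo` helper are constructed for this example.

```python
import html
import re
import sqlite3
from typing import Dict, List

# Constructed sample data for the example.
SAMPLE_USERS = [("alice", "hash-of-alice-password"), ("bob", "hash-of-bob-password")]

# Whitelist for the username field: only lowercase letters, digits and
# underscore, 3 to 32 characters. Anything else is rejected before it goes near
# the database.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Deliberately vulnerable: the input becomes part of the SQL text."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameterised: the driver sends the value separately, never as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def validate_username(username: str) -> bool:
    """Whitelist validation; rejects quotes, spaces and SQL punctuation outright."""
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting_unsafe(name: str) -> str:
    """Deliberately vulnerable: user data written straight into HTML."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Output encoding turns < > & ' " into entities so the browser treats them as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def run_demo() -> Dict[str, object]:
    """Exercise both versions with a classic injection payload and an XSS payload."""
    conn = make_db()
    sqli_payload = "x' OR '1'='1"
    xss_payload = "<script>alert(1)</script>"
    return {
        "vulnerable_rows": lookup_vulnerable(conn, sqli_payload),
        "safe_rows": lookup_safe(conn, sqli_payload),
        "valid_user_rows": lookup_safe(conn, "alice"),
        "payload_passes_validation": validate_username(sqli_payload),
        "unsafe_html": render_greeting_unsafe(xss_payload),
        "safe_html": render_greeting_safe(xss_payload),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the payload `x' OR '1'='1`, the concatenated query becomes `... WHERE username = 'x' OR '1'='1'` and returns every user, while the parameterised query looks for a user literally named `x' OR '1'='1` and returns nothing. The validator would have rejected the payload before the query ran, and `html.escape` turns the script tag into harmless text.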

Not backing up your data
No matter how solid your security strategy is, you still need to back up your website’s data regularly. Keep backups of all of your website files and the database, so that you can recover if data is lost, the site is defaced or ransomware makes it inaccessible. Your web host should be able to provide backups on their own servers, and many content management systems have extensions and plugins that back up your site automatically. Whatever you use, keep at least one copy off the web server (an attacker who controls the server can delete backups stored beside it), and test a restore from time to time: a backup you have never restored is only an assumption.

Failing to encrypt your login pages
Last but not least, if you do not use TLS on your login pages, you are making a big mistake. TLS lets sensitive information such as login credentials and credit card numbers travel between the browser and your server in encrypted form, so anyone intercepting the traffic sees only ciphertext that is useless to them. In practice you should serve the whole site over HTTPS rather than just the login page: redirect plain HTTP to HTTPS, send a Strict-Transport-Security header so browsers refuse to downgrade, and mark session cookies Secure so they are never sent in the clear. A login form served over HTTP that merely posts to an HTTPS address is not enough, because the page itself can be tampered with in transit before the user types anything.
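As an added example (not part of the original post), here is a small Python checker for the points above. Given the raw text of an HTTP response for a login page, it reports whether the page was served over HTTPS, whether a Strict-Transport-Security header is present, whether each cookie carries the Secure flag, and whether any form posts to a plain-HTTP address. The sample response is constructed for the example, with a made-up hostname, and the finding strings are this example’s own.

```python
import re
from typing import Dict, List

# Constructed sample response for a login page, with deliberate weaknesses:
# no HSTS header, a session cookie without the Secure flag, and a form that
# posts credentials to an http:// address. The hostname is made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html><body>\n"
    '<form method="post" action="http://shop.example.test/login">\n'
    '<input name="user"><input name="pass" type="password">\n'
    "</form></body></html>\n"
)


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Split the head of an HTTP response into a name -> [values] map."""
    head = raw_response.replace("\r\n", "\n").partition("\n\n")[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def login_page_findings(raw_response: str, served_over_https: bool) -> List[str]:
    """Return a list of transport-security problems found in the response."""
    headers = parse_headers(raw_response)
    body = raw_response.replace("\r\n", "\n").partition("\n\n")[2]
    findings = []

    if not served_over_https:
        findings.append("login page served over plain HTTP")
    if "strict-transport-security" not in headers:
        findings.append("missing Strict-Transport-Security header")

    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' lacks the HttpOnly flag")

    for action in re.findall(r'<form[^>]*\baction="([^"]*)"', body, re.IGNORECASE):
        if action.lower().startswith("http://"):
            findings.append(f"form posts to plain-HTTP address {action}")

    return findings


if __name__ == "__main__":
    for finding in login_page_findings(SAMPLE_RESPONSE, served_over_https=False):
        print("-", finding)
```

Run against a real site, the same checks can be made by saving a response with a command-line HTTP client and passing its text to `login_page_findings`; the `served_over_https` flag is passed in because the response text alone does not record which scheme the request used.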

As you can see, there are many mistakes that developers and business owners tend to make when it comes to web application security. If you recognise any of the blunders above, there is no need to panic, but you do need to put steps in place to fix them.

The worst thing you can do is ignore the issues and think “it won’t happen to me”: that is the sort of attitude that could leave you staring down the barrel of business closure. Prioritising website security is a necessity.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
