
Cyber security for small businesses

March 31, 2015


Last Thursday (26/03/2015) I attended the HM Government talk ‘What you need to know about cyber security’, at the Essex Networking on Sea event. The event was well attended and had speakers from both the Essex Police and Cyber Security & resilience – Department for Business.

Cyber security is about protecting your computer-based equipment and information from unintended or unauthorised access, change, theft or destruction.

The threat to businesses, big and small, is now widespread and no longer the reserve of a few highly skilled individuals.

How to manage the risks of cyber attacks

Managing cyber threats is divided into three sections, planning, implementing and reviewing. Here’s a quick summary of some of the points raised in the free handbook.

Planning

  • Assess your level of risk: have any of your suppliers, customers or similar businesses been attacked?
  • Do you collect personal data, or even take credit card payments (I strongly advise leaving this to payment gateways), and do you comply with the associated legislation?
  • Identify the financial and information assets critical to your business and the IT services you rely on
  • Assess the IT equipment (including mobile and personal devices) within your business
  • Assess the security level of all passwords used (12+ characters recommended)
  • Ensure staff are aware of the possible threats and have sufficient training
  • Have a recovery plan in case your business is compromised
  • Could cyber insurance protect against the impact of a cyber attack?

Implementing

  • Install anti-virus protection and keep browsers up to date
  • Increase network security with firewalls, proxies, access lists and other measures
  • Create a secure standard configuration for all IT equipment and software. Change any default passwords
  • Restrict staff and third party IT access to the minimum required. Very few people should have full admin rights.
  • Ensure sensitive data is encrypted when stored or transmitted
  • Restrict the use of removable media, such as USB drives, to prevent the spread of malware
  • Monitor the use of all equipment and IT systems. Collect activity logs.

Reviewing

  • Test, monitor and improve your security controls regularly
  • Remove any unused software or equipment. Delete staff accounts when they leave and remove data off old equipment
  • If your business is attacked, ensure that the threat is traced and removed. Address any gaps in your security.
  • If you fall victim to online fraud or attack, report the incident to the police via the Action Fraud Website. You may need to notify customers and suppliers if their data has been compromised.

How to reduce the risk of a cyber attack on your website

Platforms & Frameworks

Make sure your CMS software is kept up to date. WordPress can now be set to update automatically, whereas updating software such as Magento is more involved and will likely need a professional web developer. Reading the release notes will give you an idea of how critical a new version is; sometimes a patch is available instead of a full upgrade.
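As an added example (not code from the post), this is how a WordPress site opts in to automatic updates: the constant goes in wp-config.php and the filters in a must-use plugin. The plugin slug held back for manual updates is a constructed placeholder.

```php
<?php
// --- in wp-config.php ---
// WordPress 3.7+ applies minor/security releases by itself; 'true' also allows major releases.
define( 'WP_AUTO_UPDATE_CORE', true );
// Leave this constant undefined: setting it to true switches the whole automatic updater off.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// --- in wp-content/mu-plugins/auto-updates.php (loaded on every request, cannot be deactivated) ---
// Auto-update every plugin except those you deliberately update by hand.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // Constructed placeholder: a plugin whose upgrades you want to test on staging first.
    $manual = array( 'example-payment-plugin/example-payment-plugin.php' );
    return in_array( $item->plugin, $manual, true ) ? false : true;
}, 10, 2 );

// Themes too, so a patched theme does not wait for someone to log in and notice.
add_filter( 'auto_update_theme', '__return_true' );
```

Check Dashboard > Updates after a release to confirm the updater ran, and keep a backup from before each automatic update in case a plugin update breaks the site.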

Plugins

Keep the number of installed plugins on your site to a minimum. This will make it easier to update your CMS software and reduce the potential hacking routes into your site. Make sure that the core plugins that you do use are regularly maintained by the author and you’re using the latest version. Before using any plugins make sure to read reviews and look for complaints about the code quality or bugs.

Remove any unused plugins.

Use a well known security plugin (WordPress)

WordFence monitors attempts to access your WordPress site, whilst helping you to secure it.

Server Security (LAMP)

Using open source software such as WordPress means that attackers already have a good idea of your site architecture: they know where to find the default login page and how the database is structured. Protecting the admin pages with an Apache password (HTTP basic authentication) puts a second login in front of them and blocks unwanted visitors before they ever reach the WordPress login form.
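An added example of that Apache password, not taken from the post: two .htaccess fragments that put HTTP basic authentication in front of wp-login.php and the wp-admin/ directory. It assumes Apache 2.4 with mod_auth_basic and mod_authn_file enabled, AllowOverride AuthConfig permitted for the site, and the site served over HTTPS (basic auth credentials are only base64-encoded in transit).

```apache
# Create the password file OUTSIDE the web root first, then reference it below:
#   htpasswd -c /etc/apache2/wp-admin.htpasswd adminuser

# --- .htaccess in the site root: wp-login.php lives here ---
<Files "wp-login.php">
    AuthType Basic
    AuthName "Site administration"
    AuthUserFile /etc/apache2/wp-admin.htpasswd
    Require valid-user
</Files>

# --- .htaccess in wp-admin/: everything in the directory needs the password ---
AuthType Basic
AuthName "Site administration"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# admin-ajax.php is called by the public front end and by plugins, so it must stay reachable;
# this <Files> section overrides the directory-level Require above for that one file.
<Files "admin-ajax.php">
    Require all granted
</Files>
```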

Your hosting company will also give you advice as to how to best protect your site, as they have an interest in keeping their servers malware free. This can include changing the write access to files and removing old installation files.

Themes

Be careful of premium plugins that are bundled within paid themes. This is a known issue with some WordPress theme providers. These bundled plugins commonly break the WordPress update path, so you won't be informed of any critical updates.

Again look to reviews to get an idea of how well the code has been written.

Stay Informed

Sign up to a newsletter such as WordFence, for WordPress security information, to receive news on cyber security issues and plugin flaws early.

Code Reviews

Poorly written code can often leave the door open for SQL injection attacks and other ways to compromise your site. Bad code is at best inefficient but could be opening the door to much worse.

Use Secure Passwords

Use long, random passwords for logins. A tool such as Norton Identity Safe can help to create these.

Restrict the use of Admin

Use restricted access accounts for everyday tasks. If such an account is compromised, the attacker also has less access.

Keep Backups

A breached site will often be used to distribute malware or offensive material. If you keep regular site backups, you’ll have an instance of the site to return to, although you’ll still need to correct the security hole they used to access your site.

Logs

Logs can give you more of an idea as to what activity is happening on your site and servers. WordFence again can be useful here, to see what efforts people are making to gain access to your login or admin areas.

PCI

Let more experienced companies deal with the headache of storing and charging credit cards.

Be Vigilant

Be careful when opening email attachments and links, especially from unusual sources or unknown senders. Simple cyber attacks rely on a user being logged into their admin area while clicking on a malicious link.

Legacy code

Hoping that your software is too old or bespoke to attract the attention of a hacker is far from best practice. Many hackers do use scripts to look for common flaws in old WordPress, Magento or osCommerce installs, but a dedicated hacker would have a field day if they found out your codebase was older than they are.

Summary

I hope that these points might help anyone trying to secure their website from cyber attacks. There’s lots of great advice out there on sites such as becyberstreetwise.com and wordfence.com.

If your site has been compromised, let us know and hopefully we can help. Also if you’re a WordPress site owner, be sure to read WordPress – How to prevent brute force attacks.


Andrew Taylor

A senior UI designer with over 25 years of web design and web development experience working for some of the largest companies in the UK. An expert in all things Magento and WordPress.
