Everyone makes mistakes, especially when they are just starting out. But when it comes to cyber security mistakes, it’s not just you or your business that gets affected – it’s your users as well. So it is crucial to know how to identify them and how to avoid them.
Cyber security is one of the most in-demand services in the technology industry today, especially after the COVID-19 pandemic. Not only did many people have to work from home or other remote locations, but many businesses rushed into the digital realm in order to stay afloat.
The surge in digitalization, paired with the evolution of technologies such as mobile, the Internet of Things and cloud computing, has also introduced new threats on top of the plethora of harmful “trends” already there.
In 2020 alone, according to data analyzed by researchers at Atlas VPN, cybercrime cost businesses, government agencies, and consumers worldwide more than $1 trillion. That amounts to around one per cent of the global GDP.
Out of that, $945 billion was lost to cyber incidents, while only $145 billion was spent on cybersecurity. Not to mention that these costs increased by more than 50% compared to 2018, when an estimated “only” $600 billion was spent to handle cybercrime.
And still, 20% of organizations worldwide have no plan for protecting their users’ data against cybercrime events, according to the same Atlas VPN report. That leaves a gaping hole in networks that cybercriminals can exploit to extend their attack strategies and steal millions of dollars more.
So in this article we aim to help you join the 80% that do have a plan, by walking through the most common cyber security mistakes you should avoid making when creating a new website.
Let’s dive in.
1. Forgetting to keep your domains secure
If you intend to have any kind of interaction with your users, they will have to share some of their information with you. Whether this is a simple email address or phone number, or more sensitive data, when this interaction happens you need to have measures in place to keep that data safe.
What does this mean? Simply put, every new domain or URL comes with a basic communication protocol called HTTP, or HyperText Transfer Protocol, which lets your users’ browsers (the clients) communicate with your servers. HTTPS, also known as HTTP Secure, is just that: the secure version of HTTP.
But to get the S next to your HTTP, you need an SSL certificate, which is used to encrypt the connection before information is sent from the client (your user interface, basically) to your servers and back. This way, a) your data is harder to intercept, and b) even if it is intercepted, it is encrypted, which makes it much more difficult to read.
Using an SSL certificate is not just a nice thing to have. In fact, SSL certificates are so important and so needed that browsers like Google Chrome often refuse to open websites not using one. Not only that, but they also show your users a big, bright red error message that is sure to send most of your visitors running.
2. Choosing an unreliable web host
Web hosts, as the name implies, are service providers that host your website or mobile platforms on servers. Naturally, the type of host you go with depends on the type of website you’ve got.
For instance, if you run a personal blog with a few thousand monthly visitors and that doesn’t collect too much personal data from users, you can get away with shared hosting. This is because it’s cost-effective and has the resources you need to handle your modest traffic.
However, the more traffic you have, the more data you collect and the more sensitive that data is, the more you need a strong and reliable hosting provider, as an unreliable solution can expose your site to many threats.
3. Failing to back up the website
One of the best methods to keep your site safe is to have a good backup solution. And we are not talking just about your hosting provider backing up your data – you should have more than one backup option. Each is crucial to recovering your website after a major security incident occurs.
But remember, keep your backup information off-site, on a server that is not the same as the one hosting your website. A home computer or a hard disk is ideal – a place away from possible attacks. Alternatively, you can back up the data on a cloud service, which makes storage easy and lets you access it from anywhere.
You should also consider automating this process using a solution that lets you schedule your site backups and has a reliable recovery system. Lastly, be redundant in your backup process – back up your backup – so you can recover files from any point before the attack occurred.
4. Using obvious passwords
This might be one of the simplest, fastest and most affordable security steps, but creating strong passwords is also one of the most important steps in keeping hackers away from your website. And yet this step often ends up very low on our security list, simply because we always assume that our passwords are strong enough.
But the reality is that weak passwords are surprisingly easy for hackers to crack, especially if they’re using a password-guessing program that is capable of trying thousands of variations and breaching your systems in no time.
Not to mention that many organizations and users alike make the mistake of using the same password over and over, simply because remembering new, complex passwords is tricky.
Moreover, you should ensure your users’ passwords are safe as well. For example, never store them in plain text in your databases. You should also implement a system that requires your users to choose a strong password, and you can add an extra security step on top, such as a Captcha, 2FA, etc.
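The two points above (never store passwords in a readable form, and enforce a strength policy on sign-up) as an added example, not code from the original article. The standard way to avoid storing readable passwords is a salted, slow hash, so this uses PBKDF2-HMAC-SHA256 from the standard library; the function names and the short common-password list are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of passwords that must never be accepted; a real deployment
# would check against a much larger breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123"}

# Iteration count: high enough that a password-guessing program is slowed down
# considerably per guess (OWASP's order of magnitude for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 600_000


def check_strength(password: str, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs both letters and digits")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Produce the record to store in the database: a fresh random salt plus the PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record, so the iteration count can be raised later without
    # invalidating rows hashed with the old parameters.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```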
5. Failing to keep your cookies secure
It is easy to overlook the importance of cookies, yet most websites use them. Cookies keep information about your website’s users, which in turn can inform their needs and help improve your site.
However, they can cause massive damage if they are used to store extremely sensitive information, because they can easily expose users’ information to hackers, who can in turn use it for malicious purposes.
Cookies should therefore not store sensitive information, and they should either expire quickly (session cookies) or, if they are persistent session cookies, require re-authorization every fortnight. This reduces security risks since you know that it is an authorized user entering your website.
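The cookie rules above (no sensitive data in the cookie, a session cookie or a persistent one bounded to a fortnight) as an added example, not code from the original article. One function builds a hardened Set-Cookie header carrying only an opaque session token; the other audits an existing Set-Cookie header value against the same rules. Function names and the sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie

FORTNIGHT_SECONDS = 14 * 24 * 60 * 60  # the re-authorization window suggested in the text


def build_session_cookie(name: str, token: str, persistent: bool = False) -> str:
    """Return a Set-Cookie header value that carries only an opaque session token."""
    cookie = SimpleCookie()
    cookie[name] = token
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["secure"] = True     # only ever sent over HTTPS (see mistake 1)
    morsel["httponly"] = True   # not readable by page scripts, so harder to steal via XSS
    morsel["samesite"] = "Lax"  # not attached to most cross-site requests
    if persistent:
        morsel["max-age"] = FORTNIGHT_SECONDS  # bounded lifetime, then the user must log in again
    # Without Max-Age this is a session cookie: discarded when the browser closes.
    return morsel.OutputString()


def audit_set_cookie(header: str, max_age_limit: int = FORTNIGHT_SECONDS) -> list:
    """Return findings for a Set-Cookie header value; an empty list means it passes."""
    parts = [p.strip() for p in header.split(";")]
    name_value, attrs = parts[0], parts[1:]
    flags = {}
    for attr in attrs:
        key, _, value = attr.partition("=")
        flags[key.lower()] = value if value else True
    findings = []
    if "secure" not in flags:
        findings.append("missing Secure: cookie can be sent over plain HTTP")
    if "httponly" not in flags:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    if "samesite" not in flags:
        findings.append("missing SameSite: cookie sent on cross-site requests")
    if "max-age" in flags and int(flags["max-age"]) > max_age_limit:
        findings.append("Max-Age exceeds the fortnight re-authorization window")
    # The cookie value should be an opaque token, never the user's data itself.
    value = name_value.partition("=")[2]
    if "@" in value or value.startswith("{"):
        findings.append("value looks like user data: keep it server-side, store only a token")
    return findings
```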
6. Not keeping your technology up to date
It is important to keep the technology behind your web and mobile apps up to date, to avoid exposing the site to risks. New threats appear every day and hackers are always scouting for them; updating your code, for example, ensures that you minimize your exposure.
You should also update the third-party services associated with your site. All software and libraries ought to be updated as often as possible.
7. Not stress-testing whether the site is secure enough
This is mostly recommended if you store highly sensitive data, such as financial data, but a good practice for upping your security in general is to hire a professional or an ethical hacker to stress-test your site and find any security flaws there might be.
For example, they can help you avoid:
1. Cross-site scripting – where a hacker exploits a gap in web security by injecting malicious code into your web application.
2. Broken authentication – a flaw that allows an attacker to impersonate users, such as someone on your team.
3. SQL injection attacks – these allow a hacker to execute malicious SQL statements through an entry field.
4. Sensitive data exposure – where an application unintentionally exposes sensitive data such as banking information (this is distinct from a data breach).
8. Skipping or neglecting outbound data security
Data protection is a two-way street: as you ensure that threats are kept at bay, you also need to keep company information from getting to outsiders. To keep sensitive data from leaking out, it is advisable to embrace egress filtering.
Also, based on the risk assessment, an organization can quickly craft distribution policies for the various types of confidential information. These policies govern exactly who can access, use or receive which type of content and when, and they also define the enforcement actions for violations of those policies.
Four types of distribution policies typically emerge for the following:
- Customer information
- Executive communications
- Intellectual property
- Employee records
Once these distribution policies are defined, it’s essential to implement monitoring and enforcement points along communication paths.
9. Excluding employee training on Cyber Security matters
Regular employee training is key in the effort to keep your website safe. Threats such as phishing are hard to detect, especially if an employee is not informed. It’s wise to keep them updated on the current risks and how to identify them.
When it comes to cybersecurity, an enterprise needs to be savvy. Knowledge of cybersecurity and information technology is extremely important because it is the basis for preventing a cyber breach or attack.
Employees should be educated in the realm of cybersecurity (and trained accordingly), because a security threat cannot be avoided or reported if it is not recognized! This seems obvious, but you’d be surprised. The most common threat is caused by human error, and that is the main reason cyber training exists.
So how do you avoid most cyber security mistakes?
Employing superior cyber security measures should not be a matter of choice but of priority. Keeping your users’ data safe does not only benefit them; it also benefits your business in the long run.
Not only will you gain your users’ trust and loyalty, but you will also save money by investing in avoiding the risks, instead of pouring resources in a panic after an attack happens. But remember that cyber security is a team effort.
As part of management, you should keep your team informed on possible threats and what the team should do to avoid them. A well-informed team is a wary team, and more importantly, they will be on the watch for risks you potentially missed.
And finally, whether you run a simple promotional website or blog, or collect sensitive data such as financial information, your data security should be at the top of your list. Your users depend on you to keep their information safe.