Should you care about cyber security?
After all, you are only building a website, not working on the iPhone 8 or the next Game of Thrones episode. Besides, cyber security can cost you a lot. So, is it really worth it?
Now let us think the other way around.
You must be aware that your website can be attacked at any moment, even a few hours after it goes online. It is not Halloween and we don’t want to scare you, but let’s face it: the danger is real.
Let us imagine that your brand’s commercial website has been hacked…
PART I – HACKED: TROUBLE IS COMING
A hacker has just found a weak spot and hacked your website. Now it is broken. Your database has been stolen. The administrator password has been changed. The whole website looks awful, covered with text you cannot even understand (but fear what it could mean). What can they possibly want? Ransom? Blackmail? Spreading pro-Trump propaganda?!
Now you need to make your website great again. You asked your team to restore it, but a couple of hours later it was down again. It must be fixed, and you had better do it quickly. There are experts for this kind of request, but urgency always comes at a price.
Meanwhile, your emails and social media are flooded with messages about your website being down. Your customers may even behave mercilessly: all they want is to have the site back and their data safe. Also, your community manager is having a rough day trying to avoid bad buzz.
While your customers are locked out of your website, it is crystal clear that you cannot get any revenue from it. But the worst part is that the money just won’t come back with the site. Customers will need some time to trust you again. Maybe you will even have to spend money on some of them (compensation, lawsuits, etc.). Especially if your website is Ashley Madison.
Some customers talk about suing you on social media. And they are totally right to do so. It is only a matter of hours before you read your name associated with “dark net” and “stolen personal data”. Of course, the law is different in each country. The European law known as the General Data Protection Regulation (GDPR) will make things better for customers and worse for companies. It will force you to contact every customer whose personal data was stolen and inform them about the hack. Will they still be customers after that? Probably not.
PART II – BEST PRACTICES: HACKERS SHALL NOT PASS
At this point, we should all agree that it is better to avoid such trouble. Now, let us pick another (and much better) scenario. Imagine you DID care about security in the first place.
WEBSITE CREATION REQUIREMENTS
You can make a difference when choosing the right technology. To begin with, you can serve your website over HTTPS for free or at a low price, using the free Let’s Encrypt certificates. This will also help your SEO, since Google strongly recommends it.
Using HTTPS on your website will defeat network sniffing. In places such as hotels and restaurants that offer free Wi-Fi, sniffing data is child’s play for anyone who has the Wi-Fi key. With HTTPS, however, your customers’ passwords and payment information stay safe. And of course, it protects your admin access too.
Another way to protect the latter is two-factor authentication. There are many solutions, such as Google Authenticator or YubiKey. It makes it impossible for a hacker to log in, even with valid credentials.
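Authenticator apps such as Google Authenticator generate time-based one-time passwords (TOTP, RFC 6238). The following is an added example of how the server side verifies such a code; it is not code from the original article. The base32 secret is the published RFC 6238 test seed, not a real key, and the helper names (hotp, totp, verify_totp) and the replay-protection design are this example’s own choices.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# The RFC 6238 SHA-1 test seed "12345678901234567890" in base32: a published test vector, not a real secret.
RFC6238_SHA1_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

DIGITS = 6
STEP_SECONDS = 30


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # tolerate secrets shown without '=' padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, last_counter: int,
                unix_time: Optional[int] = None, window: int = 1) -> Tuple[bool, int]:
    """Check a code submitted by the user.

    Returns (accepted, new_last_counter). The server accepts the current time step and
    up to `window` steps either side (clock drift between phone and server), refuses any
    counter it has already accepted for this user (a captured code must not work twice),
    and compares in constant time so that response timing leaks nothing about the code.
    """
    now = int(time.time()) if unix_time is None else unix_time
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False, last_counter
    current = now // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue   # already consumed: replay attempt or stale code
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Expected: 287082 (the first RFC 6238 test vector, truncated to six digits).
    print(totp(RFC6238_SHA1_SECRET, 59))
```

The stored last_counter is what turns a one-time password into a genuinely one-time password: without it, a code captured within the 30-second step (plus the drift window) could be replayed by someone who has also obtained the password.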
You must also think of hackers trying to brute-force user accounts. Counting failed password attempts and temporarily banning suspicious IP addresses is a good first step. We also recommend using a reCAPTCHA to prevent bots from trying to log in.
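Here is an added example of the counting-and-banning logic described above, written for this article and not taken from it. It throttles both the client IP and the targeted account, so neither one IP spraying many accounts nor many IPs hammering one account gets unlimited guesses. The thresholds (5 failures in 5 minutes, 15-minute ban), the class and function names, and the sample attempts (IPs from the 203.0.113.0/24 documentation range) are all constructed for the demonstration.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List


class LoginThrottle:
    """Counts failed logins per key (client IP or account name) in a sliding window
    and temporarily bans the key once the threshold is reached. In-memory only:
    a real deployment shares this state (e.g. in Redis) across its web servers."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300, ban_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.ban = ban_seconds
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._banned_until: Dict[str, float] = {}

    def is_blocked(self, key: str, now: float) -> bool:
        until = self._banned_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self._banned_until[key]      # ban expired: start counting afresh
        self._failures.pop(key, None)
        return False

    def record_failure(self, key: str, now: float) -> bool:
        """Record a failed attempt; returns True if this attempt triggered a ban."""
        q = self._failures[key]
        while q and q[0] <= now - self.window:
            q.popleft()                  # forget failures older than the window
        q.append(now)
        if len(q) >= self.max_failures:
            self._banned_until[key] = now + self.ban
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def handle_attempt(throttle: LoginThrottle, ip: str, user: str, password_ok: bool, now: float) -> str:
    """Decision for one login attempt: 'blocked', 'ok', 'failed' or 'failed-banned'."""
    keys = (f"ip:{ip}", f"user:{user}")
    if any(throttle.is_blocked(k, now) for k in keys):
        return "blocked"                 # refuse before even checking the password
    if password_ok:
        for k in keys:
            throttle.record_success(k)
        return "ok"
    banned = [throttle.record_failure(k, now) for k in keys]
    return "failed-banned" if any(banned) else "failed"


# Constructed sample: (seconds since start, client IP, account, password correct?)
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7", "alice", False),
    (1, "203.0.113.7", "alice", False),
    (2, "203.0.113.7", "alice", False),
    (3, "203.0.113.7", "alice", False),
    (4, "203.0.113.7", "alice", False),   # fifth failure in the window: ban
    (5, "203.0.113.7", "alice", True),    # right password, but the IP is banned
    (6, "203.0.113.9", "alice", True),    # different IP, but the account is banned too
    (7, "203.0.113.9", "bob", True),      # unrelated account from a clean IP: fine
    (905, "203.0.113.7", "alice", True),  # 900 s ban has lifted
]


def replay(attempts=SAMPLE_ATTEMPTS) -> List[str]:
    throttle = LoginThrottle()
    return [handle_attempt(throttle, ip, user, ok, t) for t, ip, user, ok in attempts]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, replay()):
        print(attempt, "->", decision)
```

Banning the account as well as the IP has a cost: anyone who knows a username can lock its owner out for the ban period. Keep the account ban short and switch to the reCAPTCHA the article recommends (or a notification to the account owner) rather than lengthening it.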
Also, it is a very bad idea to store payment information. It may not even be legal in some countries. Above all, it becomes a big problem if a hacker manages to get hold of it.
Should we also mention that passwords stored in clear text in the database are pure madness?
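The alternative to clear text is a slow, salted password hash. This added example (not from the original article) uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the record format and the function names are this example’s assumptions. The unsalted_sha256 function at the end shows why a plain hash is not enough: every user with the same password gets the same hash, and precomputed tables break it immediately.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy for this example; raise the iteration count as far as your login latency allows.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (salt and hash in base64)."""
    salt = os.urandom(SALT_BYTES)          # fresh random salt per password, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record uses fewer iterations than current policy.
    Because the record carries its own parameters, old hashes keep verifying and can
    be upgraded transparently at the user's next successful login."""
    return int(stored.split("$")[1]) < iterations


def unsalted_sha256(password: str) -> str:
    """What NOT to do: fast, unsalted, identical for every user with this password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))   # True
    print(verify_password(record, "wrong password"))                  # False
```

On a login, call verify_password and, if it succeeds and needs_rehash is true, store hash_password(candidate) in place of the old record; this is how an iteration count is raised over the years without ever asking users to reset anything.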
There are some simple coding practices that can keep you safe from the majority of hackers. Yet your developers may not be aware of them, so you should consider training with regular refreshers. Technology is evolving so fast!
First, you should define coding standards and ask your developers to comment their code. This will make debugging, team work and audits much easier!
The main rule is: never trust your users’ data. Any data that comes from a user can be forged and therefore must be checked. For instance, if you know that you should receive a number, then enforce that it is a number. Not doing this lets hackers inject code, which may lead to unwanted SQL queries or to the reading of files they should not have access to.
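To make the “unwanted SQL queries” concrete, here is an added example (not from the original article) showing the injectable pattern next to its hardened form, plus the “force it to be a number” check. It uses an in-memory SQLite database with three constructed users; the function names and the sample data are this example’s own.

```python
import sqlite3
from typing import List, Tuple


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with three sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
        ("carol", "carol@example.com"),
    ])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """Splices the user-supplied string into the SQL text: the data becomes code."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """Parameterised query: the driver sends the value separately, so it can never be parsed as SQL."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()


def parse_product_id(raw: str) -> int:
    """Enforce the expected type: a product id is a positive ASCII integer and nothing else.
    str.isdigit() alone also accepts characters such as superscripts, hence the isascii() check."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"not a valid product id: {raw!r}")
    value = int(raw)
    if value <= 0:
        raise ValueError(f"product id out of range: {value}")
    return value


def demo() -> dict:
    """Run the same crafted input through both lookups and report how many rows each returns."""
    conn = make_demo_db()
    crafted = "' OR '1'='1"   # constructed input that no real username would contain
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, crafted)),   # every user in the table
        "safe_rows": len(find_user_safe(conn, crafted)),               # no user has that literal name
        "safe_alice": len(find_user_safe(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
    print(parse_product_id("42"))
```

The vulnerable lookup returns all three users for a single crafted input, because the quote closes the string literal and the rest is interpreted as SQL; the parameterised version returns none, since the whole string is treated as one value to compare against.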
Server and app configurations are very important too — and not only for performance. The less information you send, the less you help hackers find a way in. Sending the web server software name and version is never a good move. It only helps them find a specific weak point and its ready-made attack code, the so-called “exploit”.
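A quick way to check what your own site gives away is to read its response headers. This added example (not from the original article) parses an HTTP response and flags the headers that name a product version; the header list, the function names and the two sample responses (with made-up version numbers) are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Response headers that commonly advertise the software stack; assumed list for this example.
STACK_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")   # e.g. 2.4.29

# Constructed sample responses; the product versions are invented for the demo.
CHATTY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
QUIET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_response_head(raw: str) -> Dict[str, str]:
    """Return the headers of an HTTP response with lower-cased names; the body is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\n")[1:]:        # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_version_disclosures(raw: str) -> List[str]:
    """List 'header: value' pairs that give away the stack.

    The Server header is flagged only when it carries a version number (a bare product
    name is tolerable); the X-Powered-By family is flagged whenever present, since those
    headers exist for no other purpose than to advertise the stack."""
    headers = parse_response_head(raw)
    findings = []
    for name in STACK_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if name == "server" and not VERSION_RE.search(value):
            continue
        findings.append(f"{name}: {value}")
    return findings


if __name__ == "__main__":
    print(find_version_disclosures(CHATTY_RESPONSE))   # two findings
    print(find_version_disclosures(QUIET_RESPONSE))    # []
```

The fix lives in the server configuration rather than in code: nginx has server_tokens off; Apache has ServerTokens Prod together with ServerSignature Off; PHP drops its X-Powered-By header with expose_php = Off in php.ini. Re-run the check after changing them, since a reverse proxy or a framework may add its own headers.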
Cyber security is a specialised branch of development work. There are companies that can audit your website and help you fix the issues they find.
There are two audit methods: white box and black box.
With the white-box method, you give the auditor access to the source code and server configuration. This lets them look deep into the website and search for specific mistakes.
With the black-box method, the auditor acts like a real hacker, knowing nothing about the code. It is a more realistic — yet less complete — way of approaching the problem.
You can always ask the auditor to look closer at some part of the site. Of course, the auditor should guarantee that the weak points and personal data found during the investigation will not be revealed, to prevent leaks. You should also be told the cost and duration of the audit in advance.
Finally, beware of people reporting a breach they have supposedly found in your website. First, because looking for one without a signed contract is illegal, and also because it may not even be true.
As your website evolves along with technology, audits have to be repeated regularly. After all, you check fire safety regularly, so why not cyber security?
CYBER RISK MANAGEMENT
You should not only care about your developers. Your whole team needs to be aware of cyber risks. You must know that 30% of cyber attacks exploit human mistakes. A hacker could call your company, tell your employee he works for some IT service provider and ask for a password. Don’t underestimate such a simple method: it works more often than you could imagine.
You should also have an IT usage policy signed by all your employees. This document should obviously include cyber security rules.
You lock your home and rely on your insurance if that is not enough. Cyber insurance works the same way. It will cover all the trouble mentioned in the first part of this article, provided you have put some basic security on your website. The cost of a hack goes far beyond the revenue you lose while the site is down. The insurance can cover any expense you incur handling your customers’ complaints, your brand image and potential lawsuits.
Thinking about cyber security from the start of your project is the best way to reduce long-term costs. But cyber security is not only a matter of costs and risks. You should see it as a tool to build a trusted relationship with your customers. Show them that the security of their data is your priority and they will naturally choose you in return.