How to Build and Maintain a Secure Website
There's no doubt about it: a website can boost the profile and positive perception of any business, from carpentry to legal services companies. But in today's era of cyberattacks, hacks, and identity theft, your website needs to go one step further: it needs to be secure.
Kristin Judge, founder and CEO of the Cybercrime Support Network,[1] a non-profit helping businesses fight cybercrime, says a secure website is essential for any business. "Websites are another tool for criminals to gain access to valuable information, steal away customers, or harm a business reputation," she says.
Among the threats to websites listed by the U.S. Cybersecurity and Infrastructure Security Agency[2] are website defacement, compromised customer data, website outage, and hackers taking control of a site.
The stakes are high for businesses looking to protect their websites against cyberattacks. But it can be difficult to understand what it means to have a secure site, let alone how to create and maintain one.
What is a secure website?
Before you can set up and maintain a secure website, you have to understand what the term "secure" means in this context. Judge offers a good working definition: "Secure sites," she says, "encrypt data at rest and in transit, and limit access with multi-factor authentication."
Breaking it down, that means a secure site encrypts sensitive data both on the server hosting it and while it is transmitted to and from the customers and company employees interacting with the site. You can immediately recognize whether a site encrypts data in transit by the lock icon in the address bar of your web browser and "https" in the URL.
Secure sites may also take additional steps to verify the identity of customers for financial transactions and to handle sensitive information. For example, while a news site may not need more than a simple password to verify users, a retailer should secure customers' credit card data through multi-factor authentication, which asks not only for passwords but also for security codes sent by email or text, or for additional verification factors such as a fingerprint or face scan.
As an added bonus, a secure site gets a boost in search engine rankings.[3]
Small business owners may be intimidated by putting together a secure website, but Judge says they needn't worry. "Business owners do not have to become experts on website security if they have a trusted company they work with."
Building a secure website
Critical to creating a secure website, Judge says, is finding a hosting company with a strong focus on security. "Use trusted hosting providers and ask them to show you how they are securing the site."
Some business owners choose to rely on their hosting company for web design, for example through templates that the site owner can modify even if they have no coding knowledge. Others may bring their own skills to the project or hire outside web developers. Whatever the case, the host should provide strong security, Judge says. "Even if you use a 'do-it-yourself' website provider where you set it up on your own, interview the company first to learn about their security offerings."
Although Judge stops short of recommending specific website hosting providers, she does have tips for finding a good one. For example, name recognition can go a long way. "Although any company can be compromised, stick with names you know and trust."
Even if you plan to use templates, a website developer can provide information about the security features you need, Judge says. She suggests looking for one at techstak.com,[4] because it's based in the U.S. and pre-screens IT professionals before matching them with business owners. General-purpose freelancer sites that display reviews of providers can also be a good source of IT talent, including web developers and designers.
Keeping your website secure
Once you have your site up and running, it's time to make sure it stays secure. It's the job of your web hosting company to install on schedule all the security patches released by the software vendors behind all the plugins and other systems your site relies on. That's why Judge recommends asking any hosting provider you are considering whether they automatically apply patches.
In addition to ensuring you choose a web hosting provider that performs regular security maintenance, it's also important to perform regular cybersecurity checks on your site. The site that Judge recommends for finding web talent, techstak.com, also offers cybersecurity checks[5] that look for website vulnerabilities and provide customized plans for addressing them. It's just one of many sites[6] offering website vulnerability checks and scanning tools.
If the worst-case scenario should come to pass, Judge points business owners to fightcybercrime.org,[7] a website maintained by her organization that provides resources for individuals and companies to help them recover from attacks. For additional resources and information about cybersecurity, Judge recommends that business owners visit the Cybersecurity for Small Business page of the Federal Trade Commission.[8]
Website security should be a priority of every business, large and small. But it doesn't have to intimidate small business owners who may lack the expertise to address it themselves—not with the wealth of outside resources available to them.
1. Cybercrime Support Network, https://cybercrimesupport.org, accessed March 10, 2020.
2. Cybersecurity and Infrastructure Security Agency, "Security Tip (ST18-006)," accessed March 2, 2020.
3. Brian Dean, Backlinko LLC. "We Analyzed 1 Million Google Search Results. Here's What We Learned About SEO," published September 2, 2016, accessed March 2, 2020.
4. TechStack, https://www.techstak.com, accessed March 10, 2020.
5. TechStack, "Identify Your Cybersecurity Risks," accessed March 10, 2020.
6. Open Web Application Security Project (OWASP), "Vulnerability Scanning Tools," accessed March 11, 2020.
7. FightCybercrime.org, https://fightcybercrime.org/, accessed March 10, 2020.
8. FightCybercrime.org, https://fightcybercrime.org/, accessed March 10, 2020.