By Maile Ann Schunk
As a small business, you’re probably pretty careful about what you spend money on. You wouldn’t rush out to spend hundreds of dollars on any service unless you knew you really needed it. Let me introduce the service you might need – like yesterday. That service is cybersecurity.
[Just a note that I do not sell cybersecurity! This is my attempt to make lemonade from lemons. Please learn from this experience; it will save you some moolah.]
Whether you need help from a cybersecurity professional depends on 2 things. 1) What sort of website you have (simple, blog, or e-commerce). 2) What features your website has (comments, forms, purchases). I’ll break down some guidelines so you can tell for yourself. But first, let me tell you how this might be oh so relevant.
I had the good fortune of working with an e-commerce client who had just updated their website. I had worked with them before, but now their website was looking fancy!
Not only did their site have more functionality – including drop-down tables – they had a new third-party online registration. How wonderful to be able to do more Facebook Ads tracking with their new online registration vendor.
Little did I know that their website had malware on it. There were some red flags. I couldn’t access their home page some days. My cybersecurity friend pinged their site and said it had a slow response time. But I was hopeful for their upcoming Facebook ad campaign and didn’t think too much of it.
Wouldn’t you know their website went down at a critical juncture in their Facebook ads promotion. It went down during the last weekend of a sale. So essentially they lost the full benefit of a Facebook Ads campaign that cost them hundreds. I estimate they just broke even, since they did get some registrations despite the outage.
Here’s how you can prevent this from happening to you. Ask yourself these questions:
#1 What type of website do I have: simple (no interaction), blog (with comments), e-commerce (payments)?
Some businesses have simple websites. The main point of the website is to convey information about products and services, so there aren’t places to comment. It’s likely this type of website is not open to hackers. Hackers need a place to send code to you (for example, via comment or form) to get into your system.
If you answered blog, you might still be safe. A hacker can inject some code into your website by typing the code in a comment. But if you use a major website content management system, e.g., WordPress, or hired a web professional with a cybersecurity background, you’re likely safe.
If you hired someone off Fiverr or Upwork to create a form, probably not. You really need a professional setup that prevents hacking. Major third-party apps like Jotform are probably safe also. Notably, those forms aren’t on your website (the forms actually live on jotform.com), so you wouldn’t directly know about hacking. But a large vendor like Jotform is likely to pay cybersecurity professionals to keep everything functioning well.
If you answered e-commerce, now you are entering the arena where hackers are looking at your website. As one cybersecurity professional told me, having a website that takes money is a neon light for hackers online. They will come to see if they can get into your website in an attempt to get the money and/or information of customers.
What’s a business to do? Be sure to only use established website service providers (e.g., Namecheap) and website professionals with a web applications security certificate to upgrade your site for susceptible features. (More on certification in a hot minute.)
#2 What features does your website have (comments, forms, purchases)?
As mentioned, the main weak spot in any website is where there is interaction. Wherever there is an opportunity for someone to input information (comment, form, purchase), there is an opportunity for a hacker to put code there and thereby inject it into your website when they submit it.
You want your website to be “SQL injection proof”. If you are working with a major website service provider like WordPress or a major third-party application like WooCommerce, you can bet they have put things in place to prevent this. But once you go off the beaten path and hire an independent specialist, you really need to check that they are certified to do the work.
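To make the "input box as weak spot" idea concrete, here is a small added example (not from the original post or from any real site's code) of a comment form saving text to a database, first by pasting the visitor's text into the SQL command and then with a parameterized query, which is the standard fix. The table, the function names and the sample comments are all made up for illustration.

```python
import sqlite3

def make_db():
    # Hypothetical comments table; approved=0 means "waiting for moderation".
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (author TEXT, body TEXT, approved INTEGER)")
    return db

def save_comment_unsafe(db, author, body):
    # Weak: the visitor's text becomes part of the SQL command itself.
    db.execute(f"INSERT INTO comments VALUES ('{author}', '{body}', 0)")

def save_comment_safe(db, author, body):
    # Hardened: placeholders keep the visitor's text as data, never as SQL.
    db.execute("INSERT INTO comments VALUES (?, ?, 0)", (author, body))

def demo():
    # Constructed sample inputs.
    honest = "It's a great sale!"     # an ordinary apostrophe
    crafted = "nice post', 1) --"     # closes the quote and sets approved=1

    results = {}
    db = make_db()
    try:
        save_comment_unsafe(db, "ann", honest)
        results["unsafe_honest"] = "saved"
    except sqlite3.OperationalError:
        # Even an innocent apostrophe breaks the string-built query.
        results["unsafe_honest"] = "sql error"
    save_comment_unsafe(db, "visitor", crafted)
    results["unsafe_rows"] = db.execute(
        "SELECT body, approved FROM comments").fetchall()

    db = make_db()
    save_comment_safe(db, "ann", honest)
    save_comment_safe(db, "visitor", crafted)
    results["safe_rows"] = db.execute(
        "SELECT body, approved FROM comments").fetchall()
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the unsafe version the crafted comment approves itself and skips moderation; in the safe version both comments are stored word for word and stay unapproved. This is the kind of thing to ask an independent developer to show you in the form they build.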
#3 If you used an independent web specialist, did you check their web applications security certificate?
Basically, if you go with an independent web designer that is creating one of the aforementioned interactive features (comment, form, purchases), you need to check their web application security certificate. There are different computer industry organizations (e.g., CompTIA, Cisco, ISC2) that certify computer skills by administering tests. Once computer professionals pass a test, they get a specific certificate. It’s like the SAT for the computer industry, where professionals take a test to prove their level of knowledge.
If you hire an independent professional to do work that requires knowledge of cybersecurity, ask them to get their certifying organization (CompTIA, Cisco) to email you their certificate. Then you can be sure their cybersecurity knowledge and recommendations are legitimate.
There you have it! I wasn’t previously aware of the specific instances in which it’s important to have a cybersecurity professional check your website. I hope these tips save you some trouble. I’m sincerely interested in knowing if you’ve run into similar issues with malware. Let me know in the comments!