Security has become a hot topic in our culture, from privacy-related suits against Google and Facebook, to wholesale credit card theft from retailers such as Home Depot, to card skimmers on gas pumps and ATMs.
Our identities have become more than flesh and bones; we now have digital aliases that are vulnerable to abuse. In this new digital landscape, governments have made significant strides to protect our privacy. The European Union passed the General Data Protection Regulation (GDPR), and more recently California passed the California Consumer Privacy Act (CCPA).
So what does this mean for a business owner, a webmaster, or an eCommerce manager? In this article we take a look at the data websites commonly collect, what your website security needs to accomplish, and how to know whether you're protected.
What kind of data is collected?
There are two primary ways that a website collects data about you. You either actively submit data to the website, or you provide it passively as you browse.
Information You Submit
Most businesses use their website as a virtual storefront for their real-world business so that they can make human-to-human or product-to-human connections. Any information you submit to a website can be stored by it, and how well that information is protected depends entirely on the site's security. That includes payment card numbers and Social Security numbers. The following are the kinds of data you actively submit to a website.
Most websites have a contact form you can use to email the business, ask questions, or apply for a job. Here it's common to give your name, your email address, or your phone number.
We're all familiar with online purchasing. Every time you make an online purchase, you're submitting private information through a website. With eCommerce it's more than just your name and email: it's also your shipping and billing address and your payment information.
Passively Shared Data
Every time you browse online, you create new data points about yourself. Have you ever felt spied on by businesses you deal with regularly, or by websites you visited only once? Much of that browsing behavior is collected through "cookies" (tracking pixels and browser fingerprinting contribute as well, but cookies are the main mechanism).
Cookies are small pieces of data that a website asks your browser to store and send back with every later request to that site. Usually they personalize your experience: they keep you logged in, keep items in your cart, and remember your preferences. Third-party cookies set by advertising networks are also used to follow you from site to site and choose which advertisements to show you. If an advertiser knows you watch football on Sunday, that's a clue you might be interested in some chips or chicken wings.
Where Does Your Website Security Need to be Implemented?
Any time data is transmitted or stored, it's at risk. Distilling website security into one or two bullet points oversimplifies the problem. You need to consider security at several layers of your website to provide a safe experience for your users.
Let's start with the security checkpoints closest to your user and gradually move further away.
Form Level Security
Spammers and attackers use contact forms as an entry point. Anything typed into a form field ends up in your database, in an email to you, or on a page of your site; if that text is a script and your site later displays it without escaping it, the script runs in the browser of whoever views it, including your administrators. A form with a file-upload field is even more attractive, because an uploaded script that your server will execute gives the attacker a foothold in the entire website. Many contact forms use a service such as reCAPTCHA to block automated submissions.
Every time a contact form is submitted, data is transferred. A CAPTCHA such as Google's reCAPTCHA is a tool used to verify that the form user is a human: it presents a challenge that is easy for a person and hard for a script (for example, picking out the matching images), or, in newer versions, scores the visitor's behavior without a visible puzzle. Understand what it does and doesn't do. It cuts down automated spam, but it does not make a submission safe by itself. Your site must still verify the reCAPTCHA token on the server (the checkbox on the page can be bypassed by posting directly to your form handler), validate every field, and escape anything it displays.
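The server side of the contact form described above, as an added example (this is illustration code, not code from the original article or from any plugin). It builds the request to Google's siteverify endpoint, interprets a captured siteverify response, validates the fields, and escapes the name before it is echoed back into HTML. The hostname `www.yourdomain.com`, the sample submission, and the sample siteverify response are constructed for the example.

```javascript
// Added example: server-side handling of a contact-form POST.
// Order matters: captcha check first, then field validation, then HTML escaping
// of anything that is rendered back to a browser.

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Build the POST Google expects. `secret` is the server-side key for your site,
// `token` is the g-recaptcha-response value the browser posted with the form.
// The request is returned, not sent, so the example runs offline.
function buildSiteVerifyRequest(secret, token, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  return {
    url: SITEVERIFY_URL,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Decide whether a siteverify JSON response is good enough to accept the form.
// `success` alone is not sufficient: check that the token was solved on *your*
// hostname (a token solved on an attacker's page could otherwise be replayed
// against your form) and, for v3 responses, that the score is high enough.
function acceptSiteVerify(result, expectedHostname, minScore = 0.5) {
  if (!result || result.success !== true) return false;
  if (result.hostname !== expectedHostname) return false;
  if (typeof result.score === 'number' && result.score < minScore) return false;
  return true;
}

// Escape the five characters that matter when text is placed inside HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate and normalise the submitted fields. Returns { ok, errors, clean }.
function validateContactFields(fields) {
  const errors = [];
  const name = String(fields.name || '').trim();
  const email = String(fields.email || '').trim();
  const message = String(fields.message || '').trim();
  if (name.length === 0 || name.length > 100) errors.push('name');
  if (!EMAIL_RE.test(email) || email.length > 254) errors.push('email');
  if (message.length === 0 || message.length > 5000) errors.push('message');
  // Newlines in name/email would let a spammer inject extra mail headers
  // if the submission is forwarded as an email.
  if (/[\r\n]/.test(name) || /[\r\n]/.test(email)) errors.push('newline');
  return { ok: errors.length === 0, errors, clean: { name, email, message } };
}

// The handler's decision for one submission: captcha first, then fields.
// Returns the HTTP status plus an HTML-safe "thanks" fragment on success.
function handleContactSubmission(fields, siteVerifyResult, expectedHostname) {
  if (!acceptSiteVerify(siteVerifyResult, expectedHostname)) {
    return { status: 403, reason: 'captcha' };
  }
  const v = validateContactFields(fields);
  if (!v.ok) return { status: 400, reason: 'validation', errors: v.errors };
  return {
    status: 200,
    // Safe to render in a confirmation page or an admin notification.
    thanksHtml: `<p>Thanks, ${escapeHtml(v.clean.name)}.</p>`,
    record: v.clean,
  };
}

// Constructed sample: a bot submission carrying a script tag in the name field,
// and a siteverify response in the shape Google's endpoint returns.
const sampleFields = {
  name: '<script>alert(1)</script>',
  email: 'bot@example.com',
  message: 'Hello',
};
const sampleVerify = { success: true, hostname: 'www.yourdomain.com', score: 0.9 };
```

Two details are worth noticing. The `hostname` check is what prevents a captcha solved on someone else's page from being reused against yours, and the escaping turns the submitted `<script>` into harmless text, so the form can be spammed without the spam ever executing.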
Code Level Security
Web code is regularly updated to close security holes that malicious bots and spammers look for in order to spread malware and steal data. One of the most common ways websites become infected is by running old code. Attackers scan for any website that is using out-of-date software because the vulnerabilities in old versions are public knowledge, and they can exploit them with ease.
Security at the website code level usually means running up-to-date code: up-to-date plugins, themes, and CMS version (WordPress, for example). Save yourself unnecessary headaches by keeping everything updated and by removing old plugins, themes, and code you no longer need. A deactivated plugin's files are still on your server, and a vulnerability in them can still be reachable.
If you're using WordPress, the Dashboard tells you when plugins, themes, or WordPress itself need updating. The Updates entry under Dashboard in the top-left menu shows a count of pending updates, and the Plugins page flags each out-of-date plugin individually.
Also, when installing a new plugin, check when it was last updated. If the developer hasn't updated it in years, the plugin is probably no longer maintained, which means any vulnerability found in it will never be fixed. Look for a different option.
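An audit over a plugin inventory, as an added example (illustration code, not from the original article or from WordPress itself). It flags the two warning signs the text describes, an available update and a long-abandoned plugin, plus installed-but-inactive plugins that should simply be removed. The field names `name`, `status`, `version`, `update` and `update_version` mirror what `wp plugin list --format=json` prints; the `last_updated` date is an assumed extra field you would fill from the plugin's listing page, and the inventory rows themselves are constructed for the example.

```javascript
// Added example: audit a WordPress plugin inventory for stale and unused code.
// Constructed inventory; field names follow `wp plugin list --format=json`,
// `last_updated` (ISO date of the developer's last release) is an assumed field.
const PLUGIN_INVENTORY = [
  { name: 'contact-form-7', status: 'active',   version: '5.7.0', update: 'available', update_version: '5.9.3', last_updated: '2024-03-02' },
  { name: 'wordpress-seo',  status: 'active',   version: '22.1',  update: 'none',      last_updated: '2024-03-20' },
  { name: 'old-slider-pro', status: 'active',   version: '1.4',   update: 'none',      last_updated: '2017-06-11' },
  { name: 'hello-dolly',    status: 'inactive', version: '1.7.2', update: 'none',      last_updated: '2023-09-01' },
];

// Compare dotted version strings numerically, so that 5.10 > 5.9. Returns -1/0/1.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Whole days between two ISO dates (both parsed as UTC midnight).
function daysBetween(fromIso, toIso) {
  return Math.floor((Date.parse(toIso) - Date.parse(fromIso)) / 86400000);
}

// Classify every plugin. `today` is passed in so results are reproducible.
// `maxAgeDays` is how long without a release before a plugin counts as abandoned.
function auditPlugins(inventory, today, maxAgeDays = 730) {
  return inventory.map((p) => {
    const findings = [];
    // Trust the "update available" flag only if the offered version really is newer.
    if (p.update === 'available' &&
        (!p.update_version || compareVersions(p.version, p.update_version) < 0)) {
      findings.push('update-available');
    }
    const ageDays = daysBetween(p.last_updated, today);
    if (ageDays > maxAgeDays) findings.push('unmaintained');
    // Inactive code is still on disk and still attack surface: remove it.
    if (p.status === 'inactive') findings.push('inactive-remove');
    return { name: p.name, ageDays, findings };
  });
}

// Only the rows that need action, most findings first, then oldest first.
function actionItems(inventory, today, maxAgeDays) {
  return auditPlugins(inventory, today, maxAgeDays)
    .filter((r) => r.findings.length > 0)
    .sort((a, b) => (b.findings.length - a.findings.length) || (b.ageDays - a.ageDays));
}
```

Run it against a real inventory by replacing the constructed array with the parsed output of `wp plugin list --format=json` and filling in the release dates; anything tagged `unmaintained` is a candidate for replacement rather than for a mere update, since no update is coming.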
Server Level Security
When a user opens your website, their browser asks your server for the page. When they fill out a contact form, the data travels from their browser across the internet to your server before it is stored in your database. In transit it can be read or altered by anyone positioned between them and you, such as someone on the same public Wi-Fi network, unless it is encrypted so that it only makes sense to your server.
At the server level, you install a TLS certificate (still commonly called an SSL certificate) and serve your site over HTTPS. The certificate proves to the browser that it is really talking to your domain, and the browser and your server then agree on encryption keys that nobody in between has, so the data in transit is unreadable to anyone else. This is encryption, not encoding: anyone who knows the scheme can read Morse code, whereas TLS traffic can only be read with a key that never leaves the two endpoints.
Browsers today label pages served over plain HTTP as "Not secure", and most payment solutions refuse to load on a page without HTTPS, so a missing certificate can eliminate the possibility of accepting payments through your website.
You can tell a site uses HTTPS when its URL starts with https:// instead of http://; think of the extra S as meaning "secure". Browsers also show a padlock next to the address. The padlock means the connection is encrypted and the certificate matches the domain in the address bar; it does not vouch for who owns that domain, so a phishing site can show a padlock too. Finally, having a certificate is not enough on its own: your server should redirect every http:// request to https:// and send the HSTS header so browsers stop trying plain HTTP for your site at all.
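The redirect-and-HSTS step described above, as an added example (illustration code in the style of an Express middleware, not code from the original article or from any hosting product). It redirects plain-HTTP GET requests to the https:// URL, refuses plain-HTTP POSTs rather than silently redirecting a body that was already sent in the clear, and adds Strict-Transport-Security to every HTTPS response. The option names `canonicalHost` and `trustProxy`, the hostname `www.yourdomain.com`, and the fake request and response objects are assumptions made for the example.

```javascript
// Added example: make HTTPS mandatory.
//   canonicalHost: the host to redirect to. Assumed option; never build the
//                  redirect from the Host header alone, a client can set that
//                  to a domain the attacker controls.
//   trustProxy:    true only when TLS terminates at a load balancer that fills
//                  in X-Forwarded-Proto; otherwise any client could spoof it.
//   maxAge:        HSTS lifetime in seconds (one year is the usual choice).

function isSecureRequest(req, trustProxy) {
  if (req.secure) return true; // set by Express when TLS terminates in-process
  if (!trustProxy) return false;
  const xfp = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return xfp.toLowerCase() === 'https';
}

function enforceHttps({ canonicalHost, trustProxy = false, maxAge = 31536000,
                        includeSubDomains = true } = {}) {
  return function middleware(req, res, next) {
    if (!isSecureRequest(req, trustProxy)) {
      if (req.method !== 'GET' && req.method !== 'HEAD') {
        // A redirect would drop the body, which was already sent unencrypted;
        // refuse so the misconfigured form is noticed instead of retried.
        res.statusCode = 403;
        res.end('This site only accepts HTTPS requests.');
        return;
      }
      const host = canonicalHost || req.headers.host;
      res.statusCode = 301;
      res.setHeader('Location', `https://${host}${req.url}`);
      res.end();
      return;
    }
    let hsts = `max-age=${maxAge}`;
    if (includeSubDomains) hsts += '; includeSubDomains';
    res.setHeader('Strict-Transport-Security', hsts);
    next();
  };
}

// Minimal stand-ins for Node's request and response objects so the middleware
// can be exercised without starting a server (constructed for the example).
function fakeRequest({ method = 'GET', url = '/', secure = false, headers = {} } = {}) {
  return { method, url, secure, headers: { host: 'www.yourdomain.com', ...headers } };
}

function fakeResponse() {
  const headers = {};
  return {
    statusCode: 200,
    headers,
    body: '',
    ended: false,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    end(body = '') { this.body = body; this.ended = true; },
  };
}

// Run the middleware once and report what the client would see.
function runMiddleware(mw, req) {
  const res = fakeResponse();
  let reachedApp = false;
  mw(req, res, () => { reachedApp = true; });
  return { status: res.statusCode, headers: res.headers, reachedApp };
}
```

The `trustProxy` switch is the part people get wrong in both directions: left off behind a TLS-terminating load balancer, every request looks like plain HTTP and the site redirects to itself forever; turned on without such a proxy, anyone can add `X-Forwarded-Proto: https` to a plain-HTTP request and skip the redirect.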
It's also a reasonable practice to block traffic from geographic regions you don't do business with. If your server sees that a request comes from a country you never sell to, it can refuse to serve the page. Understand the limits, though: geolocation is based on the visitor's IP address, and attackers routinely route through VPNs or compromised machines in allowed countries, so geo-blocking reduces background noise rather than stopping a determined attacker. Some marketing channels such as Google Ads may also require that your site not use geographic blocking; talk to your digital marketing consultants about whether this applies to you.
Domain Level Security
You can have every one of the layers above locked down and still be wide open, because another level of security exists at the domain level.
When a website user types your domain into their browser, an extensive distributed directory, the Domain Name System (DNS), works like a phone book: it translates www.yourdomain.com into the address of your server so that the browser reaches your website and not someone else's.
DNS spoofing, or DNS cache poisoning, is when an attacker gets a false entry for your domain into that directory, either by poisoning the cache of a resolver your users rely on, or by changing the records at your DNS provider or registrar after taking over your account. When this happens, your users think they're logging into your eCommerce store to make a purchase, but they're actually handing their personal information, address, and credit card number over to a thief. If only a resolver's cache was poisoned, HTTPS is your users' backstop: the impostor server cannot present a valid certificate for your domain, so their browser will warn them. If an attacker controls your actual DNS records, they can also obtain a certificate, which is why protecting the records themselves matters most: enable two-factor authentication and a registrar lock on your domain account, and turn on DNSSEC if your registrar and DNS host support it, so that resolvers can detect forged answers.
Some DNS and content-delivery providers also put a reverse proxy in front of your site. The public DNS record then points at the provider's servers rather than yours, hiding your server's real address, and the provider serves a cached copy of your pages and filters hostile traffic before it reaches you. That makes it considerably harder to attack your server directly or to mimic your site's behavior, but it does not by itself stop someone from hijacking your domain account, so the account protections above still apply.
Who do I talk to in order to ensure that I’m protected?
Now that you have a feel for the complexity of your website security, how do you ensure that you are protected? What other things can you do to communicate to your website users that they are safe doing business with you?
The short answer is to keep 4 people close to you: your web developer, your hosting provider, your marketing provider, and your lawyer.
Your web developer should be able to help you with the website-level security: plugins, CMS, and technology upgrades. They should help you stay current and troubleshoot any compatibility problems that surface as you update.
In most cases, your marketing provider will be installing and using many of the plugins and technology on your site. You’ll need to work with both your web developer and marketing provider (who may be from the same company) to ensure that best practices are covered.
If you’re looking to beef up your server-level security, the first step is talking to your hosting provider. But keep in mind, they may need to upgrade the technology on your server, which may not be compatible with the code of your website. If this is the case, you should consult with both your website host as well as your developer to ensure that improving your server-level security does not break your website.
Your web host should be able to help you with your domain-level security. Your host may not actually control your domain (that is your registrar, which may be a different company), but most hosting technicians understand the technology well enough to help you make the configuration changes required to keep you safe.
For more on hosting providers, see our article, How to Choose a Hosting Provider.
Having a website opens you up to online security risks, but you can be smart and protect yourself from many threats. That’s why we recommend that you develop strong relationships with your web developer, website host, and digital marketer and of course ask your lawyer if you are compliant with new laws. These people are the experts that stay up to date on best practices, latest news and obsess about keeping you and your customers protected.
If you have more questions on website security, we recommend that you give us a call and we can help guide you to the right people or solutions that are right for your needs.