When you run a small business, it’s no secret that you’re the wearer of many hats. A fancy CEO hat that I imagined to be adorned with the finest sustainably-sourced feathers, a very sensible bookkeeping hat that yeah, is a prudent mid-grey, but it is also undeniably fashiôn.
Now I could keep describing all these imaginary fascinators (and to be honest, I would love to) – but let’s skip to an often forgotten chapeau – that of the website security officer.
I know website security ain’t sexy. And if you’re expecting a very sexy blog right now – I’m really sorry but I fully peaked with the raunchy hat talk.
There’s just no denying that website security is hella important. Failure to follow minimum security protocols can leave you in a whole host of trouble from website breaches through to manual and automated hacks.
AND sure – you could lose your order history. You could lose your website files. You could lose all that amazing copywriting you did. Those would all suck for you.
BUT you could lose your customer data – and under most circumstances, not only does that utterly suck for your customers and their perception of your business – but it would pop you in some sticky legal waters too.
I asked Rachael Wooles from Sassy Security, a Bristol-based cyber security expert if she could add some stern but encouraging words on small business website security;
“Cyber security is vital in a digital age where technology is relied upon for running small businesses. Taking the time to implement cyber security and data protection measures can give your business a competitive advantage, and helps to build trust with customers and partners.
It also lowers the chances of becoming the victim of cyber crime, which can cause significant disruption and reputational damage that small businesses simply cannot afford.”
Website security hacks vs website security breaches vs data breaches
Before we dig in, we need to iron out a couple of the website security definitions that are going to come up in this blog article, namely hacks and breaches.
A website security hack is a malicious incident whereby someone has gained access to an account or system without the permission of the owner. This ranges from a proper Naughty Sausage accessing their ex-employer’s website in order to cause mischief, through to Shady Organisations using automated scripts to exploit vulnerabilities.
A website security breach is an act of negligence on behalf of that account or website owner. For example, it could be said that the ex-employer above was negligent in not disabling their Naughty Sausage employee’s logins.
Even victims of the Shady Organisation could be construed as negligent if, for example, the vulnerability being exploited was known and enough time to implement a fix had passed.
A data breach is an incident where sensitive data is accessed outside of the conditions for which it was shared. Like if Naughty Sausage nabbed their old employer’s customer database and emailed them all a pic of their naughty sausage, or if Shady Organisation sold the data they exploited to an Even Shadier Organisation.
A website security breach can often instigate a website security hack, and a website security hack can often end with a data breach.
As a business owner, even as a burgeoning creative small business owner, you have a legal obligation to ensure your customers have their data rights protected. So here are 10 cataclysmic website security no-nos ya just need to know so that you can totes avoid ’em.
1. Short passwords
You’re about to notice one heff of a website security theme right now – we’re obsessed with password best practices and protection. I tried proper hard here to find the stats on just how many malicious website incidents originated with a password ‘hack’ but apart from a lot of sources that say “well, loads” – I couldn’t spot anything concrete.
I do recommend diving into 66 Password Statistics That Will Change Your Online Habits from Panda Security though, it didn’t have the info I needed but did scare me into resetting my email passwords a few more times.
Weak and poorly managed website passwords are the easiest security breaches for hackers to exploit. This is because every website, no matter what technology it uses or what platform it’s built upon, uses admin accounts, and every account needs a password.
So let’s start with short passwords – they’re some of the simplest to break in a brute force attack, where a malicious bot runs through common email and passwords to gain access.
As a simplified rule, the longer a website password is – the harder it is to crack. This sounds like a great opportunity to introduce a fun tool, How long to hack my password by Random ize.
According to Random ize, it would take 13 hours and 48 minutes for a brute force attack to access my account with the password ‘gloucester’ – whilst that feels like a pretty epic amount of time, you need to remember that these automated bots don’t need to sleep, eat or binge watch season 5 of Kim’s Convenience on Netflix the week it comes out.
13 hours and 48 minutes really isn’t that much time at all. So let’s upgrade the city of gloucester to the county of gloucestershire – with 5 additional characters the estimated hack time is 18,994 years and 10 months. Even a pesky robot can’t wait that long.
2. Single dictionary-word passwords
Password brute force attacks have been common fare for evvvveeeeerrrrrr, which means years of creating more intelligent bots and scripts taking shortcuts to increase their chances of website hacking success.
And that means prioritising words from the dictionary, because us humans love using real words to help increase memorability. Instead, try putting together strings of 3+ words – it’s a slightly bigger inconvenience but will make your password security way tighter.
This is also why you are encouraged to use different casing, special characters like # ! and £, numbers, and nonsense. Each deviation from the ‘norm’ decreases your chance of falling victim to a brute force attack.
3. Using the same password across multiple websites
How many times has your data been breached in an attack? You can actually find this out using the gloriously named website, have I been pwned?. Accounts using my Studio Cotton email address have been breached twice. Accounts using my old personal email that I’d used for about 10 years – 9 times.
Including Neopets?!? I can’t believe you’d do this to me.
If I used the same email and password combo on the hacked websites as I do my own, those hackers could gain access to my customer data.
And if you’re sat there thinking “well that wouldn’t happen to me”, one of the times I was pwned (using both my work and previous personal email) was the great Canva breach of 2019. Hundreds of thousands of creative small business owners use this creative software, and became instantly vulnerable.
What’s more, I don’t even use Canva. Both accounts were created to take advantage of free trials that I never stuck with – but you need to remember that every username and password combo you ever create will always exist, and will always be vulnerable to a breach.
4. Using the same password with subtle or consistent variations
Gloucestershire. Gl0ucestershir3. Gloucertershire33. #Gloucestershire. These are all subtle variations of the same password and none are good enough. Ya know I mentioned those bots are getting hella smart? Well combine that hella smart bot with the username and email address that was scraped from a data breach and you’ve created a wonderful security breach opportunity.
And mate. I know too many of you will be doing this because I see it all the time, but popping the name of the brand into the same password, e.g. GloucesterCanva, GloucesterAnthropologie, GloucesterPayPal, GloucesterShopify would be a real bad mistake.
Again, these bots are smart, and y’all just gave them the not-very-tricky key to all your darn accounts.
5. Sharing login credentials amongst multiple individual team members
Every time a password is shared, it becomes less secure. Loose lips sink ships, and loose password protocols cause data breaches. I’m not sure that’s catchy enough to convince Fall Out Boy to change their lyrics though.
If one team member loses their laptop or leaves their phone on the 8:00 from BRI to PAD, you’ll either need to disable their logins – or disable the login for everyone. The first is a lot less hassle.
Now let’s bring back Naughty Sausage, who this time didn’t have their own login – but shared the same admin account as their team. Not only did Forgetful Muffin from HR forget that Naughty Sausage knew their website admin username and password, but they also have no way of tracking which user was responsible for the recent naughty sausage pic incident.
This is getting into gross negligence territory – and that’s certainly not a trip you wanna take.
6. Using ‘admin’ or your domain name as the username
We’ve talked about passwords, but they’re only half of the login credential sandwich. Now let’s talk usernames. Sure, a lot of the time you won’t have any choice other than to use your email address. When you do, you should try to avoid emails starting with [email protected] or [email protected]
And you should never ever ever ever ever use ‘admin’ – which I know a lot of ya pesky WordPress users are drawn towards. You should also avoid a username that matches your domain, e.g. studiocotton. Both of these open you up to some of the less sophisticated robots in brute force attacks, reducing the time it would take to hack your small business website.
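A quick defender-side check that mechanises no-nos 1, 2, 4 and 6 above, as an added example that is not from the original post or from Studio Cotton: it collapses the ‘subtle variations’ (leet swaps, casing, bolted-on digits and symbols, brand names) back to the base word and flags a guessable username. The word list, brand list and 12-character minimum are assumptions made for the example; a real deployment would swap in a full dictionary or breached-password list.

```python
import re

# Constructed mini word list standing in for a real dictionary / breached-password list (assumption).
DICTIONARY = {"gloucester", "gloucestershire", "password", "welcome", "sunshine"}
# Brand names the post warns against bolting onto a password (assumed list for this example).
BRANDS = {"canva", "anthropologie", "paypal", "shopify"}
# Common letter-for-symbol swaps: the "subtle variations" the bots already know about.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
MIN_LENGTH = 12  # assumed policy value: 'gloucester' (10) fails it, 'gloucestershire' (15) passes
BOLT_ONS = "0123456789!#$%&*@^_-+=.?"  # prefixes/suffixes people tack onto an old password


def candidates(password: str) -> set:
    """Strip the post's 'subtle variations' so Gl0ucestershir3, #Gloucestershire and
    Gloucestershire33 all collapse back to the base word 'gloucestershire'."""
    low = password.lower()
    forms = set()
    for s in (low, low.strip(BOLT_ONS)):
        forms.add(re.sub(r"[^a-z]", "", s))                  # drop digits/symbols/spaces
        forms.add(re.sub(r"[^a-z]", "", s.translate(LEET)))  # undo leet swaps first
    return forms


def check_password(password: str, username: str = "", domain: str = "") -> list:
    """Return the no-nos (sections 1, 2, 4 and 6) that this credential pair triggers."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} < {MIN_LENGTH})")
    forms = candidates(password)
    if any(f in DICTIONARY for f in forms):
        problems.append("single dictionary word (or a subtle variation of one)")
    # GloucesterCanva -> strip the brand, and what is left is a plain dictionary word
    brands_hit = {b for f in forms for b in BRANDS if b in f and f.replace(b, "") in DICTIONARY}
    for b in sorted(brands_hit):
        problems.append(f"dictionary word + brand name ({b})")
    user = username.lower()
    if user == "admin" or (domain and user == domain.lower().split(".")[0]):
        problems.append(f"guessable username '{username}'")
    return problems


if __name__ == "__main__":
    for pw in ("gloucester", "Gl0ucestershir3", "GloucesterCanva", "gloucester cheese rolling"):
        print(f"{pw!r}: {check_password(pw, 'admin') or 'ok'}")
```

A three-word passphrase with a personal username passes clean, which is exactly the combination the post recommends.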
7. Sending login details via non-secure channels
Big shoutout to our clients: please. PLEASE. Stop sending us your account passwords via Slack. Please, pllleeeeaaassssssseeeeee stop sending us your account passwords via email.
These channels are not encrypted, which means they are vulnerable to meddling from malicious stinkers. It also creates multiple records of the login credentials, shares them with multiple people, and pops an additional security burden on both parties that doesn’t need to exist.
We use a couple of different solutions for sending sensitive data when there is no alternative to sharing the same credentials, e.g. Instagram account logins.
- LastPass: a service that allows you to store and share passwords, licenses and payment details securely
- One Time Secret: a really quick lil website that creates an encrypted message that can only be read once
Our much more preferred method is to be added as a user using our own account details, which is really simple with services like Google Analytics and MailChimp.
Unfortunately, there are quite a few digital services that charge extra for more users, personally, I think it’s a bit rubbish to monetise security like this – but ah well.
8. Opting out of two-factor authentication (2FA)
Ya know that supes annoying thing where you get a text message or push notification with a six digit code? That is two-factor authentication, or 2FA/TFA. Using my previous examples, hacking a website or digital account requires two things, a username/email and a password.
2FA adds a third thing. Yeah, it can be super annoying – just ask our own Lyzi who has to chase me 2-3 times per week for the text code to get into our MailChimp account – but it’s our own fault because as humans, we generally suck so much at good password management.
Even the weakest form of 2FA – those text message codes – has been shown to prevent 100% of automated attacks and 96% of bulk phishing attacks. If a service offers 2FA, embrace it bbz, even if it drives your Lyzi a bit around the bend.
9. Leaving old admin accounts active
Am I like obsessed with Naughty Sausage? I think I might be. One of the easiest steps to minimising your website security breaches is to make sure peeps who don’t need to access a website, can’t access a website.
When a member of your team moves on, remove their access. Even the nicest people who left under the nicest possible circumstances leave their laptops on the train. And yeah, some of those disgruntled ex-employee urban myths are true too.
Remove access for your Nice Sausages and Naughty Sausages as soon as they no longer need to use a system.
10. Granting access that isn’t required
It’s nice to end on a super mild, super avoidable website security no-no. Do not share access or permissions to a website or system unless it is needed to complete a task.
When that access is definitely needed:
- make sure the account is assigned to a specific person as opposed to a brand or business.
- use the lowest permission level possible, especially where personal data is accessible.
- force them to set their own password.
- ensure they follow your password guidelines.
- remove their permissions the moment they are finished.
And that’s it. I bet you didn’t plan on reading 2,000 words on website security today, but hopefully I kept you entertained and informed even without the imaginary hat chat. Now go turn on 2FA, delete your defunct users – and pick a way stronger password.