Now that 2019 is here, we’d like to take a look back at 2018 to review a few key trends and see what we can learn from them. It’s no secret that cyber threats are on the rise. Malware, ransomware, phishing scams, you name it—the threats are there.
But contrary to popular belief, threat actors don’t generally “break in” to these systems; they exploit known vulnerabilities in website security that give them access. Gartner predicts that through 2020, 99% of security vulnerabilities exploited will continue to be the ones known by security professionals for at least one year.
And when you consider industry trends such as bring your own device (BYOD) that complicate business security even further, it’s clear that companies have plenty of challenges to face when securing their web assets.
Don’t worry. That’s why we’re here.
Start With Updates
Unpatched software may contain security loopholes or misconfigurations that can make your data accessible—which is exactly why unpatched software is one of the most common attack vectors out there.
The easiest way to improve your website security is to take stock of every plugin, application, and program you use and make sure they’re updated with the latest versions. Look for any available updates on the developer’s website and check to see what’s covered in each new patch.
As a good practice, we recommend setting alerts for each of your web applications and updating as recommended by the publisher. New threats are identified every day, and by automating your software patches, you’ll be sure to keep your applications as secure as possible.
And in our BYOD world, this rule holds true for your mobile devices as well: Reports by Symantec show that mobile malware increased 54% in 2018. Unpatched phones are becoming a prime target, particularly, with data showing that only 20 % of Android users are running the latest version.
Keep both your computers and mobile devices updated to prevent hackers from taking advantage of any existing security loopholes.
Fix Backend Configurations
Updating is a good start, but it’s only the beginning. Next, you’ll want to look at the backend configurations on your site. This is another common source of vulnerability, with numerous attack vectors available depending on how your site is set up and how sophisticated the attacker is:
- SQL Injections – Inserting malicious code to spoof identity, gain access to data, or manipulate databases
- Cross-Site Scripting – Injecting client-side scripts that let hackers bypass certain security checks and access controls
- Buffer Overflow – Manipulation that lets hackers overwrite existing code or insert executable files into a system
- Session Hijacking – Exploiting a valid session to gain access to unauthorized credentials or data
Work with your developers to tighten up these issues and pin down any vulnerabilities.
To take things further, enable HTTPS authentication on your web server via SSL encryption. This simple step will guarantee an extra layer of security for the transport layer of your application and help protect the data you send.
Get these data drips sealed off and make sure your website’s backend code is protected from attack.
Review User Authentication
Of course, data security isn’t all about the code—it’s about the users. Be on the lookout for threats enabled by users, both within your organization and from the outside.
External security threats like malware, ransomware, or phishing are front and center in 2019. A 2018 data breach report conducted by Verizon had some insight to share on this issue:
- 4% of malware was installed via email
- 37% of malware hashes were single use, meaning they get altered to avoid detection after being identified
- The average time it took a victim to click on a phishing scam was 16 minutes after deployment.
These attacks don’t have to do with code manipulation as much as user manipulation. A person is always the weakest link of any IT security chain, and as we move into 2019, we expect to see this particular vector receive more attention.
Along those same lines, a company’s own staff may be the ones responsible for a data breach. If users have poor security hygiene (such as using low-security passwords or sharing logins across devices), it’s easy to unknowingly create back doors for hackers to exploit.
Train your teams to prioritize data security, and always use multi-factor authentication on accounts with access to web assets. Beyond that, make sure your teams understand the dangers of social engineering and the risks they face from unknown emails. They’re not just exposing their own data—they’re putting the organization’s entire system at risk.
Hammer this idea in and make sure your team members aren’t “leaving the keys in the lock,” so to speak.
Get Used to Ongoing Monitoring
Once you’ve updated everything, configured your website properly, and trained your internal teams, there’s only one step left: monitoring to make sure everything stays secure.
Obviously, firewalls and a trusted antivirus program are a good place to start, but if you’re trying to secure your business’s assets, you might want to go deeper. Look for monitoring tools that detect aberrations in page load times, traffic, or file content.
You can even download free open source configuration testers that scan for vulnerabilities in your scripts, headers, or input fields. Security Headers is a great option, while others like Netspark offer more advanced content filtering tools.
Website Security in 2019
Putting aside all of the above, the best single thing you can do to improve your website security in 2019 is to start getting proactive.
Remember, most security issues aren’t new and unknown attacks—they’re a result of known security vulnerabilities that companies haven’t gotten around to fixing. Work with your developers and get into the routine of scanning for issues every so often. This more than anything else is the best way to improve your web security—both in 2019 and further down the line.