As a startup looking to make it big, you’ll be getting PR exposure and some of these exposures may attract the attention of hackers and competitors who play below the line.
Whether you’re an established business or a startup, cyber security should never be neglected, because attacks can happen to you. Whether it is a jealous competitor, a hacker looking for his/her next victim who randomly came across your startup in the news, or someone with a grudge against your brand, attacks happen and it is important to be prepared. As a web developer, I’ve seen it happen to too many websites in the few short years I’ve been doing this professionally. The good news is there is something you can do about it to reduce the risk that it happens to you.
What’s the Worst That Can Happen?
This is a screenshot of a real hack I had to clean up. This company is a small service-based business in the USA that relies on its website to process all sales. A hacker gained access to this site and replaced the entire site with the page in the screenshot to the left.
I came across this as I was going to their site to do some routine updates to the contents. Within 24 hours of finding this page, my own computer was so severely infected that I had to spend 10 days and $300 repairing it and upgrading my security software. It wasn’t a pleasant experience for me, and it was a much worse experience for this client, who could not make any sales at all until the site was fixed and brought back online.
While fixing a hacked website is critical, it’s better to take steps to prevent it from happening in the first place. This makes it all the more important to have good security measures for your startup. Below are a few tips startups can implement for their website security.
The Login: Your First Line of Defense
Your login consists of a username and a password, and both must be correct before anyone can log in and gain access to the admin panel. Ideally, your username and password should be something you can remember but that is secret and unguessable by others.
Most people who pay any attention at all to security for startups will have heard of the importance of having a strong password; those who want to be more secure should have a strong username as well. Why the username, you may ask? Simply put, the username counts for half of the information needed to log into your account. Even if a hacker were to figure out your password, unless they also know the username that goes with it, they still won’t be able to log in. While most websites use generic usernames (see the list below), having a secure username adds a lot more security to your site, because both halves must be correct when logging in.
The Strong Login
The first tip for building yourself a strong login is to choose a username that’s hard to guess. Avoid common names and information that’s readily available: most hackers use an automated system to attack websites, and these systems come with a set of usernames they will try as a sort of shot-in-the-dark approach.
If you ask experts who speak on security for startups, they would say the following are common weak usernames to avoid:
- <your company name>
- <your website address>
- <your personal name>
- <your email address>
Whenever you have a choice, it’s best to avoid these types of usernames, or any combination of them as these are the first things a hacker will try. If they can’t get a valid username, they can’t log into any account, so no password will work for them. This is really your first line of defense.
Also, whenever you can, have a publicly displayed name that’s different from your username to throw them on a wild goose chase. This is definitely a good idea if you have blog posts, or other content that displays an author’s name associated with your account. This means the name people see, and the name you use to log in with are different, and this does make a hacker’s job just that much more difficult.
The password is the part of the login that gets the most attention, and it is also the most secure part and the part you’re in the best position to protect. It is the second half of your login and your last line of defense, and experts consulting on security for startups recommend that you never go lightly on passwords.
The tips I gave for choosing a good username also hold true for your password; however, there are a few more things to keep in mind. In addition to the things to avoid in usernames, you also want to avoid these types of passwords:
- password (strangely enough, people do actually use this when they can get away with it, so it’s one of the first things a hacker will try)
- your username (this is also surprisingly common when someone can get away with it; it defeats the purpose of needing two bits of information to log in, since both are the same, and again it is one of the first things a hacker tries)
- any of the bad username choices
- a proper name, especially one that others could link to you with some personal knowledge or research; this can include the name of a person, a pet or a place
- a proper word out of the dictionary (hackers will eventually try every word and common variation in the dictionary, so this makes it easier for them to guess)
In general, the closer to the top of this list your password is, the more vulnerable it is (and on the topic of security for startups, you do not want to be there). Nowadays most user registration systems will block you from using some of the worst choices, but they can’t block all bad choices, so it is ultimately up to you to learn how to come up with a good password and ensure good security for your startup.
One way you can do that is to start with a short phrase you can easily remember, but that others would have a hard time guessing, then scramble it up a bit by using a mix of capital and lowercase letters, then mix in some numbers and special or punctuation characters. Make sure there is no obvious pattern, in other words, the capital letters, lowercase letters, special characters and numbers could appear anywhere.
If you’re really worried you’ll forget, you can always write it down on paper and store that paper somewhere secure, so you can look it up if you need to but others can’t see it or steal it from you. Let no one else see it, know where it is, or even know that you have any such thing.
Many sites now have complexity requirements for passwords, which will require you to use this method, however, it’s also very tempting to “trick” these complexity tests by simply throwing in a token capital at the beginning, and a token number and special character at the end. Most hackers are wise to this trick and will include it in their attempts to crack your password and access your account. Do not use this trick under any circumstances! The joke’s most likely going to be on you when you find someone broke into your account, and no one will be laughing except the hacker.
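The weak-password list and the “token capital at the start, number and symbol at the end” trick described above can be turned into a registration-time check. This is an added example, not code from the article; the word list is a constructed stand-in and the identity strings (company name, personal name, email) are whatever the site knows about the account holder.

```python
import re

# Constructed, tiny stand-in for the word lists attackers actually use;
# a real deployment would load a full dictionary or leaked-password list.
COMMON_WORDS = {
    "password", "welcome", "letmein", "summer", "winter", "dragon",
    "monkey", "sunshine", "football", "princess", "qwerty",
}

# The "token" trick from the article: one capital at the start, a lowercase
# word, then digits and/or punctuation tacked on at the end (e.g. Summer2024!).
TOKEN_PATTERN = re.compile(r"^[A-Z][a-z]+\d*[^A-Za-z0-9]*$")

def normalize(text):
    """Lowercase and drop spaces/punctuation so 'Radiant Freedom' compares as 'radiantfreedom'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def core_word(password):
    """Strip leading/trailing non-letters so 'Summer2024!' -> 'summer'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()

def weak_password_reasons(password, username, identity_strings=(), wordlist=COMMON_WORDS):
    """Return the reasons a candidate password is weak; an empty list means it passed.

    identity_strings holds what an attacker can look up about you (company name,
    site address, personal name, email), which the article lists as bad choices.
    """
    reasons = []
    lowered = password.lower()
    if lowered == "password":
        reasons.append("is the word 'password'")
    if lowered == username.lower():
        reasons.append("is identical to the username")
    for ident in identity_strings:
        if normalize(ident) and normalize(ident) in normalize(password):
            reasons.append(f"contains publicly known identifier '{ident}'")
    if core_word(password) in wordlist:
        reasons.append("is a dictionary word or a common variation of one")
    if TOKEN_PATTERN.match(password):
        reasons.append("uses the token capital/number/symbol trick")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_upper and has_lower and has_digit and has_symbol):
        reasons.append("does not mix capitals, lowercase, numbers and punctuation")
    return reasons
```

A scrambled phrase such as `r3D!fox*JUMPs9` passes every check, while `Summer2024!` satisfies a naive complexity rule but is flagged both as a dictionary variation and as the token trick.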
Website Firewall and Malware Scans
Most of us have these security tools for our own computers, so why not for our websites? My guess is that many people don’t know about them, or think they’re very expensive and only affordable by big mega corporations who have seemingly infinite budgets for security.
The reality is that couldn’t be farther from the truth. I run a small business and I use a service called SiteLock for my website’s security. I have both a firewall and scans for malicious programs that may have appeared on my website. The firewall is there to block that stuff from getting there in the first place, and the scans are to detect and fix anything that did get through. This service doesn’t cost that much, in fact most webhosts offer it for only a few dollars a month!
If your startup website is based on the WordPress platform, a free add-on that helps with security for startups in their early stage is Wordfence, which does a similar thing to SiteLock. Like most WordPress plugins, it is a freemium plugin: the basic security features are good enough to get started with, and additional features cost a couple of dollars a month. There are other affordable security options for startups when you search the WordPress plugin store.
These are great systems that can help keep problems out, detect them sooner if they do get in, and also safeguard you against hackers who try to break in by having a program try every username and password combination under the sun at the speed of a computer. Most firewalls have a feature to block an attacker if they detect too many failed login attempts from it, or other signs of bad intent. Security for startups should never be neglected, as being hacked can be rather costly.
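The “block a source after too many failed logins” behaviour described above, worked through over a constructed login log as an added example (not the article’s or any firewall product’s code). The log format, usernames and documentation-range IP addresses are all made up here; a real firewall would read its own server logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a website login audit log. The field layout, the
# usernames and the (documentation-range) IP addresses are all made up here.
SAMPLE_LOG = """\
2024-05-01T10:00:01 login FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:02 login FAIL user=administrator ip=203.0.113.5
2024-05-01T10:00:03 login FAIL user=radiantfreedom ip=203.0.113.5
2024-05-01T10:00:04 login FAIL user=jason ip=203.0.113.5
2024-05-01T10:00:05 login FAIL user=test ip=203.0.113.5
2024-05-01T10:00:06 login FAIL user=admin ip=203.0.113.5
2024-05-01T10:03:00 login FAIL user=jross_editor ip=198.51.100.7
2024-05-01T10:03:40 login OK   user=jross_editor ip=198.51.100.7
2024-05-01T11:30:00 login FAIL user=admin ip=192.0.2.9
2024-05-01T12:30:00 login FAIL user=admin ip=192.0.2.9
"""

def parse_line(line):
    """Split one log line into (timestamp, result, username, source IP)."""
    ts, _, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], ip.split("=", 1)[1]

def find_lockouts(log_text, max_failures=5, window_seconds=600):
    """Return {ip: (ISO time of lockout, sorted usernames tried)} for every source
    that reaches max_failures failed logins within a sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    tried = defaultdict(set)      # ip -> usernames it guessed (the "shot in the dark" list)
    blocked = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = parse_line(line)
        if ip in blocked or result != "FAIL":
            continue  # already locked out, or a successful login: nothing to count
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        while q and ts - q[0] > window:
            q.popleft()   # expire failures older than the window
        if len(q) >= max_failures:
            blocked[ip] = (ts.isoformat(), sorted(tried[ip]))
    return blocked
```

In the sample, 203.0.113.5 is locked out on its fifth failure within ten minutes and the usernames it cycled through are exactly the generic and company-derived names the article warns against; the legitimate user who mistyped once and the source with two failures an hour apart are left alone.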
About the Author
Jason Ross is a professional web developer and owner of Radiant Freedom, a digital marketing firm based out of Port Coquitlam. He studied programming at Langara College and went back to school to take additional classes in network operating systems and network security at Douglas College. He is passionate about helping others succeed and loves working with both people and computers.