Security tips for business
If you have just started a business, you’re probably already aware of the impact the Internet has had on all facets of our economy and culture today. You also know how essential it is for a new company to have a strong web presence.
Your website is the main channel you use to communicate with your customers online, so it should be as secure as possible to protect your data and build customer confidence. In this article we will dig a bit deeper into the basic security measures that should be taken to protect your online business.
One of the primary elements of online security is the user password. All accounts used by employees and users should be protected with a strong password that:
- Does not contain simple sequences or combinations such as 12345 or 00000. Never use “password” as your password.
- Does not contain your name, the company name, or a simple word or word combination that can be easily guessed by a dictionary attack program.
- Contains lower and upper case letters, numbers and special characters such as $, #, *.
- Is at least 8 characters long.
These same guidelines apply to your Namecheap account password. Though it’s not required, we strongly advise that you choose a password using the points we have covered above.
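The four guidelines above can be enforced automatically whenever a password is set. The following Python check is an added example, not Namecheap's code; the small word list, the run length of four characters and the function names are assumptions made for illustration.

```python
import string

# Constructed sample word list (assumption); a real deployment would load a
# large dictionary or breached-password list instead.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

def has_simple_run(pw, run_len=4):
    """True if pw has run_len or more repeated, ascending or descending
    characters in a row, e.g. 00000, 12345 or dcba."""
    for step in (0, 1, -1):
        count = 1
        for prev, cur in zip(pw, pw[1:]):
            count = count + 1 if ord(cur) - ord(prev) == step else 1
            if count >= run_len:
                return True
    return False

def check_password(pw, personal_terms=()):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    lowered = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "lower-case letter": any(c.islower() for c in pw),
        "upper-case letter": any(c.isupper() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "special character": any(c in string.punctuation for c in pw),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    if has_simple_run(lowered):
        problems.append("contains a simple sequence")
    # Your own name and company name are passed in by the caller.
    banned = COMMON_WORDS | {t.lower() for t in personal_terms if t}
    hits = sorted(w for w in banned if w in lowered)
    problems += [f"contains the word '{w}'" for w in hits]
    return problems
```

Pass the account holder's name and the company name as `personal_terms` so that the second guideline is checked against them as well.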
Another security measure is Two Factor Authentication, or 2FA. This step helps keep your accounts with different services safe from trespassers who might try using your credentials on multiple sites. 2FA adds an additional layer of security by requiring access to the phone number associated with the account. You can enable 2FA in your Namecheap account by following this guide.
It’s a good idea to use password managers such as LastPass, Dashlane, Roboform and KeePass to securely store and manage your passwords. These programs can also auto-generate strong passwords that meet the above-mentioned requirements.
To maintain a fully-secure work environment, we recommend you strongly encourage your employees to use these password managers for all work-related services and to never disclose the passwords for their work accounts.
Since your website uses various software for hosting and management, be sure to keep it up to date with the latest software updates. With each update, the company that makes the software fixes reported errors and bugs and minimizes vulnerabilities.
Your web hosting company should also do regular updates of their software to reduce vulnerabilities, though it is recommended that you manually update your hosting software as often as possible.
If you decide to host your site with Namecheap, you’ll always be on the safe side. We take security seriously, using only the latest hardware and software firewalls. We also constantly test and scan the defense systems that secure our servers. In addition, we update the software that is used on our servers and notify our customers about recommended updates of the services we provide. You can check all the hosting packages we provide here.
Our strong stance towards security applies to all the services we provide including email hosting, SSL certificates and domains. We have world-class anti-spam and anti-virus protection using SpamExperts technology that comes with our email hosting services. You can also keep your domain Whois contact information private with the help of our WhoisGuard service which prevents it from being listed in the public Whois database. Our PremiumDNS service provides your domain nameservers with advanced DDoS protection.
Even with up-to-date software, however, there’s still plenty of malware that can infect your website without you being aware. For example, sites that spread malware can inject malicious code into your website to redirect visitors somewhere else. Always schedule regular monthly or weekly security checks to be on the safe side.
Most hosting providers offer ways to securely access and check the server that hosts your site.
One of the most common methods used to securely access a remote server is SSH, or Secure Shell. This is a protocol that allows you to execute commands on a server remotely or transfer files from one machine to another over a secure channel. Simple software programs with easy interfaces have been designed for SSH access; we have a list of those here. If you wish to gain SSH access to your existing hosting package through your hosting provider, we recommend contacting them for the access details. All Namecheap hosting servers can be accessed over SSH, and we have a detailed guide on that here.
File transfer is another setting that can be arranged using certain security protocols, specifically, secure FTP (SFTP). Usually, unencrypted website data is uploaded to the server using FTP (file transfer protocol). SFTP encrypts the transmitted data so that only the SFTP client and SFTP server of the current session can decrypt it. The SFTP port most often used is 22, which is configured in the FTP client. You can use SFTP with Namecheap hosting via the 21098 port. More details about this are available in this article.
If you manage your hosting using a control panel, it is most likely accessible via a non-standard port. For cPanel, this port is 2083 and for Plesk it is 8443, the general idea being to have the control panel accessible in a way other than the usual port 80 HTTP connection (something we also encourage you to do if you want to communicate with the hosting server securely). With Namecheap hosting servers that use cPanel, you can always reach the hosting management area securely through the 2083 port.
Email is an essential part of every business that ought to be protected as well. It is possible to not only secure the connection to your mail server, but also to sign your emails with security certificates, known as S/MIME certificates.
Generally, secure mail ports are used to connect to the mail server, such as 995 (instead of standard 100 for POP3), 993 (instead of 143 for IMAP), and 465 (instead of 25 for SMTP). You may set up a secure connection to a Namecheap Private email service using this guide.
We’d also like to take a moment to describe how phishing attacks work, so that you can secure yourself from them as well. Let’s say, for example, you receive an email that claims to be from “Your trusted bank”, and indeed, appears to be from the actual bank where you keep your money. The email may ask you, for example, to visit a link and provide certain critical account information. The email may also claim that they simply need to “confirm” this data, or they may warn that your account may be closed or that you may incur fees if you do not take immediate action. Regardless of the request, it is important to remember that banks and other credible financial organizations will never ask for personal information via email. You should never share any personal information via links provided in these types of emails. If you click the link, make sure it brings you to the same location it claims to point to. As an example of this, look at the two links below: https://www.namecheap.com and https://www.namecheap.com.
You’ll find by clicking on them (don’t worry, they’re both safe) that, while they look identical, the first one takes you to our main page, while the second one actually directs you to the Google homepage.
So how can you tell the actual link from a hidden redirect? In most cases, you can just hover the mouse over the link; this will bring up the metadata that shows the actual website address. Often this metadata is displayed in the status message of your browser at the bottom of the browser window, though it may also appear next to your cursor or, in some cases, by right-clicking on the link itself (this action will not open the link). You can find the screenshot of the “good” and “bad” links’ metadata below:
In order to encrypt and secure the traffic between your website and visitors, we recommend implementing an SSL certificate on your site.
SSL (which stands for Secure Sockets Layer) certificates come in various levels of security to fit the specific needs of your site. We will briefly take a look at each of these certificates and will describe them in terms of how the validation of the domain name is arranged.
The most basic type of certificate is domain validation (DV). A DV certificate will show who owns the domain name and will provide encryption of site traffic.
To show your customers your domain ownership information as well as validation that your company is officially owned and registered by you, we recommend an organization validation (OV) certificate. OV certs display your company name and address in the certificate details. Additionally, they require you to pass a company verification process with the Certificate Authority (CA) that issues the certificate. This may include requirements such as having your organization listed in a business credit listing like Dun & Bradstreet, or a public database like YellowPages.com. Be sure your business can be validated through channels such as these before choosing an OV certificate.
Extended validation (EV) certificates are a great option for top-tier security. Like OV certificates, EV certs require your company to be incorporated, verified with the issuing CA, maintain a corporate phone number listed in a directory of your country, and be registered in a business credit listing such as Dun & Bradstreet. The verification is more thorough, and the explicit company details will be reflected on the certificate details panel in the browser and on the site seal. We recommend choosing an EV cert only if your business is able to accommodate this rigorous validation process and you require the highest certificate assurance level.
Domains, hosting services, SSL certificates, software, and other services require having a managed account with one or more providers. If your business has only one person managing your account(s), it’s advisable to have a plan for when and if that person is suddenly unavailable.
We recommend that you have at least one additional person in your company that is able to seamlessly manage your web services should the need arise. This way, if the employee leaves, you will already have the resources in place to retain control of your vital accounts.
A very important part of overall security is controlling the online activity of your employees, including downloads and the websites they visit. Having a strict company policy on what file formats are allowed and from which sources can help keep your business network safe from worms and malware. File formats that are most likely to be infected by viruses are: .exe, .js, .jar, or .jse. To demonstrate how dangerous such viruses can be, we’ll show you an example.
Let’s assume your company has 30 employees, all of whom are pretty familiar with the company’s policy regarding downloads from the internet. Your company manages 1000 payment transactions every day, meaning you’re storing tons of credit card and other personal customer information in your internal database. Let’s also assume you’ve implemented all the security measures recommended in this article up to this point. So, the day comes when one of your employees accidentally downloads an attachment in one of those “You have won a $10.000 lottery!” emails. The email contains a worm which immediately runs and clones itself all over your entire company network, stealing your customers’ personal data and sending it to the worm creator. At this point, all you can do is switch off your office internet to ensure the information does not go further than your internal network, and this is assuming you somehow find out how the virus actually works. Such a worm can also simply delete all the information on all your computers, taking you back to square one. As you can probably tell at this point in our example, this is not even the worst-case scenario.
All of this being said, we recommend moving your company data (or at least the most important part of it) to the cloud. Nowadays, cloud services are considerably more secure and trustworthy than they were even 2 to 3 years ago. Services such as Dropbox for Business offer enterprise-level cloud storage (for a fee) that is built to accommodate businesses with a significant amount of internal data. Having your own cloud in a different physical location is also an option. By having an internally-based cloud, you can not only store your information securely, but you also avoid having to deal with a 3rd-party cloud storage provider.
Last but not least is the most obvious security measure: traditional antivirus software. Many companies provide this type of software: Comodo, ESET, AVAST, McAfee, and Kaspersky Lab, to name just a few. These companies provide various security features to keep you on the safe side and help avoid critical situations such as the one we have described above. We recommend visiting these sites to determine which company’s software best fits your security requirements.
To conclude, the best advice we can offer to keep all of your site security resources optimized is to consult with a professional web-security specialist on how best to secure your site and data. While this may present substantial up-front costs, it will save you time and money in the long run, provide you with peace-of-mind, and allow you to focus on the unique aspects of running a successful business.