Cyber security 101: Run a website? Here's how to protect it from hacking

Protect your website even if it doesn't have valuable data, because hackers can mess it up or use it to mine cryptocurrencies and make money for themselves

Business owners run their own websites are at a high risk of having them hacked. A total of 22,207 Indian websites, including 114 belonging to the government, were hacked between April 2017 and January 2018, according to data provided by Indian Computer Emergency Response Team (CERT-In). This was revealed in a recent written submission made to the Parliament by Minister of State for Electronics and Information Technology K J Alphons. These numbers underline the need for business owners to grow more aware of security issues and put in place systems and practices that will make their websites less vulnerable to attacks.

Many website owners believe that it doesn't matter if their websites get hacked since they don't have any valuable data on them. But hacking can have other negative consequences as well. The hacker could, for instance, put up something undesirable on your website. He could also use the processing power of your web server to mine cryptocurrencies, which means that he would highjack the resources you pay for to make money for himself. "The biggest risk arising from a hacking incident is the harm it does to your reputation. People will have less trust in dealing with your firm if your website has been hacked," says Centre for Internet and Society's Executive Director Sunil Abraham.

The silver lining is that you can take a number of steps to make it harder for hackers to hack your website. Experts suggest that you use a popular, free and open-source stack (combination of technologies) to build your website. "Free and open source technologies tend to have a better security record. Each of those technologies would have been audited and their codes verified, so they are more trustworthy," says Abraham. Similarly, you should use free and popular content management systems (CMS). For instance, you could use FreeBSD or Debian as your operating system, Apache as your web server, Python or PHP as your programming language, Maria DB as your database server, and Typo 3 or Mediawiki as your content management system (CMS).  

Next, pay a third party — a cyber security firm or your web server administrator - to monitor the software applications that are part of your stack, and also your CMS, extensions and plug-ins. Besides monitoring for vulnerabilities, this third party should also regularly install patches and upgrades whenever they are released by the vendor or the research community.

Also, commission periodic security audits by a cyber security company and address issues that come up during the audit. Have a recovery plan in place — a plan of action as to what you will do if, despite all your precautions, your website does get hacked. This will include things like how to deal with customers' queries after a hacking, how to resecure their data (you could issue new passwords), how much backup to maintain, and so on.

Experts also suggest that you should harden your server before putting it online. "A server has an open architecture. Enable only those features that you require and disable the rest. This is referred to as hardening," says Shomiron Das Gupta of NetMonastery, a threat management provider.

Ensure that the applications written for you are secure. "Most attacks happen because the code that has been written is vulnerable. These vulnerabilities get exploited and data gets hacked. Your programmers must know how to do secure coding," says Das Gupta. Before an application goes online, have it tested for security flaws by cyber security experts. Your website should also be SSL (secure sockets layer) encrypted. This will ensure that any data that passes between your web server and browser remains secure.   

Five tips for securing your website

• Use open-source tools to build your website, as they have a better track record in matters of security
• Get a third party, a cybersecurity firm or your web administrator, to monitor your systems and install security patches and updates
• Commission security audits periodically, and address the issues thrown up by the audit
• Have a recovery plan in case a hacking incident does occur
• Get your applications coded by programmers well versed in security issues