Q. After returning from the Easter break I found, to my dismay, our company’s website had been ‘hacked’. I thought this was something that only happened in films and was not really much of a threat, but we had to spend nearly a week rectifying the problem, costing both time and money. What can we, and other businesses who probably don’t realise it’s such a potential danger, do to protect ourselves?
 
John Coulthard of Microsoft UK writes:

Your business isn’t alone in its experience. A DTI survey in 2002 revealed nearly half of all UK businesses had suffered at least one malicious security breach with an average cost of £30,000. While email-borne viruses form the most common threat, you should be aware that company websites present an attractive target for the online vandal.

The first consideration in preventing unwanted visitors from wreaking havoc with your website is to choose a reliable and reputable independent software vendor (ISV) to do a risk assessment on your site. That done, three steps in particular will ensure your business website stands not only secure against attack, but can get quickly back on its feet if disaster strikes. These are a protective firewall, ‘strong’ passwords and routine backups.

A protective firewall forms your company’s first line of defence. It provides a shield around the business’ website and systems, guarding against malicious code and intruders.

Having a ‘strong’ password policy in place further tightens defences. Strong passwords are log-in codes that contain mixed strings of letters, numbers and punctuation marks. They guard against programs that sweep the net, gaining access to secure areas by using common passwords.

However, the ingenuity of today’s hackers means no defence is completely invulnerable. In the event of web defences being compromised, getting your website up and running again should simply be a case of restoring a backed-up version of the system in its previously healthy state. The importance of having in place a regular backup procedure cannot be overemphasised.

These three safeguards should offer sufficient protection to those companies whose websites are designed as information points rather than as transactional sites.

If, however, your business’ website makes a significant contribution to the revenue stream, more extensive defence mechanisms may be required. In these instances companies should consider calling in a specialist ISV to develop a tailor-made website security system.
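
The ‘strong’ password policy described in the answer above can be enforced in code. The sketch below is an added illustration, not part of the original column: it checks for the mix of letters, numbers and punctuation, and also rejects passwords that are a common word with substitutions or padding. The denylist, the minimum length and the function name are assumptions.

```python
import string

# Constructed sample denylist; a real deployment would load a much larger
# list of known common or breached passwords.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "admin", "123456"}

# Character substitutions that are undone before the denylist lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 10  # assumption: the column does not state a minimum length


def check_password(password):
    """Return a list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # The three character classes the column names: letters, numbers, punctuation.
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    # A common word dressed up with a year and "!" still falls to a guessing
    # program, so compare the folded, un-padded, un-substituted forms as well.
    folded = password.lower()
    base = folded.rstrip(string.digits + string.punctuation)
    if {folded, base, base.translate(LEET)} & COMMON_PASSWORDS:
        problems.append("based on a common password")
    return problems


if __name__ == "__main__":
    for candidate in ("letmein", "P@ssw0rd2003!", "river-Kettle-42-stamp"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The second sample passes every character-class test yet is still rejected, which is why the denylist comparison matters alongside the mixed-character rule.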