Website security checklist

The ultimate website security checklist for every business from Stephen Arndt, CEO & CIO, Silver Linings Technology.

Website security threats are on the rise. According to Verizon, 71% of breaches were financially motivated and 25% were motivated by espionage. This puts both the consumer and the business at severe risk.

Cybersecurity checklist

Here is our top website checklist to help you stay secure.

1.  Spot a phishing email

It’s the perfect time for hackers to send emails with dangerous malware and viruses.  Right now, your inbox is probably filled with “COVID-19” subject lines and coronavirus-focused e-mails.

Hackers are even spamming inboxes from a fake cdc-gov e-mail address that looks official but is not legitimate. That’s why it’s the first point on our website security checklist.

How can you tell a phishing email from a legitimate one? Here are a few telltale signs:

  • Look closely at the e-mail address to make sure it’s spelled correctly.
  • Hover over any links in the email (but DON’T CLICK) to see the ACTUAL website you’ll be directed to.  If there’s a mismatched or suspicious URL, delete the e-mail immediately.
  • Watch for poor grammar and spelling errors.
  • Never download an attachment unless you know who sent it and what it is.

When in doubt, call the person who supposedly sent the email on the phone to verify it’s legitimate.
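To make the first two signs mechanical, here is an added example (not from the original post) that flags a look-alike sender domain and a link whose visible text names a different host than its href. The trusted-domain list, the sample e-mail and the regex-based anchor matching are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this organisation expects legitimate mail from (assumption for the example).
TRUSTED_DOMAINS = {"cdc.gov", "example.com"}

# Constructed sample: the sender imitates cdc.gov, and the link's visible text
# names the real site while its href points somewhere else.
SAMPLE_EMAIL = """\
From: CDC Alerts <alerts@cdc-gov.com>
Subject: COVID-19 update
Content-Type: text/html

<p>Read the guidance at <a href="http://cdc-gov.com/login">www.cdc.gov/coronavirus</a></p>
"""

# Matches <a href="...">text</a>; good enough for the sample, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(url):
    """Hostname of a URL, tolerating bare link text such as 'www.cdc.gov/path'."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _squash(domain):
    """Strip punctuation so 'cdc-gov.com' and 'cdc.gov' both compare as 'cdcgov...'."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())

def phishing_signals(raw_email):
    """Return one warning string per sign that fired; an empty list means none did."""
    msg = message_from_string(raw_email)
    warnings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Sign 1: sender domain is not trusted but begins with a trusted one once
    # punctuation is removed (a look-alike heuristic, not proof of phishing).
    if sender_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if _squash(sender_domain).startswith(_squash(trusted)):
                warnings.append(f"sender {addr} imitates trusted domain {trusted}")
    # Sign 2: the text you see names one host, the href you would land on names another.
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) and _host(text) != _host(href):
            warnings.append(f"link shows {text!r} but goes to {_host(href)}")
    return warnings
```

Run `phishing_signals(SAMPLE_EMAIL)` to see both warnings fire on the constructed message; a legitimate mail from a trusted domain whose link text and href agree returns an empty list.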

2. Secure Work from Home

Because your employees may be required to work from home, their mindset may be, “I may as well use my home computer.” This is a dangerous mistake on your security checklist.

Home computers and personal mobile devices could be littered with tons of downloaded music, videos, images, and more. Because such a device is more exposed, it can invite malware into your business network.

ONLY devices that are under our vigilant watch of patching, updating, and monitoring should be used by your employees to work remotely.  Provide a company-approved and secured computer/laptop for employees to use at home.

3. Secure Dropbox and other file sync apps

When employees work from home, they need access to important company files.  It’s easy to look at consumer-grade, cloud file sharing solutions like Dropbox, OneDrive, and Google Drive.  But listen up!


These applications pose a huge threat to your company because company data can be spread far and wide without central oversight of what information is being shared with whom.  Furthermore, over 7 MILLION Dropbox accounts have been hacked, giving cybercriminals a path into the company’s network.

This is even MORE important if your company has access to and/or stores financial, medical, or other sensitive data. Using file-sharing applications like these is a clear and direct violation of data breach and compliance laws. DON’T USE THEM FOR COMPANY DATA; use only company-approved, business-grade file-sharing applications.

4.  Cybersecurity doesn’t have to be complicated

What makes many ignore a cybersecurity checklist is the great unknown. They don’t understand it. They assume it only happens to the “big guys.” So they carry on as if they aren’t at risk.

Yet cybersecurity doesn’t have to be complicated. In fact, you can keep your practice safe from most attacks by following five simple steps.

Start a training program. 

Any employee who handles company data or devices should have to go to mandatory cybersecurity awareness training regularly.   

Take email security seriously. 

To protect your company from phishing attacks, be sure you have a good spam filtering system installed. 

Ensure your website is safe. 

Make sure you patch vulnerabilities, monitor suspicious behavior, and install firewalls to keep potential problems away. 

Protect your data with a VPN. 

With mobile devices, company travel, and work from home days, access to your data is no longer driven solely from inside your office building. Instead, employees access data from all over the world. A virtual private network (VPN) adds a layer of encryption to ensure your data stays safe no matter how or where it’s accessed. 

Create a response plan and web security checklist.

What happens if you are attacked? Have you thought about the consequences? Seeing the other side can open your eyes to vulnerabilities and help you install better security practices. 

5. Simple steps for a DIY cybersecurity audit

How important is your data? Silly question, right? For a medical practice, your data is everything.

When was the last time you performed a data security audit?

Don’t wait for an official audit to determine your weaknesses. Or worse, a breach. A self-audit can be very useful to show you where simple changes can make all the difference.

Define the audit

Think of your audits as pop quizzes. They can be general or narrow in focus. You can look at your practice as a whole, or niche it down and look at very specific things. Define your security perimeter to create your list of things to consider.

Define the threats

Define all of the threats that can impact everything within your security perimeter. Think small – how can one employee trip up the system? Think big – what happens if a hurricane/tornado/earthquake/fire hits? Think everything in between.

Define the risks

Each threat has its own chance of happening within your business. Can you put a price tag on it? Can you prioritize how likely it is to occur? While you can’t predict everything, with common knowledge and a little bit of gut instinct you can determine how likely you are to face each risk.

Define the controls

If you know where your risks are, you can devise a way to improve the process. You can improve on activities you already have in place, or you can implement action steps that are missing. You can also establish timelines for upgrading on a regular basis.

6.  Phishing Protection

  • Invest in technology to block phishing emails. While it’s not perfect, it can prevent some potential threats from getting through.
  • Use 2-factor authentication where it makes sense. This adds an extra security factor to the most sensitive data.
  • Run phishing email simulations regularly to ensure all of your employees are properly trained.

When was the last time your organization ran a phishing email simulation?

7. ASK

  • Avoid – Avoid posting personal information online. Always ask yourself if you’d hand this information over to a stranger before you type it out on your computer.
  • Secure – Are you doing all you can to keep your systems secure? Take the approach that a hacker is trying to get into your system every day. What can you do to thwart their efforts?
  • Knowledge – Educate your staff to never click on a link unless they know who it’s from. And think twice before clicking – would this person really ask for the information they’re requesting? When in doubt, give them a call or send a separate email just for verification. 

8. If this type of alert pops up, DON’T click on it!

You’re working at your computer when all of a sudden – BAM! – you get a pop-up notification that your PC is infected with a virus and you must “click here” to run a scan or install antivirus software. This is a common scareware tactic used by hackers to get you to click and download a virus.

Often it will appear to be a system alert or a Microsoft operating system alert. Regardless of how legitimate it looks, NEVER click on the site or the pop-up. The safest thing to do is close your browser; do not click on the X, “Close” or “Cancel” button in the pop-up or on the site because clicking on anything on the page or pop-up will trigger a virus download. If that won’t work, bring up your task manager (hold Control + Alt + Delete on a PC and Command + Option + Esc to “Force Quit” on a Mac) and close the web browser or application where it appeared. 

9. If you installed it, you must update it! 

There are thousands of hackers who get up every morning with ONE goal in mind: to find a new vulnerability in commonly installed software (like Adobe, Flash or QuickTime) to access your computer. That’s why these companies frequently issue patches and updates for KNOWN security bugs. Once a KNOWN vulnerability is announced via a patch, hackers get to work like crazy trying to figure out how to use it against users who are lazy about installing updates. That’s why it’s important to update installed software programs as soon as possible.

10. DON’T use public WiFi until you read this

We’re all guilty of it: connecting to free public WiFi. Whether it’s at the coffee shop, hotel or airport, the temptation to check e-mail and surf the web is just too strong to resist. So BEFORE you connect to any free, public WiFi, make sure the connection is legitimate. 

It’s not uncommon for hackers to set up fake clones of public WiFi access points to try and get you to connect to THEIR WiFi over the legitimate, safe public one being made available to you. Before connecting, check with an employee of the store or location to verify the name of the WiFi they are providing. Next, NEVER access financial, medical or other sensitive data while on public WiFi. Also, don’t shop online and enter your credit card information unless you’re absolutely certain the connection point you’re on is safe and secure. 

11. Set up bank alerts – NOW!

Here’s a tip that just might save your bacon: set up withdrawal alerts on your bank accounts. Many banks will send you an e-mail alert whenever money is withdrawn from your account via check, debit card or transfer. Setting up those alerts will allow you to spot and report fraudulent activity BEFORE the money has already been siphoned into a cybercriminal’s hands. 

Do you also have some checklist points? Let us know in the comments.
