How can I secure my website?
Whether you develop your website yourself, or use the services of a third party, you should pay careful attention both to the development and the maintenance of your website. Dealing with cybersecurity incidents could have a high impact on your business or your brand (e.g. diminished brand reputation), as they can disrupt your services, lead to a loss of trust on the part of your customers, and possibly even regulatory sanctions and lawsuits. Such incidents could be theft of your customers’ data, alterations to information on your platform, your website being shut down, confidential information about the organisation leaking, etc.
It is also very important that you take inventory in advance, prior to any security breach. What information is mission-critical to your organization? Where does it live? How quickly can it be reinstated if it’s taken out in an attack? You ought to perform a complete audit of your systems, take note of the most important components, and track everything. Make sure you are not the only person aware of this document.
Before entering into discussions with hosting providers, you should reflect on three core aspects of information security, i.e. the confidentiality, integrity and availability requirements of your website and services, and determine the service level requirements needed.
For your system design to be secure, it must enforce strict guarantees that the following three facets are protected:
• Confidentiality, i.e. protecting information (e.g. credit card numbers, personal data) from disclosure to unauthorised parties. This can be done, for instance, by setting up a proper authentication mechanism (such as a two-factor authentication solution). Another measure is to use encrypted connections (HTTPS, i.e. the TLS/SSL security protocol) so that only the right people can access and read the information.
• Integrity, i.e. protecting the information from being altered by unauthorised parties, so that you can be sure the information is accurate and trustworthy. Carrying out a daily check for altered files, scheduling security testing of your website and services (in order to avoid simple attacks such as SQL injection), or setting up an intrusion prevention system can all help achieve this.
• Availability, i.e. making sure your website is up and running all the time. Implementing an emergency back-up power system and rigorously maintaining all hardware are two of the keys to this.
Access to all data systems should only be granted on a ‘need to know’ basis in order to ensure the three facets are complied with.
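One way to implement the daily check for altered files mentioned under Integrity, as an added example that is not part of this guide: it hashes every file under a web root, stores the baseline, and on the next run reports what was added, removed or modified. The web root, file names and contents below are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot: relative path -> hash for every file under the web root."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed web root (not a real site): baseline, simulated tampering, check."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<h1>Welcome</h1>")
    (root / "contact.html").write_text("<p>Contact us</p>")
    (root / "css").mkdir()
    (root / "css" / "site.css").write_text("body { color: black; }")
    # Keep the serialised baseline outside the web root (ideally on another
    # host), so whoever alters the site cannot also rewrite the reference hashes.
    stored = json.dumps(build_baseline(root))
    # Simulated unauthorised changes: one page edited, one file dropped in,
    # one file deleted.
    (root / "index.html").write_text("<h1>Welcome</h1><!-- unexpected edit -->")
    (root / "dropped.txt").write_text("not part of the deployment")
    (root / "contact.html").unlink()
    return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it from a scheduled job and alert on any non-empty list; files that legitimately change (logs, caches) belong outside the monitored tree or on an exclusion list.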
From the moment a breach happens, the trust customers place in you is at stake and a fast response is needed to limit the adverse effects. It is important that you inform your customers about what happened. For example, if passwords are affected, you should make your customers aware of this so they can change them, since people often reuse the same password on other websites.
As aforementioned, once you know what is most important, make sure all the relevant players are aware as well. For this purpose, it’s advisable that one person is nominated as IT owner in the event a security problem is detected.
This individual needs to be readily available in case of an emergency, and equipped to manage the many internal technical components involved in recovering from a breach. It is also advisable to create a data breach notification policy (which could be included in your privacy notice). This should say how and when you will notify your customers (e.g. via mail or e-mail notifications) when personal data is breached. It is likely that this good practice will become a legal obligation in all EU countries in future (and be accompanied by an obligation to notify the Data Protection Authority once you become aware of the data breach).
In addition, determine the cause of the breach. Ensure that this is done in such a way that evidence can eventually be used in court (e.g. if it can be established that the breach did not occur because not enough security measures were in place). If financial information, such as credit card information, is impacted, inform the provider handling your financial transactions so that they can take the necessary measures.
In summary, what is really key is to have an actionable plan that provides specific, concrete measures and procedures to follow after a security incident. The procedures should address who has lead responsibility, how to contact critical personnel, which data, networks and services should be prioritised for recovery, and who needs to be notified (data owners, customers or partner companies) if their data, or data affecting their networks, is exposed.
Note that security breaches may simply be the result of inadvertent human or staff-related error. Make sure you train your employees, if any, to identify and report breaches, as well as to be cautious. Employee negligence (e.g. a stolen laptop or mobile phone) is a major cause of data breach incidents.
Select your country and visit the national website of the Computer Emergency Response Team (CERT), a team of security experts responsible for the management of security incidents (such as reporting and responding to security threats). They can give you information on what to do and who to turn to for help if you are under any type of cyber-attack. They also publish alerts about vulnerabilities and threats in your country.
• Austria: Computer Emergency Response Team Austria, http://www.cert.at/
• Belgium: Computer Emergency Response Team Belgium, www.cert.be. Download the Belgian Cyber Security Guide: adopt the 10 key security principles and implement the 10 “must-do” actions.
• Bulgaria: Computer Emergency Response Team Bulgaria, https://govcert.bg/. Find out more about good security practices when setting up your website and other related security issues in your country (such as the ‘Protecting Your Computer From Malicious Code’ guide, in English only).
• Croatia: Computer Emergency Response Team Croatia, www.cert.hr/
• Czech Republic: Computer Emergency Response Team Czech Republic, www.csirt.cz/
• Denmark: Computer Emergency Response Team Denmark, www.govcert.dk
• Estonia: Computer Emergency Response Team Estonia, www.cert.ee. In order to protect your information systems, follow the cyber-security checklist and other guidelines available on the website (in Estonian or English).
• Finland: Computer Emergency Response Team Finland, www.cert.fi
• France: Computer Emergency Response Team France, www.cert.ssi.gouv.fr. Find out more about simple measures that will make your business more secure, and more (such as ‘Les 10 commandements de la sécurité sur l’internet’).
• Germany: Computer Emergency Response Team Germany, https://www.cert-bund.de/
• Greece: Computer Emergency Response Team Greece, http://www.nis.gr
• Hungary: Computer Emergency Response Team Hungary, http://www.cert-hungary.hu/
• Ireland: IRISS – Computer Emergency Response Team Ireland, http://www.iriss.ie/
• Italy: CERT Nazionale (website to come)
• Latvia: Computer Emergency Response Team Latvia, www.cert.lv. Visit esidross.lv, which gives information on how to protect your computer and stay safe on the Internet (in Latvian only).
• Lithuania: Computer Emergency Response Team Lithuania, www.cert.lt. Visit http://www.esaugumas.lt, which gives information on how to protect your computer and stay safe on the Internet (in Lithuanian only).
• Luxembourg: Computer Emergency Response Team Luxembourg, http://www.circl.lu/
• Malta: Computer Emergency Response Team Malta, https://www.mita.gov.mt/en/Security/Pages/Security.aspx
• Netherlands: Computer Emergency Response Team Netherlands, https://www.ncsc.nl/. Find out more about good security practices when setting up your website and other related security issues in your country.
• Poland: Computer Emergency Response Team Poland, https://www.cert.pl/
• Portugal: Computer Emergency Response Team Portugal, https://www.cncs.gov.pt/certpt/
• Romania: Computer Emergency Response Team Romania, https://cert.ro/
• Slovakia: Computer Emergency Response Team Slovakia, https://www.csirt.gov.sk/
• Slovenia: Computer Emergency Response Team Slovenia, https://www.cert.si/
• Spain: Computer Emergency Response Team Spain, https://www.ccn-cert.cni.es/
• Sweden: Computer Emergency Response Team Sweden, https://www.cert.se/
• United Kingdom: Computer Emergency Response Team United Kingdom, https://www.cpni.gov.uk/. Find out more about simple measures that will make your business more secure, and more.
Suggested country specifics to be covered:
• Do you agree that the above list of country specific elements is relevant to the audience of European Digital Entrepreneurs?
• Do you have suggestions for other than the above country specific elements that are relevant to the audience of European Digital Entrepreneurs?
• What sources of information can you provide as an input for describing the country specifics?
Protect information on your website
• Samara Hart (n/a) , How can I be sure my website is secure, available at http://pixsym.com/blog/website-security/how-can-i-be-sure-my-website-is-secure/
• Justin Stravarius (2010), 15 great ways to secure your website, available at http://web.appstorm.net/roundups/self-publishing/15-great-ways-to-secure-your-website/
• Terry Chia (2012), Confidentiality, Integrity, Availability: The three components of the CIA Triad, IT Security Community Blog, available at http://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-three-components-of-the-cia-triad/
Respond to security incidents
• Experian® Data Breach Resolution (2013-2014 edition), Data Breach Response Guide
• Carl Niedbala (2014), How a Data Breach can Destroy your Startup, available at http://foundershield.com/data-breach-can-destroy-startup-infographic/
• Handbook on European Data Protection Law: http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf
• Ezra Steinhardt (2014), EU Article 29 Working Party Publishes Guidance on Data Breach Notification, Covington, available at http://www.insideprivacy.com/data-security/data-breaches/eu-article-29-working-party-publishes-guidance-on-data-breach-notifications/