A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

Secure Website, Safe Business

When small and large businesses provide a website, they should attempt to make it as secure and safe as possible, both for themselves and their customers.

It's common for a business to have a website, but many do not implement security measures. Before launching a website for your company or employer, take steps to ensure safety for both the business and customers.

Earn trust

First of all, purchase a digital certificate, a secure way to verify the identity of a user or a computer, from a well-known certificate authority (CA) such as Thawte or Verisign. CAs are third-party organizations that verify the identity of your company and its website. Digital certificates inspire confidence in customers. At the same time, be sure to keep the certificate up to date: an expired certificate may lead to a loss of confidence.

Handle data responsibly

If you request information from Web visitors via a registration process or some kind of form, it is essential to use a secure, encrypted connection, such as SSL, to transmit the data. Customers expect you to handle their personal information securely, so make sure you store data in encrypted form, and not in clear text, on any data servers that you use.

Additionally, make sure that you correctly validate all data entered by users, so that attackers cannot compromise your system through common attack techniques such as SQL injection and buffer overflows.
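The paragraph above says to validate user input so that SQL injection cannot compromise the system. The following Python is an added example, not code from the original page or from Carnegie Mellon; it builds a constructed in-memory customer table with sqlite3 and shows a lookup written the insecure way (user input concatenated into the SQL text) beside the hardened form (allow-list validation followed by a parameterized query). The table name, columns and sample rows are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for a real customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# Allow-list: letters, digits and underscore, 3 to 32 characters (assumed policy)
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username(value):
    """Return True only if the value matches the allow-list exactly."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def lookup_vulnerable(conn, username):
    """Insecure pattern: the user's input becomes part of the SQL statement.

    Input such as  x' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row in the table.
    """
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: reject anything outside the allow-list, then bind the
    value as a query parameter so the database never parses it as SQL."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal input, vulnerable:", lookup_vulnerable(db, "alice"))
    print("tautology input, vulnerable:", lookup_vulnerable(db, "x' OR '1'='1"))
    print("normal input, safe:", lookup_safe(db, "alice"))
    try:
        lookup_safe(db, "x' OR '1'='1")
    except ValueError as exc:
        print("tautology input, safe:", exc)
```

The parameterized query is the real defense; the allow-list check is a second layer that also keeps obviously malformed input out of logs and error messages. The same two-step pattern applies to any value that reaches a database, a shell command or a file path.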

Maintain your tools and software

At your end, keep your computer and server software up to date. Your systems need a firewall and must run anti-virus and anti-spam software. These practices help prevent viruses and attacks on your systems.

Back up your website and all your data on another system. DoS attacks, which are used to overload a website, often cannot be prevented because they overwhelm firewalls and other intrusion detection systems. For this reason, companies often mirror the website on another server, so that if a DoS attack takes down the primary website, the company can switch to the mirror with very little downtime and few customer complaints.

Ensure usability

If your website sets cookies on the user's computer, you should inform the user about it. While cookies can be helpful for personalizing the website for users, some cookies have been used by malware and spyware. Users who have set their software to block cookies would need to change this setting in order to use your website.

Similarly, if your website uses pop-ups and the user has set the browser to block them, inform the user so that they can temporarily disable pop-up blocking.

Regularly monitor the website's content

Periodically check the content of the website from various locations outside your workplace. If attackers have gained access to the website and changed some of its content, such monitoring ensures that the changes are detected and reverted quickly, keeping the damage to a minimum.
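One way to make the periodic check above systematic is to record a hash of each page when the site is known to be good and compare later fetches against that baseline. The Python below is an added example, not code from the original page or from Carnegie Mellon. The page paths, the site contents and the "defaced" copy are constructed sample data; the `fetch_pages` helper uses the standard library `urllib.request` and is meant to be run from a machine outside the office network, but the comparison itself runs entirely offline.

```python
import hashlib
import urllib.request


def sha256_hex(data):
    """Hex SHA-256 of a page body."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(pages):
    """pages: mapping of path -> bytes of known-good content.
    Returns path -> digest, which is what you store (for example as JSON)."""
    return {path: sha256_hex(body) for path, body in pages.items()}


def compare_to_baseline(baseline, current):
    """Compare freshly fetched pages against the stored digests.

    Returns a report with three sorted lists:
      changed    - path exists but its content hash differs
      missing    - path in baseline but not fetched (removed or unreachable)
      unexpected - path fetched but never recorded in the baseline
    """
    report = {"changed": [], "missing": [], "unexpected": []}
    for path, digest in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif sha256_hex(current[path]) != digest:
            report["changed"].append(path)
    for path in current:
        if path not in baseline:
            report["unexpected"].append(path)
    for key in report:
        report[key].sort()
    return report


def fetch_pages(base_url, paths, timeout=10):
    """Fetch live copies of the listed paths (run from an outside vantage point)."""
    fetched = {}
    for path in paths:
        with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
            fetched[path] = resp.read()
    return fetched


# Constructed sample content standing in for a real site (assumed paths/bodies)
KNOWN_GOOD = {
    "/index.html": b"<html><body><h1>Acme Widgets</h1></body></html>",
    "/contact.html": b"<html><body>Call us at 555-0100</body></html>",
}

# Constructed "later" snapshot: the front page was altered, the contact page
# is gone, and a page nobody published has appeared.
OBSERVED = {
    "/index.html": b"<html><body><h1>Site defaced</h1></body></html>",
    "/about.html": b"<html><body>unexpected new page</body></html>",
}


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    print(compare_to_baseline(baseline, OBSERVED))
```

Any non-empty list in the report is a signal to restore the affected pages from backup and investigate how they were changed. Pages that legitimately vary per request (dates, session tokens, rotating banners) will show up as changed on every run, so either hash only the static parts of the site or strip the dynamic fragments before hashing.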

Enjoy the benefits

A good company website can raise visibility and keep customers informed. Conversely, a poorly designed and ill-maintained website can be a costly mistake. Follow these basic practices to avoid problems.
