How to Secure Your Online Business (And Increase Its Valuation)
The internet is full of security risks lurking around every corner, so much so that we are often blinded by some of the most obvious attempts to steal our information.
Whether you are new to online business or scaling your tenth acquisition from our marketplace, security should be a top priority when it comes to protecting your financial and sweat equity investment.
In this guide, we will cover some of the basic security features an online business should have in place based on its monetization and what you can do to improve the security of your online business to avoid fraud and other malicious attempts to steal your company and customer data. Not every online business will have the same type of security requirements, so we wanted to break down some of the main security risks that content, ecommerce, and SaaS businesses might have. These three types of business models will be our primary focus in this guide, and while there may be some overlap in the best security practices for all three, there are a few differences you should be aware of.
Why is Online Business Security Important?
Online security is important because billions of people use the internet to shop, make payments, and share private information. Attackers have more targets to go after, and that increases your chance of falling victim to identity theft and fraud.
Today, one challenge that many online business owners face is the threat of cyber-attacks and breaches of their customers’ data. These attacks often come in the form of different crimes and fraudulent activities. From identity theft to stealing personal details or financial information, cyber-attackers are constantly looking for new ways to hack websites or disrupt software services.
As a business owner, one of the most important things you can do is understand that the threat of cyber-attacks is always present, and you should protect your business using every security measure available to you.
First, let’s start with things to consider to improve a content site’s security, as this will cover the same initial steps you should take to secure ecommerce and SaaS businesses.
Content Site Security
When it comes to securing a content site monetized through affiliate links or display advertisements, you have the benefit of avoiding potential cyber-attacks targeting your customers’ financial data, unlike ecommerce or SaaS business models. The reason is that your visitors are not usually sharing personal information with you directly, such as credit card numbers or home addresses. With content sites, however, the one piece of information that you often collect (or at least you should be) is email addresses.
When it comes to content site security, protecting your traffic’s data, whether that be in the form of newsletter opt-in emails or lead generation submissions, is key to protecting your business reputation. Achieving a great valuation for your business is also based on how stable and secure your business looks to potential investors compared to similar assets being sold on the market. A few security improvements that you should make to your content business include:
Website Hosting
Regardless of which content management system (CMS) you happen to use, your hosting provider is the first pillar for ensuring that your business infrastructure is secure. Many website hosting companies offer some type of security measures to protect their clients’ data, but not all are created equal. Some key security factors that your hosting provider should have in place include the following:
- IDS/IPS systems that block malicious bots and attackers
- Host software providing up-to-date database services with the latest security patches
- Servers using the latest PHP version with the latest security fixes
While we are on the subject of web hosting and its role in your website’s security, it is also worth mentioning the fact that you should backup your website as often as possible!
Having a backup of your site’s data offsite in case you experience a cyber-attack is one of the best safety nets you can have as an online business owner. With a backup you will be able to restore your site should a security attack occur or should you need to revert to an older update because of improvements being made to your site.
Another way to keep your site’s data secure is to limit access to your hosting service and only share this information with essential personnel. Avoid giving your host login information to others to reduce the risk of your data being breached by attackers, who often target company employees and not always the business owners themselves.
SSL Certificates and Enforcing HTTPS Connections
Secure sockets layer (SSL) certificates are small data files that digitally bind a cryptographic key to a company’s details. For those who are less tech savvy, when installed on your website’s server a certificate activates the padlock you see in the left-hand corner of your web browser’s address bar and the HTTPS protocol, which encrypts the connection between your web server and your visitors’ devices. (Certificates issued today are technically TLS certificates, TLS being the successor to SSL, but the SSL name has stuck.) Once the certificate is installed, configure your server to redirect every plain HTTP request to HTTPS so that no page of your site is ever served unencrypted. Activating an SSL certificate on your site is one of the first steps that many online business builders take, and some hosting providers even offer it as an incentive to use their service.
Media and Content Security
When uploading various media and content formats to your site, where you store the data is also important to the security of your content site.
Using a service such as a content delivery network (CDN) can help mitigate the risk of attackers reaching your site’s origin servers. A CDN keeps copies of your media and content on edge servers located close to your visitors and serves requests from there, so most traffic never touches your own server. This not only shields your origin server but also helps protect your website from distributed denial-of-service (DDoS) attacks, because the CDN absorbs and filters the flood of requests. A DDoS attack occurs when a perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the internet.
Site Plugins and Theme Security
If your website’s plugins have not been updated in some time, you may want to consider updating these security weak points as soon as possible.
One way that cyber-attackers have been able to breach a site’s data is through outdated plugins offered on a CMS like WordPress or obsolete extensions used on platforms such as Joomla. Any time you add one of these extensions or plugins to your site, you are adding another entry portal to potential security attacks. Updating your site’s plugins and extensions as soon as a new update becomes available will not only keep your site secure but also help you to avoid any issues that might crash your site should a website update trigger a problem with the now-outdated plugin version.
VPN and Secure Wifi Connections
When accessing your online business using public wifi networks like those at the mall or a local coffee shop, you may want to consider using a virtual private network (VPN).
Cyber-attacks are becoming more common on these unsecured public networks, with some attackers going as far as setting up rogue wifi access points that imitate the legitimate network in order to trick you into handing over your credit card or PayPal information.
If you don’t have access to a secure WPA2 wifi network at home or your desired work location, be sure to set up a VPN to prevent any unforeseen attackers from gaining access to your important data the next time you drop in for an iced coffee to check your email.
Malware and Ransomware
Setting up a firewall, encrypting the data you send via email, and installing anti-virus/malware software on your device will limit your risk of security threats. Updating this software often and running system scans will bring potential threats to your attention and alert you to problems before a security breach occurs.
General Data Protection Regulation (GDPR)
Not so much a direct threat to your business, the general data protection regulation is an EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
It addresses the transfer of personal data outside the EU, with a primary aim to give individuals control over their personal data and to simplify the regulatory environment for international business inside this jurisdiction. The regulation contains provisions and requirements related to the processing of personal data by those who are located in the EU and EEA. It applies to any enterprise—regardless of its location and the data subjects’ citizenship or residence—that is processing the personal information of individuals inside this area.
This is important to note, because if your business is generating a majority of its traffic from the EU, following this regulation is crucial to ensure your business is not at risk of being shut down.
Two-factor authentication (2FA)
A strong password alone offers little protection once it has been leaked, guessed, or phished; 2FA adds a second line of defense against cyber-attackers and other malicious attempts to gain access to your valuable information.
2FA works by adding an additional authentication step before any user is granted access to the desired account they are attempting to log into. A few authentication factors most commonly used in 2FA applications include:
- Knowledge factor – something only the user knows, such as a password or PIN
- Possession factor – something the user has, such as a phone or mobile app that approves authentication requests or generates one-time codes
- Biometric factor – something the user is, such as a fingerprint or face scan
- Location & time factor – the location and time of each login attempt, which can be used to flag or block logins from unexpected places and to notify you of them
There are plenty of 2FA options being used online to authenticate login attempts, so feel free to choose one that best suits your needs. Adding one (preferably all) of the security updates mentioned in this guide so far is not only great for you as a business owner in terms of security but also increases the valuation of your business should you decide to make an exit. In case you didn’t know, there are thousands of online business buyers looking to acquire a secure, stable content business that generates a consistent cash flow.
As we mentioned at the start of this guide, security for content sites will provide you with the basic building blocks to secure more complex business models, like ecommerce and SaaS businesses. Because these business models often involve the exchange of more valuable information like credit card details and shipping addresses, additional security measures should be taken.
Ecommerce Business Security
Ecommerce businesses require the exchange of credit card and financial information from customers directly, so a few additional security measures are needed to make sure these transactions are secure.
When we say ecommerce businesses, we are not referring to Amazon FBA business models, as Amazon is the payment gateway for the customer and therefore handles the security of your customers’ data. Ecommerce brands with a direct shopping cart located on their website through an application such as WooCommerce or a storefront like Shopify provide additional security measures to help you mitigate the risk of a security breach of your data. A few security factors to consider for an ecommerce business include:
Transport Layer Security (TLS)
TLS is the successor of SSL and acts in the same way to provide secure communications over a computer network. Ecommerce businesses exchange extremely valuable customer data, so it is important to have the most up-to-date security certificates for your business.
Multi-factor authentication (MFA)
MFA is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. 2FA is the special case of exactly two factors; MFA can combine knowledge, possession, and inherent (biometric) factors in any number, giving you more ways to verify a login attempt than the standard 2FA setup. While it may look the same as 2FA, every additional independent factor you place between your accounts and a malicious attacker makes it harder for them to breach your business.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI standard is mandated by the bank card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data and to reduce credit card fraud. It acts as an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data.
PCI DSS is a security standard, not a law, so it is not required by legislation. However, compliance is mandated by the contracts that merchants sign with the card brands (Visa, MasterCard, etc.) and with the banks that actually handle their payment processing.
Speaking of payment processing, a few security measures that SaaS businesses need to consider on top of all the factors we have covered in this guide so far are directly linked to the payment processor for SaaS business models.
SaaS Business Security
When it comes to cyber-security attacks, SaaS business models are often a favored target of website hackers, as they will often have two or fewer gateways to breach before reaching your customers’ data.
Unlike content and ecommerce businesses, where customer data is often stored with a third party, SaaS business models have a shopping cart or payment portal as one of the first steps in gaining access to the platform. Once inside, without these security measures in place, you might be vulnerable to attackers stealing your customers’ information.
Payment Portal Network
It is highly advisable that if you maintain a payment portal connected to your SaaS solution, the payment gateway should be on a separate network from the one your SaaS is on.
The reason for this is that your payment portal holds all of your customers’ most valuable information, and if it sits on the same network as your site or SaaS platform, an attacker who breaches the platform can reach the payment portal directly. Consider a third-party payment portal when scaling a SaaS business, as it will offer the most protection for your customers’ data (when using a reputable payment provider, that is).
ISO 27001 and SOC1/SOC2 Assurance Reports
SOC1/SOC2 are reports on the controls of a service organization related to security, availability, processing integrity, confidentiality, or privacy. In short, they describe in detail the systems the service organization uses to process users’ data and the controls that protect the confidentiality and privacy of those systems.
The ISO 27001 certification validates that an organization meets a standard set of requirements, and like many other standards, certification is possible but not mandatory. While these security standards are not required, they offer users proof that you are going above and beyond when it comes to protecting their valuable data, improving your business reputation. Your customers are more likely to return when they feel this sense of security using your SaaS solution.
Security Threats that Online Businesses are Vulnerable To
Now that we have covered some of the most common security updates you can make to your online business based on the specific business model you operate, we should cover some common threats that many business owners often fall victim to.
Phishing
Far from casting a reel out in hopes of catching a free dinner, phishing is a malicious attempt that cyber attackers make to gain your information.
Phishing comes in many forms, but the most common phishing attempts arrive as an email. This email might catch your attention with an urgent subject line or a free offer. Beware of these attempts, as they are often linked to a cyber-attacker trying to harvest your login details or, worse, get you to hand over your credit card information to pay some mysterious bill you have no recollection of.
- Insider TIP: Check the address of any suspicious email you receive to verify who actually sent it, not just the display name. If you receive a request from your grandmother to send money for her back surgery, make sure the email address is in fact your family member’s (this will save you some headache down the road should you find yourself kicking yourself for sending money to Johnnyfireball1991 when you thought it was going towards your grandmother’s back medication).
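The tip above (look at the real sender address, not the display name) can be turned into a few mechanical header checks. The following is an added example, not code from the original guide: it parses a raw email with Python’s standard `email` module and reports the classic warning signs. The two messages, the trusted-domain list, the urgency words, and the `Authentication-Results` header format are all constructed or assumed for the demo.

```python
import email
import re
from email.utils import parseaddr

# Added example (not from the original guide): simple phishing indicators
# computed from message headers. TRUSTED_DOMAINS and URGENCY_WORDS are
# assumptions you would tune for your own business.

TRUSTED_DOMAINS = {"example-family.test", "mybusiness.test"}
URGENCY_WORDS = ("urgent", "immediately", "final notice", "suspended")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable warnings for a raw RFC 5322 message; an empty
    list means none of these simple checks fired (not proof it is safe)."""
    msg = email.message_from_string(raw_message)
    warnings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name looks like an address at a different domain than the
    #    real sender, e.g. "grandma@family" <someone@free-mail>.
    name_match = re.search(r"[\w.+-]+@[\w.-]+", from_name)
    if name_match and domain_of(name_match.group(0)) != from_domain:
        warnings.append(f"display name shows {name_match.group(0)} "
                        f"but real sender is {from_addr}")

    # 2. Reply-To points at a third party, so your reply (and money) goes there.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    # 3. Sender domain is not one you already know.
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {from_domain} is not in the trusted list")

    # 4. Urgency pressure in the subject, the classic phishing hook.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        warnings.append("urgent language in subject: " + ", ".join(hits))

    # 5. Your own mail server recorded an SPF or DKIM failure on receipt.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        warnings.append("SPF or DKIM failed on receipt")
    return warnings


# Constructed sample messages for the demo (not real mail).
SUSPICIOUS_MESSAGE = """\
From: "grandma@example-family.test" <johnnyfireball1991@free-mail.test>
Reply-To: payments@other-mail.test
To: you@mybusiness.test
Subject: URGENT: money for my back surgery
Authentication-Results: mx.mybusiness.test; spf=fail smtp.mailfrom=free-mail.test

Please wire $2,000 today.
"""

LEGIT_MESSAGE = """\
From: Grandma <grandma@example-family.test>
To: you@mybusiness.test
Subject: Sunday dinner

See you at six.
"""

if __name__ == "__main__":
    for warning in phishing_indicators(SUSPICIOUS_MESSAGE):
        print("WARNING:", warning)
    print("legit message warnings:", phishing_indicators(LEGIT_MESSAGE))
```

These checks are deliberately cheap and produce false positives (a newsletter with a different Reply-To domain, say); their value is in making you pause and look at the real address before acting, which is exactly the tip above.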
SQL injection
SQL injection is a code-injection technique used to attack data-driven applications, through which malicious SQL statements are inserted into an entry field for execution. These attacks allow hackers to spoof identity, tamper with existing data, cause internal issues (e.g., voiding transactions or changing balances), gain access to all data in the system, destroy the data or make it otherwise unavailable, or become administrators of the database server.
In a study conducted in 2012, it was found that the average web application received four attack campaigns per month, and online retailers received twice as many attacks as others. We won’t go into a detailed list of all the steps you should take to prevent this from happening to your business, but there are several cybersecurity vendors and open source developers that offer automated SQL injection scanners to identify potential vulnerabilities. Even if you have little to no database knowledge, many tools on the market today include remediation guidance that can help remove some of the risks discovered during a site audit. The single most effective fix, if you or your developers control the code, is to never build SQL statements from user input and instead pass that input as query parameters.
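To make the mechanism concrete, here is an added example that is not code from the original guide: the same login lookup written the vulnerable way (string formatting) and the safe way (parameterized query), run against an in-memory SQLite database with constructed sample rows. The table, usernames and hash strings are placeholders for the demo.

```python
import sqlite3

# Added example (not from the original guide): why parameterized queries
# stop SQL injection. Runs offline against an in-memory SQLite database.


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", 1), ("bob", "hash-of-bob-pw", 0)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    """Builds the SQL by string formatting: the user's input becomes part of
    the statement text, so a crafted username rewrites the WHERE clause."""
    query = (
        f"SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str, password_hash: str):
    """Parameterized query: the driver sends the values separately from the
    statement, so input is always data and can never change its structure."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchall()


def demo():
    """Run both lookups with a username that comments out the password check."""
    conn = build_db()
    crafted = "alice' --"          # the `--` turns the rest of the line into a comment
    vulnerable = find_user_vulnerable(conn, crafted, "wrong")
    safe = find_user_safe(conn, crafted, "wrong")
    return vulnerable, safe


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("vulnerable:", vulnerable)  # [('alice', 1)]  -> admin session with no valid password
    print("safe:      ", safe)        # []              -> no such user, as it should be
```

The safe version is also the fastest code review check you can ask a developer for: any place where a SQL string is assembled with `+`, `%`, `.format()` or an f-string from request data is a finding, whatever input filtering sits in front of it.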
Cross-site Scripting (XSS)
Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS attacks enable hackers to inject client-side scripts into web pages viewed by other users. Because the injected script runs with the privileges of your site in the victim’s browser, it can be used to bypass access controls such as the same-origin policy (2FA and MFA limit how far an attacker gets with whatever credentials such a script manages to steal). XSS is very common and is probably the most widespread web security vulnerability. A few ways you can mitigate the risk of your business experiencing an XSS attack are to validate your inputs against a whitelist of allowed characters and to use a library such as Google Guava to HTML-encode your output for HTML contexts. For values placed inside JavaScript, use JavaScript Unicode escapes instead, since HTML encoding does not protect a JavaScript context.
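The two mitigations named above, an allow-list input check and context-specific output encoding, look like this in practice. The following is an added example in plain Python, not code from the original guide or from Google Guava; the username pattern and the page template are assumptions for the demo.

```python
import html
import re

# Added example (not from the original guide): allow-list input validation
# plus output encoding for an HTML context and a JavaScript-string context.

# Assumption for the demo: usernames are 1-32 characters from a small set.
USERNAME_ALLOWED = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_username(value: str) -> bool:
    """Allow-list check: accept only characters a username legitimately needs
    and reject everything else, rather than trying to strip 'bad' characters."""
    return bool(USERNAME_ALLOWED.match(value))


def encode_for_html(value: str) -> str:
    """HTML body/attribute context: turn the characters that can start markup
    (< > & " ') into entities so the browser renders them as text."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JavaScript string context: \\uXXXX-escape everything except ASCII
    letters and digits. The value can then never close the quote, inject a
    `;`, or end the enclosing <script> element (since `<` becomes \\u003c)."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            # UTF-16 code units so characters outside the BMP become a
            # surrogate pair, which JavaScript string literals accept.
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def render_profile(display_name: str) -> str:
    """Constructed template: the same untrusted value lands in an HTML element
    and inside a JavaScript string, each with the encoder for its context."""
    return (
        f"<h1>Welcome, {encode_for_html(display_name)}</h1>\n"
        f"<script>var user = '{encode_for_js_string(display_name)}';</script>"
    )


if __name__ == "__main__":
    payload = "</script><script>alert(1)</script>"
    print(is_valid_username(payload))   # False: rejected at the door
    print(render_profile(payload))      # both copies are inert text
```

Note that the encoders are chosen by where the value is written, not by what the value looks like; an HTML-encoded value dropped into a JavaScript string is still exploitable, which is why the two functions are kept separate.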
E-skimming
E-skimming, also known as a “Magecart” attack, is when hackers gain access to your online store and inject skimming code into payment card processing pages of the website. These hackers can gain access to the network using a phishing email or by hacking administrative credentials, which can then be used to place the skimming code inside the online store using this compromised account.
E-skimming gives attackers access to personal information, such as your customers’ name, date of birth, location, address, user login and administrative credentials, credit card and debit card data, account number, and more. Most of what we have already covered in this guide will help to mitigate your risk of experiencing an e-skimming attack on your business, but there are a few best practices you should be aware of to help limit the possibility of this happening to you.
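One practical defense against e-skimming is to audit the scripts on your checkout page on a schedule and alert on anything you did not put there. The following is an added example, not code from the original guide: it parses a stored copy of the page with Python’s standard `html.parser`, then flags scripts from hosts outside an allow-list, inline scripts whose hash is not on file, and external scripts that carry no Subresource Integrity attribute. The allow-list, known hashes, the sample page and its `integrity` placeholder value are all constructed for the demo.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example (not from the original guide): a checkout-page script audit.
# Assumed allow-list of hosts your checkout page legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example.test", "js.payment-provider.test"}

# Assumed registry of inline scripts you deployed yourself, stored by SHA-256.
KNOWN_INLINE_SHA256 = {
    hashlib.sha256(b"window.checkoutConfig = {currency: 'USD'};").hexdigest(),
}


class ScriptCollector(HTMLParser):
    """Collects (src, integrity, inline_text) for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attributes = dict(attrs)
            self._current = [attributes.get("src"), attributes.get("integrity"), ""]

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies verbatim as one data chunk.
        if self._current is not None:
            self._current[2] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(tuple(self._current))
            self._current = None


def audit_checkout_page(page_html: str) -> list:
    """Return a finding per script that is not on the allow-list, lacks SRI,
    or is an inline script whose hash you have not recorded."""
    parser = ScriptCollector()
    parser.feed(page_html)
    findings = []
    for src, integrity, inline in parser.scripts:
        if src:
            host = urlparse(src).hostname or ""
            if host not in ALLOWED_SCRIPT_HOSTS:
                findings.append(f"script from unexpected host: {src}")
            elif not integrity:
                findings.append(f"external script without SRI integrity: {src}")
        else:
            digest = hashlib.sha256(inline.strip().encode()).hexdigest()
            if digest not in KNOWN_INLINE_SHA256:
                findings.append(f"unknown inline script (sha256 {digest[:12]}...)")
    return findings


# Constructed sample checkout page for the demo; "sha384-placeholder" stands in
# for a real integrity hash.
CHECKOUT_PAGE = """<html><head>
<script src="https://shop.example.test/static/checkout.js" integrity="sha384-placeholder"></script>
<script>window.checkoutConfig = {currency: 'USD'};</script>
<script src="https://js.payment-provider.test/v1/card.js"></script>
<script src="https://cdn-stats.unknown.test/a.js"></script>
<script>var unexpected = 1;</script>
</head><body><form><input name="card"></form></body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_page(CHECKOUT_PAGE):
        print("FINDING:", finding)
```

Running this from a clean machine against a fresh fetch of the live page, rather than against your deployed source, is the point: a skimmer injected through a compromised admin account or a tampered third-party script shows up as exactly the kind of drift this check reports. A Content Security Policy that lists the same hosts adds the browser-side enforcement.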
Best practices for Online Business Security and Final Thoughts
In addition to what we have already covered in this guide, another important step you can take to help prevent a security breach from happening to you is to update your passwords at least every 90 days. Updating your passwords often will keep cyber-attackers from gaining access to your accounts, and it makes attacks more difficult to perform when you use a different password for every network and platform you rely on. A great option for improving your password security is to use a password manager such as LastPass to keep all of your passwords secure and in one easy-to-find place. When using multiple passwords across all of your accounts, it can be quite a challenge to keep track of these updates, especially when you change the passwords every few months.
Another best practice in terms of mitigating your online business security risk is making sure you avoid giving out vulnerable information to others, even if you think the request is coming from someone you know or someone within your organization.
One last final thought when it comes to improving the security of your online business (and increasing its valuation) is to obtain a trademark or patent for your business’s product or service. This is a crucial part of ensuring the security of your business, not in terms of cyber attacks but in setting your business up for success and mitigating the risk of competitors entering your space. Obtaining a trademark for your business not only mitigates the risk of your competition coming in and stealing your target audience away from you but also keeps copycat and “me too” products from becoming a serious threat to your brand.
We often refer to the practice of obtaining a patent or trademark as deepening the moat around your castle. The harder you make it for copycats to replicate your product or service, the deeper the moat protecting your castle (or business in this case) becomes. This is not only important in terms of securing your business’s future in your desired industry; it will also increase your online business valuation should you decide to make an exit and gain a large amount of capital to use on your next passion project.
Have you reached a point in your business where you have started to consider the idea of making a profitable exit?
If you are like many online business owners who have already improved their security using the strategies we covered in this guide, you may want to set up an exit planning call with one of our business advisors.
New to the world of online business and looking for a turn-key solution that already has some of the security measures mentioned in this guide set up for you? Head over to our marketplace and register your free account to discover new online businesses listed every Monday in the largest curated marketplace for buying and selling secure online businesses.