What is a secure website?
Before you can set up and maintain a secure website, you have to understand what the term "secure" means in this context. Judge offers a good working definition: “Secure sites," she says, "encrypt data at rest and in transit, and limit access with multi-factor authentication."
Breaking it down, that means a secure site encrypts sensitive data on the server hosting it, and while transmitting information to and from customers and company employees interacting with it. You can immediately recognize whether a site is secure by the lock icon in the address bar of your web browser and "https" in the URL.
Secure sites may also take additional steps to verify the identity of customers for financial transactions and to handle sensitive information. For example, while a news site may not need more than a simple password to verify users, a retailer should secure customers' credit card data through multi-factor authentication, which asks not only for passwords but also for security codes sent by email, or text, or for additional verification factors, for example, a fingerprint or face scan.
Small business owners may be intimidated by putting together a secure website, but Judge says they needn't worry. “Business owners do not have to become experts on website security if they have a trusted company they work with."
Building a secure website
Critical to creating a secure website, Judge says, is to find a hosting company with a strong focus on security. “Use trusted hosting providers and ask them to show you how they are securing the site."
Some business owners choose to rely on their hosting company for web design, for example through templates that the site owner can modify even if they have no coding knowledge. Others may bring their own skills to the project or hire outside web developers. Whatever the case, the host should provide strong security, Judge says. “Even if you use a 'do-it-yourself' website provider where you set it up on your own, interview the company first to learn about their security offerings."
Although Judge stops short of recommending specific website hosting providers, she does have tips for finding a good one. For example, name recognition can go a long way. “Although any company can be compromised, stick with names you know and trust."
Even if you plan to use templates, a website developer can provide information about the security features you need, Judge says. She suggests looking for one at techstak.com,4 because it's based in the U.S. and pre-screens IT professionals before matching them with business owners. General-purpose freelancer sites that display reviews of providers can also be a good source of IT talent, including web developers and designers.
Keeping your website secure
Once you have your site up and running, it's time to make sure it stays secure. It's the job of your web hosting company to install on schedule all the security patches released by the software vendors behind all the plugins and other systems your site relies on. That's why Judge recommends asking any hosting provider you are considering whether they automatically apply patches.
In addition to ensuring you choose a web hosting provider that performs regular security maintenance, it's also important to perform regular cybersecurity checks on your site. The site that Judge recommends for finding web talent, techstak.com, also offers cybersecurity checks 5 that look for website vulnerabilities and provides customized plans for addressing them. It's just one of many sites6 offering website vulnerability checks and scanning tools.
If the worst case scenario should come to pass, Judge points business owners to fightcybercrime.org,7 a website maintained by her organization that provides resources for individuals and companies to help them recover from attacks. For additional resources and information about cybersecurity, Judge recommends that business owners visit the Cybersecurity for Small Business page of the Federal Trade Commission.8
Website security should be a priority of every business, large and small. But it doesn't have to intimidate small business owners who may lack the expertise to address it themselves—not with the wealth of outside resources available to them.