Protect your website

View transcript

So you’ve got yourself a website and are charging full steam ahead into the online world of business. Nice! But don’t move onto your next job just yet, you’ll want to make sure you’re taking steps to keep your website safe and secure.

You might be wondering what could go wrong in this respect – well like any system or platform that’s connected to the internet, your website is vulnerable to a cyber attack.

Hackers could infiltrate the site with the aim of accessing customer information, or your domain name could get hijacked and someone posing as your business could start receiving money on your behalf.

Now there are steps you can take to prevent this from happening. This includes keeping on top of software updates and avoid clicking that ‘remind me later’ button. Get into the habit of either enabling auto-updates, or clicking ‘install now’, since some updates are there to fix weaknesses that could leave you under threat.

Two-factor authentication is another easy way to keep your website safe. This is when single factor authentication (e.g a username and password) is taken one step further. It’ means another factor eg a verification code or mobile phone notification is required upon logging into your site. This is a setting you can enable if your site is hosted by Wix or Squarespace, for example.

And just in case something does go wrong, keeping backups is also important.

Backing up your devices either to the cloud or to a hard drive, or both, gives you the peace of mind that your business operations won’t be impacted too drastically if hackers take a hold.

But, how will you even know if your website has been accessed by an unknown entity? Well, many website builders such as squarespace provide access logs and change logs. These live track who has accessed your site – when and from where and what changes were made at what time. It’s a good idea to check in on these from time to time to make sure you’re the only one logging into it and that there are no irregular activity.

And there we have it! We love a safety-first approach to business. You’re doing a great job. We’ll see you soon.

The risks

Like any system or platform that’s connected to the internet, your website is vulnerable to an online attack. For example, hackers could:

infiltrate your site to try and steal customer information, or
use your website to host phishing or other attacks.

How to protect your website

Here's how to keep your website safe and secure.

Secure the data across your website

Your customers trust you to keep their information, and the communication you have with them, safe. An easy way to give your website added security and privacy is to enable HTTPS.

HTTPS keeps the information transferred between you and your customers confidential by encrypting it. This makes it much harder for attackers to get the login details or credit card information customers submit on your site.

Benefits of using HTTPS across your website

Update software and devices

Updates add new features, but they also fix issues or vulnerabilities that allow attackers to get your information. Most software companies work hard to make sure security holes are fixed in each software update.

As the business owner, it’s your responsibility to make sure your website’s software is updated and any security patches are applied. This includes things like plugins on your content management system and your web server. Give yourself one less thing to think about by automating your updates.

Keep up with your updates

Get PCI DSS compliant

If you accept payments online, the Payment Card Industry Data Security Standard (PCI DSS) helps ensure transactions on your website are safe and secure, and that your customers' card data is protected from attackers.

Most banks require PCI DSS compliance when accepting online payments, so talk to yours about what’s involved.

Accepting payments online

Renew your domain

If your domain name expires, an attacker could claim it and set up their own scam website selling fake goods or serving malware using your business’ name.

Ask your domain provider about auto-renewing your domain.

Manage my domain name – Domain Name Commission

Use a strong and unique login password

Logins are a point of vulnerability for any website. Create a long, strong and unique login for your website – we recommend a passphrase of four or more words that aren't based on any personal information.

How to create good passwords

Turn on two-factor authentication

Any systems you can log into over the internet are susceptible to attack. We strongly recommend adding two-factor authentication (2FA) to your website. That way, an attacker would need your 2FA code as well as your password to access your site.

Protect your business with two-factor authentication

Back your website up regularly

Having a recent backup means you can restore your data quickly and easily if it’s lost, leaked or stolen, for example if:

your web server gets hit with ransomware and stops responding
your website’s compromised by another sort of online attack
you accidentally delete a section.

Backups are most useful if they’re recent and cover both the pages themselves and any data your website holds, like customer databases.

Ensure you or your provider set backups to take place automatically. It’s preferable to make a couple of copies and store them in different, secure (but easily accessible) places. That way, if one backup is compromised, you have a spare.

Backups for your business

Review your website regularly

It seems pretty obvious, but one of the best ways to keep your website safe is to keep an eye on it. The more familiar you are with your website, the more likely you are to spot something that’s out of place, for example:

the appearance of unfamiliar or unusual content – it might mean someone else has access to your site and is using it to host bad content
an unexpected drop off in online sales – it could mean someone has gained access and modified your website to make payments go to their account.

Understand your privacy obligations

It’s important to be aware of your obligations under the Privacy Act, particularly those about collecting, storing and disclosing customer information.

You're required to include a privacy statement on your website outlining:

why you collect customer information
how you use customer information
how your customers can find out what information is held by your business.

The Office of the Privacy Commissioner (OPC) has a handy Privacy Statement Generator so you can quickly create a privacy statement that's right for your business.

Privacy statement generator – Office of the Privacy Commissioner

Under the Privacy Act 2020, if your business has a privacy breach that has caused anyone serious harm – or is likely to in the future – you must notify the Privacy Commissioner and anyone else who's affected, ideally within 72 hours of becoming aware of the breach.

Report a privacy breach – Office of the Privacy Commissioner

Create an incident response plan

Having a step-by-step plan in place before a cyber security incident occurs will help you:

take control of the situation
navigate your way through
reduce the impact on your business, and
get back on your feet quickly.

Your plan should include contact details for your IT and communications support people.

Creating an incident response plan

Get help

If you experience – or think you may have experienced – a cyber security incident, report it to us at CERT NZ. We’ll:

help you identify the issue and let you know the steps you can take to mitigate it and prevent it happening again
use the information you provide to create advice and guidance for others who might experience the same issues
use the information you provide to create advice and guidance for others who might experience the same issues.

The more information reported to us, the better able we're to help everyone.

Get help now

Resources

Secure your business website: Checklist [PDF, 124 KB]

What to read next

Business basics

Set up logs and monitoring for your website

Browse all Business basics

Outdated browser