How secure are your online business assets?
It usually starts something like this…
You type your website URL into your browser and you get a page that looks like this.
[yourdomain.com] server DNS address could not be found.
Oops. You try again but get the same message. You feel that big ball of panic rising in your stomach. Your heart is racing. What's happened to my website? Who do I talk to to get this fixed? What are my customers going to think?
If this has ever happened to you, then you know exactly what I’m talking about.
It amazes (and frightens) me how often I ask a new customer some basic questions about access to their website or their analytics and they have no idea how to give me access or who to ask. This isn't limited to micro businesses; in fact they're often more aware, because they manage it all themselves.
Often what happens is that all of this ‘techie’ stuff is managed by a developer or agency working with you to build your website or provide online marketing services. Over time, you lose touch with that developer or you stop working with the agency and you don’t think about boring things like domains, servers and access again until one day, you need them, then where do you start?
Online business assets you need to secure.
If you were running a bricks and mortar business, you wouldn't dream of leaving the doors unlocked or handing out sets of keys to people like your suppliers, your plumber or electrician and your printers. Yet with online businesses I see owners giving people access to, and in some cases even ownership of, their key online business assets.
Some key online business assets you need to secure include:
- Domain Name
- Website Hosting
- Website (CMS) Access
- Email Accounts
- Advertising & Social Media (Google Adwords, Facebook) Accounts
- Customer Relationship Management (CRM) and/or Customer Database
Here are some of the security risks I regularly see and the implications of what can happen if you give access to the wrong people.
Domain Name
When you purchase a domain name, you don't really buy it; you 'rent' it from a Domain Registrar for a fixed term (typically one to ten years, depending on the term you chose and the rules of the domain extension) and you need to renew it before that term runs out.
Most Domain Registrars allow you to automatically renew your domain with a credit card linked to your account. However, credit cards expire, and when that happens your Registrar may try to tell you that you need to update your details, but not always. If someone else purchased the domain on your behalf, their details are often the ones associated with the domain, so any renewal or expiry notices from the Registrar go to the person listed as a contact. If you are no longer working with them, they may not forward the notices to you. The Registrar will retry the payment a few times and then give up.
Your domain registration then expires and, after a grace period, the domain becomes available for someone else to register. Whoever registers it next gets your website traffic and, worse, any email sent to your addresses at that domain, including password-reset links for the services you signed up to with them.
Often the first you know there's a problem is when you try to access your website and get that dreaded error message.
The other reason you need to know how to manage your domain is that some settings live with the domain itself: the name servers and DNS records that point visitors to your web host and deliver your email. If you want to change hosting company or email provider, these records have to be changed at the domain.
Securing this asset
- Keep a record of who you registered your domain with and their contact details.
- Make sure that the domain is actually registered to you and not to the person who purchased it. This is rare, but I’ve seen it happen. If you’re not listed as the Registrant then you don’t have a claim on the domain and the owner could let it expire or choose to sell it!
- Check your domain records to make sure that you are listed as the Billing Contact and preferably the Admin Contact. You may choose to have the Technical Contact listed as a developer or a techie person you work with.
- Set the domain to automatically renew before the expiry date and make sure the payment details on file with the Domain Registrar are kept up to date.
- Add a recurring entry in your calendar to remind you of the date that your domain renews so you can manually check it.
If you're not sure where to start, use a lookup tool like mxtoolbox.com or whois.ausregistry.net.au, or go back through your old emails and search for "domain registration" or similar. Note that since 2018 many registrars redact contact names and email addresses from the public WHOIS record, so you may need to log in to the registrar's portal to see who the contacts are.
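The checks in the list above (expiry date, auto-renew, and whether the contacts belong to you) can be run over the output of a WHOIS lookup. The script below is an added example and not part of the original article: it parses the "Key: value" WHOIS format that most gTLD registrars return, and the sample record, domain name and contact addresses in it are constructed for illustration. Registries for country-code domains such as .au use different field names, so the EXPIRY_KEYS list may need extending.

```python
"""Audit a domain's WHOIS record for expiry and contact ownership.

Added example, not code from the original article. The sample WHOIS
record, domain and contact addresses below are constructed.
"""
from datetime import datetime, timezone

# Constructed WHOIS output: a hypothetical shop whose old web agency
# registered the domain under its own contact addresses.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.COM
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2024-11-30T23:59:59Z
Registrant Email: hosting@old-web-agency.example
Admin Email: hosting@old-web-agency.example
Tech Email: hosting@old-web-agency.example
Billing Email: owner@example-shop.com
Name Server: NS1.HOSTING-PROVIDER.EXAMPLE
Name Server: NS2.HOSTING-PROVIDER.EXAMPLE
"""

# Field names used for the expiry date by common gTLD registries/registrars.
EXPIRY_KEYS = ("registry expiry date", "registrar registration expiration date",
               "expiry date", "expiration date")


def parse_whois(text):
    """Return {lowercased key: [values]}; repeated keys (name servers) accumulate."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def utc_day(iso_date):
    """Turn 'YYYY-MM-DD' into a UTC datetime (fixed dates keep runs reproducible)."""
    return datetime.strptime(iso_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def expiry_date(record):
    """Parse the first recognised expiry field as a UTC datetime, or None."""
    for key in EXPIRY_KEYS:
        if key in record:
            raw = record[key][0]
            return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return None


def name_servers(record):
    """Name servers, lowercased: these show who hosts your DNS."""
    return [ns.lower() for ns in record.get("name server", [])]


def audit_domain(text, business_domain, today, warn_days=60):
    """Return a list of findings; an empty list means nothing needs attention."""
    record = parse_whois(text)
    findings = []
    expires = expiry_date(record)
    if expires is None:
        findings.append("no expiry date in WHOIS output; check it at the registrar")
    else:
        days = (expires.date() - today.date()).days
        if days < 0:
            findings.append(f"EXPIRED {-days} days ago; contact the registrar immediately")
        elif days <= warn_days:
            findings.append(f"expires in {days} days; confirm auto-renew and the card on file")
    # Renewal notices go to these contacts, so they should belong to the business.
    # The Tech contact may legitimately be a developer, so it is not flagged.
    for role in ("registrant", "admin", "billing"):
        emails = record.get(f"{role} email", [])
        if not emails:
            continue  # many registries redact contacts; check the registrar portal instead
        contact_domain = emails[0].rpartition("@")[2].lower()
        if contact_domain != business_domain.lower():
            findings.append(f"{role} contact is {emails[0]}: a third party receives renewal notices")
    return findings


if __name__ == "__main__":
    for finding in audit_domain(SAMPLE_WHOIS, "example-shop.com", utc_day("2024-10-15")):
        print("-", finding)
    print("DNS hosted by:", name_servers(parse_whois(SAMPLE_WHOIS)))
```

Run against the constructed record on 2024-10-15 it reports the domain expiring in 46 days and flags the Registrant and Admin contacts as belonging to the old agency; the Billing contact passes. Replace SAMPLE_WHOIS with the output of `whois your-domain.com` (or a copy of a web WHOIS lookup) to check your own domain.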
Website Hosting
For most business owners this is a big black hole. It's the most technical part of running an online business and is usually outsourced to a hosting company. This may be the developer you first worked with to build your website or it might be a dedicated Hosting Provider. You usually pay a monthly or annual fee to your hosting provider, and unless you've completely lost contact with them and your payment details are out of date, it's rare for your hosting to expire. Rare, not impossible!
Without hosting your website won’t appear on the internet. You will get an error something like this:
Apart from knowing who is hosting your website, it's also good to know how to access your website files on the server. This is usually provided via a cPanel login or an FTP/SFTP login (ask for SFTP where it's offered; plain FTP sends your password across the internet unencrypted). This login gives you access to the part of the server your website is using and lets you manage things like your WordPress installation, databases, domain names, email accounts and backups with little or no technical knowledge and without breaking anything!
If you want to move your website to new hosting, this is much easier with cPanel or FTP access, because all of the files and databases that make up your website can be copied and moved to another server.
NOTE: Not all hosting companies provide their customers with cPanel or FTP access which means you will need to ask them to make changes for you, including adding new email addresses, running backups and sending you your website files if you do want to move hosts.
Another thing to look into is which other websites are being hosted on the same server as yours. If your website is on cheap shared hosting, it's likely that hundreds or thousands of other websites share the server. These are your neighbours; some are good, but if you're in the middle of a bad neighbourhood be wary. If one of your 'neighbours' installs a badly behaved plugin or starts using up lots of resources on the server, your website will slow down, and if a neighbour's site is compromised and used to send spam, the shared IP address can end up on blocklists that affect your email too. Similarly, if you become super popular and get lots of visitors, the hosting provider might require you to upgrade to a new plan or, worse, suspend your account, which means your site goes down until you upgrade to get it back up!
Other options you might want to consider are a Virtual Private Server (VPS) where parts of the server resources are allocated to each website or Dedicated Hosting where you have your own server dedicated to your website only.
Securing this asset
- Keep a record of who is hosting your website and their contact details.
- Keep your contact and payment details up to date with your hosting company.
- Ask your hosting company if they provide cPanel and/or FTP access and if so, keep a note of your login details in a secure place.
- Consider the best (not just the cheapest) hosting for your website. If your website is getting good traffic and/or is key to your business success (or failure) then consider moving from shared hosting to a VPS or Dedicated Server.
Website (CMS) Access
The ability to easily make changes to your website through a user-friendly interface without having to rely on a developer to code changes, is one of the great benefits of WordPress and other Content Management Systems (CMS).
To make changes, you do need to be able to login to the ‘backend’ of your website usually through some kind of Admin access. Most people with a CMS know how to login to their sites to make changes, even if they only use the login occasionally.
The two security risks I often encounter relating to CMS Access are:
- Weak (easy to guess) passwords
- Unknown or many users with Administrator access meaning they can make changes to and delete the content on your site.
You know you need to have a secure password, not only for your website login but for absolutely everything. And, your passwords should not all be the same for every site you login to! You wouldn’t believe the number of times a customer gives me their password to access one part of their business and then they tell me it’s the same for everything, even PayPal!
Just don’t do it.
Yes, remembering different, complex passwords for the millions of places we log in to is a pain in the butt, not only for you but also for anyone trying to work out your password to steal from you! Just use one of the many password tools. I use LastPass on every device. Other good ones are 1Password, Dashlane and RoboForm. They take a while to get used to and you do feel a bit like you are handing over control, but better to hand over control to a company whose business it is to securely manage passwords than to a spammer or hacker, right? If you don't want to use a password manager, then at least use a different password for every account, change any password you have ever shared with someone else, and don't rely on your browser to store them.
The next problem I see a lot is multiple users with high-level login access, e.g. Admin. These are often past developers, freelancers or staff who you've given access to at some stage but who probably no longer need that level of access, or any access at all. If a user has high-level access to your website, they can make changes, delete content, link out to spammy or worse sites, and accidentally or intentionally add or remove code from your site.
Securing this asset
- Review your passwords and make sure they are strong: at least 12 characters (longer is better), with a mix of upper and lower case, numbers and symbols, and unique to each site.
- Consider using a password manager to manage your passwords.
- Turn on two-factor authentication for admin logins if your CMS or hosting offers it, so a leaked password alone is not enough to get in.
- Review the users with access to your website and the access levels they have, and remove or revoke access for anyone who doesn't need it. NOTE: Before you remove an Admin user from your site, be sure to assign any posts or pages created by them to another user (preferably yourself), otherwise this content may be lost. WordPress asks you what to do with the user's content when you delete them; choose "Attribute all content to" rather than deleting it.
Email Accounts
There are two things to review here.
The first is, who is hosting your emails? Often this is the same company that is hosting your website, or your domain registrar, but not always. More and more businesses are moving email hosting to Hosted Email services such as Google G Suite (now Google Workspace) or Office 365. I'm not talking about the free services such as Gmail and Hotmail which you might use for personal reasons; I'm talking about the paid business solutions. These services are far more reliable than email hosted on a small web server, have strong spam filters, usually a large amount of storage, and they easily integrate with things like calendars.
If you don't remember who is hosting your emails, you can use a tool like mxtoolbox to look up your domain's MX (mail exchanger) records, which show where email for your domain is delivered.
The second is, who has an email account associated with your business. This is usually past employees. Each of those mailboxes can still receive mail sent to your business, including password-reset emails for any service that was signed up with that address. If you can't access your email hosting to remove email addresses, you'll need to ask your email hosting provider to remove them for you.
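The MX lookup mentioned above answers the "who hosts my email" question once you know how to read the result. The script below is an added example and not part of the original article: it takes the output of `dig +short your-domain.com MX` (one "preference host" pair per line; the MX lookup on mxtoolbox.com shows the same data), orders the records by preference and names the provider from a short list of well-known MX host suffixes. The two sample results are constructed, and the provider list is deliberately small rather than exhaustive.

```python
"""Identify who hosts a domain's email from its MX records.

Added example, not code from the original article. The sample `dig`
output below is constructed for two hypothetical domains.
"""

# Constructed `dig +short ... MX` output. Records are listed out of order
# on purpose: DNS does not guarantee the order, the preference number does.
SAMPLE_GOOGLE = """\
30 alt2.aspmx.l.google.com.
10 aspmx.l.google.com.
20 alt1.aspmx.l.google.com.
"""
SAMPLE_SELF_HOSTED = """\
0 mail.example-shop.com.
"""

# Well-known MX host suffixes for a few hosted email services; extend as needed.
PROVIDER_SUFFIXES = {
    "google.com": "Google Workspace (or Gmail)",
    "googlemail.com": "Google Workspace (or Gmail)",
    "protection.outlook.com": "Microsoft 365 / Exchange Online",
    "secureserver.net": "GoDaddy email",
    "emailsrvr.com": "Rackspace email",
    "zoho.com": "Zoho Mail",
}


def parse_mx(text):
    """Return [(preference, host)] sorted so the primary (lowest number) is first."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank lines and anything that is not "pref host"
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def _under(host, suffix):
    """True if host is suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def identify_provider(text, business_domain):
    """Describe where mail for business_domain is delivered, from MX text."""
    mx = parse_mx(text)
    business_domain = business_domain.lower()
    if not mx:
        # With no MX record, mail is delivered to the domain's A record
        # (the "implicit MX" rule), which is normally the web server itself.
        return "no MX records: mail goes to the web server via the domain's A record"
    primary = mx[0][1]
    if _under(primary, business_domain):
        return (f"self-hosted on {primary}: email lives with whoever runs "
                "that server, usually your web host")
    for suffix, name in PROVIDER_SUFFIXES.items():
        if _under(primary, suffix):
            return name
    return f"third-party host {primary}: look up that domain to find the provider"


if __name__ == "__main__":
    for label, sample in (("google", SAMPLE_GOOGLE), ("self", SAMPLE_SELF_HOSTED), ("none", "")):
        print(label, "->", identify_provider(sample, "example-shop.com"))
```

The empty-result case matters: a domain with no MX records still receives email, delivered to whatever answers the domain's A record, which usually means a mailbox on the web server that nobody is watching.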
Securing this asset
- Keep a record of your email hosting provider.
- Consider moving to a Hosted Email Service.
- Review the email addresses associated with your business, remove or disable mailboxes that are no longer used, and turn on two-factor authentication for the ones that remain.
Advertising, Analytics & Social Media Accounts
If you’ve used an agency to work on Google Adwords, chances are you’ve given them access to your Google Adwords account. This is fine as long as you’re still working with them and want them to have access to information about the performance of your Adwords Account.
The same applies to Facebook Ads Manager and your Facebook Page. Even if you aren’t currently advertising, if someone has Ads Manager access, they could do things like show competitor ads to fans of your page and if they also have access to your CRM or customer database, they could upload this list to Facebook and create a Custom Audience for your competitors to target! Hopefully you’re not working with anyone this unscrupulous!
As more analytics data becomes available on social media sites like Facebook, Instagram and Twitter, people with access to your accounts will be able to analyse your visitors, posts, engagement, what’s working and what’s not and potentially use that information themselves or worse share with your competitors. This is the same with Google Analytics. This is a super powerful business tool if it’s set up right and provides you (and anyone you’ve given access) lots of valuable information about the performance of your business.
Think about which people you want to have access to which business information, and how they might be able to use it for purposes other than helping you grow your business.
Securing this asset
- Review who has access to your Google Ads & Google Analytics accounts and remove access if you are no longer working with them.
- Review Facebook Ads Manager and Facebook page roles and remove anyone you no longer need to have access.
- Review all Social Media accounts and remove access for anyone who no longer needs it.
CRM and/or Customer Database
I’m sure you’ve heard the saying “the money is in the list”. Whether you agree with that statement or not, you should protect your customer database like your money – don’t leave it laying around for others to steal.
Your customer’s contact details are not only valuable to you, they have been shared with you with an implicit understanding that you will maintain security of the data.
Most CRMs let users export data to a .csv file, which can then be imported into other systems such as accounting software or email marketing systems, or even uploaded to Facebook to create a custom audience. That same export is how a whole customer list walks out the door, so limit export rights to the people who actually need them.
Securing this asset
- Review all users with access to your CRM, Email Marketing software and/or Customer Database and remove anyone who you no longer want to have access.
- Periodically export your database and save it to a local computer and/or cloud storage as a backup. That copy is still your customers' data, so keep it encrypted or password-protected and don't leave it in a shared folder.
How did you rate? How secure are your key online business assets?
I'm not advocating that you don't give anyone access. What I am saying is that you should be mindful of who has access to what and what they are doing with the data. Of course you may need to give staff members, advisors, consultants or agencies access to information or to your systems while they are working with you; just remember to remove that access when you stop working with them.