Launching a website is great, protecting and securing it is even better! With the global rise of digitisation, the explosion in cyberattacks is becoming a major concern for all organisations, especially given that 88% reported having been the victim such attacks in 20211. The target organisation and/or its stakeholders often face serious consequences in the wake of these incidents: website shutdown, data leak, identity theft, forced delays to projects, loss of revenues, etc., in addition to the snowball effect on their activity in general, which can rapidly suffer as a result. Thankfully, simple (yet essential) measures exist to guard against attacks, starting with protecting your website and the data it contains. We take a look at 4 practices to put in place to ensure its security!
Lock and control access to your backoffice
Also known as the “administrator interface”, the backoffice is the area of your website you use for its design, management and administration; it is entirely invisible to Internet users. Its access is therefore limited and protected by a username and password that should be unique and complex: no names or dates of birth, and at least 12 characters including upper case, lower case, digits and special characters. Don’t hesitate to use a password generator to set one, and remember to update it every 3 to 6 months and never to give it out to anyone! You can even activate two-factor authentication (2FA) for increased security; an option used by more and more services nowadays.
Another related point, remember to control the access rights of any employees also working on the backoffice proportionately and relevantly. In other words, do not give them access to more than necessary. These things may seem like common sense, but their proper application is fundamental.
Use adequate security protocols and certificates
Very strongly recommended, use of the HTTPS protocol is one of the good practices to put in place to secure your website and the information contained on it. ‘Hyper Text Transfer Protocol Secure’ in full, this security protocol is designed to establish a link between your website and your Internet users only, and to encrypt the data (images, texts, clicks, transactions, etc.) you exchange with them thanks to an SSL (‘Secure Socket Layer’) certificate, making them undecodable. In other words, this creates a protection tunnel between your Web server and your visitors’ browser. When configured, a lock symbol is displayed in the top left of your website’s address bar and acts as a guarantee of security and trustworthiness.
In order to use this protocol and encrypt the data you send and receive, your website needs to provide an SSL (also known as TLS for ‘Transport Layer Security’) certificate containing the cryptographic signature of a Certificate Authority, which guarantees the identity of your server. Once this certificate has been obtained, it should be deployed on all your web pages. Keep in mind that search engines protect their users from sites they consider suspicious or malicious. Obtaining the HTTPS protocol is also one of the ranking factors used by Google; a real ‘must’ when it comes to improving your online visibility.
If you have an e-store and/or e-ticket office, using a 3D-Secure protocol is highly recommended to secure your customers’ transactions and prevent fraud. Proposed by Visa and Mastercard, this service is designed to verify that the identity of the person making the payment corresponds to the holder of the card used for the purchase. Doing so helps secure the payments made on your website and reassure your website users.
Ensure regular website back-ups and maintenance
Like with any digital tool, updating your website is a priority. This allows for the integration of new functions and the ‘clean-out’ of obsolete functions, ensures your website is always up to date in terms of data protection and security, and applies corrections needed for its proper functioning. Little by little, you’ll reap the benefits of a secure, optimised website capable of handling potential ramp-ups more assuredly.
At the same time, remember to regularly back up your website to make sure that you don’t permanently lose your data (personal, customer data, content, etc.) in the event of an incident (typically a crash). This will also save you time (and therefore money) if you want to migrate your website to another web host.
There are several means of maintaining your website. If you went through an agency to create your website, they should be able to propose a specific solution based on the content management system (CMS) used. If you created the site yourself, your web host should be able to propose back-up functions.
Protect your establishment’s domain name
As the Internet address of your museum, its domain name is also its digital identity. It is therefore important that it is also protected!
For starters, we recommend registering different alternative spellings to protect against the risks of cybersquatting, and redirecting them to your main address. For example, the Musée du Cristal de Paris (Crystal Museum in Paris) could, in addition to its initial domain name “cristal-paris.museum”, register “cristalparis.museum”, “pariscristal.museum”, “paris-cristal.museum”, and why not equivalents in different languages. It can also be a good idea to opt for several TLDs as an additional precautionary measure.
Lastly, remember to automatically renew the registration (and therefore the payment) of your domain name to avoid it being registered by someone else when its expiry date has passed.
And last but not least, regularly raise awareness among your staff of the stakes involved in cybersecurity – it’s vital!
1 – 2022 Global DNS Threat Report
