Network security
Kia pare i tō paetukutuku

Protect your website

We regularly get reports of websites that have been compromised due to skipping a few simple steps. As with many online security issues, taking some basic measures will keep your website a whole lot safer.

5 min read

View transcript

So you’ve got yourself a website and are charging full steam ahead into the online world of business. Nice! But don’t move onto your next job just yet, you’ll want to make sure you’re taking steps to keep your website safe and secure.

You might be wondering what could go wrong in this respect – well like any system or platform that’s connected to the internet, your website is vulnerable to a cyber attack.

Hackers could infiltrate the site with the aim of accessing customer information, or your domain name could get hijacked and someone posing as your business could start receiving money on your behalf.

Now there are steps you can take to prevent this from happening. This includes keeping on top of software updates and avoid clicking that ‘remind me later’ button. Get into the habit of either enabling auto-updates, or clicking ‘install now’, since some updates are there to fix weaknesses that could leave you under threat.

Two-factor authentication is another easy way to keep your website safe. This is when single factor authentication (e.g a username and password) is taken one step further. It’ means another factor eg a verification code or mobile phone notification is required upon logging into your site. This is a setting you can enable if your site is hosted by Wix or Squarespace, for example.

And just in case something does go wrong, keeping backups is also important.

Backing up your devices either to the cloud or to a hard drive, or both, gives you the peace of mind that your business operations won’t be impacted too drastically if hackers take a hold.

But, how will you even know if your website has been accessed by an unknown entity? Well, many website builders such as squarespace provide access logs and change logs. These live track who has accessed your site – when and from where and what changes were made at what time. It’s a good idea to check in on these from time to time to make sure you’re the only one logging into it and that there are no irregular activity.

And there we have it! We love a safety-first approach to business. You’re doing a great job. We’ll see you soon.

The risks

Like any system or platform that’s connected to the internet, your website is vulnerable to an online attack. For example, hackers could:

  • infiltrate your site to try and steal customer information, or
  • use your website to host or other attacks.

How to protect your business

  • Secure the data across your website

    Your customers trust you to keep their information, and the communication you have with them, safe. An easy way to give your website added security and privacy is to enable .

    HTTPS keeps the information transferred between you and your customers confidential by encrypting it. This makes it much harder for attackers to get the login details or credit card information customers submit on your site.

    Benefits of using HTTPS across your website

  • Update software and devices

    Updates add new features, but they also fix issues or vulnerabilities that allow attackers to get your information. Most software companies work hard to make sure security holes are fixed in each software update.

    As the business owner, it’s your responsibility to make sure your website’s software is updated and any security patches are applied. This includes things like plugins on your and your . Give yourself one less thing to think about by automating your updates.

    Keep up with your updates

  • Get PCI DSS compliant

    If you accept payments online, the Payment Card Industry Data Security Standard (PCI DSS) helps ensure transactions on your website are safe and secure, and that your customers' card data is protected from attackers.

    Most banks require PCI DSS compliance when accepting online payments, so talk to yours about what’s involved.

    ANZ(external link)

    ASB(external link)

    BNZ(external link)

    Kiwibank(external link)

    Westpac(external link)

    Accepting payments online

  • Renew your domain

    If your domain name expires, an attacker could claim it and set up their own scam website selling fake goods or serving using your business’ name.

    Ask your domain provider about auto-renewing your .

    Manage my domain name (external link)– Domain Name Commission

  • Use a strong and unique login password

    Logins are a point of for any website. Create a long, strong and unique login for your website – we recommend a of four or more words that aren't based on any personal information.

    How to create good passwords

  • Turn on two-factor authentication

    Any systems you can log into over the internet are susceptible to attack. We strongly recommend adding (2FA) to your website. That way, an attacker would need your 2FA code as well as your password to access your site.

    Protect your business with two-factor authentication

  • Back your website up regularly

    Having a recent backup means you can restore your data quickly and easily if it’s lost, leaked or stolen, for example if:

    • your web server gets hit with ransomware and stops responding
    • your website’s compromised by another sort of online attack
    • you accidentally delete a section.

    Backups are most useful if they’re recent and cover both the pages themselves and any data your website holds, like customer databases.

    Ensure you or your provider set backups to take place automatically. It’s preferable to make a couple of copies and store them in different, secure (but easily accessible) places. That way, if one backup is compromised, you have a spare.

    Backups for your business

  • Review your website regularly

    It seems pretty obvious, but one of the best ways to keep your website safe is to keep an eye on it. The more familiar you are with your website, the more likely you are to spot something that’s out of place, for example:

    • the appearance of unfamiliar or unusual content – it might mean someone else has access to your site and is using it to host bad content
    • an unexpected drop off in online sales – it could mean someone has gained access and modified your website to make payments go to their account.

  • Understand your privacy obligations

    It’s important to be aware of your obligations under the Privacy Act, particularly those about collecting, storing and disclosing customer information.

    You're required to include a privacy statement on your website outlining:

    • why you collect customer information
    • how you use customer information
    • how your customers can find out what information is held by your business.

    The Office of the Privacy Commissioner (OPC) has a handy Privacy Statement Generator so you can quickly create a privacy statement that's right for your business.

    Privacy statement generator (external link)– Office of the Privacy Commissioner

  • Create an incident response plan

    Having a step-by-step plan in place before a cyber security incident occurs will help you:

    • take control of the situation
    • navigate your way through
    • reduce the impact on your business, and
    • get back on your feet quickly.

    Your plan should include contact details for your IT and communications support people.

    Creating an incident response plan

Get help

If you experience – or think you may have experienced – a cyber security incident, report it to us at CERT NZ. We’ll:

  • help you identify the issue and let you know the steps you can take to mitigate it and prevent it happening again
  • use the information you provide to create advice and guidance for others who might experience the same issues
  • use the information you provide to create advice and guidance for others who might experience the same issues.

The more information reported to us, the better able we're to help everyone.

Get help now