6 Simple Ways to Protect your HR Microsite

By Philip Joyner

Protecting your HR microsite from malicious attacks doesn’t require a Masters in cybersecurity. Just stick to these six key strategies and you’ll be able to sleep better knowing your website is secure.

It’s Not Just the Big Boys

“No locale, no industry or organization is bulletproof when it comes to the compromise of data.”

– Verizon’s Data Breach Investigations Report

We read about the high-profile hacks and think it won’t happen to us. Sure Sony and Linkedin got hacked, but According to Keeper Security’s “The State of SMB Cybersecurity” report, a staggering 50 percent of small and midsized organizations reported suffering at least one cyberattack in the last 12 months. Costing on average a whopping $879,582 when it involved the theft of assets or $955,429 to restore their business after an attack.

“…the threat of a cyber attack has no longer become a case of if it will happen but when it will happen.”

– Bluelogic Cyber Security report

If that weren’t enough motivation, check out our article on the ways hackers can use your site for evil, even if it’s not housing valuable user data. Then sit back with some easy reading about the 3 main ways hackers try to attack your site.

With That Ominous Warning, What’s HR to do?

Well, short of completely removing your microsite from the interwebs, there’s no way to be 100% protected. But after years of building air-tight HR microsites, we know a thing or two about severely reducing the odds of an attack as well as properly preparing yourself if one should occur. 

We believe that site security is everyone’s job, not just your “web guy” so while this is not an exhaustive list, these 6 strategies will get you well on your way to covering the most important aspects of keeping your site secure. Once in place, these tactics lay a great foundation on which to build more robust safeguards that require a bit more technical knowledge.

The 6 Security Strategies to Ensure a Good Night’s Sleep*

(*Unless you have insomnia in which case we would suggest Wuthering Heights.)

1. Install a Firewall

This is hands-down the easiest thing you can do to secure your microsite. If you don’t have a firewall installed on your site, read the rest of this section, then stop what you are doing, and go install one before reading further. Go ahead we’ll wait.

A firewall prevents attacks by keeping a close watch over all the activity happening on your site and sniffing out anything that looks suspicious. As employees click around, fill out forms, and such on the site, this interaction gets scrutinized like an over-eager TSA agent. It performs tasks like:

  • tracking your files to make sure they haven’t been tampered with, 
  • preventing ongoing brute-force attacks against your forms, 
  • blocking IP addresses that abuse  forms,
  • preventing attempts against known attacks, and more.

2. Pick Strong, Waried Passwords

A strong password is your next line of defense against a hacker. Even with a firewall preventing ongoing attempts against your site’s login form, if your password

is “password123” it’s only a matter of time before an unwanted user is legitimately logged into your site and wreaking havoc through the CMS. According to Verizon’s Data Breach Investigations Report,

“63% of confirmed data breaches involved leveraging weak/default/ stolen passwords.”

So this is low-hanging fruit when it comes to protecting your microsite from becoming prey when attacked. Passwords should, at a minimum, be 12 characters in length and include a combination of numbers, letters (upper and lower), and special characters (like #$%@&). We strongly recommend a randomly generated password of at least 20 characters. And there’s a reason we titled this section Passwords, not singular. Again referring to Keeper Security’s “The State of SMB Cybersecurity” report,

“…60 percent of employees use the exact same password for everything they access.”

So create a unique password for managing your microsite, yes, make it different from your Linkedin login. Also, if there’s more than 1 person with the keys to the site, give each their own strong password.

3. Create a Unique Username

Please don’t use “admin”, “administrator” or “webmaster” as usernames. You might already know that a secure password is a no-brainer but few people realize that their username is just as important.

While “admin” is no longer the default administrator password on most content management systems, old habits die hard and we still see it pop up from time to time. While monitoring attempts on our clients’ sites “admin”, “administrator”, “webmaster” and variations on the domain name are all prime candidates for brute-force attempts. So avoid those like the plague. But you’re not done yet. Immediately after selecting that killer username, go to your profile screen in the CMS and change your “Display name publicly as” to any name other than your username.

4. Keep Your CMS and all Plugins Updated

We predominantly use the WordPress CMS, so this is just for fellow WordPress users. Both WordPress and its plugins are completely free. Meaning anyone can download them, read through the code, and experiment with different ways to attack them.

That said, the WordPress user base is massive, WordPress itself has a sandbox of millions of sites running on wordpress.com, so as soon as vulnerabilities are discovered within WordPress, they are patched by the WordPress team and an update is released. By default, WordPress applies incremental updates to your site automatically (ex: version 4.7.1 to 4.7.2). But larger milestone upgrades (ex: version 4.7 – 4.8) can contain more significant changes to the guts of WordPress so these are not automatically applied. You’ll need to check occasionally so your version stays up to date.

5. Be Picky With Plugins

Part of any popular CMS’ draw is its vast plugin library allowing new functionality to be added to your microsite without a lot of fuss. Logins using Twitter handles, adding social sharing buttons, and special forms are just a plugin away. While this is extremely convenient, all plugins are not created equally. Other than understanding the technical aspects of posting a plugin to the repository, there are no requirements for plugin developers to maintain quality, updates, or support. There aren’t any hard and fast rules here but you want to make sure that the people using the plugin are satisfied and that the plugin gets frequent updates. So when deciding on a plugin, think of these 3 factors to determine if a plugin is worth installing:

  •  the number of active installs,
  •  the overall user rating and
  • when it was last updated

6. Backup Regularly

Back up your backups with backups. And do it regularly. Why? Call it the nuclear option. Even if you’ve got a strong password, a username that’s so unique only your mom understands its significance, and a CMS where all the plugins are up to date, there’s still a small but real chance of something going wrong elsewhere in the fortress that is your site.

If that happens, and some malicious party infects your walled garden, often the best option is just to press reset. Rather than trying to hunt down each comma and semicolon of the invading code, blowing the whole thing up and starting over from a fresh, untainted, copy of your site might be your best bet.

So, to Recap…

  1. Install a firewall
  2. Pick strong passwords
  3. Create a unique username
  4. Keep the CMS and plugins updated
  5. Be picky with plugins
  6. Constantly backup

Being concerned about Cybersecurity isn’t just for government agencies or IT departments anymore. As long as you’re in charge of a microsite for your organization it concerns you. So, even if you’re not personally clicking buttons or typing in code, familiarizing yourself with these easy-to-implement security measures will make you a valuable ally in the fight against malicious hackers.