Coming from a network engineering and security background, I understand the need for securing information and data. As these technologies become more accessible to small and medium-sized businesses, the attack surface that comes with them grows as well. Understanding the vulnerabilities and being able to take steps to minimize the risks is key to ensuring the ongoing success of any web business.
To determine the best practices for web security, it is important to assess both the business model and the technologies used. The best course of action will be determined by this evaluation; the best practice for one business model will differ from another. The following points are key in determining that course of action.
What is the business model:
The best practices for web security and maintenance for a web site taking money online via a shopping cart will be different from those for a plumber only collecting client contact details via a contact form. I conduct a complete risk analysis of your current security measures. This initial risk analysis is used to determine the best course of action, and the effort required will vary with the kind of data the web site collects and transmits.
What technologies are being used:
Once the business model has been determined, the second thing that plays into the best practices for web security is the technology the site is built on. A static site built with only HTML / CSS has no server-side code, database or admin login to attack, so it will not require the same level of effort to secure and maintain as a CMS such as WordPress or Joomla, or a shopping cart. Even a static site still depends on the hosting server being kept patched.
Engines need maintenance:
If the web site is built on a CMS or shopping cart, the platform, along with its plugins, themes and extensions, will require developer interaction to keep it current with the latest security and maintenance updates; an unpatched CMS is one of the most common ways a small-business site gets compromised. The frequency and effort will be determined by a number of factors. Even two sites operating on the same platform might require a different maintenance and security plan.
What is SSL:
SSL stands for Secure Sockets Layer. Its modern successor is TLS, but the SSL name has stuck. It is the protocol that encrypts the traffic between the end user's browser and the server, and the certificate installed on the host, issued by a certificate authority, lets the browser verify that it is talking to the genuine site rather than an impostor. It protects data in transit from being read or altered along the way; it does not mean the site itself is free of vulnerabilities. The way to tell if a site has SSL implemented is to look at the address bar: the address begins with https:// rather than http:// and the browser shows a padlock. I recommend that all sites, even those not conducting monetary transactions online, obtain and implement a certificate and redirect http:// requests to https://. Even Google gives a slight ranking reward to sites that maintain this level of security, having treated HTTPS as a ranking signal since 2014.
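As an added example (not the page's or the author's own code), here is a small standard-library Python script that goes a step beyond looking for https:// in the address bar: it confirms that plain http:// requests are redirected to https://, that the certificate verifies against the system trust store and is not close to expiry, and that the HSTS header is set so returning browsers never try http:// again. The host name example.com and the sample responses are constructed for illustration; the live checks only run when a host is passed on the command line.

```python
"""Added example, not from the original page: checks that a site's certificate
is actually put to use.  Standard library only.  The host name and the sample
responses below are constructed for illustration."""
import socket
import ssl
import sys
import time
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlparse

# Constructed sample responses, as a correctly configured site would send them.
SAMPLE_HTTP = (301, {"Location": "https://example.com/"})
SAMPLE_HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_NOT_AFTER = "Jan  1 00:00:00 2030 GMT"


def _header(headers, name):
    """Case-insensitive lookup in a dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def redirects_to_https(status, headers, host):
    """True if a plain-HTTP response sends the browser to https:// on the same
    host.  A 200 here means the page is being served unencrypted."""
    if status not in (301, 302, 307, 308):
        return False
    location = _header(headers, "Location")
    if not location:
        return False
    target = urlparse(location)
    return target.scheme == "https" and target.hostname == host


def hsts_max_age(headers):
    """max-age in seconds from a Strict-Transport-Security header, or None."""
    value = _header(headers, "Strict-Transport-Security")
    if not value:
        return None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def expiry_epoch(not_after):
    """Seconds since the epoch for a notAfter string as ssl.getpeercert() returns it."""
    return ssl.cert_time_to_seconds(not_after)


def cert_days_remaining(not_after, now=None):
    """Days until the certificate expires; negative means it already has."""
    now = time.time() if now is None else now
    return (expiry_epoch(not_after) - now) / 86400


def fetch_http(host, timeout=5):
    """HEAD request over plain HTTP (port 80); returns (status, headers)."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())


def fetch_https(host, timeout=5):
    """HEAD request over HTTPS with the default verifying context; returns headers."""
    conn = HTTPSConnection(host, 443, timeout=timeout, context=ssl.create_default_context())
    conn.request("HEAD", "/")
    return dict(conn.getresponse().getheaders())


def fetch_peer_cert(host, timeout=5):
    """Open a TLS connection; the default context verifies the chain against the
    system trust store and checks the host name, raising ssl.SSLError on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(host):
    """Run the three checks against a live host (network access needed)."""
    status, http_headers = fetch_http(host)
    cert = fetch_peer_cert(host)
    return {
        "redirects_to_https": redirects_to_https(status, http_headers, host),
        "hsts_max_age": hsts_max_age(fetch_https(host)),
        "cert_days_remaining": round(cert_days_remaining(cert["notAfter"])),
        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
    }


def demo_offline():
    """The same checks applied to the constructed sample responses above."""
    status, headers = SAMPLE_HTTP
    thirty_days_before_expiry = expiry_epoch(SAMPLE_NOT_AFTER) - 30 * 86400
    return {
        "redirects_to_https": redirects_to_https(status, headers, "example.com"),
        "hsts_max_age": hsts_max_age(SAMPLE_HTTPS_HEADERS),
        "cert_days_remaining": cert_days_remaining(SAMPLE_NOT_AFTER, now=thirty_days_before_expiry),
    }


if __name__ == "__main__":
    print(audit(sys.argv[1]) if len(sys.argv) > 1 else demo_offline())
```

Run it with no arguments to see the checks against the constructed samples, or with a host name to audit a live site. A certificate that fails verification (expired, self-signed, or issued for a different name) makes `fetch_peer_cert` raise rather than return, which is exactly the behaviour a visitor's browser shows as a warning page.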
Other security considerations:
Depending on the industry, there may be other considerations involved when planning for best security practices. A good example is collecting medical information via a web form. The laws and rules that govern these types of transactions may be specific to the industry and to the geographic location of the user and the company. In the U.S., the transfer and storage of patient medical information is covered by the Health Insurance Portability and Accountability Act (HIPAA) of 1996, so a web form collecting that information, and the host storing it, must meet those requirements.