(in no particular order)
1. My website is too small or obscure to be a target.
You don’t have to be a target- you just need to be online. Hackers use automated tools to scan for vulnerabilities far and wide and all kinds of websites get hacked simply because they can be. Don’t assume that just because your site is small or obscure that it won’t get hacked.
2. I use a Mac so I have nothing to worry about.
At one time Macs were considered safer than Windows machines but Macs are not immune to malware and other security vulnerabilities. iWorm, Mac Defender, Flashback, Heartbleed, and Shellshock all affect macs.
3. We have a firewall on our network so we’re safe.
Your firewall won’t stop your employees from clicking on phishing emails and downloading malware. Nor will it stop you from visiting compromised websites or using bit torrent to download dodgy cracked software.
4. I have virus protection software installed so I’m safe.
Virus protection only works on known threats but is useless against “zero day” vulnerabilities.
5. We don’t need to us https on our site because our users don’t submit any sensitive information.
Your users might not need to log in, but your admins likely do. Https (often referred to interchangeably as SSL because it uses SSL/TLS) not only encrypts data to and from your website, but also proves to users that they are indeed visiting your website and not a counterfeit or “spoofed” site laden with malware. Now that Google has stated they will be giving preference to sites that use https in their rankings formula, it is wise to use SSL across your whole site.
6. My hosting company must have backups of my website, right?
Many basic hosting plans do not come with automated backups. Even if they do, often someone has to set that up. So if your web developer didn’t set it up, don’t assume the hosting company has a backup.
7. I use a long, complex password that no one could ever guess, so I am safe.
Long, complicated passwords are your best bet against “brute force” attacks, but passwords can be pilfered from compromised systems. So, it’s a good idea to change your password often. However, even that can backfire on a machine with an unlatched Heartbleed vulnerability.
9. I use a VPN so I am safe.
This year an unnamed major company’s VPN was reported to have been compromised due to the Heartbleed vulnerability. Since we don’t know which company was affected, the only safe assumption is that your vpn could be compromised so act accordingly.
10. All our users’ passwords and information are encrypted on our servers, so we’re safe. First of all, passwords should never be encrypted when stored on servers, but rather they should be hashed. If they are encrypted, they can be decrypted, whereas hashing is a one-way operation. However, certain hashing algorithms such as MD5 have long been broken, so best to use a modern algorithm like SHA-2 with random salting and key stretching. Here’s a good explanation.