What comes to mind when you think about security protection for your business website? Judging from the rising statistics for website security breaches, the answer is probably “Nothing.”

Many business owners assume that their business is too small to be of interest to hackers. They don’t conceive the extent of damage that a breach could cause.

Not to cause alarm, but the cyber environment today is such that if you’re in business and have a website, security protection is a necessity for survival.

The Numbers

For cyber security professionals, 2014 is referred to as “The Year of the Breach,” because of the major jump in cyberattacks on business websites—including those belonging to eBay, Home Depot, Sony Pictures and JP Morgan Chase—as well as the total number of data records compromised.

2015 didn’t get a nickname despite it being an even worse year for security failures, with high-profile breaches at the U.S. Office of Personnel Management, Anthem, Ashley Madison, Premera Blue Cross, Experian and the U.S. Internal Revenue Service.

While hacking by external parties is the source of the vast majority of these incidents, it’s not the only cause. Statistics show substantial numbers of incidents due to, among other things, insider disclosures and losses from servers or portable data devices.

An analysis by the Privacy Rights Clearinghouse (PRC) shows that security breaches in general more than doubled in recent years. But while hacking incidents have skyrocketed from 48,805,382 in 2013 to 121,199,741 in 2015, other sources of breaches have dramatically dropped. Insider disclosures, for instance, went from 3,308,885 in 2013 to only 100 in 2015.

According to IBM’s “Cost of Data Breach” study, most breaches involve 10,000 or fewer records. In terms of money, each compromised record was worth an average $154, according to IBM, though for certain industries, the value per record is significantly higher. Healthcare records, for instance, are worth $363 each.

A security breach can cost you in other ways as well, including:

  • Loss of reputation
  • Loss of traffic
  • Loss of customers
  • Loss of standing on Google

It’s easy to see then that even a breach which compromises only a couple hundred records can be quite costly to a small business.

Three Levels of Security

Whether your business is large or small, if you’re online, there are three distinct areas where website security protection can and should be applied:

  • Network: This level applies to your server. This is your gateway to the web and is the point in your system that is most vulnerable to attacks.
  • System: This level refers to your operating system (Microsoft, Apple, etc.) It’s responsible for the correct functioning of applications on your site.
  • Applications: This level is what allows customers to interact, receive service, etc.

Though the network level is considered the most vulnerable point for an outside attack, some sources report that seven of 10 website breaches occur at the application level.

How to Prevent an External Breach

In order to prevent external threats, your site needs something that will monitor and analyze incoming traffic and also alert you to weakness in your system.

That “something” is a web application firewall (WAF). A WAF will not only identify traffic patterns that indicate known cyber threats, but the better ones are designed to also detect patterns indicative of new types of threats.

A WAF will identify areas of your site that are vulnerable to attacks so that you can take further measures to secure those areas. It’s like 24/7 site security that prevents you from becoming a statistic in the kinds of reports we’ve cited.

How to Prevent an Internal Breach

Though internally-caused breaches have declined dramatically, they are still an issue. Granted, not all such breaches are malicious in nature, but may be due to carelessness.

A WAF is still very important in terms in protecting against internal breaches, but there are furthers actions an organization can take:

  • Limit access: Passwords and logins for areas of critical information should be limited to a few trusted employees who are fully trained on the importance of confidentiality.
  • Frequently change passwords: Institute a policy where employees are required to change their passwords and logins every couple of months.
  • Secure areas with locks: Limit the number keys to restricted areas such as server rooms and prohibit their duplication. Ensure that employees leaving the company surrender such keys. Change the locks to secure areas annually.

Final Thought

Writing for Forbes.com, entrepreneur Mike Templeman—whose business’ site was hacked, incurring great losses and requiring full replacement—astutely likened website security protection to a spare tire: “You’ll never understand how bad you need (it) until it’s too late.”

Never assume you’re too small to be a target to someone. Take steps now to secure your website and your business.