In late January, the FBI released a statement warning U.S. businesses to remain vigilant. They revealed that the same pro-Iranian hackers trying to deface government websites had also made threats against private-sector partners. Even if your business isn’t connected to government or even remotely international, website cybersecurity should be at the top of the things that keep you up at night. Here’s why: 60 percent of small and medium-sized businesses that are hacked go out of business within six months of the attack.
The best approach to your website cybersecurity depends on so many factors that we’re not about to dole out general advice. If you want to understand where your risks and vulnerabilities lie, call us for an assessment and a tailored plan to protect your website assets. Instead, the remainder of the blog will focus on making you aware of the risk all businesses face and what a risk-reducing strategy needs to include.
Is my website secure?
The latest data available today reflects the activities in 2018 when WordPress accounted for 90 percent of all hacked CMS sites. Experts at WordPress determined that only 56 percent of the sites they investigated were running an up-to-date CMS at the time they were called in to remediate a hack. These hacks were the result of someone taking advantage of vulnerabilities in plugins and themes, misconfiguration issues, and a lack of maintenance by webmasters, who often forget to update their CMS, themes, and plugins.
It’s important to note that backdoors were found on two-thirds of all hacked sites. A website backdoor is a way for hackers to get back into your website after the initial infection. Backdoors allow remote control of a compromised website by bypassing the usual authentication methods, so placing a backdoor on your website lets hackers retain control of the site and reinfect it again and again, even after you have updated your site, changed passwords, and done other post-hack cleanups. If you don’t know whether you’re compromised, you might never know whether a backdoor exists, or is still there.
While 90 percent of all hacked sites in 2018 were WordPress, the other 10 percent of hacked sites were CMSs like PrestaShop, OpenCart, Joomla, and Magento. And those sites, when found to be hacked, were almost always running on an out-of-date version.
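Because a backdoor survives updates and password changes, the practical defender's check is file integrity: record a hash of every file in a known-good copy of the site and compare against the live tree on a schedule, so new or altered PHP files stand out. The example below is an added illustration, not code from this blog or from WordPress; the site tree it builds is constructed in a temporary directory purely for demonstration (WP-CLI's `wp core verify-checksums` does a similar comparison for WordPress core files only).

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256} for every file under root (paths use '/')."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify files as added, modified or deleted relative to the baseline."""
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def demo():
    """Constructed scenario: baseline a tiny fake site, then tamper with it."""
    with tempfile.TemporaryDirectory() as site:
        os.makedirs(os.path.join(site, "wp-content", "uploads"))
        with open(os.path.join(site, "index.php"), "w") as fh:
            fh.write("<?php // constructed site entry point\n")
        with open(os.path.join(site, "wp-config.php"), "w") as fh:
            fh.write("<?php // constructed config file\n")
        baseline = hash_tree(site)  # in practice, store this copy off the web server

        # Simulate what a cleanup often misses: a new PHP file in an uploads
        # directory and an unexpected change to an existing core file.
        with open(os.path.join(site, "wp-content", "uploads", "cache.php"), "w") as fh:
            fh.write("<?php // constructed stand-in for an unexpected file\n")
        with open(os.path.join(site, "index.php"), "a") as fh:
            fh.write("// constructed unexpected change\n")

        return diff_manifests(baseline, hash_tree(site))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest somewhere the web server cannot write, since a compromised host can rewrite any baseline stored beside the site. Any file reported as added or modified that you did not deploy yourself is the starting point for a cleanup, and the baseline should be regenerated only after a verified clean install.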
Right about now, you’re thinking that you haven’t been hacked and you have firewalls, VPNs, up-to-date antivirus software, malware detection, and trustworthy employees. You must be doing it right. Right?
Researchers have found that a lack of awareness about your own cyber risks leads to complacency towards being proactive in managing the risk—particularly among small and mid-sized businesses.
Research conducted by the National Cyber Security Alliance found that:
- Almost 50 percent of small businesses have experienced a cyber-attack
- More than 70 percent of attacks target small businesses (more about why coming up)
- More than 98 million bots are scanning web sites, searching for vulnerabilities, around the clock
How can we address our website cybersecurity needs? Do we need a response plan?
It’s critical to have the right defenses in place to address viruses and malware, but these threats only account for 5 percent of your business’ risk. Just as important is having a plan that details HOW your employees will respond IF they detect an attack.
The majority of damage done in cyber attacks is due to the inability of the company being attacked to respond. And often that is because they have not planned it out and practiced. This is where your business is vulnerable to irrecoverable damage.
Your plan needs to include a fully redundant system for accessing applications and data as well as backups. If your ecommerce system, web site, email, or customer data was suddenly gone, how long would it take you to get back up and running?
Cyber hygiene and cybersecurity training are important for every employee who uses email or connects to a computer in your business. The single greatest cyber risk is social engineering, which is basically using people to voluntarily, but unknowingly, allow an attack to occur. Every employee should know how to recognize a cyber threat, and should occasionally be tested with a simulated phishing email or zip file link. These tests can help you identify issues and learn what will make you stronger.
We’re small potatoes—who would want to hack us?
Although large breaches make the headlines, the most frequent threat is actually to small and medium-sized businesses. If you happen to be an especially innovative small company, or a market leader, your risk goes up, and greater use of technology increases your attack “surface.”
The hacker might not know anything about your business at all though. They are interested in targeting any e-commerce websites with valuable customer data, like credit card and user information. That information has a resale value and can lead to a potential windfall if each of your customers is compromised.