Do you know how vulnerable your website is?
Cybercrime is on the rise, there’s no doubt. According to Google’s own blog for webmasters [1], in 2016 the number of hacked websites increased by 32%. Is your organisation adequately protected? Read on to find out what the key issues are and how to reduce the risk of becoming a victim…
Check the back door
In our ever-more connected world, the threat of digital attacks is growing. The UK Government’s Cyber Security Breaches Survey 2016 [2] estimated the average cost to a large business of an incident is £36,500. The biggest hit a company took was £3 million last year.
It also reported 25% of businesses experience some sort of breach at least once per month.
We all know the dangers of computer viruses and hackers. Unfortunately, in the last few years, we’ve also seen terms like ransomware creep into common usage as attacks have become more widespread and automated. Only 51% of companies have taken recommended actions to identify cyber risk – so are you doing the basics?
No web security expert will ever guarantee 100% security, but does your website leave the door ajar for cybercriminals?
Make sure you’re up-to-date
Here’s a thought… WordPress powers nearly 75 million websites – it’s the most popular CMS by a long way, with 25% of the world’s websites using the platform.
But 7.6% of those sites are running on WordPress 3.x rather than the latest generation, 4.x. Added to that, 1% are running on 2.x!
What does this mean? Well, if you aren’t using the latest version, you’re not only failing to benefit from the improved security, you’re also leaving your site open to hackers and malware programs, which have become much more advanced since the days your older platform was last considered cutting edge.
Umbraco users enjoy a lower risk of security breach as it’s a smaller target, but the popularity of the platform, which currently powers over 400,000 sites, is growing. Extra vigilance and regular updating are the most basic ways to maintain website security.
Attack v Defence
Of course, one of the major threats to website security is a dedicated attack, either by an individual hacker, a group or malicious software created specifically to target the networks or servers where your website and customer data are stored.
Ed Yau, Head of Development at Prodo, classifies two main types of threat: “Technology-based threats are those that exploit particular vulnerabilities in server operating systems or web servers,” he says.
“Human-based threats are often an exploitation of our own social engineering – for example, calling up a busy IT team claiming to be a new temp and getting access to the network when they shouldn’t, or calling up your bank claiming to be you based on stolen personal details.
“Ransomware has a foot in both camps. By targeting system weaknesses hackers can lock down your data. They then target humans to demand a payment, usually in Bitcoin, to release the data or it will be erased. Unfortunately the evidence shows that ransomware incidents always end with the data being destroyed or stolen, regardless of payment.
“To be secure you need to guard against both tech-based threats and human threats, as even with a perfectly patched system and top-end security hardware appliances in place, if you have insufficient access control you only need one rogue employee to compromise your data.
“SMEs are particularly vulnerable to both forms of threat, as many won’t have a dedicated security expert to help them put in place the appropriate safeguards and processes.”
Learning the lessons
“For SMEs, it’s as much about education as technological solutions,” says Paul Billington, Managing Director at Prodo.
“There isn’t particularly a cost-of-tech barrier for SMEs. The tricky decision is at what point does a medium-sized company set aside the budget to tackle establishing its own IT function?
“SMEs also need to consider data security, including appropriate website hosting arrangements. Simple measures such as using strong passwords rather than easily guessable ones and changing them frequently can go a long way towards providing protection for content management systems.
“Above all else, make sure you put processes and structures in place in the business that support online security.”
What do you really need to do?
The first thing to do is give your assets a health-check. Google alerts webmasters to hacking activity, but last year 61% never received a notification as they had failed to verify their site in its Search Console.
According to PricewaterhouseCoopers’ Global State of Information Security Survey [3], getting the basics right can fend off most simple attacks on your digital assets, allowing you to preserve resources for larger-scale attacks.
So making sure your CMS is up to date and verifying your site in Google’s Search Console are good first steps.
Other basic precautions include antivirus software, malware scanning software, and giving staff basic security training.
One key thing you can do, particularly to tackle ransomware, is to back up all your data, including website data, or invest in a data recovery solution to automate the process.
According to data protection specialists Datto [4], in 2016, 97% of ransomware attacks where data was backed up failed to have a major impact on the business affected.
It also reported that 91% of ransomware attacks were against small businesses.
There’s a lot you can do, and plenty of people willing to charge you a premium for it, right up to insisting your staff are screened by MI5! But you don’t need to go to extreme measures to make life more difficult for hackers and protect your website and data online.
“SMEs appear to be soft targets,” says Yau. “There is also a perceived vulnerability in Professional Services, Health and Construction, which are sectors commonly targeted.
“Most attacks are opportunist. By assessing the likely risk and taking sensible precautions you can choose the right tools and get your defence level right.”