About Website Security
TL;DR (takeaways for the impatient)
- Hackers may be taking over your website as you read this
- Website security matters because of potential legal liability, possible business interruption and loss of customer trust
- Website breaches are not limited to big companies: small businesses are more vulnerable and are often targeted by hackers/thieves
- Website security issues are not limited to eCommerce sites or subscription sites; they cover several different kinds of web operations
- Your site should be monitored every day for security risks and threats
- Disclaimer: we are not a cyber security firm and our reviews and recommendations are only general in nature; if you have concerns, you should consult such a firm and take steps within your firm's time and cost constraints.
Background: Website Security
Website Hacking Is Real
Your small business website can be subjected to several different kinds of attack, any one of which can cost you time, money and business reputation. These include:
- Data breaches - loss of customer and proprietary data, either through theft or malicious damage to databases on your web server
- Malware breaches - loss of web content through malicious replacement or deletion
- Malware breaches (2) - damage to visitors and reputation when your website is used to infect visitors' computers with malware
- Redirect breaches - loss of visitor access through malicious link replacements, sending visitors to competitors, pornographic sites, etc.
- Denial of service breaches - loss of income, damage to reputation when your website is unavailable to visitors
- Ransom breaches - loss of income, cost of the ransom when your website is compromised and made unavailable unless/until you pay the hacker
- Mail breaches - loss of reputation, potential loss of Internet access through malicious use of your web server's email service
- 'Spoofed' service - loss of income, damage to reputation when someone spoofs your website, using all your content on a domain name close to yours
Besides the attacks directly on your website and web server, you and your employees can be subjected to 'phishing' attacks designed to obtain access to your business systems, including your websites. Cyber security is a large and growing issue for small businesses worldwide. How these various breaches are exploited can be extremely technical. How breaches occur and how to prevent them are beyond the scope of website optimization and our services. There are guides you can follow to begin securing your website and business, and security firms that can assist you in the process.
Three Ways Security and Data Breaches Can Hurt Your Business
Data Breaches
When your website is compromised through a security breach, you can lose data or have existing data changed (think of everything on a retail site selling for $0.01 each). When customer data, especially credit card and other personal information, is stolen, the cost ranges from notification expenses (required by most states, including Texas), to paying for credit monitoring for affected customers, to loss of reputation as word spreads about the breach. Consumers are showing themselves willing to sue for related expenses, including instituting class action suits, with even greater costs. Banks have also sued the breached business for the cost of replacing compromised credit cards. Tom Griffith, Partner and Vice President of Don Ramatici Insurance Co., estimated an industry-wide average of $200 per record compromised for recouping losses after a breach [1].
Loss of Service
Your website can become unavailable in a number of different ways, starting with being de-listed from search engine results by Google or Bing. If either of these search engines becomes aware of malware that has been inserted into your website, they can and will remove your site from their search results until you have corrected the problem, notified them, and they have verified that the problem has been resolved. Of course, during this period, your site will not generate any leads or sales for your business. Prospects who show up while your site is de-listed or, worse, whose computers are infected by malware on your site may never return.
Your site can also be unavailable due to the actions of others, including any entity that decides to overload your web server with enormous amounts of fake traffic. This is called a denial-of-service attack and has rendered any number of extremely large websites temporarily unusable. Again, not being available to search engine 'bots or visitors can have lasting effects on your website's success. Although it is not a recognized security breach, you can also lose website availability when your web server is overwhelmed by legitimate traffic, or if your hosting provider allows it to be offline. Availability and security issues should be part of your criteria in choosing a hosting provider.
Your site may also become vulnerable through the software used to create and maintain it. Small business owners who have sites created with older versions of content management systems, WordPress, etc., may find that security vulnerabilities have been found and fixed in later releases. The vendor's website will usually announce such fixes and explain how to install the new release and re-create your website to plug any vulnerabilities, so check it regularly.
Being A Small Business Does Not Protect You From Hackers/Thieves
Symantec's 2016 Internet Security Threat Report [2] stated that vulnerabilities were found in three-quarters of websites. The report further stated that the percentage of attacks focused on small businesses has grown from 18% to 43% in the last five years. The UK government reported that 74% of small and medium businesses responding to its 2015 Annual Security Breaches Survey reported a data breach [3]. Two reasons seem to be behind the growth of hacking of small to medium businesses: (1) SMEs are historically less likely to have the security of a large enterprise and (2) SMEs that contract with larger organizations may provide a path to a larger target for hackers/thieves.
Security Involves More Than Ecommerce
Just because you don't sell products or services on your website does not protect you from security concerns. If you receive data from customers and prospects via forms on your website, both your form processing and database processing need to be written to prevent known methods of hacking/thievery. How emails are sent from your website (confirming sales, subscriptions, webinar signups, etc., etc.) must be secured, to prevent malicious use of your server's mail service. Successful breaching of your mail security can result in email sent out either misrepresenting you or increasing your mail usage to whatever cap your hosting provider has set, perhaps increasing your costs or having your website shut down.
If you do sell via your website, you will need to take extra steps to ensure that your shopping cart and credit card handling are extremely secure. Be sure that you are following the credit card processing guidelines of the Payment Card Industry Data Security Standard. Your merchant bank or credit card processor has probably already sent you this information and asked you to complete one or more questionnaires.
Monitor Your Site Constantly
There are a variety of website security tools and services available to small business owners to ensure that your website vulnerability is minimized. A number of these should be available from your hosting provider. Many small business owners choose low price offers, without checking for physical and digital security offered by the hosting company. Review your contract with your hosting provider, and look for vulnerability and malware 'scans' or checks. These are often add-on services, but in many cases are under $5.00 per month, a low cost for peace of mind. In addition, your website should be monitored daily to verify that your website is available and unchanged, except for authorized updates. (See The Watchdog on our Services page).
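One way to implement the daily "available and unchanged, except for authorized updates" check described above, as an added example rather than this site's own tooling. The page paths, sample bodies, and the `fetch` and `authorized` parameters are assumptions made for illustration.

```python
import hashlib

def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def build_baseline(pages: dict) -> dict:
    """Record the SHA-256 of each known-good page body, keyed by path."""
    return {path: digest(body) for path, body in pages.items()}

def daily_check(baseline: dict, fetch, authorized=None) -> list:
    """Return (path, finding) tuples for pages that are down or altered.
    fetch(path) -> (status_code, body_bytes) is supplied by the caller.
    authorized maps path -> digest of an update the owner has approved;
    only those updates advance the baseline.
    """
    authorized = authorized or {}
    findings = []
    for path, known in sorted(baseline.items()):
        try:
            status, body = fetch(path)
        except OSError as exc:  # DNS failure, timeout, refused connection
            findings.append((path, f"UNAVAILABLE: {exc}"))
            continue
        if status != 200:
            findings.append((path, f"UNAVAILABLE: HTTP {status}"))
            continue
        current = digest(body)
        if current == known:
            continue
        if authorized.get(path) == current:
            baseline[path] = current  # accept the approved update
        else:
            findings.append((path, "CHANGED: content differs from baseline"))
    return findings

# Constructed sample data: a known-good snapshot and a simulated bad day.
GOOD = {"/": b"<h1>Welcome</h1>", "/about": b"<p>About us</p>",
        "/contact": b"<form>contact</form>"}
TODAY = {"/": (200, b"<h1>Welcome</h1><!-- unexpected extra markup -->"),
         "/about": (200, b"<p>About us, updated</p>"),
         "/contact": (503, b"")}

def run_sample() -> list:
    baseline = build_baseline(GOOD)
    approved = {"/about": digest(TODAY["/about"][1])}  # owner signed off on this edit
    return daily_check(baseline, lambda path: TODAY[path], approved)

if __name__ == "__main__":
    print(run_sample())
```

Pages that embed per-request values (timestamps, form tokens) need those stripped before hashing, or they will be reported as changed on every run.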
Disclaimer: We Are Not a Cybersecurity Firm
We offer these tips on website security issues to our customers so they are aware of them. These details are not the entire picture, and the law on cybercrime and the responsibilities of website owners are constantly changing. While not every small business can implement the full range of security audit and monitoring, every business owner should have a security plan and update it annually, based on current thinking. You can begin with a variety of cybersecurity guides to help you create your plan:
- Federal Communications Commission "Cyber Security Planning Guide"
- University of Southern Maine "Small Business Cyber Security Guide"
- National Institute of Standards and Technology, "Small Business Information Security: The Fundamentals"
- Small Business Administration's Cybersecurity section
References:
[1] North Bay Business Journal, "As data breaches grow, so does cyber liability insurance" (9/28/15), http://www.northbaybusinessjournal.com/industrynews/technology/4498773-181/as-data-breaches-grow-so
[2] Symantec 2016 Internet Security Report, https://www.symantec.com/security-center/threat-report
[3] UK Government, "Government urges business to take action as cost of cyber security breaches double" (6/2/15), https://www.gov.uk/government/news/government-urges-business-to-take-action-as-cost-of-cyber-security-breaches-doubles
The Guardian, "Huge rise in hack attacks as cyber-criminals target small businesses" (2/8/16), http://www.theguardian.com/small-business-network/2016/feb/08/huge-rise-hack-attacks-cyber-criminals-target-small-businesses
InfoSecurity Magazine, "Fighting Account Takeovers with Cloud Intelligence" http://www.infosecurity-magazine.com/blogs/fighting-account-takeovers-cloud/
SearchEngineLand, "Hacked Content On the Rise: Take SEO Precautions To Protect Your Site" (2/5/16), http://searchengineland.com/hacked-content-rise-take-seo-precautions-protect-site-240855
Sucuri Website Malware Checker, https://sitecheck.sucuri.net/