Having your website hacked is more than just annoying. If your website is defaced or down, it could well be losing you business. In a world where many companies now rely on their websites and blogs to generate leads and motivate sales, the integrity and availability of web content is absolutely key.
So how can we prevent our sites being hacked?
We are lucky enough to work for a clued-up client in the information security industry. Dave James, MD of information risk management advisors Ascentor, answers the important questions.
Q: Why would someone hack our website?
A: “Many reasons: to hide illegal (terrorist/criminal) activity; to obtain data of value that can be sold; to disrupt a competitor; or sometimes just because they can!”
Q: Who hacks a website?
A: “Nation states; cyber criminals (organised crime); hacktivists; other criminal groups and the ubiquitous ‘script kiddy’ starting out on his hacking career. In the main, for smaller businesses it is most likely the cyber criminal trying to monetise the information they can access. Anything to do with payment or personal information is a high threat target and needs to be protected. Yes, the other stuff can happen but it’s less likely (not unlikely though) so you need to understand whether you are prepared to do something about protecting your information.”
Q: We are a relatively small company. Will our website get hacked?
A: “Contrary to popular belief it’s not just the big boys that are a target for hackers. In a recent BBC news article, ‘Small Firms Are Easy Targets for Cyber Crime’, a hacker claims that small firms are ‘fair game’ because they often have limited defences in place and are so easy to attack.
More and more websites are getting hacked. I hear alarming stories almost every day. It’s a real wake-up call: every business, whatever its size, needs to recognise the value of its information and put controls in place to protect its websites from cyber attack.”
Q: How do we know if we’ve been hacked?
A: “Sometimes it’s obvious: your content will evidently be changed or defaced, which can be really embarrassing – changes to the wording, pricing information or stock quantities could be modified or deleted for example.
Other times it’s not so obvious that your site has been attacked – links to illegal sites embedded in your graphics or links changed to direct you to malware sites instead of where you want them to go. In this scenario you may well be none the wiser until the law enforcement agencies come knocking on your door or someone complains that you caused them to have an information security breach and attempts to sue you for damage (where is that cyber security insurance policy?). Until this happens, you may have no idea that your site has been hacked, so monitoring is key.”
Q: What can we do to protect our site from hackers?
A: “First of all, understand what information on your website you want to protect. 80% of cyber attacks could have been prevented by having basic security in place. Just doing the basics will help to protect you and your website from many of the cyber-threats you face today.
1. Have strong passwords. As a bare minimum, always have strong passwords including 8-10 characters, upper and lower case, special characters. Change them regularly (at least quarterly). Don’t reuse them on other sites.
Yes, it’s annoying to have to remember them and can sometimes be counterproductive if they are written on a sticky note under the keyboard or on the monitor, but there are password software tools that can help (such as Password Plus, 1Password, RoboForm).
2. Build your site properly, following the guidelines. Choose a web developer that understands why it is important to take information security seriously. Make sure they follow the guidelines set by your chosen content management system. If your CMS is WordPress, for example, follow the advice that WordPress gives to make your site less vulnerable. It’s freely available. (See – http://codex.wordpress.org/Hardening_WordPress. OWASP – the Open Web Application Security Project site has a host of great information for developers too – see: https://www.owasp.org.)
3. Keep up to date with the latest version of your chosen CMS. Like most modern software packages, WordPress et al. are updated regularly to address new security issues that may arise. Make sure you or your developer installs the latest version and keeps it up to date. A word of caution: updating can have unintended consequences. You presumably don’t want an RBS type problem, so you should test the update to make sure it doesn’t impact on any business critical systems.
4. Select your hosting provider with care. Does your provider support the security recommendations of WordPress etc.? Do your due diligence before you select a supplier.
5. Arm your site with the right security plug-ins – anti-spam, firewalls, content monitors: all are important in the fight against cyber crime.
6. Monitor your site. Web-based services such as Sucuri will regularly check and inform you of malware on your site, and clean it up when an attack occurs.
7. And finally, make sure you back up your site regularly. Keep a backup offsite. Vitally important if you want to recover your information if your site goes down or needs to be taken down to prevent that embarrassing defaced website impacting on your hard-won reputation!”
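The monitoring mentioned in the answers above (wording or prices altered, links pointed at unfamiliar sites) can be sketched as a baseline comparison. This is an added example, not part of the interview or any product named in it; the host names, page content and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collects every URL in href/src attributes (links, images, scripts, iframes)."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)

def external_hosts(html, own_host):
    """Return the set of hostnames the page points at, other than our own."""
    collector = LinkCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative URLs such as /contact
        if host and host != own_host:
            hosts.add(host)
    return hosts

def snapshot(html, own_host):
    """Record a known-good state: content hash plus the external hosts we expect."""
    return {"sha256": hashlib.sha256(html.encode("utf-8")).hexdigest(),
            "hosts": external_hosts(html, own_host)}

def audit(html, own_host, baseline):
    """Compare the current page with the baseline and report what changed."""
    current = snapshot(html, own_host)
    return {"content_changed": current["sha256"] != baseline["sha256"],
            "new_hosts": sorted(current["hosts"] - baseline["hosts"])}

# Constructed sample pages (assumed names, not real sites).
OWN_HOST = "shop.example"
GOOD_PAGE = """<html><body><p>Widget price: 20.00</p>
<a href="/contact">Contact</a>
<a href="https://payments.example/checkout">Pay</a>
<img src="https://cdn.example/logo.png"></body></html>"""
# Same page after a price was altered and the payment link was redirected.
TAMPERED_PAGE = GOOD_PAGE.replace("20.00", "2.00").replace(
    "https://payments.example/checkout", "https://unfamiliar-host.example/checkout")

if __name__ == "__main__":
    baseline = snapshot(GOOD_PAGE, OWN_HOST)
    print(audit(GOOD_PAGE, OWN_HOST, baseline))
    print(audit(TAMPERED_PAGE, OWN_HOST, baseline))
```

On a live site the whole-page hash changes whenever legitimate content is edited, so the baseline has to be refreshed after each approved change; the list of new external hosts is the steadier signal.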
Thanks Dave. That’s really useful information. As we have learned from working with Ascentor, website security is something every business owner, website developer and marketing professional needs to take very seriously. Following these guidelines will help to protect all the valuable content we increasingly rely on and make our sites less hackable.
How about you? Have you ever been hacked? Any tips to pass on to others?