Business hacks: How to protect your website against hackers
Protecting your back-office servers is one thing, but your website is probably hosted by a third party – so it’s understandable if its security is low on your list of priorities. But your site may be more vulnerable than you think – and an attack can have serious consequences.
What’s the risk of a hack?
Even if you don’t carry out business directly through your website, it promotes your services to potential customers. If a hacker takes it offline, that has a cost to your business. Or, if someone posts dangerous code on your site, it could infect visitors and harm your reputation.
Small businesses typically assume that their risk of being hacked is low because they’re inconspicuous. But there are reasons why a hacker might seek out a low-profile target. “Your humble web server can be a valuable proxy, enabling criminals to hide their location and identity,” said Adrian Sanabria, senior security analyst at 451 Research. In other words, if someone wants to carry out a major attack, “the authorities will be led to your door, rather than to the true source of the attack”.
Terry Greer-King, director of cyber security for Cisco, described another scenario: “If I’m a hacker and I’m going after a big target, such as a senior employee, I might turn to social engineering. That person might post on LinkedIn or a social site about something that they’re interested in – let’s say flower-arranging. So then I can hack the website of a florist and upload my malicious code, hoping that the person will go to that site.”
Even if you’re not the target, this type of activity is bad for business. “Very quickly, a website that is serving malware will be blacklisted by web-protection software,” warned Ian Trump, security lead at services provider LogicNow.
“Once you’re on a blacklist it’s hard to get off, and folks may not be able to reach your website, or receive email from you,” he noted. “Besides the damage to your reputation and difficult conversations with customers who have been infected, you’ll need expert help to remove the criminals’ hold on your server.”
Keeping the hackers out
How is it that intruders can easily get into web servers? “New vulnerabilities are always being found – mostly in the software used to host sites, but sometimes even in the operating system,” revealed Trump. “Content-management systems which organise your site, such as WordPress and Drupal, are vulnerable if they’re not patched and up to date. It’s trivial to download software that probes for vulnerabilities to exploit.”
And if you are compromised, you’re unlikely to realise it right away. “There is no visible difference you’re likely to see when you’re hacked,” explained Greer-King. “It’s not like an email coming with a dodgy attachment. Websites are attacked very surreptitiously.”
To identify problems quickly, therefore, you need to scan actively. “There are plenty of free or low-cost services you can use to scan your website for vulnerabilities or security issues,” suggested Sanabria. “Most smaller businesses can’t afford a full penetration test; the next best thing is to look for a secure partner to host and protect your website for you, rather than to run it yourself.”
But don’t assume that your web host will ensure that everything is patched and secure. “There are people in business who are a little naive about hosted services,” noted Greer-King. “They assume that it’s all secure, but they never actually ask. You need to take responsibility for the security of your own site – or find out exactly where the lines of demarcation are.”
Finally, don’t overlook the standard security advice for online services. “Be on guard for phishing attacks,” recommended Sanabria. “Look for some free phishing training, and use an email service that’s effective at blocking malicious emails.”
“Use robust passwords and user credentials,” added Trump. “Make it hard for cybercriminals to brute-force your credentials. Keep your website passwords different from the business-network passwords.”
Greer-King said the “Cyber Street” government initiative can help businesses ensure they’re covering the security basics. “There’s a very simple online test and evaluation task about what security measures you currently have in place, and how you approach things,” he said. “These sites aren’t a panacea – when you go through the process it doesn’t mean your business is secure. But at least you’re taking the basic steps, and you can show others that you’re taking security seriously.”