Between 55% to 70% of all cyber-attacks against businesses start with their website.
In a great article on Networkworld “The Web Application Landscape Is Getting Worse”, author Jon Oltsik mentioned that a recent ESG study reported that 57% of those IT Professionals surveyed felt that threats to websites by cyber-criminals were on the rise as compared to a mere 24 months ago and 18% of those respondents mentioned that they are warding off cyber-threats on a weekly basis.
Although the above statistics concern large organizations, it is a fact that cyber-criminals are increasingly targeting small-to-medium size businesses (SMBs) with much greater frequency. As outlined in my recent article, “Business Bank Accounts Under Siege By Cyber-Criminals”, smaller companies do not place as great of an emphasis on cyber-security as they should and are therefore easy pickings for thieves and hackers. SMBs are the proverbial “low hanging fruit” and fertile hunting grounds for hackers.
What are hackers looking for? Cyber-criminals are looking for data they can steal and profit from — credit card numbers, bank account information, social security and employer IDs, names, addresses and telephone numbers, client lists, corporate secrets, confidential medical information, logins and passwords, etc. Websites and the web applications driving those sites are prime targets and many SMBs are vulnerable since most small companies have never taken any steps to harden their sites. Most SMB sites are put up quickly and created by inexperienced programmers whose code leaves the resulting website vulnerable to cyber-thieves with expert hacking skills.
Here are some common attacks used by cyber-criminals:
- Directory Traversal Attacks – seek to exploit weak security validation of user supplied input with the goal of accessing sensitive files from the web server’s directory structure.
- Input attacks – exploit a website’s weak validation of user’s input to web forms. Overloading input forms with erroneous data can cause the system to reveal sensitive information.
- SQL Injection – involves entering SQL statements in an entry field causing the website to pass that command to the site’s server, manipulating its database to reveal sensitive data.
- Cross-site Scripting (XSS) – injects scripts into web pages and can be used by cyber-criminals to bypass access controls leaving the site open to attack and/or automatically downloading malware to unsuspecting visitors stealing their information or using their site to spread the virus.
The fact is that many SMBs may not even know they’ve been hacked! Cyber-criminals are experts in their field and know how to cover their tracks well.
But, you say, “My site is only an information site, nothing more than a web-brochure for my business. I don’t need to worry about website security”. WRONG! Do you know that even a basic contact form that is not properly coded can be an entry point for cyber-criminals?
Once a hack is successful and that fact becomes known to your customers and potential visitors (and it will), your business can suffer:
- Present clients will quickly lose confidence in your business. Surveys show that customers want their vendors to do all they can to protect their information and take a dim view of vendors and service providers that don’t take security seriously.
- When clients lose confidence in you, they’ll simply go to another company that they perceive has better security. Lost customers = lost profits!
- Your company’s reputation throughout the internet will degrade significantly, and will eventually spill into the offline world. Today, nothing is secret for very long. Social media has seen to that. One incident can sink your brand very quickly.
- Depending on what information was divulged, your company may face legal issues that can cost you plenty — not to mention the additional cost of fixing the problem.
To protect your site and your visitors, Web Application and Malware Detection Scans are crucial. The cost is minimal and well worth the price. Once a scan is completed, it is important that you act immediately and work with your web developer to close all vulnerabilities that were reported. Afterwards, quarterly scans for information sites will keep you posted on any new vulnerabilities that do appear. If your site is used for eCommerce, experiences heavy interaction with clients and visitors, or has web applications including web forms to gather information, then monthly scanning may be a better option.
Website hacking is a problem facing businesses of all sizes. Don’t think that just because you are a small business hackers are not aware of you. That’s the very mistake that cyber-criminals are hoping you’ll make. A simple internet search can reveal more information about you and your business than you realize. Hopeful obscurity is not a security tactic.
Protect your business by hardening your website against cyber-attack. Don’t make it easy for hackers and thieves to make a living.