Over one billion websites exist today. With an excess of websites to choose from, we hear many people ask, why did my site get hacked? How did it get hacked? What damage has been done? While there are various reasons and ways a cybercriminal could have hacked your site, there is a very good chance (80% to be exact) they were after your web applications. Web applications account for 80% of website vulnerabilities, making them a very attractive target to cybercriminals.
There are over 1 million new strains of malware created every day. One identified infection can get your website blacklisted by Google, who currently blacklists over 10,000 websites each day. Mind you, the malware need not even be on your site.
SMEs (small to medium-sized enterprises) are unfortunately one of the largest targets of cyber attacks. On average, over 30,000 SME websites are targeted each day, and to make matters worse, nearly 60% of their IT professionals think they aren’t at any real risk of being attacked.
Don’t allow your business to suffer expensive cyber attack damages (which average around $50K per attack) — instead, be proactive in your web security efforts to prevent security threats, protecting your own and your customers’ private data. Here are 5 tips to help you protect your website from malware and other cyber threats:
1. Updates and Patches
Is your website running on a Content Management System (CMS) such as WordPress? A CMS can be an easy and cost-effective way to manage your business’ website, but CMS platforms are also large targets for cyber attacks.
Why? Many CMS platforms and plugins are often easy targets for hackers and allow backdoor access to your server and data (a recent example of this vulnerability was the SoakSoak attack that occurred last month). Make sure your system, plugins and themes are always up to date, strengthening your web security. Many CMS solutions will even automatically update files for you, if you choose.
2. Website Scanning
Many web viruses and other malware go unnoticed until it’s too late, due to their elusive nature. They can often be implemented with a simple one-line script, injected into the code of your website – made to look like normal code.
Website security scanning software can scan your website for existing malware and other harmful code that doesn’t belong, and notify you immediately of any threats. Our SMART (Secure Malware Alert & Removal Tool) software takes it a step further by automatically removing anything harmful – similar to what a virus removal software does for your PC.
3. Web Application Firewalls
Removing existing website threats is one issue, but keeping them from coming back is another. With over 1 million new malware strains created each week, your business’s website can potentially be infected by a new virus every day.
Web Application Firewalls (WAF) can help prevent attackers from even visiting your site. How do they work? Let’s take our TrueShield WAF, for instance – it evaluates traffic based on where it’s coming from, how it’s behaving, and what information it’s requesting. Based on these and other criteria, the firewall will allow “legitimate” traffic (e.g. customers and search engines) access while blocking “malicious” traffic (e.g. spam bots and hackers).
Used in conjunction with a website scanning solution, a WAF can help provide around-the-clock, hands-free security for your business’s website.
4. PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS), or PCI for short, is a security standard that businesses must adhere to if they accept major credit cards. This compliance helps ensure that your business and customers are protected from cyber attacks and fraud by providing a documented, baseline security posture for your site. Failure to comply with PCI standards can result in direct financial damages, lawsuits, government fines and ultimately ruin brand reputation in the event of a data breach.
Fortunately, it’s not difficult to become PCI compliant. There are many solutions that walk you through the steps to help create your own customized PCI policy. Our SiteLock® PCI Compliance program takes it even a step further by scanning your site and network, and you can also add on our PCI-certified TrueShield firewall.
5. Strengthen Passwords
Even in 2015 the world is still using weak passwords. A strong password is one that contains over 8 characters, no dictionary words, has a mixture of uppercase and lowercase letters, and includes digits and/or special characters. Unfortunately, many of those boxes aren’t checked – allowing brute-force hacking techniques (repeated attempts to log in to your website) to become effective.
It’s extremely important that you create a strong password for your website’s back end, since it can often be an easy way into your private data. You should also advise your customers who have online accounts to do the same, to help protect them from future attacks. After all, it only takes seconds for a computer to crack a poorly created password.
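The four criteria above can be enforced at account creation or password change. The following Python sketch is an added example, not SiteLock code; the function names, the small word list and the substitution table are assumptions made for illustration.

```python
import math
import re
import string

# Constructed sample word list; a real check would load a full dictionary
# and a list of known-breached passwords.
SAMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "letmein",
                "admin", "summer", "winter", "login", "sitelock"}

# Common character substitutions are undone before the dictionary check,
# so "P@ssw0rd1" is still recognised as containing "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "3": "e",
                      "$": "s", "5": "s", "7": "t", "!": "i"})


def find_dictionary_words(password, words=SAMPLE_WORDS, min_len=4):
    """Return the sample words embedded in the password."""
    normalised = password.lower().translate(LEET)
    return sorted(w for w in words if len(w) >= min_len and w in normalised)


def check_password(password):
    """Apply the four criteria from the text; return the list of failures."""
    failures = []
    if len(password) <= 8:  # the text asks for "over 8 characters"
        failures.append("length must be over 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("needs both uppercase and lowercase letters")
    if not re.search(r"[^A-Za-z]", password):
        failures.append("needs a digit and/or special character")
    hits = find_dictionary_words(password)
    if hits:
        failures.append("contains dictionary word(s): " + ", ".join(hits))
    return failures


def keyspace_bits(password):
    """Upper bound, in bits, on a pure brute-force search of this password.

    Only meaningful when check_password() finds no dictionary word: a
    word-based password falls to a word-list attack long before the
    full keyspace is searched.
    """
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed sample passwords, for demonstration only.
    for candidate in ("password", "Summer2015", "P@ssw0rd1", "tR7#vq9LzKe2"):
        problems = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {keyspace_bits(candidate):.0f} bits; "
              + "; ".join(problems))
```

"P@ssw0rd1" passes the length, case and digit rules and still fails, which is why the dictionary criterion has to be checked separately from the character-class rules.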
Identity theft is the fastest growing crime in the history of America, and businesses are not immune. There were more than 16 million victims of identity theft in the U.S. just last year, which works out to more than one new victim every three seconds. To put that in perspective, that means there were more victims of identity theft last year than there were reported murders, attempted murders, burglaries, attempted burglaries, arsons, vehicle thefts, purse snatchings, pick pocketings, shoplifting, and check fraud combined. With so many crimes and criminals in circulation, don’t make the mistake of assuming that it will never come creeping into your business. Identity theft in a business can take a number of different forms:
- You personally can fall victim, especially if you run a small business, mix business and personal finances, or keep personal information on business computers.
- Hackers, insiders, and others can steal employee and customer information and use that in turn to steal their identities.
- Your business could even be a victim of business identity theft, the growing problem of thieves creating fake versions of real businesses to commit massive fraud.
And business identity theft is such a big problem, the National Association of Secretaries of State created a task force to tackle it. It’s very easy for thieves to obtain publicly available records on your business, create fake documentation, open bank accounts, open lines of credit and obtain loans. They can also take out property leases and use those physical locations to accept orders for merchandise they order using the victim business’s identity. And often by the time a business owner finds out about it, the thieves are long gone and the owner is left to face some very awkward questions. In one case, a victim company found that an imposter company had opened an office in the very same building so they could use an almost identical address to fool banks and vendors. Here are some steps you can take to minimize the risks and spot an imposter:
- Check your state business filings every few months to make sure there aren’t any unauthorized changes – like new officers or a new legal address.
- Check your business credit report. You can do it with any of the three main credit bureaus – Experian, Equifax, and TransUnion – and also with Dun and Bradstreet.
- Do regular internet searches for your company name and domain. Thieves will often register identical companies in other states, or register a similarly-spelled domain that may look like yours.
- Search for your own name and those of any other officers or executives, because thieves may be using those names to promote the cloned company.
- Protect your Employer Identification Number, or EIN, to minimize the risk thieves will get access to it.
- If your state allows it, sign up for alerts for any changes to your business filings.
Business identity theft is a growing problem and difficult to spot and stop. Constant vigilance is your best bet – like every other part of your business and website security program.
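The regular search for similarly-spelled domains can be partly automated. The Python sketch below is an added example, not part of the original article; the domain names are constructed, the function names are hypothetical, and it assumes registrable domains with a single-label TLD (for instance, a list taken from a newly-registered-domains feed).

```python
# Character sequences that look alike at a glance, folded to one form
# before comparison. This short table is an illustrative assumption.
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def skeleton(name):
    """Lower-case the name, drop hyphens and fold look-alike characters."""
    name = name.lower().replace("-", "")
    for src, dst in CONFUSABLE:
        name = name.replace(src, dst)
    return name


def edit_distance(a, b):
    """Levenshtein distance, computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Split 'name.tld' into (name, tld); assumes a single-label TLD."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    return name, tld


def find_lookalikes(own_domain, observed, max_distance=2):
    """Return (domain, reason) pairs for observed domains resembling ours.

    For very short names, lower max_distance to avoid noisy matches.
    """
    own_name, own_tld = split_domain(own_domain)
    own_skel = skeleton(own_name)
    findings = []
    for candidate in observed:
        name, tld = split_domain(candidate)
        skel = skeleton(name)
        if (name, tld) == (own_name, own_tld):
            continue  # this is our own registration
        if name == own_name:
            reason = "same name, different TLD"
        elif skel == own_skel:
            reason = "confusable or hyphenated form"
        elif edit_distance(skel, own_skel) <= max_distance:
            reason = f"edit distance {edit_distance(skel, own_skel)}"
        elif own_skel in skel:
            reason = "contains your name"
        else:
            continue
        findings.append((candidate, reason))
    return findings


# Constructed sample data: the business's domain and domains seen elsewhere.
OWN = "examplebakery.com"
OBSERVED = ["examplebakery.com", "examplebakery.net", "exarnplebakery.com",
            "examplebakry.com", "example-bakery.com", "examp1ebakery.com",
            "cityflorist.com", "examplebakeryonline.com"]

if __name__ == "__main__":
    for domain, reason in find_lookalikes(OWN, OBSERVED):
        print(f"{domain}: {reason}")
```

A flagged domain is only a lead for manual review, since unrelated businesses can legitimately hold similar names.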
Confused about how to protect your website? It’s actually not that hard (hint: there are great companies that will do it all for you for less than a buck a day). But perhaps the easiest way to get your head around website security is to think of it like a PC. Except this is the most important PC you could ever have, because much if not most of your business probably relies on it.
Think about all the things you need to do to protect your PC, and how easy it is. For example:
- You protect it from malware by making sure you have good quality antivirus software. You constantly update that software so it can detect the latest threats, and you regularly scan your computer in case anything slipped past.
- You use a firewall, so that you can deny access to hackers and malware that constantly stalk the internet looking for vulnerable computers like yours.
- You practice computer hygiene. You’re careful about what websites you visit and what you download, so that you don’t inadvertently infect your computer.
- You make sure your PC is constantly patched. Most malware infections result from unpatched vulnerabilities, from Windows to Flash, so you want to patch those vulnerabilities before a hacker can exploit them.
- If other people have access to your PC, you let them know what the rules are, so that they don’t do something that breaches your good security habits.
- If there’s sensitive information on your PC, you take a variety of precautions to protect it. You use strong passwords that are hard to guess, you change those passwords frequently, and you guard them well. And you encrypt any sensitive information on that PC so that if hackers make it past your first lines of defense, your crown jewels are still safe.
- And you take a bunch of precautions, from backing up your data to regular maintenance, to make sure that your PC is always available to you.
The principles of protecting your website are not much different. Granted, putting them into practice can be a little more challenging, which is why you have companies like SiteLock to do it automatically and comprehensively.
But back to those principles. If you’re serious about protecting your website, think about it like you would any PC or laptop:
- Protect it from malware that can infect your website, steal data, and spread to your customers.
- Protect sensitive data, especially customer and credit card data, with layers of security that should include encryption.
- Use strong passwords, especially for web access and FTP, that are changed often and protected well.
- Teach all employees about your website security rules so that whenever they have access to your site, they use it responsibly.
- And regularly review and update your security so that it matches the latest threats and meets any regulatory requirements (like PCI), and so that your site does not end up being blacklisted by search engines.
Protecting your website can be challenging. But that doesn’t mean it has to be hard. A little common sense and some basic security tools, and your little baby should continue to hum along very nicely for as long as you need it.
Well, I’m not really sure where to begin. Not only was it the first time I’ve received a letter asking me for security for Christmas, but also the very first letter I’ve ever received from a website. And trust me, I’ve been doing this for quite a while, long before that internet thingy I started for Al Gore.
I am very sorry to hear how worried you are about security, and especially hackers and malware. Not really for yourself, but for your owner. I know that most business owners are so busy building their dream, they sometimes forget that there are some very bad people out there who can too easily steal it all.
I have to admit, I wasn’t really sure where to start. If you’d asked me for a Kindle or an “i” something-or-other, or even just a toy or a scarf, that would be easy. But I feel a little like most business owners do, not really knowing how to protect you and even where to start.
But when I had some downtime on my sleigh (don’t worry – it has cruise control, so it was perfectly safe), I did some research and I hope you’ll be happy with what I came up with.
So here goes:
You said you wanted someone to watch over you. Well, while I’d love to be able to do that, you understand I have my own full-time job, even in the off-season. So I sent your owner a very nice letter advising her that the best thing she could do for herself (and for you) was to sign up for SiteLock so that you aren’t so vulnerable to all those hackers and malware removal is automatic.
I love giving gifts like that. They’re not extravagant so there’s no need to feel guilty. They’re very simple to use, so your owner doesn’t have to spend her holidays poring over an instruction manual or looking for batteries. And once you switch it on, SiteLock will guard you and your business around the clock, from the most advanced threats and determined hackers.
So what was next? Oh yes, better passwords. I hear that. It’s a nightmare for my toy business. Who knew so many employees, elves especially, are so careless with important passwords? Like FTP. I mean, why have a lock on the front door of your business if you insist on leaving the keys in it?
But I’ve got you covered. I sent every employee a password manager (don’t worry, some of the best are free). Now they can create and protect the most complex of passwords, and store them all in one safe place. So not being able to remember all those big and clumsy passwords is no excuse. And some of these programs will even remind you when it’s time to update your passwords, so forgetting is not an issue either.
Let me see, what else did you ask for? Sorry, my memory isn’t what it used to be. Oh yes, you wanted to get rid of all that outdated content and code on your website because you think it’s slowing you down. Tell me about it. Every year about this time, when the rush dies down, we promise to tidy up the place so that we can run more efficiently as we prepare for next year.
And every year that resolution goes out the door as quick as Christmas itself. Not to worry. I created a special note just for your webmaster. In exchange for his list, I gave him a list, too. It’s pretty simple. I told him to go through every page of the site and remove any outdated content and images, and clean up or remove outdated code — we all know how dangerous that can be.
I also told him to get a patching and updating regimen in place so that all critical patches are installed as soon as they’re available, and outdated software and plugins don’t leave you vulnerable.
I think that’s it. Hope I’m not missing anything. When I think about it, I wish every website would send me a letter like this. I can easily find their owners and lean on them a little. I mean, if this is the season of goodwill and joy, why shouldn’t it start with your website, the face of your business?
Thanksgiving is over and everyone’s prepping for Christmas. Now might be the only time in the near future that you can pause, catch your breath, and maybe give thanks for your good fortune. Which makes now the perfect time to think about what it might be like to lose all you’ve worked for, and how that loss could impact you, your family, and your employees.
No one likes talking or even thinking about bad things around this time of year. It goes against the holiday spirit! But you may not have any choice. Bad things can happen to your business at any moment, and may even be happening as you’re reading this. Every day, millions of small business websites are being prodded and probed by automated hacker tools looking for unsecured websites they can hijack. It’s almost like a thief walking along a row of cars and nearly invisibly checking each door handle to see which ones are unlocked. Except hackers have an additional layer of secrecy. They don’t have to leave their homes to check websites, and they can see many of them – all at once.
For those of you who had website security on your list of New Year’s Resolutions for 2013, and haven’t been able to check it off yet – there’s still time! Every January we, as business and website owners, create to-do lists for what we want to accomplish in the coming year. It all looks great on paper, but then reality sets in. We have businesses and websites to run. Families to care for and spend time with. And fine – maybe a fantasy football team to manage. Bottom line – we’re all really, really busy. And suddenly it’s the middle of November, and there are still a few outstanding items we’d love to cross off our lists.
Website security is one of those things that we know needs to be addressed (the horror stories of hacked websites are everywhere), but it tends to get put off for many reasons. Some of us underestimate the importance of securing our website, some are afraid it will be expensive, and some think it will be too hard to manage without an IT person on staff. The truth is, website security is not only more critical than most people realize but it is also much easier than most expect.
Here are 3 easy ways to enhance your website security (and improve your online business) before December 31st:
1. Ensure safe holiday shopping for your customers. This is the busiest time of year for most eCommerce sites, so maximize your sales opportunity by displaying a trust seal. Most website scanning services provide a trust seal to publish on your homepage and show your visitors that your website has been scanned and is free of malware and viruses. Trust seals boost customer confidence in your online business, and have been proven to increase conversions by 10% or more. Not only will you be making more money, but you’ll also be alerted of any malicious files that could be on your website. So that you can remove them (some services like SiteLock can even do this automatically) before they can cause your site to be taken down at the worst possible time. It costs a lot less than you think, too. And is worth its weight in security gold.
2. Purge and update your plug-ins. This is one of the easiest things you can do to protect your website, and also one of the most important. You know how every once in a while, it feels necessary to peruse your Facebook friend list and do some purging? Maybe you realize that you don’t want to share your personal information with Jason from your kindergarten class or Vicki from 6 jobs ago? This is the same way you should approach any third-party software or plug-ins on your website. Using outdated versions is the single most common way for a hacker to gain entry to your website, and all your information, and often that of your customers. So make a list of all the plug-ins and third-party software on your site, peruse it, and purge (uninstall) anything you no longer use. For the ones you do use and want to keep, make sure you have the latest versions and updates installed. I don’t have a Facebook analogy for this part; you’ll just have to take my word for it.
3. Educate your employees about phishing emails. If you are someone who is extremely cautious about opening emails from unknown or large company senders, it may be hard to believe anyone still opens spam emails or (gasp!) downloads the enclosed attachments. But the reality is that not everyone is aware. And even those who are careful are often so busy and inundated with emails that a few might slip through the cracks. Plus, hackers are getting scary good at impersonating legitimate business emails – PayPal, FedEx, Apple, to name just a few – and luring victims to click on links in order to update account information, track a package, download an important update, etc. All you need is one employee to click on one of these fraudulent download links, and you could be handing over your entire business to a criminal. Financial data for you and your customers – stolen, and your reputation – ruined, in a matter of seconds. As many of you head into your busy season, a 10-minute company meeting or brief communication on the warning signs to look out for when opening email could go a long way to protecting your business.
See? It’s not too late, you guys. These 3 steps are cheap or free, quick, and easy. But they could save you from being one of the 30,000 small business websites that are hacked each day. And most of all, you can finally cross that New Year’s Resolution off your list.
What is this TrueShield you speak of?
TrueShield is SiteLock’s web application firewall. It operates like your very own team of secret service agents, standing guard at every possible entry point on your website, 24/7. The TrueShield web application firewall inspects every visitor who tries to enter your site, denying access to the bad guys and bad bots, and welcoming the rest. You may imagine this would cause a traffic jam and slow down flow to your website – but it is actually just the opposite. The TrueShield WAF includes TrueSpeed, a content delivery network (CDN) which moves your website into the fast lane, loading your pages faster and improving your visitors’ experience – even boosting your SEO. It’s pretty remarkable stuff.
Who can use TrueShield?
Anyone who has a website. The TrueShield web application firewall is cloud-based, which means that it doesn’t require a complicated installation – in fact setup takes just a few minutes. It also means that TrueShield is affordable for even the smallest businesses and budgets. A typical small to mid-sized business does not have the in-house technical staff, nor the time, to deal with the complexities of protecting their site from every potential attacker. A web application firewall, like TrueShield, is the easiest way for a small business to get enterprise-grade protection without needing enterprise-level resources.
Many years ago, a bar owner shared with me the tale of how he was losing so much money in one of his bars he had to hire a loss prevention specialist to pose as a customer and watch his staff for any signs of financial impropriety.
The undercover customer spent nearly a month visiting the bar (what a job!) and reported back that he found nothing was amiss. He said he watched all the cash registers for four weeks and didn’t see one suspicious transaction at any one of the four registers.
Website Security Podcast: SiteLock Interviewed on Blog Talk Radio
In a recent interview with Barry Moltz on Blog Talk Radio, Neill Feather, President of SiteLock, responds to the growing concern, particularly for small businesses, of website risks and how adding website security can protect online businesses and their reputation.
The fact is that small businesses are increasingly a prime target for cyber crime. Case in point – Neill references a recent study by Verizon that states that 95% of online businesses that are attacked by hackers have fewer than 100 employees. And the number of attacks continues to grow each day.