A version of this article first appeared at the GoDaddy blog.
If you run a small business website, data security is often the last thing you think about. After all, don’t hackers just target the big end of town?
Here’s the bad news. Hackers actively target small business websites simply because they are soft targets, as many website owners don’t take basic data security measures to protect their sites.
Why do hackers hack?
The first question my site owners had when I called them was, “I only have a small site. Why would hackers be interested in me?”
This is where you have to park your ego. Hackers generally aren’t interested in you. They want your systems or your clients. You are just the tool they are using to get to them.
Part of the appeal is that most small business websites are not standalone, but are linked to email systems, CRMs and finance systems.
Websites are often unlocked portals into the rest of a business. Hackers use websites to find weak spots into a company’s infrastructure or as a backdoor entry into larger partner companies or government agencies. They target small businesses simply because their data security is not as advanced.
Just as there are different types of crimes in life, there are different types of hacking.
In real life, when you think of crime, you think of things like graffiti at the lower end, through to murder at the higher end. Online that equates to defacement and bringing your website down.
Hackers hack websites for several reasons:
Political motives – Vigilantes or foreign governments seek to spread their message, raise awareness or harness many hacked websites together into botnets to launch DDoS attacks on major players. Your business is conscripted into cyberwarfare.
Theft of money – Small business owners are less likely to have site backups and are more likely to pay ransoms if their data is encrypted.
Theft of personal information – Personal information such as names, addresses, dates of birth, health or financial data can be used for fraud, identity theft or blackmail. Many small business owners collect personal information through their web forms or emails hosted through their web server.
Hobby or LULZ – Some hackers just like the challenge and do it for fun.
To leak information – Confidential information can be targeted as a way to expose people, governments or corporations that the hacker or activist disagrees with.
The Mossack Fonseca hack, in which the Panamanian law firm at the centre of the Panama Papers breach lost 11.5 million documents on the private financial dealings of the rich and famous, happened because of an out-of-date Revolution Slider plugin.
Cryptocurrency mining – Some hackers hijack computers to mine cryptocurrency.
Redirect to their sites – Some malware redirects visitors to porn or pharmaceutical sites to try and get sales, or to redirect to other sites that install malware/viruses on computers.
Industries most at risk
While no website is safe, certain industries attract more attention than others.
The 2018 Global Threat Intelligence Report (GTIR) from NTT Security reported that during 2017 there was:
- A 350 percent increase in ransomware.
- A 46 percent drop in attack volume for finance in APAC.
- A global increase of 25 percent in attacks against technology companies.
- Business and professional services appearing as a new entry to the ‘top five most attacked’ list.
- The finance sector returning to be the most attacked sector globally.
Within the Asia Pacific Area (which includes Australia) the top 5 most attacked sectors were:
- Education (26% of attacks)
- Finance (18% of attacks)
- Technology (16% of attacks)
- Retail (15% of attacks)
- Government (13% of attacks)
The top industries that reported breaches to the OAIC from Feb 22nd to March 2018 were:
- Health Service Providers
- Legal, Accounting & Management Services
- Finance (Incl. Superannuation)
73% of the breaches reported involved the personal information of fewer than 100 people, placing it firmly at the feet of small business owners.
Most of the cases that made the news were high profile cases such as Svitzer, where half of their employees’ data was leaked, Family Planning NSW, where details of 8000 clients were leaked, and the Commonwealth Bank, where 20 million customer financial statements were lost.
What do you need to do?
Enhancing your website data security means you need to protect two different things:
- Your clients and visitors to your website
- Your website and your business
Protecting Clients & Visitors to Your Site
Without clients, your business will fail. One of the most important things you can do is to protect visitors and clients on your website, particularly if you ask them to enter their details on contact forms or through purchasing items on your website.
The number one priority is to have an SSL certificate installed on your website. An SSL (Secure Sockets Layer) certificate means that all personal data visitors send to or from your site is encrypted in transit, typically with a 2048-bit key. This stops man-in-the-middle attacks, eavesdropping and data tampering.
You can tell if you have an SSL encryption installed by looking at your website URL in your browser. If you see a green padlock and the word “Secure” or the green padlock and the name of your business, then your site has SSL security installed.
No padlock? Does your browser say “Not secure”, or show only an information icon (“i”) next to the address? Then you don’t have an SSL installed.
In the past, not having a green padlock was not a barrier to doing business, but more and more savvy shoppers will not enter any personal data on a website without a magic green padlock being in place. An SSL Security Certificate is one of the key ways you can build the trustworthiness of your website.
To add to the pressure, Google Chrome and other browsers have been rolling out warnings when a site does not have an SSL installed and visitors are asked to enter personal details.
From October 2018, if you don’t have an SSL installed, and a client tries to enter personal details on your site, Chrome 70 will change the Not Secure warning to red.
The bottom line is if you don’t have an SSL installed on your website, you are losing customers as people will see the large “not secure” warnings and simply move on to websites that are secure.
Which SSL Should You Get?
There are five main types of SSL Security Certificates.
Domain Validation (DV) SSLs – These are the most common SSLs and verify the domain name of the website. These are ideal for general information sites common to most small businesses.
Organisation Validation (OV) SSLs – These are the next level SSLs and demonstrate a higher level of vetting of an organisation’s physical and legal presence. These take 3-5 days to process. OV SSLs deliver a higher level of trust and are ideal for sites offering e-commerce options.
Extended Validation (EV) SSLs – Offer the highest level of SSL security as they require extensive vetting of an organisation’s business details. These take up to a month to process. These are commonly used by government organisations, corporations or businesses with larger e-commerce stores.
Multiple Domain (SAN) SSLs – Subject Alternative Name SSLs (also known as Multi-domain or Unified Communications Certificate (UCC) SSLs) are for businesses with a number of domain names who want to simplify their server configurations. (e.g. https://yourdomain1.com.au, https://yourdomain2.com.au)
Wildcard SSLs – Wildcard SSLs let you protect any number of subdomains with a single SSL certificate. (e.g. https://training.yourdomain.com.au, https://memberships.yourdomain.com.au)
Protecting Your Website & Your Business
Data security for your small business website is more complex than protecting visitors to your site. Here are a few steps you can take to increase your security.
- Keep your website versions of WordPress, themes and plugins updated with the latest security patches.
- Maintain regular backups and know how to restore your site from a backup.
- Consider adding a cloud-based firewall to stop hackers before they get to your site.
- Add on-site security through security plugins or having automated website security scans run on your site.
- Ensure you have secure passwords that are regularly changed.
- Never have admin, manager, test or the name of your website as your username.
- Delete old users on your site (especially non-active admin users).
- Delete themes or plugins you no longer use.
- Know who to contact and what to do if your site has been hacked. You should record these details as part of your checklist of what to do once you launch your website.
- Don’t accept social media requests from people you don’t know – it could be hackers trying to social engineer their way into your site.
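Two of the items above (guessable usernames, and stale or unused admin accounts) lend themselves to a routine check rather than a one-off clean-up. The following is an added example, not code from the original article: it audits a list of site users, flags the generic usernames the list warns against (including the site name derived from your domain) and flags administrators who have not logged in recently. The user records are constructed sample data, and the 90-day inactivity threshold is an assumption to adjust to your own policy.

```python
"""Audit a website's user accounts against a simple hygiene policy.

Added example, not from the original article. The records below are
constructed sample data; in practice you would export them from your CMS
(for WordPress, the user list with roles and last-login dates).
"""
from datetime import date, timedelta
from typing import Dict, List, Optional

# Usernames the article warns against; "administrator" added as a common variant.
GENERIC_USERNAMES = {"admin", "administrator", "manager", "test"}
INACTIVE_ADMIN_DAYS = 90  # assumption: adjust to your own policy


def site_name_from_domain(domain: str) -> str:
    """'www.yourdomain.com.au' -> 'yourdomain', the name an attacker would guess first."""
    labels = domain.lower().strip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return labels[0] if labels else ""


def audit_users(users: List[Dict], domain: str, today: date) -> Dict[str, List[str]]:
    """Return {username: [findings]} for every account that needs attention."""
    findings: Dict[str, List[str]] = {}
    site_name = site_name_from_domain(domain)
    cutoff = today - timedelta(days=INACTIVE_ADMIN_DAYS)
    for user in users:
        name = user["username"].lower()
        issues: List[str] = []
        if name in GENERIC_USERNAMES or name == site_name:
            issues.append("guessable username: replace this account with a distinct username")
        if user["role"] == "administrator":
            last: Optional[date] = user.get("last_login")
            if last is None:
                issues.append("administrator that has never logged in: delete it")
            elif last < cutoff:
                issues.append(f"administrator inactive since {last.isoformat()}: delete or demote")
        if issues:
            findings[user["username"]] = issues
    return findings


# Constructed sample data.
SAMPLE_USERS = [
    {"username": "admin", "role": "administrator", "last_login": date(2018, 6, 1)},
    {"username": "yourdomain", "role": "editor", "last_login": date(2018, 5, 20)},
    {"username": "olddev", "role": "administrator", "last_login": date(2017, 11, 3)},
    {"username": "j.smith", "role": "administrator", "last_login": date(2018, 6, 10)},
    {"username": "contractor", "role": "administrator", "last_login": None},
]

if __name__ == "__main__":
    for username, issues in audit_users(SAMPLE_USERS, "www.yourdomain.com.au", date(2018, 6, 15)).items():
        for issue in issues:
            print(f"{username}: {issue}")
```

Run it against an export of your real user list after every launch and as part of each regular update cycle; an empty result is the goal.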
Data security: Not just for the big players
Data security needs to be firmly on the to-do list of every small business owner, as hackers can target even the smallest website.
Also, the big internet providers are moving to make the internet a safer place through the requirement of websites to install SSL encryption. If you don’t have it installed, then your customers will simply move to your competitors who do.
Like all things in business, keeping on top of your data security can feel overwhelming. If in doubt, talk with your web hosting company and IT provider for advice on what is best for your needs.