Website Security and Hacking

A small business in the UK is successfully hacked every 19 seconds with an estimated 65,000 attempted cyber-attacks every day.

We often only hear of the corporate hacks. In 2017 Yahoo revealed that 3 billion accounts had been compromised, Marriott International ‘lost’ 500 million guest records to hacking, and the Equifax breach exposed 209,000 payment card numbers along with names, dates of birth and social security numbers. Reassured? Well, don’t be. Half of all global cyber-attacks are targeted at small businesses, and in 2019 the losses already tip $2 trillion.

Yahoo, Marriott and Equifax can bounce back after a cyber-attack, but can you and your small business? When it happens to a small business owner it can have devastating consequences, and it is on the rise. As a small business owner you are an attractive target for a number of reasons that I’ll explain further down.

There are over 1.94 billion websites online in 2019, which makes a great ‘playground’ for hackers of all types. When a site is hacked, the ‘keys’ to it (the admin credentials) will often go on sale to fellow hackers on the dark web for a mere $1. Bank accounts and other sensitive data fetch a very modest $3 to $24 per account.

Attempts to hack your site most often run into the hundreds per day. The top five countries where these hacking attempts come from are China, USA, Turkey, Russia and Taiwan.

The majority of hacking is automated and very few small sites are the victim of a targeted attack. Hackers look for known vulnerabilities, and often write and share scripts that test for these weaknesses across hundreds of thousands of websites. But why do hackers hack? Some of the most common reasons are:

Stealing information – taking information stored on the server, such as customer records or website files.

Abusing server resources – hackers can use the processing power of your web server, for example to send out thousands of spam emails. It is often easier for hackers to use your website than to build and host one themselves.

Pure hooliganism – the pleasure of defacing or taking a site offline.

Monetary gain – injecting links that pass link authority to an external page. Done to enough sites, this temporarily boosts the destination page on Google and the other search engines. Hackers may also install pages used for affiliate marketing, earning a commission on sales.

Hacktivism – this is simply when hackers disagree with what you are selling or promoting.

The first step to making sure you are not a victim of hacking is to tighten up the passwords on your website CMS, as weak or reused credentials are the most common way in for hackers. Use a password generator such as Norton’s (https://my.norton.com/extspa/passwordmanager?path=pwd-gen). This particular tool lets you set the number of characters with a slider and choose whether to include letters, mixed case, punctuation and numbers, e.g. nas*8pupr$p3xek2$i2R. Use 20 characters, like this example, and you will already be ahead of the game.

Hard to believe, but a lot of business owners don’t take this seriously. Here are some of the most common passwords found in breached accounts:

No.1 password: 123456 (23.2 million breaches)

Most popular name used as a password: ashley (432,276 breaches)

Most popular Premier League club used as a password: liverpool (280,723 breaches)

Most popular musician used as a password: blink182 (285,706 breaches)
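To make the two points above concrete (generate a long random password, and refuse the common ones), here is a small added example in Python. It is not code from the original article or from Norton; it uses only the standard library, and the COMMON_PASSWORDS set is a constructed stand-in for a real breached-password list, seeded with the four entries listed above.

```python
import secrets
import string

# Constructed sample of common passwords: the four from the article plus a
# couple of obvious ones. A real check would load a full breach list.
COMMON_PASSWORDS = {"123456", "ashley", "liverpool", "blink182", "password", "qwerty"}

# Letters, mixed case, digits and punctuation, as the article recommends.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_password(pw: str, min_length: int = 20) -> dict:
    """Evaluate a password against the article's rules.

    Returns a dict with one boolean per rule plus an overall 'ok'.
    """
    normalised = pw.lower()
    # Strip trailing digits/punctuation so 'Liverpool2019!' still matches 'liverpool'.
    stem = normalised.rstrip(string.digits + string.punctuation)
    checks = {
        "long_enough": len(pw) >= min_length,
        "has_lower": any(c.islower() for c in pw),
        "has_upper": any(c.isupper() for c in pw),
        "has_digit": any(c.isdigit() for c in pw),
        "has_punct": any(c in string.punctuation for c in pw),
        "not_common": normalised not in COMMON_PASSWORDS and stem not in COMMON_PASSWORDS,
    }
    checks["ok"] = all(checks.values())
    return checks


def generate_password(length: int = 20) -> str:
    """Return a random password that passes every check for the given length.

    Uses the secrets module (a CSPRNG); the random module is predictable and
    must not be used for credentials.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Reject the rare draw that misses a character class or hits a common word.
        if check_password(candidate, min_length=length)["ok"]:
            return candidate


if __name__ == "__main__":
    print(generate_password())
    for sample in ("123456", "Liverpool2019!", "nas*8pupr$p3xek2$i2R"):
        print(sample, check_password(sample))
```

The stem check matters in practice: most "hardened" versions of a common password are just the common word with a year or an exclamation mark bolted on, and credential-stuffing lists already contain those variants.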

How can you protect your website?

The first thing is to get a security audit and make sure you have all (if possible) of the following in place:

Backups – automate an offsite backup so you always have a clean copy of your website to restore from

SSL/TLS certificate – this won’t stop hacking, but it does encrypt data in transit between your visitors’ browsers and your site

Strong passwords – aim for a mix of letters, mixed case, punctuation and numbers, as outlined above

A web application firewall – this filters malicious requests before they reach your site, and can also be used to block entire countries and otherwise lock down access

Update plugins and themes as often as possible if you are using a WordPress site (WordPress sites account for around 30% of all websites globally, so their plugins are a favourite target)

Use the principle of least privilege if more than one user has access to your site: give each user only the role their job needs (e.g. editor or author), not administrator

Have a ‘backup and restore’ plan, and test it, so you know where everything is and how to get back online in an emergency
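The backup and the restore plan above are only worth anything if the restore is rehearsed. The following added example (mine, not the article’s or any CMS project’s code) shows the shape of such a rehearsal in Python: archive a site directory, record a SHA-256 manifest beside the archive, restore into a scratch directory and verify every file byte for byte. The same manifest doubles as a file-integrity check against the live site. The sample site it builds (index.php, wp-config.php, an uploads folder) is constructed for the demo and is not a real install.

```python
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir: Path, dest_dir: Path) -> Path:
    """Archive site_dir into dest_dir and write a SHA-256 manifest beside it.

    Returns the archive path; the manifest is <archive>.manifest.json.
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    archive = dest_dir / f"site-{stamp}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(site_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(site_dir).as_posix()
                manifest[rel] = _sha256(path)
                tar.add(path, arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive


def verify_against_manifest(site_dir: Path, manifest: dict) -> list:
    """Return the relative paths that are missing or whose hash differs."""
    return [rel for rel, digest in manifest.items()
            if not (site_dir / rel).is_file() or _sha256(site_dir / rel) != digest]


def restore_backup(archive: Path, target_dir: Path) -> dict:
    """Extract archive into target_dir and verify it against the manifest."""
    manifest = json.loads(archive.with_name(archive.name + ".manifest.json").read_text())
    target_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            # Refuse archive entries that would escape target_dir (path traversal).
            if not (target_dir / member.name).resolve().is_relative_to(target_dir.resolve()):
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(target_dir)
    mismatched = verify_against_manifest(target_dir, manifest)
    return {"restored": len(manifest) - len(mismatched), "mismatched": mismatched}


def rehearse_restore(site_dir: Path, backup_dir: Path) -> bool:
    """The restore-plan check: back up, restore to scratch, confirm every file returns intact."""
    archive = make_backup(site_dir, backup_dir)
    with tempfile.TemporaryDirectory() as scratch:
        return restore_backup(archive, Path(scratch))["mismatched"] == []


def build_sample_site(root: Path) -> Path:
    """Constructed stand-in for a small CMS install; not a real site."""
    site = root / "site"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (site / "wp-config.php").write_text("<?php define('DB_NAME', 'example'); ?>\n")
    (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return site


def demo() -> dict:
    """Run a rehearsal, then show the manifest catching a modified file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = build_sample_site(root)
        ok = rehearse_restore(site, root / "backups")
        archive = make_backup(site, root / "backups")
        restored = root / "restored"
        restore_backup(archive, restored)
        # Simulate an attacker (or a bad restore) altering a file after the fact.
        (restored / "wp-config.php").write_text("<?php /* attacker edit */ ?>\n")
        manifest = json.loads(archive.with_name(archive.name + ".manifest.json").read_text())
        tampered = verify_against_manifest(restored, manifest)
    return {"rehearsal_ok": ok, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

In a real setup the archive and manifest are copied offsite (the manifest should never live only next to the site it describes, or an attacker who can edit files can edit it too), and the rehearsal runs on a schedule so a broken backup is noticed before it is needed. The database dump needs the same treatment as the files.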

Want to discuss your website security or require a security audit to be carried out? Contact mark.field@dminformatics.co.uk or call 01752 295875