Ignore Web Security At Your Peril

15/09/2015

The UK media has been full of stories relating to websites that have been hacked. You'd have to have been living on the moon to miss the recent furore over the theft of data from the Ashley Madison site (Ashley Madison Data Breach) or the less contentious Mumsnet (Mumsnet Data Breach).

This is barely the tip of the iceberg though; here is a quick guide from Bloomberg on some of the Worst Corporate Hack Attacks.

The stone cold truth is that you don't have to be one of these glamorous big name web institutions to be at risk of your website being attacked, as any website is at risk. These days hackers are increasingly using software to find vulnerable sites and either trawl for interesting, valuable data or upload their own code for other purposes.

So what are the risks of not securing my website?

The risks fall into three categories, where the first has an immediate impact. For example, your website could be:

  • taken down if your hosting company detects hacking code
  • defaced with images or webpages that you have no control over
  • overwritten and be lost, or worse still, sensitive information could be stolen or revealed to third parties

It doesn't stop there though: even if you re-upload your site (from your back-up; you have one of those, right?) there may still be a longer-term impact. In the best-case scenario, there is the embarrassment, but this could lead to reputational damage for you and your clients. This could easily result in lost revenue and, in the worst cases, fines or legal action.

In a government report issued earlier this year, 60% of small businesses surveyed said they had suffered a data breach in the past year. According to the report, even though the number of breaches had dropped slightly, the average cost of the worst attack was between £65,000 and £115,000, much higher than in 2013, when the cost was between £35,000 and £65,000. 59% of those surveyed said they expected to see more cyber security incidents next year.

You are certainly not immune as a small business, as illustrated by the Information Commissioner's Office fine of £7,500 to hotel booking site Worldview Limited after hackers accessed the card details of over 3,800 customers due to a vulnerability that had existed in their website since 2010. See the story here: Small Business Fine

But surely only large websites get hacked?

Unfortunately this is not so, and in our experience all websites can and will get hacked - from the corporate to the simple personal webpage. These days one automated hacking script can try to hack tens of thousands of websites a day. If any weaknesses are found, they are acted on. These scripts do not differentiate by the size or type of site; they are just acting as programmed.

Examples - 1

  • A simple brochure website, consisting of 10 static html pages
  • Currently sees 40 hacking attempts per day, mostly trying to add advertising content to the site. That's 14,600 attempts per year
  • If any single attempt were to be successful, hidden advertising would be placed on the site, making it likely that the site would be blacklisted and therefore hidden from search engines

Examples - 2

  • A database-driven web application, available to the general public
  • Various different attempts have been seen, including attempts to: log into the server that runs the website (on average 20 per day), add advertising content to the site (around four attempts per day) and one recent very clever attack that aimed to overwrite every single piece of information in the database with an advert for a pornographic site
  • If any of these were successful, the site and client would be significantly impacted

Recommendations

By this point, we hope that you have understood that you must take the threat of website hacking very seriously indeed.

We have put together our key recommendations to help you keep on top of this constantly evolving threat:

  • Don't see security as a one-off issue to consider at the time the site is built - it's an on-going programme of work, monitoring, reviewing, upgrading and staying abreast of current threats. Remember that the hackers are working to improve their code and find weaknesses around the clock. A site that was safe yesterday may be vulnerable tomorrow.
  • If you don't have the expertise in-house, speak to an external security provider who does: just as the hacking industry is evolving, so is the security industry. There are a variety of new and innovative products that can deal with this range of evolving threats. Speak to a consultant with expertise in this area or contact your web hosting company.

Whatever you do though, don't put it off; if you think your website security needs improving, make that call today. If you take one key message from this blog post it's that security is fundamental to any website, and you ignore this at your peril.

By Daren Callow, Director, Verasseti


Verasseti Ltd. is a limited company registered in England and Wales. Registered number: 04536454. Registered office: Dawes Road Hub, 20 Dawes Road, London, SW6 7EN. Data Protection Act 1998 registration number: Z2794760. VAT registration number: 799649535. ISO/IEC 27001:2013 certificate number: IS 573874. Office hours Monday to Friday, 9AM to 6PM, excluding bank holidays.