Your website is a valuable business asset, but hack attacks are a fact of life. Darien Graham-Smith asks how concerned you should be - and, if you are a victim, how to handle the fallout
Protecting your back-office servers is one thing, but your website is probably hosted by a third party – so it’s understandable if its security is low on your list of priorities. But your site may be more vulnerable than you think – and an attack can have serious consequences.
What’s the risk?
Even if you don’t carry out business directly through your website, it promotes your services to potential customers. If a hacker takes it offline, that has a cost to your business. Or, if someone posts dangerous code on your site, it could infect visitors and harm your reputation.
Small businesses typically assume that their risk of being hacked is low because they’re inconspicuous. But there are reasons why a hacker might seek out a low-profile target. “Your humble web server can be a valuable proxy, enabling criminals to hide their location and identity,” said Adrian Sanabria, senior security analyst at 451 Research. In other words, if someone wants to carry out a major attack, “the authorities will be led to your door, rather than to the true source of the attack”.
Terry Greer-King, director of cyber security for Cisco, described another scenario: “If I’m a hacker and I’m going after a big target, such as a senior employee, I might turn to social engineering. That person might post on LinkedIn or a social site about something that they’re interested in – let’s say flower-arranging. So then I can hack the website of a florist and upload my malicious code, hoping that the person will go to that site.”
Even if you’re not the target, this type of activity is bad for business. “Very quickly, a website that is serving malware will be blacklisted by web-protection software,” warned Ian Trump, security lead at services provider LogicNow.
“Once you’re on a blacklist it’s hard to get off, and folks may not be able to reach your website, or receive email from you,” he noted. “Besides the damage to your reputation, and difficult conversations with customers who have been infected, you’ll need expert help to remove the criminals’ hold on your server.”
Keeping the bad guys out
How is it that intruders can easily get into web servers? “New vulnerabilities are always being found – mostly in the software used to host sites, but sometimes even in the operating system,” revealed Trump. “Content-management systems which organise your site, such as WordPress and Drupal, are vulnerable if they’re not patched and up to date. It’s trivial to download software that probes for vulnerabilities to exploit.”
And if you are compromised, you’re unlikely to realise it right away. “There is no visible difference you’re likely to see when you’re hacked,” explained Greer-King. “It’s not like an email coming with a dodgy attachment. Websites are attacked very surreptitiously.”
To identify problems quickly, therefore, you need to scan actively. “There are plenty of free or low-cost services you can use to scan your website for vulnerabilities or security issues,” suggested Sanabria. “Most smaller businesses can’t afford a full penetration test; the next best thing is to look for a secure partner to host and protect your website for you, rather than to run it yourself.”
But don’t assume that your web host will ensure that everything is patched and secure. “There are people in business who are a little naive about hosted services,” noted Greer-King. “They assume that it’s all secure, but they never actually ask. You need to take responsibility for the security of your own site – or find out exactly where the lines of demarcation are.”
Finally, don’t overlook the standard security advice for online services. “Be on guard for phishing attacks,” recommended Sanabria. “Look for some free phishing training, and use an email service that’s effective at blocking malicious emails.”
“Use robust passwords and user credentials,” added Trump. “Make it hard for cybercriminals to brute-force your credentials. Keep your website passwords different from the business-network passwords.”
Greer-King said the “Cyber Street” government initiative (cyberstreetwise.com) can help businesses ensure they’re covering the security basics. “There’s a very simple online test and evaluation task about what security measures you currently have in place, and how you approach things,” he said. “These sites aren’t a panacea – when you go through the process it doesn’t mean your business is secure. But at least you’re taking the basic steps, and you can show others that you’re taking security seriously.”
Responding to an attack
What should you do if you discover your site has been attacked? “The simplistic answer is to shut it down right away,” suggested Greer-King. “Make sure it’s cleaned up before you bring it back online, so you can’t infect anybody else. And put measures in place to make sure it doesn’t happen again. When you see a site that keeps coming back and then being taken offline again, that suggests they’re cleaning it, but not putting security measures in.”
“Assume that the website and server have both been compromised,” added Trump. “Changing your passwords is advisable: the criminals will have compromised the website and the OS.”
There may be legal processes to think about too. “If you’re required to be PCI [Payment Card Industry] compliant, you may need to hire a PCI-certified incident responder,” said Sanabria. “The PCI Security Standards Council has a list of certified responders on its website at pcisecuritystandards.org. And think about local law enforcement: it never hurts to start a relationship with these organisations before you have a breach. Sometimes they can share information about threats, helping you to avoid being compromised in the first place.”
Perhaps the trickiest question is what to say to your customers after a breach. Being hacked can shake confidence in your business, so it’s crucial to send the right message.
“Any security incident, especially if it will become public information, should be treated as an opportunity,” said Sanabria. “Respond quickly, transparently and in your customers’ best interest, and a compromise could actually earn you respect and a better reputation in the long run.”
Greer-King agreed: “I was talking to someone recently who’d been breached, and he said the company had actually benefited hugely from it. Customers appreciated their honesty. People were saying ‘we understand that you’d taken appropriate security measures, so how can we learn from what happened to you?’ When something happens, the initial instinct might be to try to sweep it under the carpet, but there’s a benefit in being public and open.”
You can expect a harder time if sensitive data has been breached. “If you didn’t encrypt your customers’ information you could be facing a substantial penalty, not to mention ill will with your customers,” warned Ian Trump. “In this case it will take a lot more than an apology to make things right. You’ll need a lawyer and a PR firm to help. A personal touch can also be advisable when a business has faced a crisis – such as a personal call from the CEO to major affected customers.”
Have a plan
When it comes to minimising the risk from a website attack, your best bet is not to wait for the worst, but to anticipate it. “When bad stuff happens, that’s a moment of crisis, and not necessarily a time when clear heads will be determining what to do,” said Greer-King. “So consider your response in advance. Try imagining that a breach has occurred and think about the impact – have credit-card details been stolen, or customer records? Is it just ‘noisy’? Then you can work out an appropriate process.
“Every company, no matter what size, ought to be thinking about this. It’s very common for small businesses to assume they won’t be a target, but they have more importance than they might think.”