After analysing over 6 million small business websites, security vendor SiteLock has warned: “There’s no such thing as ‘too small to be hacked’ anymore.” It’s a stark warning that many companies large and small are failing to heed.
In its Q4/2017 report (registration required), SiteLock saw a decrease in the number of recorded attacks. This does not mean the threat has gone away. Neill Feather, president of SiteLock, commented: “Hackers are constantly trying new avenues and even leveraging older tactics that continue to be successful. As our research shows, cybercriminals are now able to successfully breach a site with fewer, more targeted attacks.
“Now more than ever, businesses need to evaluate their current security posture and ensure they have both the right technology and a response plan in place should a hack occur.”
Why are small businesses under attack?
Small businesses have long been accused of being the weak link in the supply chain. After all, why spend days attacking a large and secure business when attacking a small insecure supplier gets access to the real target?
Small businesses are also attractive for other reasons. They often have limited backups and are therefore likely to pay ransoms. The lack of cyber security means that they can be exploited to infect visitors with malware. They can also be co-opted into botnets and used for cryptomining.
SiteLock says that in Q4/2017 websites experienced an average of 44 attacks per day. While this was down 25% from the previous quarter, it is still a substantial number of attacks. Without effective cyber security defences, it is likely that some of those attacks will be successful. It’s also important to restate that this is not about attacks via email or on users. These are attacks on websites that are often not spotted or recorded by many sites.
The fallout from an attack can have a serious impact on a business. Setting aside the impact of a data breach along with the costs and fines that brings, there are other costs. These can include completely rebuilding a site, which means being offline for a period. If customers cannot get to a website, they go elsewhere, often not to return. If they cannot get to a site and discover that it has been hacked, there is little chance they will return. The loss of reputation and future revenues from customers, added to the lost time, is significant.
What does SiteLock recommend for small businesses?
SiteLock says that basic precautions and cyber security hygiene are a key part of the solution to the issue. Among the steps to take are:
Make sure your CMS is fully patched: New sites appear every minute. Those using a popular CMS like WordPress are under attack within 30 minutes of being created. It is important that site owners and webmasters make sure they update as soon as new versions are available. If an ISP is slow to update then it may mean moving to another ISP. Patching the CMS is not enough. 46% of WordPress sites that were up to date with the core patches were infected with malware. 19% of up-to-date Joomla! sites were also infected. Drupal sites were the least likely to be properly patched, with only 18% of infected sites having all the core updates.
Update all plugins and themes to patch vulnerabilities: This is good advice but what happens if a plugin or theme is not being regularly updated? The obvious solution is to replace them. If the issue is the theme this can be expensive, but less so than a breach. Hackers also focus on creating infected plugins, a risk to the incautious.
Use a web scanner: SiteLock warns against relying on browsers and search engines to identify malware on a website. They often fail to identify infections, which can lead to a site being blacklisted. This stops users visiting a site. A web scanner is one of the solutions that SiteLock offers.
What does this mean?
The rate of attacks against small business websites might have dropped in Q4/2017 but it is too early to see this as a trend. SiteLock rates sites 1-3 based on their risk factor. The higher the number the more likely a site is to be infected. Sites ranked 3 are 26.7% more likely to be infected than sites ranked 1.
Risk factors can be changed based on how a site is designed and the software used. The CMS is a specific factor along with how often it is patched. On top of that are the plugins and themes used, many of which are not updated regularly. Site owners need to have a process to keep on top of patching or risk the consequences.
Small businesses often rely on third parties to design and build their websites. This means establishing a regular update process so that the business can see what has been done on the site and how safe it is.
Business owners who do not keep on top of their website are likely to suffer serious consequences. This might be something as simple as being defaced. At the other end of the scale it could be as serious as being blacklisted or being forced offline.