Cyber Security Awareness Month provides a great opportunity to remind ourselves of the importance of protecting our digital assets, including our websites. As customers have come to expect the ability to perform just about any task online, companies are responding by adding more features and functionality to their websites and applications. That is great for convenience, but it also creates more opportunities for bad actors.
In 2022, Whitworth University, a private university in my hometown of Spokane, WA, was hit by a ransomware attack. The attack affected students, staff, faculty, and alumni, disrupting mission-critical systems for weeks and creating all sorts of headaches in the lead-up to the start of the school year. While the scope of the attack and the publicity it generated don’t stack up to the recent attacks that MGM Resorts suffered, it serves as a good reminder that no organization is immune to cyberattacks.
Even if your website is just for marketing, it still can be a valuable target for attackers. A compromised website can be used to steal data, spread malware, or disrupt operations. Depending on your business, you might face a variety of different risks if your website is compromised:
- Data breaches: Compromised websites can be used to steal sensitive data, such as customer information, financial data, and employee records. This data can then be used for identity theft, fraud, or other malicious purposes.
- Malware distribution: Once an attacker controls a website, distributing malware such as viruses, Trojan horses, and ransomware becomes far simpler. This malware can infect visitors’ computers and devices, causing damage and disruption.
- Denial-of-service (DoS) attacks: Attackers can use compromised websites to launch DoS attacks against other websites or systems. These attacks can overwhelm the target system with traffic, making it unavailable to legitimate users.
- Phishing attacks: Compromised websites can be used to launch phishing attacks. Phishing attacks are attempts to trick users into revealing sensitive information, such as login credentials or credit card numbers.
- Reputational harm: If customers and partners learn that your company’s website has been hacked, they may lose their trust in you, potentially leading to lost sales or partners who no longer want to work with your team.
- Legal exposure: Like many other states and countries, Washington requires companies to notify people whose information may have been taken in a security breach within 30 days of the breach being discovered. And if more than 500 Washington residents need to be notified, the Washington Attorney General’s Office needs to be looped in as well.
By setting an appropriate security stance for your organization based on your risks and acceptable tolerances, you help ensure that your website isn’t an easy target just waiting to be compromised. There are a number of steps you can take to shore up the security of your website, some of which are below:
- Keep your server’s operating system, software, and website tooling up to date: Software developers regularly release security updates to patch vulnerabilities in their products. Establish a regular cadence for applying updates and make sure that you’re not running systems that have hit their end of life for security patches.
- Tune your website tooling to be as secure as possible: Even if you’re keeping your website framework and plugins/themes updated, there are additional configurations that can be tweaked to make the site even more secure. One of the easiest ways to do this is by configuring your site’s HTTP security headers (for example, Content-Security-Policy and Strict-Transport-Security) to prevent misuse.
- Use strong passwords and multi-factor authentication: Strong passwords and multi-factor authentication (MFA) can help to prevent unauthorized access to your website’s backend administration system.
- Use a web application firewall (WAF): A WAF can help to protect your website from common attacks, such as SQL injection and cross-site scripting. It can also be used to block malicious traffic and throttle requests coming from countries you don’t expect visitors from.
- Regularly scan your website for vulnerabilities: There are a number of tools and services that can be used to scan your website for vulnerabilities. It is important to run these scans regularly and to fix any vulnerabilities that are found.
- Monitor your website traffic for suspicious activity: There are a number of tools and services that can be used to monitor your website traffic for suspicious activity. If you see anything unusual, investigate immediately.
- Back up your website on a routine schedule: Store the backups somewhere other than the same server, so that a compromise of the server doesn’t also take out your copies. In the event that your website is compromised, having a clean backup will allow you to quickly restore it.
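As an added example (not code from the original post), the following Python audit checks a site’s response headers against a small defensive baseline, which is one way to verify the header tuning recommended above. The two header sets are constructed samples, not captured from any real site; in practice you would pass the headers your own server returns.

```python
"""Audit HTTP response headers against a small defensive baseline.

Added example, not from the original post. Sample header sets below are
constructed; feed it real headers (e.g. requests.head(url).headers) instead.
"""
from typing import Callable, Dict, List

# Headers a hardened site should send, with the check each value must pass.
BASELINE: Dict[str, Callable[[str], bool]] = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Referrer-Policy": lambda v: v.strip() != "",
}

# Headers that commonly disclose software versions; keep them terse or drop them.
LEAKY = ("Server", "X-Powered-By")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    # Header names are case-insensitive, so normalise before looking them up.
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, ok in BASELINE.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        elif not ok(value):
            findings.append(f"weak: {name}: {value}")
    for name in LEAKY:
        value = lower.get(name.lower(), "")
        if any(ch.isdigit() for ch in value):  # a digit almost always means a version
            findings.append(f"version disclosed: {name}: {value}")
    return findings


# Constructed sample: a typical untuned site (values are illustrative only).
SAMPLE_UNTUNED = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Content-Type": "text/html",
}

# Constructed sample: the same site after tuning its headers.
SAMPLE_HARDENED = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("untuned", SAMPLE_UNTUNED), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_headers(hdrs) or ["baseline met"])
```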
Hopefully you’re already doing all these things; if not, these ideas can at least prompt some internal discussions about how your company might be impacted by an insecure website or server. Do you suspect that your website could use a review but aren’t sure where to start? Give us a shout, we’d love to hear from you.
