Is now the time to panic about your website getting hacked?
If you’ve been reading Irish news media over the past two weeks or so, you might easily be led to believe that the cyber-criminals are at the gates. And look, the attack on our national health service is hugely concerning. Cybercrime is on the rise and that will continue to be the case as our collective dependency on the internet increases.
The big problem here is that it’s entirely unclear to most business owners how seriously they should take threats to their cybersecurity. Sure, ransomware attacks like the one against the HSE can shut businesses out of digital workspaces until a fee is paid. But the kind of hacking that most businesses should be worried about is fundamentally different from the kind that tends to be reported in the media. Large organisations, whether in the public or private sector, have to worry about general vulnerabilities in their security along with specific attempts to get into their system.
However, if you run a business whose website is either built for e-commerce or simply functions as a brochure, it’s just not all that likely that a criminal organisation will seek to target your website specifically and less likely still that you’ll be subject to a ransomware attack that will do significant damage.
So, can you safely assume that you ignore the recent wave of cyber-crime, confident in the knowledge that your website is just not all that important compared to more attractive targets?
Well, not quite.
Here’s the thing: websites can see thousands of hacking attempts each year. Even though only a tiny proportion of them are successful, it can still be seriously worrying if your website ends up being compromised.
Luckily, with a timely reaction and adequate preparation it’s useful to know what the risks factors are for being hacked, what a hacking actually looks like and what you should do in the event of hacking.
What can I do to protect myself?
- Use strong passwords and, if you can handle it, two factor authentication for all your website logins;
- Use trusted software on your site and keep them up-to-date
- Backup your website regularly.
Here’s the essential thing you need to understand before you start doing anything complicated to shore up your cybersecurity.
These attempted-hacks aren’t usually coming from humans, but from botnets. These are automated tools deployed by hackers which target more-or-less every publicly available website looking to exploit obvious vulnerabilities. While it isn’t worth it for criminals to invest time or money into hacking your website specifically, it is worthwhile for them to design software which scans the web looking for sites who haven’t taken adequate care when it comes to doing the simple things right.
That means choosing passwords which are difficult to predict and opting for two-factor-authentication wherever it’s available. If you’ve logged into most online banking services recently, you already know what two-factor-authentication is: combining a password with some other means of verifying that you are who you say you are, like sending a text to your phone.
Taking these steps to protect your website is like having a lock on your front door: Of course it won’t stop a sufficiently determined character from knocking the whole thing down, but it might encourage the average, opportunistic burglar to look elsewhere. So if your password is “password”, it shouldn’t come as much of a surprise when you get outmaneuvered by a robot.
We also see many websites become compromised when updates aren’t installed for their content management system (CMS — think WordPress, Drupal etc). Hackers and the people who programme the software which keeps your website online are in a constant arms race: not updating your CMS is like trying to fight back against a machine-gun with a bow and arrow.
Most commonly of all, we find that people come to us with a hacked website because of an issue with a software add-on to their CMS — WordPress calls these add-ons plug-ins. Many such plugins are essential for adding additional functionality to your website and we use multiple plugins more or less every project. But their usage can introduce new risks when it comes to getting hacked. Make a habit for instance of checking whether all of your plug-ins are up-to-date every month or so.
Keep an eye out for scam plugins too; there are a lot of “free versions” of popular paid plugins out there that try to trick users into thinking they’re getting a good deal when really they’re opening the door to their websites getting hacked. If you’re not sure about a plugin, it might be time to contact your web designer who will know from experience which add-ons will work for you.
It’s important to be vigilant even with trusted plugins. It’s not unheard off for a developer who is tired of maintaining their software to cease providing vital security updates. Worse still, retiring developers have been known to sell popular plugins to criminal actors to make a quick buck, exploiting unsuspecting users in the process.
The final thing you need to think about is how often you need to backup your site. If your site is backed up, then restoring it to its pre-hacked state is easy — though you’ll need to examine whatever underlying issue facilitated the hack to make sure it doesn’t happen again.
The question, then, is how often should you back up? There’s no one universal answer to this, but a good rule of thumb is that every time you make a change to your website that you wouldn’t want to go through the trouble of doing again you should make a backup of your site. If you have an e-commerce site where twenty or-so products are added and removed every single day, then making backups a regular habit could save you a lot of time (and money) in the event of a hack. If your site is just there to get basic information about your business to customers, you probably only need to backup every month or so.
So, if you’re backing-up your site, keeping it locked-down with secure authentication and keeping your CMS and plug-ins up-to-date, then chances are you’ll be safe; the vast majority of the people who we work with who contact us about a hack at a later date were vulnerable because they didn’t keep up with these steps. Keeping your website hack-free requires a certain level of consistency and vigilance. Long gone are the days when websites could be stuck up on the internet; if you don’t keep an eye out, serious damage could be done to your business and its brand.
And if you don’t think you’re up to maintaining the security hygiene of your website, you should think carefully about purchasing a support package from your web developer, who should be able to handle everything for you. Chances are it’ll save you money in the long run.
What happens if I do get hacked?
The good news is that you probably won’t have to pay a 20 million euro ransom to get your website back. But if that’s the case, what do hackers even want with your website?
Basically, hackers are looking to hijack your website to either promote their own illicit products, redirect your customers to their own dodgy sites or use your site to spread malware. Often it’s a combination of all three.
Let’s break each of these down, explain how to recognise some of the more subtle variations and outline what you can do once you realise your site has been hacked.
One way that websites are attacked when their security has been undermined involves bots which pepper your site with links to illegal or grey-market products. Very often, these links are invisible so you mighn’t even be aware that they are on the site.
While most people can understand why a visible link might be attractive to an internet criminal trying to turn your customers into their prey, invisible links are a little more perplexing.
The explanation lies in the wonderful world of SEO (Search Engine Optimisation): it can be a very valuable asset for a spam site to have a link on your legitimate site. This can trick search engines into thinking that such spam sites are legitimate. Because links can be difficult to scout out on a site, business-owners don’t realise their website has been hacked until days or even weeks after it’s happened.
Worse still, some hacks are only apparent when the site is accessed through Google and won’t show up if you access your site via URL. This means that what’s happened may only become apparent after a customer complains; not a good look for any business conscious of its brand.
The same basic motivation, hijacking your traffic, is behind redirecting your site to theirs. Customers who aren’t paying attention to the URL might find their computers infected with malware. While this is by no means legal advice, in the past state agencies have had to pay significant damages after lawsuits revealed they had not taken adequate steps to protect their customers from malware.
So even the most seemingly innocuous attempts to compromise your website can have really damaging effects on your business: ripping up your credibility in the eyes of customers who don’t have the full picture, making your business look amateurish and even exposing your business to legal risk.
Ok, so what do I do when I get hacked?
If your site is backed-up, then a simple restore to a pre-hacked state should do the trick. Of course, you’ll also have to remove whatever underlying software made your site vulnerable in the first place.
If you haven’t backed-up, things are a little more complicated. Your CMS system should have plug-ins available to help you identify the corrupted files on your website — we like WordFence for WordPress — though in certain instances you might have to edit these manually. If this is all a bit daunting, contact a trusted website designer and developer and in most instances they’ll be more than happy to help out.