A couple of weeks ago, the Sucuri team was at HostingCon. We rubbed elbows with the people who bring your websites to the world and spoke at length with them about the importance of website security. However, the most interesting conversation we had over the whole week was with a small business owner on vacation with his family.
After a long day of conversations with the rest of the tech world, we needed to get a bite to eat and we decided to wait at the bar while the restaurant got our table ready. While there, we started talking to a man sitting next to us. As it turns out, he owns an auto body business in the Philadelphia area. Eventually, our new friend asked us what we were doing in Miami so we told him that we helped to run a firm focused on website security and, from our perspective, that’s when the conversation got really interesting.
“That’s For Big Websites, Right?”
Our new friend knew about the data breaches at the big retailers like Target and then went on to tell us, “But I’m not worried, because I have a really simple website and just ask people to fill out a form so we can contact them later.”
Tony and I were floored when he told us that… but should we have been? When you live every day in the security space, it can be easy to forget that the rest of the world doesn’t live there with you.
We’ll always use this blog to break security news and to educate the community about the latest malware removal techniques we’re pioneering, but the more we learned about our new friend’s business, the more apparent it became that we have an obligation to translate the language of website security so that website owners everywhere understand its importance. In that spirit, here’s our first primer in a once-in-a-while series for the everyday blogger, website enthusiast and small business owner on why security is important for their site.
What Would a Hacker Want With My Website?
Practically every employee at Sucuri has their own small website, and we also monitor and protect our sites because we know that they’re prime targets for hackers. Most website owners aren’t also security experts.
A big company, like Target, is a high-value target because a hacker network could make a large amount of money by bypassing their security. However, this is a high-risk strategy. Target is big enough that they have security analysts who work to keep that from happening. Alternatively, a hacker could automate an attack against 1,000 small websites whose operators and owners know very little about security. While those 1,000 websites may not have much traffic on a per-website basis, they have lots of traffic when aggregated together. Once a network of websites is in place, the hacker can relatively easily begin to monetize his work.
Going back to our auto body shop friend, it isn’t hard to imagine a time when a hacker quickly turns his form page into a phishing page that redirects information away from the site and harms potential customers. The scary thing is that the website owner wouldn’t even know about it until someone alerted him to the problem. If that ever happens, and his site is blacklisted, it will be amazing how quickly website security becomes the most important thing in his life.
I Don’t Take Credit Cards. Why Am I At Risk?
It is true that the moment your website begins taking credit card payments, you might as well raise your hand and tell attackers, “My website is now a target.” However, the real truth is that every website, big and small, is always a target.
The crux of the problem is that attackers can make money in many different ways. They may redirect your traffic to auto loan or porn sites, or they may poison your search engine results with pharmaceutical listings. They can add phishing pages to your site in an attempt to get your visitors to give them personally identifiable information, including credit card details. In all of these situations, they’re taking advantage of the work you’ve put in to drive traffic. If you’re not protecting yourself from attack, there are two factors you need to be aware of, one economic and the other psychological, because in many ways a website attack is much more devastating for a small business or website than for a large one.
First, you need to be sure that your site can sustain a loss in traffic or a loss in credit card transactions for a month or two months or six months, while the malware is in effect. When you don’t have a lot of traffic to lose in the first place and your website is hacked, it could take a very long time for those people who were scared away to come back. So, while Neiman Marcus can certainly sustain a data breach, you may be at a greater risk, relatively.
The second reason it’s more devastating is psychological. Unlike a big corporation, a lot of small business owners and bloggers feel a personal connection with their customers and readers. When you get hacked, you put them at risk and it feels terrible because you feel personally responsible for whatever pain or hassle you cause to these customers and readers.
How Can You Protect Yourself?
The best way to protect your website is by layering different levels of protection that can be broken down into four logical steps.
- Awareness of the problem.
- Understand the symptoms of attacks.
- Take steps to fix the root problem (malware) of attacks.
- Protect your website with a firewall.
It’s by design that each step above flows into the next. As you move down the rabbit hole of security, what becomes clear is that attacks are always evolving and that it would be a full-time job to keep up with them (in fact, it’s our full-time job). As you can see, the first step is awareness. Be aware that there are people out there who would take advantage of your website. Second, learn a little bit about the symptoms of attack. Have customers recently complained that they’ve been redirected off of your site when clicking links? Are readers complaining that they’ve seen a strange form when clicking a link? If so, then take steps to root out problems, such as running your site through our SiteCheck security scan. Better yet, just remove all doubt and protect your website by shielding it with our Website Firewall. Is that a shameless plug? Sure it is, but we plug CloudProxy because we believe in the safety it provides for you and for those who visit your website (not to mention that it also protects your investment in your website – both emotionally and monetarily). In addition, every website we protect is one more website towards our goal of making the web a safer place, and that’s something we can all be in favor of.
Thanks for this article.
Many of my clients are small businesses and not-for-profits and it’s often difficult to convince them that their website can be a target for hackers!
>Tony and I were floored when he told us that. But should we have been?
Yes and no. Yes, because from the perspective of us in the know, it is unbelievable that they would operate without any security. Yet from their perspective, they do not fully understand the issue and that has always been and will always be the issue.
I bet he has security at his office and home even though he may not be a millionaire in a mansion and not considered to be a high value target.
You could put a sticker on your van that says “no money or tools stored in this van” but they may steal the van and use it in an armed robbery or other criminal act.
The problem for us (you, me and everyone else in this industry who actually cares about their customers) is that we want to inform customers without scaring them. If you scare them, they will not complete the purchase and you will lose a customer. They may well think you are lying and using scare tactics to try and get them to buy from you.
Other developers that I have had first-hand experience with will simply roll the site back to a backup or a static copy when the site is infected. They do nothing to address the method used to infect. Why? There is no profit in it. All the customer wants is a clean site, so that is what they do using the simplest and cheapest method. I was shocked to see them do that, to say the least.
The biggest problem that I see on a daily basis is how these developers work. What they do is design the site and then put it on the cheapest host that they can find. Usually one of those dollar-a-month plans. Then they hand the keys over to the customer who has no experience in it and leave them in full control.
We saw this issue so many times and we even ran into issues ourselves with hosts changing settings, not informing us and we get hit with issues. One host switched from PHPsu to PHP and guess what? One of their customers was infected and was able to access our personal website.
We develop websites in-house and then host them on our server which we have full control over. This way we can guarantee the security level and make changes when we want to.
The issue in my opinion is the customer. They always focus on the bottom line, the price. It is like always buying the cheapest airfare you can find then complaining about the service. You get what you pay for and the company needs to cut costs to make a buck.
Do you think the auto shop guy you met would be able to understand the 4 steps you detail in the “How can you protect yourself” section? I doubt it. If he could, he would have done so already. The problem here is that people do not understand it, so they ignore it.
I am sure you have had someone come to you with your computer and ask you why it is slow, only for you to find lots of issues with the computer. It is not that this person is not clever; it is that whole fear-of-technology aspect.
Again, this is why I created my business to use a model that is non-standard within the area that I work. We tell our customers “You manage your business, we manage your website. This is because you are awesome at your business and we are awesome at managing your website. You do what you do best and we do what we do best and we both benefit”.