By Neill Feather, Special for USDR
Today, we’re seeing cybercriminals target businesses at an alarming rate. This evolution has caused a shift in focus and hackers are now targeting easily accessible platforms – websites. System-level security, like antivirus and automatic updates, has evolved and is efficient at blocking threats, so end-user breaches are no longer the most effective attacks for the majority of hackers. Websites provide a unique challenge in that they’re inherently meant to be interacted with (in fact, organizations pay a lot of money to ensure this happens by way of marketing).
Think of a website as a new car. You’re proud of your car. It’s eye-catching and sporty. Would you ever leave your car keys in the ignition of your new car with its windows open? This is much like spending time and money on developing a new website, but not having any security in place to protect it. The same can be said for existing sites. You’ve established your customer base and reputation; a data breach can effectively destroy everything you’ve worked to build.
Using the same car example, some companies roll their windows up and put the keys under the seat, but forget to lock the doors. The car is more protected than in the last example, but it’s still not secure. Take the recent Anthem breach, for example. They had some security in place, but were lacking in certain areas. This is a good time to say that no solution is 100% infallible. With over one million new strains of malware created each week, it’s difficult to keep pace. However, we need to do what we can to stop what’s out there. In the healthcare industry alone, the Department of Health and Human Services estimated about 30 million records (and counting) were compromised in 2014.
Bots from all over the world are constantly crawling the entire Internet looking for vulnerable websites. One out-of-date plugin and an entire site can be compromised. On the manual side, specialized vulnerability scanners point bad actors straight to a site’s weak points, and pre-packaged exploits and exploit frameworks are available to make exploitation almost point-and-click simple.
With this very real threat to our data, everyone needs to be educated on how they can protect their sites and more importantly, their visitors. Let’s start with these three main areas:
Employees are often your first line of defense after a web application firewall (we call our employees our “human firewall”). Train employees on how to protect their data, how to handle requests for information from outsiders, and what to do if something looks suspicious.
The best defense is a “shields up” approach. Identify the most common ways vulnerabilities arise, whether it’s through an unprotected website or a careless employee, and patch the holes where possible.
If you’re going to assume that you can’t block all malicious requests, you can still do many things to reduce the potential damage. User privilege management is one of the best defenses. If you strictly limit the access privileges of your users to just the things they absolutely need, you can prevent malware from jumping from the lowest level of access to the highest.
Websites need to have strong, multi-layered protection in place. For instance, passwords should not be the only means of authentication; two-factor authentication adds a second layer of security on top of traditional password security.
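The two preceding points, limiting each user to the privileges they actually need and not relying on a password alone, are easier to reason about with concrete code. The following is an added illustration, not code from the article or from SiteLock’s products: a small web-application login and authorization model in Python. The role table, user record and secrets are constructed for the example; the password hashing uses PBKDF2 and the second factor follows the TOTP algorithm (RFC 6238 over HOTP, RFC 4226), so the codes it produces match the RFC test vectors.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed role table (assumption for this example): each role is granted
# only the actions it needs. A compromised "editor" account cannot install
# plugins or manage users, so malware riding that account cannot climb to
# administrative power simply by being logged in.
ROLE_PERMISSIONS = {
    "editor": {"post:create", "post:edit"},
    "moderator": {"post:create", "post:edit", "comment:delete"},
    "admin": {"post:create", "post:edit", "comment:delete",
              "plugin:install", "user:manage"},
}

PBKDF2_ITERATIONS = 200_000
TOTP_STEP_SECONDS = 30


def is_authorized(role, action):
    """Deny by default: unknown roles and unlisted actions get nothing."""
    return action in ROLE_PERMISSIONS.get(role, set())


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how close a guess was."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def totp(secret, timestamp, step=TOTP_STEP_SECONDS, digits=6):
    """Time-based one-time code (RFC 6238) using HOTP dynamic truncation (RFC 4226)."""
    counter = int(timestamp // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, timestamp, window=1):
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(user, password, code, now):
    """Both layers must pass: a stolen password alone is not enough."""
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return False
    return verify_totp(user["totp_secret"], code, now)


def make_user(role, password, totp_secret):
    """Build a constructed user record the way a registration step would."""
    salt, digest = hash_password(password)
    return {"role": role, "salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


if __name__ == "__main__":
    # Constructed sample user and secret; the RFC 6238 test secret is used so
    # the generated codes can be checked against the published vectors.
    secret = b"12345678901234567890"
    user = make_user("editor", "correct horse battery staple", secret)
    now = 59
    print("password only:", verify_password("correct horse battery staple", user["salt"], user["pw_hash"]))
    print("full login, right code:", login(user, "correct horse battery staple", totp(secret, now), now))
    print("full login, wrong code:", login(user, "correct horse battery staple", "000000", now))
    print("editor may edit posts:", is_authorized(user["role"], "post:edit"))
    print("editor may install plugins:", is_authorized(user["role"], "plugin:install"))
```

The point of the role table is that authorization is decided per action, not per login: once a low-privilege account is compromised, the attacker’s reach ends at that role’s list. The point of the two-step `login` is that a password captured from a phishing e-mail or a data dump is useless without the time-limited second factor.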
For example, the SiteLock® website security tools find, fix and prevent potential threats, helping companies protect their data and reputations, and ensure a consistent user experience. The TrueShield Web Application Firewall secures websites from automated and human targeted attacks, prevents scrapers, blocks backdoor access and sorts out bot traffic. Couple that with 360-degree protection from malware while identifying vulnerabilities with daily malware detection scans, automatic malware removal and expert support and you have a great defense against most known methods of compromise.
Finally, it is important to have a plan of what to do if the day comes where you realize there is a breach. Who needs to be involved internally? What organizations will you involve externally and at what point? How and what will you communicate?
Companies that are proactive about website security and response plans are able to recover quickly from attacks and avoid any serious impact. Those that do not have the proper website security and response plans in place face financial impacts, which can average $180k per incident, and damage to their reputation that often lasts long after the attack subsides. In fact, a recent study discovered that a staggering 60% of small businesses suffering a data breach will be out of business in less than six months following an attack.
The unfortunate truth is that data compromises and cyber attacks are growing at an increasing rate. Companies that don’t take appropriate measures to protect their assets will likely find there are financial and possibly legal ramifications. Why not make investments up front that could provide long-term protection and security? Roll up your windows, lock your doors, set that alarm and put your keys in your pocket.
Neill Feather – President of SiteLock
Neill Feather is the president of SiteLock, the leading provider of website security solutions for business. At SiteLock, Neill leads the company’s approach to 360-degree domain security by providing industry analysis and utilizing rapidly evolving data sets related to security and hacking trends. Neill has over 20 years of experience in the technology and systems industry, notably providing technology solutions and industry insights for Johnson & Johnson prior to joining SiteLock. Neill holds B.S. degrees in Statistics & Information Systems and International Business from the Pennsylvania State University, and an MBA from the University of Pennsylvania’s Wharton School of Business.
All opinions expressed on USDR are those of the author and not necessarily those of US Daily Review.