In this modern age, your website is the hub of your digital presence. It’s the first stop for potential clients who are considering doing business with you, and is often the first stop for existing clients who need to check out your latest offerings or get in touch with you as well. Which is why having your website come under attack is a disaster by any definition of the word. It can have a huge impact on your reputation, your relationships with your clients, and it may even cost a fortune to get it back up and running again.
But is there any way to avoid attack? With cyberattackers using ever more sophisticated methods to infiltrate systems, are there steps that you can take to protect yourself, your website and your reputation?
The answer, of course, is yes. And here are 4 steps that you can take to secure your website and reduce the risk of it becoming compromised.
Are You Really at Risk Of A Website Cyberattack?
When I talk to clients and prospects about cyberattacks, one of the first things they often say is, “But we’re so small. Who would want to attack us?”
The truth is, there are plenty of reasons that small businesses are being targeted. One of the biggest is that SMEs often cannot afford (or think that they can’t afford) the kind of security measures that large conglomerates or big businesses put in place. This makes them easier targets for attack, since a cyberattacker can often gain access to systems without even being noticed.
Another reason that cyberattackers often target small businesses is that these companies are unprepared for an attack. It’s not only easier to infiltrate their systems and bypass security that SMEs put in place, but there is also the chance for a bigger payday, particularly when it comes to ransomware attacks. Because small businesses do not think of themselves as ideal targets, they often don’t invest in cloud solutions, or prioritise backing up their data. This means that if a cyberattacker compromises your website or data, and holds it ransom, small businesses often have no choice but to pay the exorbitant fees in order to get their site and data back. And even then, there’s no guarantee that the attackers will provide it once a ransom has been paid.
Attacking small businesses may net the attackers a smaller sum than they might receive when attacking a bigger company, but when you consider that bigger businesses invest in advanced security solutions and recognise the threats that cyberattackers pose, while SMEs often underestimate the risk that they face, it’s clear to see why attackers choose to target small and medium enterprises.
What Does A Website Attack Look Like?
Because attackers use so many different techniques for infiltrating systems, it can be difficult to pinpoint exactly what form a website attack may take.
In some cases, attackers may redirect your website to a clearly fraudulent alternative. For example, if you try to navigate to your accounting firm’s website, and find yourself on an Amazon loyalty page asking you to fill in your name, email address, contact number and Amazon password, it won’t take you long to realise that your site has fallen victim to an attack.
More dangerous than these obvious redirects are the attackers who make clones of your website, inviting your clients to sign in as they usually would, but intercepting the details that they enter. Instead of their usernames and passwords allowing them to log in as usual, the clone may throw an error saying that the system is briefly offline. In the meantime, those login credentials will have been passed directly to the attackers, giving them potential access to other systems, particularly if your clients are using the same passwords for multiple sites.
Then there are the most dangerous attacks of all – those where attackers infiltrate your website, but don’t take any action. Yet. They wait in the background, slowly gaining access to more and more data, systems and networks, until they are able to orchestrate a more comprehensive attack, taking not just your website, but all of your systems offline.
What Steps Can You Take To Protect Your Website?
Because attacks can take so many different forms, and cyberattackers are constantly evolving to bypass new security techniques, it is impossible to entirely safeguard your website and your business against attack. But there are steps that you can take to reduce the risk and make it more difficult for an attacker to infiltrate your website and systems.
1. Keep Your Plugins Up To Date
Plugins are exceptionally useful tools that allow you to customise your site while adding handy functionality for your website visitors. But they need to be regularly maintained and updated. Just as you need to regularly update and patch your software, you need to keep your plugins current: outdated plugins can introduce vulnerabilities to your site which attackers can take advantage of, allowing them access to your information, and allowing them to manipulate your site’s content.
By keeping plugins updated, you are reducing the number of entry points that an attacker could exploit.
2. Limit Access To Only Those Who Need It
The more people have access to your website’s backend, the more credentials there are that could become compromised.
Let’s say, for example, that with the aim of transparency, you have provided all of your employees with access to the backend of your website. Your CEO, CFO, Head of Marketing, Head of Sales, Accounts team and more all have access to your website so that they can provide their input where necessary. Stranger things have happened!
But when your CFO is targeted by a whale phishing attack, and their email address becomes compromised, suddenly their login credentials are exposed as well. Which means that the attacker not only has access to the email address, but to your website too.
By ensuring that the right people have the access that they need to your website (and to your data in general), you can reduce the risk of a single compromised email address providing access to your entire business.
3. Remove Inactive Plugins And Users
Part of maintaining your website should also be removing unnecessary plugins and users. As I already mentioned, each plugin that you use needs to be updated on a regular basis, or you run the risk of outdated software becoming a vulnerability that an attacker can take advantage of. But there is little point in maintaining and updating plugins and software that you are no longer using. Even updated plugins add a certain amount of risk, since often vulnerabilities take time to address and patch.
In the same way, having ex-employees listed as website users or administrators also poses a certain amount of risk to your business. Even if you have changed the passwords for these users, simply having them listed as users is an unnecessary risk, since with the right access, a password is easy to reset.
4. Enable MFA Wherever Possible
Personally, I cannot recommend multi-factor authentication (MFA) enough. I’ve said it before and I’ll say it time and time again – I will give you my password if I have MFA enabled. It adds such an easy, but effective layer of security. And most website providers, including WordPress and HubSpot, have the option to add multi-factor authentication to your login credentials.
This means that even if an attacker does compromise an email address or gain access to your website username and password, they still won’t be able to log in unless they also have access to your cellphone or, in some cases, biometrics like fingerprints or facial recognition.
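The four steps above can be run as one routine audit. The sketch below is an added example, not part of the original article: the plugin sample is constructed in the shape of WP-CLI's `wp plugin list --format=json` output, while the user records, their field names, the 90-day idle limit and the `needs_admin` set are assumptions made for illustration.

```python
import json
from datetime import date

# Constructed sample, shaped like `wp plugin list --format=json` output.
PLUGINS_JSON = """[
 {"name": "contact-form", "status": "active", "update": "available", "version": "5.1"},
 {"name": "old-slider", "status": "inactive", "update": "none", "version": "2.0"},
 {"name": "seo-helper", "status": "active", "update": "none", "version": "3.4"}
]"""

# Constructed user export; these field names are assumptions, not a platform format.
USERS = [
    {"login": "webmaster", "role": "administrator", "mfa": True, "last_login": "2024-06-01"},
    {"login": "cfo", "role": "administrator", "mfa": False, "last_login": "2024-05-20"},
    {"login": "former.employee", "role": "editor", "mfa": False, "last_login": "2023-01-15"},
    {"login": "marketing", "role": "editor", "mfa": True, "last_login": "2024-06-03"},
]

def audit_plugins(plugins):
    """Flag unused plugins (step 3) and active plugins awaiting an update (step 1)."""
    findings = []
    for p in plugins:
        if p["status"] == "inactive":
            findings.append((p["name"], "inactive: remove"))
        elif p["update"] == "available":
            findings.append((p["name"], "update available"))
    return findings

def audit_users(users, today, needs_admin, max_idle_days=90):
    """Flag stale accounts (step 3), excess admin rights (step 2), missing MFA (step 4)."""
    findings = []
    for u in users:
        idle = (today - date.fromisoformat(u["last_login"])).days
        if idle > max_idle_days:
            # A stale account should be removed outright, so skip the other checks.
            findings.append((u["login"], "inactive: remove"))
            continue
        if u["role"] == "administrator" and u["login"] not in needs_admin:
            findings.append((u["login"], "admin not needed: downgrade"))
        if not u["mfa"]:
            findings.append((u["login"], "MFA not enabled"))
    return findings

if __name__ == "__main__":
    report = audit_plugins(json.loads(PLUGINS_JSON))
    report += audit_users(USERS, date(2024, 6, 10), needs_admin={"webmaster"})
    for name, finding in report:
        print(f"{name}: {finding}")
```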
One Bonus Step That Will See You Reducing The Impact Of A Website Attack
While the steps above can help you to avoid falling victim to an attack, they are not guarantees of your website’s security. As I mentioned before, cyberattacks are becoming ever more sophisticated, and even following the recommended procedures won’t always ensure that your website won’t fall under attack. The best that you can do is reduce the risk to your business by following best practices for security, and by taking one extra step to protect your website’s data, even if it does become compromised.
Put A Disaster Recovery Plan In Place
A Disaster Recovery Plan (or DRP) details the steps that should be taken when an attack, data leak, or even natural disaster occurs. It involves planning for the worst possible scenario, so that if it does become a reality, your team members know exactly how to react. There is nothing worse than discovering that you have been attacked, and having no concept of what to do about it.
Disaster Recovery Plans often include performing cloud backups on a regular basis, ensuring that even if your data does become compromised, it can easily be restored. Your DRP may even include storing a backup of your website on an alternate cloud server, which can be switched to immediately if your site becomes compromised.
How Can Solid Systems Help?
Over the past twenty-one years in business, we have seen websites being compromised over and over again, and we have vast experience in helping businesses both to prepare for attacks through detailed technology and disaster recovery planning, and to bounce back from attacks by leveraging advanced threat protection platforms and cyber security techniques.
If you are looking for IT consultants or a Managed IT Services provider with vast experience in protecting businesses in South Africa and around the globe from cyberattacks, along with ensuring that your technologies are meeting your existing and future goals, get in touch with Solid Systems today.