[Raleigh NC] I’d like to talk about the security of your website, how this pertains to your choice of a web design provider and host, and why, as a North Carolina business owner, you should care. It may surprise you to hear me say that the security of your website is not about your website, plugins, firewalls, or any of that stuff. Rather, the security of your website is primarily about risk management, which is to say, making a deliberate and informed decision about the level of legal and financial risk you are willing to assume as a business owner. If you ignore security, you could not only find yourself put out of business by a casual hacker with nothing better to do, but also potentially landing in prison and facing financial penalties for failing to take due care. This isn’t just a concern for banks or companies on Wall Street. It’s a considerable concern for the local shop serving their customers day in and day out, as I’ll explain.
- Over 50,000 WordPress websites were hacked in July 2014 through just a single vulnerability (Source: PC World)
- Over 800,000 banking credentials were stolen using hacked WordPress sites in October 2014 (Source: Data Breach Today)
- Almost 2 out of every 3 companies that experience a data breach are forced out of business within 6 months (Source: Symantec/NCSA)
- Let me repeat that: two out of every three businesses that have a data breach will go out of business.
Despite what your friends or family may have told you in the past, they are, in fact, out to get you — and most of them really don’t care about the effect it has on you or anyone else. In fact, sometimes that’s quite their point. Motives are so varied that it’s hard to generalize, but they may include financial gain, hacktivism, politics, political or industrial espionage, elimination of a competitor, or maybe even just general meanness. And what only takes them 5 minutes could cost you your entire business.
Choosing who to listen to can be a challenge of its own. There are certainly plenty of web designers and Internet experts out there. There are also a lot of people who capitalize on fear, unfortunately, so it can be difficult to know who to listen to. So, today, I have nothing to sell you. I just want to explain why you need to take this subject seriously, and share some thoughts about what you can do about it. Security has always been part of how I approach solution design, because no implementation is complete without appropriate security controls – without them, you’re just begging for trouble. On the best day, you do everything right and only succeed in reducing the chances of getting hacked. Without at least some effort put into security, though, it’s like leaving all your money lying on the sidewalk next to a busy highway. It’s only a matter of time until someone takes it. What you need to know is that unless you have made specific provisions for the security of your website, you’re probably receiving a lot less protection than you think, and the potential impact of getting hacked is likely worse than you’d imagine.
If you’ve never thought much about the security of your website or discussed it with whoever maintains it for you, you need to be worried. The real problem isn’t just getting hacked and the lost revenue you experience until it’s fixed. If you have a good maintenance contract, your provider will be able to restore a backup for you. The bigger problem is that you can get blacklisted by all the major search providers and email servers, turning your once-great website into a thing of yesteryear, and just restoring your website won’t get you off the blacklist. Then there’s the whole public relations aspect, and loss of customer faith in you. Once those news stories are out there, you may have to spend a lot more on damage control and restoring credibility. Getting hacked can destroy your business, as you find that not only can no one find your website in searches, but your emails start getting rejected when you try to send them. This can be unrecoverable. And depending on the exact situation and what happened, you could find yourself guilty of criminal charges, face financial damages, and wind up in prison – all for something that a little basic security might have prevented. It may not be fair, but it unfortunately happens. Hopefully it’s now clear why I said earlier that website security is about legal and financial risk.
Key Things to Know
- No security is ever guaranteed or absolute. There’s no such thing as an impenetrable website or information system. Neither I nor anyone else can truly guarantee that you will never get hacked. A determined hacker will eventually find a way in – period. There is no getting around this. That’s just how it is. All we can do is make it harder, improve your odds, and increase your chances of recovering from it gracefully.
- Whether you know it or not, you have associated legal and financial risk. The only question is whether you understand that risk and have made informed decisions about it. Ideally, you would spend as much money as needed to create a nearly-impenetrable security barrier. I’m sure we all would if we had the money. The reality is that most people can’t afford ultimate security, so security becomes an exercise in deciding what level of legal and financial risk you are willing to assume.
- Security is built in layers. Your job is to first and foremost stay off the radar of hackers looking for easy prey, so you don’t show up like a juicy target just begging to be hacked. Second, in the event that someone of ill intent stumbles across you while looking for easy pickings, you want it to appear that you’re more trouble than you’re worth. In other words, ideally an evil-doer seeking random targets would look at your website’s security and pass you by in favor of easier prey. These first two aspects provide some level of security all on their own, but unfortunately they don’t actually stop anyone from breaking in. That’s why you also need defensive measures to help keep them out if they try to break in. No security is ever bullet-proof, but there are things that can make it harder.
- Many hosting providers provide some minor level of security, but it’s important to understand that this security is sometimes more about protecting them – not you. I need to explain what I mean by that. Hosting providers will usually operate firewall and intrusion prevention systems – but some are more active about this than others. What some of them will do is disable your website completely if they see suspicious activity. However, what usually happens is they just take your site down and don’t tell you, because their main goal is to keep their servers from getting blacklisted. In other words, they may well take your website down in order to protect themselves. (It’s probably better than your website being used to carry out additional attacks, though.) Unfortunately, they don’t usually tell you about this – you find out later the hard way that your website is offline, and have to figure out how to restore it to operation and whether you’ve been blacklisted. Conversely, there are some hosting providers who are very proactive on security and really go the extra mile for their customers – they are not all created equal, as my story below will illustrate.
- Most web design contracts that I’ve seen don’t address this subject at all.
The Alarming Truth
Now it’s time for a true story. In recently working with a Raleigh-area client, I set about making some improvements to their .htaccess file – industry standard security measures widely regarded as a proper standard of care – but the hosting provider felt it was too much load on their servers, so they disabled all of the security measures – all of them – without even asking! They just turned it all off, leaving the client much more vulnerable to attack. I run these exact same protections on other providers without a problem, but apparently this particular provider felt that industry-standard security was too much work for their server.
A data breach can cost you your business, jail time, and financial penalties, so I hope you’ll agree that it’s worth taking seriously. Since my primary focus in this article has to do with web design and hosting, here are a few takeaways for you:
- Realize that ‘they’ are actively looking for targets just like you at this very moment, with tens of thousands of websites getting hacked every single month.
- Talk to an attorney that deals with these issues and take legal measures to protect yourself. Read the fine print on any existing contracts.
- Discuss options for cyber insurance with your insurance carrier – something many businesses are not even aware is available.
- Discuss protective measures with your information technology providers. If you’re in the same boat as most people, you’re probably going to find that nobody is promising to protect your data unless you explicitly contracted with a provider to do just that. That’s not any sort of trickery or deception; it’s just that they typically have not built the additional associated cost into the rate you’re paying for basic services. Often, additional services are available to you.
- Monitoring and security are not the same thing. Monitoring is helpful, but quite often the services offered by hosting providers don’t tell you that you have a problem until your website is already hacked. It’s good to know so that you can respond and hopefully contain the situation before too much damage is done, but preventing it would be a lot more helpful – wouldn’t you agree?
- Don’t store customer information, confidential or business proprietary information, Personally Identifiable Information (PII), or Payment Card Information (PCI) in your website or online databases without proper security controls.
- Have a plan to both provide for information security, and for how you will react in the event of a breach – and store a copy of this plan offline somewhere.
- Implement strong information security throughout your business as a whole in order to protect all information assets. It only takes one weak link.
- Once you understand the cost of any additional legal measures, insurance, and information technology infrastructure improvements to reduce your exposure level, you can make informed choices about the level of risk you are willing to assume for your business.
WordPress Security Tips
I serve B2B and B2C companies throughout North Carolina, so I have a good view into the reality of what’s happening. With WordPress being a very common choice among small businesses due to its power and flexibility, many companies hire someone to implement a WordPress website for them without ever discussing security. Simple HTML sites are a lot less vulnerable, but lack flexibility. When it comes to any sort of CMS such as WordPress, you need to make sure that security is addressed. What I’ll say is that most of the existing websites I’ve worked on for customers had little or no security – not even basic best practices – so I know from what I’ve seen with my own eyes that most web designers are not addressing security, and most customers don’t realize they should ask.
Here are just a few very basic tips for a small business owner to use as a guideline in talking to your web designer:
- What is the hosting provider’s track record on actual support when you need it?
- Use .htaccess to lock things down
- Harden WordPress itself
- Use non-standard usernames, with complex unique passwords
- Have a process to keep all software and plugins updated
- Delete, not just disable, any unused plugins
- Use only mainstream, well-known plugins from vendors that provide prompt corrective action
- Ideally your relationship with your web designer will be one of partnership. Find out what they can do to reduce your risk profile, discourage hackers, and help you recover in the event it happens.
- As a business owner, accept that you ‘own’ information security – service providers may carry out your wishes, but at the end of the day it’s always going to still be your responsibility in the eyes of the law, so consider that in your selection of a web design provider.
Those are just the very basics; there’s a whole lot more you can do, which I hinted at throughout this article. For the sake of my clients, my lips have to remain sealed about any sort of details.
Thanks for reading; I hope you have a great 2016! Be safe.
P.S. In the time it took you to read this, 7 more websites just got hacked. What are you going to do to keep from being one of them?
About the Author
As a web designer in Raleigh, Brian provides information technology solutions and consulting services to customers, including website design and hosting. He has over 20 years of experience in providing for the security of IT systems of both governmental agencies and private sector firms, with formal training and over 7 years as an industry-certified hacking expert.
DISCLAIMER: Subject to terms as posted at http://dunntek.com and shall be considered as part of the DunnTek website for the purposes of such terms. If no such terms are posted or available, or if you do not agree with them in their entirety, then you should delete any and all copies of this document immediately. No warranty or guarantee of any kind is made or implied. Information may not be current or accurate. Author not responsible for any action that you may or may not take. This is a high level document intended to introduce some issues and ideas at a very high level only. While some actionable ideas are presented, they are listed only for purpose of facilitating a conversation between you and a properly qualified information security professional, not to suggest that you take any particular action or that any particular action will be appropriate or sufficient for your information security needs. Nothing herein constitutes professional advice. This document does not serve as a guide to achieving any particular level of security or achieving any level of regulatory compliance. In other words, there’s a whole lot more to security than I can tell you in a short document like this, so get professional help.