Website hacking is in the news every week lately. At any given second, multiple cyber attacks are launched from other countries targeting companies in the United States and other parts of the world. A cyber attack visualization tool is available for free here so that you can get an idea of the frequency of attempts. In this post I’d like to address why website hacks may be increasing, what hackers are targeting, and what businesses can do about protecting themselves from website hacking.
In March, Google posted the State of Website Security in 2016 report, showing a 32% increase in the number of hacked sites in 2016 compared to 2015. The post went on to say that Google does not expect this trend to slow down. Hackers continually change their tactics, looking for any way to exploit sites, and that, coupled with outdated websites that have known vulnerabilities, is leading to a bigger problem on the web.
Google takes website hacking very seriously
Google is very concerned about information theft and leaks because they impact everyone searching the web. Additionally, if a business website is compromised, that business can receive a penalty, which will significantly reduce its search engine rankings, because Google doesn’t want people to visit a site that is hacked. In fact, if a site is hacked, Google will quickly find it with its Safe Browsing bots, will not show AdWords ads for the site, and will put up a notice in the search results that the site has been hacked or that malware has been detected, to deter web searchers from clicking on the URL.
Why are website hacking instances increasing?
A recent New York Times article suggests that hacking is a convenient and cost-effective method for smaller companies to “confront larger rivals” in business. Hackers do it for profit (as when companies are held hostage for a ransom) and to gain sensitive personal or financial data that they can sell or use, but hacking is also becoming increasingly political (as with the recent hacking involving elections in the United States and Europe). Hackers are becoming much more sophisticated, and this can present additional headaches for webmasters. Google has put together a page to help webmasters avoid hacking by identifying the most common ways websites get hacked.
Top Ways Websites Get Hacked
Google identified the top ways websites are typically hacked. They are:
• Compromised Passwords: Once a hacker has your website password, he or she has access to all the information on your site, even sensitive data. Tips for password protection include regularly changing passwords; creating strong passwords using combinations of upper and lower case letters, numbers and symbols; never reusing passwords; using different passwords for different logins; and using two-step or two-factor authentication (2FA), which uses a text message code in addition to a password and makes it extremely difficult for hackers to get past passwords.
• Missing Security Updates: Webmasters should always run security updates on website software, plugins, servers, databases, content management systems and other website add-ons.
• Insecure Themes & Plugins: Only use secure themes and plugins, and if you stop using a theme or plugin, make sure to delete all of its files instead of just disabling it. This way, if hackers have added malware to a theme or plugin, you will remove it from your site.
• Social Engineering: An example of social engineering is phishing, where you need to be on the lookout for email that poses as a legitimate organization and requests security information. A good rule of thumb is to never provide passwords, credit card numbers, banking information, or other sensitive information via email or chat. Always call and talk to the actual recipient before providing any such information.
• Security Policy Holes: Webmasters should have strong policies governing who can access website data, and never give out passwords to people who do not absolutely need them. One user with a poor password can put an entire site at risk. All websites should be secured with HTTPS, and webmasters should not allow file uploads from unauthenticated users. Webmasters should routinely test access controls and user privileges and check web logs for suspicious activity.
• Data Leaks: Mistakes can happen, and sensitive information can leak publicly. Webmasters can avoid data leaks by periodically checking error-handling messages and working through examples of security policies.
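The log review recommended under Security Policy Holes, sketched as an added example (not code from the original post or from Google): it flags addresses with repeated failed logins and uploads accepted from requests with no authenticated user. The /login and /upload paths, the threshold and the sample log lines are assumptions made up for illustration, and it assumes the server records the authenticated user in the third field of each log line.

```python
import re
from collections import Counter

# Common Log Format: host ident authuser [time] "METHOD path PROTO" status bytes
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

LOGIN_PATH = "/login"      # assumption: hypothetical login endpoint
UPLOAD_PREFIX = "/upload"  # assumption: hypothetical upload endpoint
FAILED_LOGIN_LIMIT = 3     # assumption: threshold chosen for the sample

def review_log(lines):
    """Return (ips_with_repeated_failed_logins, unauthenticated_uploads)."""
    failed = Counter()
    uploads = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        status = int(m["status"])
        # Rejected login attempts, counted per client address.
        if m["path"].startswith(LOGIN_PATH) and status in (401, 403):
            failed[m["ip"]] += 1
        # An upload the server accepted although no user was authenticated.
        if (m["method"] in ("POST", "PUT")
                and m["path"].startswith(UPLOAD_PREFIX)
                and m["user"] == "-" and 200 <= status < 300):
            uploads.append((m["ip"], m["path"]))
    noisy = sorted(ip for ip, n in failed.items() if n >= FAILED_LOGIN_LIMIT)
    return noisy, uploads

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2017:10:00:01 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/May/2017:10:00:02 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/May/2017:10:00:03 +0000] "POST /login HTTP/1.1" 401 512',
    '198.51.100.4 - alice [10/May/2017:10:05:00 +0000] "POST /upload/logo.png HTTP/1.1" 201 0',
    '192.0.2.9 - - [10/May/2017:10:06:00 +0000] "POST /upload/doc.pdf HTTP/1.1" 200 0',
    '192.0.2.9 - - [10/May/2017:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    noisy, uploads = review_log(SAMPLE_LOG)
    print("repeated failed logins from:", noisy)
    print("uploads accepted without a logged-in user:", uploads)
```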
If your website is hacked, Google provides help
Every webmaster should use the Google Search Console http://www.google.com/webmasters to periodically check the health of the website. You will have to verify that you own the site before seeing site statistics in the Google Search Console. If malware is detected on your website, there will be a message in the dashboard of the Search Console. If Google found malware, there are certain steps you will have to take to remove the “website hacked” message on search results. You can find these instructions here; they include quarantining the site and anything connected to the site, removing the malware, and shoring up any vulnerabilities so the site is not hacked again the same way. Once the site is fixed and secure, you can request a review and Google will review it within 24 hours. If the site is clean, Google will let you know you can restart your ads. Sometimes the AdWords software detects spam and turns off the ads without a message being displayed in the Search Console, in which case you can request a review by Google.
Google has data indicating that, after a site has been hacked, 84% of webmasters who request a review have successfully cleaned up their sites and had the Google penalty removed. A big takeaway from this is to make sure to verify your site in Google Search Console and check the messages periodically.
No one can prevent hackers
No one expects their website to be hacked. Of course, it is important to put as many processes and procedures in place to prevent hacking as possible, and to avoid the headache of having to recover your website. According to Security Magazine http://www.securitymagazine.com/articles/82899-97-percent-of-attacks-were-avoidable 97% of hacks are avoidable, but there could be a very clever hacker who discovers a unique vulnerability in your defenses. If your website is hacked, the best advice is to act quickly and with total transparency. This will reduce the cost of website hacking, and perhaps keep customers from leaving your business.
The Cost of Website Hacking
Last year, Heartland Computer Repair estimated that the average cost of a hacked website to a small business is around $2500. However, this estimate perhaps only takes into account the “hard costs” of hacking, i.e. getting your site back up and repaired, and patching the vulnerability that was responsible for the hack. It may even include investment in prevention of hacking going forward, such as changing the hosting or adding firewalls, automatic security upgrades, and 2-step password protection.
There are other, non-direct costs of a website being hacked. First, there is downtime and actual revenue loss, and the longer the hack remains in Google’s penalty status, the more revenue the site loses. In a competitive space, even a few hours of ads not running or the Google search penalty appearing can cost retail businesses tens of thousands of dollars.
If personal data is breached, there may also be the cost of the error if individuals demand reparation. Depending on the data, this can also result in a huge cost. Surely the errors and omissions insurance premium of a hacked business will increase.
If the site is held by “ransom-ware” then there is the cost of either paying the ransom demand or rebuilding the website (with subsequent data loss) as well.
If your site is hacked, you will likely lose customers because they’ve lost confidence in your security. It’s difficult to measure this cost as well, but it’s clear that having total transparency about the situation and the effort spent in fixing the vulnerability will help to restore customer confidence.
Repairing a hack takes systems administrators, marketers, customer support, programmers and owners away from their normal business tasks, causing stress and usually resulting in new procedures that take a while for staff to learn. This is another cost that is difficult to measure.
Even when you follow all Google’s steps it can take a while for Google to actually take down the malware message, resulting in additional loss of traffic and revenue.
It’s impossible to put a number on the cost of website hacking. What is clear is that it is very important to put all the security measures you can in place to avoid website hacking. Otherwise the cost to your business could be excessive.