Simplifying the language of website security
A couple of weeks ago, the Sucuri team was at HostingCon. We rubbed elbows with the people who bring your websites to the world and spoke at length with them about the importance of website security. However, the most interesting conversation we had over the whole week was with a small business owner on vacation with his family.
After a long day of conversations with the rest of the tech world, we needed to get a bite to eat and we decided to wait at the bar while the restaurant got our table ready. While there, we started talking to a man sitting next to us. As it turns out, he owns an auto body business in the Philadelphia area. Eventually, our new friend asked us what we were doing in Miami so we told him that we helped to run a firm focused on website security and, from our perspective, that’s when the conversation got really interesting.
That’s for big websites, right?
Our new friend knew about the data breaches at the big retailers like Target and then went on to tell us, “But I’m not worried, because I have a really simple website and just ask people to fill out a form so we can contact them later.”
Tony and I were floored when he told us that. But should we have been? When you live every day in the security space, it can be easy to forget that the rest of the world doesn’t live there with you.
We’ll always use this blog to break security news and to educate the community about the latest malware removal techniques we’re pioneering, but the more we learned about our new friend’s business, the more apparent it became that we also have an obligation to translate the language of website security so that website owner’s everywhere understand its importance. In that spirit, here’s our first primer in a once-in-a-while series for the everyday blogger, website enthusiast and small business owner on why security is important for their site.
What would a hacker want with my website?
Almost every employee at Sucuri has their own, much smaller, website, and each of us also monitors and protects our site because we know that they’re prime targets for hackers and the reason for that is that most website owners aren’t also security experts.
A big company, like Target, is a high-value target because a hacker network could make a large amount of money by bypassing their security. However, this is a high-risk strategy. Target is big enough that they have security analysts who work to keep that from happening. Alternatively, a hacker could automate an attack against 1,000 small websites with website operators and owners who know very little about security and while those 1,000 websites may not have much traffic on a per-website basis, they have lots of traffic when aggregated together. Once a network of websites is in place, the hacker can relatively easily begin to monetize his work.
Going back to our auto body shop friend, it isn’t hard to imagine a time when a hacker quickly phishes his form page to redirect information away from the site and harm potential customers, and the scary thing is that the website owner wouldn’t even know about it until someone alerted them to the problem. If that ever happens, and his site is blacklisted, it will be amazing how quickly website security becomes the most important thing in his life.
But I don’t take credit cards. Why am I at risk?
It is true that the moment your website begins taking credit card payments, you might as well raise your hand and tell attackers, “My website is now a target.” However, the real truth is that every website, big and small, is always a target.
The crux of the problem is that attackers can make money in many different ways. They may be redirecting your traffic to auto loan or porn sites
or they may poison your search engine results with pharmaceutical listings. They can add phishing pages to your site in an attempt to get your customers or visitors to give them personally identifiable information or credit card information and in all of these situations, they’re taking advantage of the work you’ve put in to drive traffic. If you’re not protecting yourself from attack then there are two factors, one economic and the other psychological, that you need to be aware of, because in many ways a website attack is much more devastating for a small business or website than for a large one.
First, you need to be sure that your site can sustain a loss in traffic or a loss in credit card transactions for a month or two months or six months, while the malware is in effect. When you don’t have a lot of traffic to lose in the first place and your website is hacked, it could take a very long time for those people who were scared away to come back. So, while Neiman Marcus can certainly sustain a data breach, you may be at a greater risk, relatively.
The second reason it’s more devastating is psychological. Unlike a big corporation, a lot of small business owners and bloggers feel a personal connection with their customers and readers. When you get hacked, you put them at risk and it feels terrible because you feel personally responsible for whatever pain or hassle you cause to these customers and readers.
How can you protect yourself?
The best way to protect your website is by layering different levels of protection that can be broken down into four logical steps.
- Awareness of the problem
- Understand the symptoms of attacks
- Take steps to fix the root problem (malware) of attacks
- Protect your website with a firewall
It’s by design that each step above flows into the next. As you move down the rabbit hole of security, what becomes clear is that attacks are always evolving and that it would be a full-time job to keep up with it (in fact, it’s our full time job). As you can see, the first step is awareness. Be aware that there are people out there who would take advantage of your website. Second, learn a little bit about the symptoms of attack. Have customers recently complained that they’ve been redirected off of your site when clicking links? Have readers complained that they’ve seen a strange form when clicking a link? If so, then take steps to root out problems, such as running your site through our SiteCheck security scan. Better yet, just remove all doubt and protect your website by shielding it with our CloudProxy Firewall. Is that a shameless plug? Sure it is, but we plug CloudProxy because we believe in the safety it provides for you and for those who visit your website (not to mention that it also protects your investment–emotional and monetary– in your site). In addition, every website we protect is one more website towards our goal of making the web a safer place and that’s something we can all be in favor of.