Small businesses understand the need for a company website – but few realize that their website needs to be protected. Business owners and managers who are savvy enough to seek help in securing their website will find shockingly little official guidance: the FCC's Cyber Security for Small Business website fails to mention website vulnerabilities as a threat.
Even worse, the Small Business Administration website ignores the issue entirely. However, this is not a theoretical problem, nor a potential threat—it is real and it is now. According to the 2014 Verizon Data Breach Investigations Report, web applications were the top attack vector for successful data breaches. The report went so far as to dub web applications “the proverbial punching bag of the Internet.” This report followed on the heels of their 2013 study that reported 71% of all data breaches target small businesses (defined as companies of 100 or fewer employees).
This already critical problem is likely to get worse as more small businesses bring website management in-house. The National Small Business Association 2013 Technology Survey found that nearly two-thirds of small businesses maintain their own websites, up 15% from the 2010 report. Meanwhile, the report indicates that for 64% of companies, simply finding the time required to maintain the site is “a major challenge.”
What can SMBs do?
So, within this context of low awareness and limited resources, what is the best way for small businesses to approach website security? The answer is in changing the way you think about your company’s website.
Instead of considering it a static promotional tool, treat your website as if it were a PC - an extremely important and vulnerable PC, one that the entire world can poke and prod without you really knowing. What new actions does this new model of the small business website require small businesses to take?
Make website security a core function. Someone in your company needs to be accountable for monitoring and maintaining the security of your company’s website.
Enforce access controls. As with a sensitive PC, administrator access to the website needs to be restricted and enforced with strong passwords.
Monitor, scan, and fix. Just as every PC connected to the Internet needs anti-virus and firewall software, your company website should be scanned for threats daily, or at least weekly. If vulnerable code or exploits are detected, they should be fixed immediately.
If your website has been hacked, it is possible that visitors and customers are getting infected by drive-by downloads. It is also likely that your website will be blacklisted by Google, potentially killing all search engine traffic to your site (Google adds an estimated 10,000 websites to their blacklist every day).
Update critical software. Again, as with PC software, the applications on your website need to be updated from time to time as hackers discover and exploit bugs and security flaws. This is particularly true of Content Management Systems (CMS) like WordPress.
Between 70% and 80% of WordPress sites are running an outdated - and therefore likely vulnerable - version. Website plug-ins, which add useful tools such as discussion boards, photo galleries, and social media features, are also a popular target for hackers.
A new era
Small businesses have enjoyed a period of relative security in the online world, as hackers targeted larger enterprises. That time is over.
Using automated tools, hackers can now efficiently corrupt websites of any size, using them to serve malware to unsuspecting website visitors - or harnessing their processing power as part of a botnet. Small business owners without a security plan covering the four aspects above aren’t just theoretically at risk; there’s a very good chance they’ve already been attacked and simply haven’t realized it yet.
Small business website security doesn’t have to be an oxymoron, if those businesses take action now.
- Chris Weltzien is CEO of 6Scan