Data security: Why hackers target small business websites
UPDATE — JULY 24, 2018: Today Google began rolling out Chrome 68. Now, Google’s browser will display a “Not Secure” warning next to the website in the address bar if the site is not secured with HTTPS.
If you have a small business website, data security might be the last thing you think about. After all, don’t hackers just target the big end of town?
Hackers target small businesses simply because their data security is not as advanced.
Here’s the bad news. Hackers actively target small business websites simply because they are soft targets. Many small business owners don’t take basic data security measures to protect their sites.
Why do hackers hack?
The first question most site owners have is, “I only have a small site. Why would hackers be interested in me?”
Hackers break into websites for several reasons:
Vigilantes or foreign governments seek to spread their messages, raise awareness or harness many hacked websites together into botnets to launch DDoS attacks on major players.
Theft of money
Small business owners are less likely to have site backups and are more likely to pay if their data is encrypted and held for ransom. According to the Australian Government, ransomware is the fastest-growing malware threat.
Theft of personal information
Personal information such as names, addresses, dates of birth, and health or financial data can be used for fraud, identity theft or blackmail. Many small business owners collect personal information through their web forms or emails hosted through their web server. eCommerce websites collect banking details, which makes them an obvious target.
To leak information
Confidential information might be stolen in order to expose people, governments or corporations that the hacker disagrees with.
Some hackers hijack computers to use in mining cryptocurrency for their own gain.
Hobby or LULZ
Some hackers just like the challenge and do it for fun.
In many cases, the appeal of small business websites is that they’re not standalone, but are often linked to email, CRM (customer relationship management) and finance systems.
Websites are often seen as unlocked portals into the rest of a business.
Hackers use websites to gain entry into a company’s infrastructure or as a back door into larger partner companies or government agencies.
Industries most at risk
While no website is safe, certain industries attract more attention than others. According to the first quarterly report of data breaches released by the Australian OAIC, the most-hacked industries in Australia include:
- Health service providers
- Legal, accounting & management services
- Finance (including Superannuation)
Most of the incidents that have made the news were high-profile cases such as Svitzer, where half of their employee data was leaked; Family Planning NSW, where details of 8,000 clients were stolen; and the Commonwealth Bank incident, in which 20 million customer financial statements were lost.
However, the OAIC report found that 73 percent of data losses involved the personal information of fewer than 100 people.
What do you need to do?
Enhancing your website data security means you need protection on two different fronts: website exchanges and the website itself.
1. Website exchanges
One of the most critical things any business must do is protect their website visitors. This is particularly true if you want prospects and clients to enter their personal details on web contact forms, create password-protected accounts or purchase items from you online. Enter: SSL, also known as Secure Sockets Layer.
With an SSL certificate, all data sent to or from your website is encrypted in transit with 2048-bit encryption, so hackers who intercept it cannot decipher the data.
A customer can easily see if you have an SSL installed by looking at your website URL in their browser. If they see a green lock or the HTTPS prefix (as opposed to HTTP), they know your site is safe and secure.
No green lock? If their browser bar reads, “Not secure” when they’re on your website, they know you don’t have an SSL installed.
In the past, not having a green lock was not a barrier to doing business, but more and more savvy shoppers will not enter any personal data on a website without the magic green lock. An SSL certificate is one of the key ways you can build the trustworthiness of your website.
Google raises the stakes
To add to the pressure, Google Chrome and other browsers have begun rolling out warnings whenever visitors are asked to enter personal details on a site that does not have an SSL installed.
From July 2018, Google Chrome 68 will mark all HTTP sites (even those that don’t take online payments) as Not Secure.
From October 2018, if you don’t have an SSL installed, and a client tries to enter personal details on your site, Chrome 70 will change the Not Secure warning to red.
The bottom line is, if you don’t have an SSL installed on your website, you are losing customers. As people see the “Not Secure” warnings, they will simply move on to websites that are secure.
Which SSL should you get?
To accommodate the varied security needs of different websites, there are several types of SSL Security certificates to choose from:
- Domain Validation (DV) SSL: Ideal for blogs and personal websites, this SSL verifies your ownership of the domain name.
- Organization Validation (OV) SSL: Good for informational websites such as those owned by schools or nonprofit organizations, this certificate verifies domain ownership and the existence of the organization.
- Extended Validation (EV) SSL: Because this SSL entails the most rigorous vetting process of the three, it’s perfect for eCommerce, banking and medical sites. Shoppers who see the green address, business name and country code in the browser bar that’s triggered by this certificate instantly know they’re safe.
Have more than one website or subdomains you want to protect with a single SSL certificate? Select your category above, then combine it with one of these:
- Multiple Domains SSL: For companies that manage multiple domains and websites.
- Wildcard SSL: Best for sites that use subdomains, like shop.website.com or blog.website.com (not available as an Extended Validation (EV) SSL).
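To see which hostnames a Multiple Domains or Wildcard certificate actually protects, the following added example (not part of the original article or any vendor's tooling) applies the standard matching rule: a wildcard stands for exactly one leftmost label. The hostnames and certificate name lists are constructed for illustration.

```python
# Added example: which hostnames does a certificate's name list really cover?

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(cert_name, hostname):
    """True if one certificate name (exact or wildcard) covers hostname."""
    c, h = _labels(cert_name), _labels(hostname)
    if len(c) != len(h):
        return False          # "*" stands for exactly one label, never several
    if c[0] == "*":
        # Simplification: require "*.name.tld" or longer. Browsers and CAs
        # also refuse wildcards directly under a public suffix ("*.co.uk").
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h

def uncovered(cert_names, hostnames):
    """Hostnames that would still trigger a certificate warning."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]

# Constructed inventory for a hypothetical business (assumption, not page data).
HOSTS = ["website.com", "www.website.com", "shop.website.com",
         "blog.website.com", "pay.shop.website.com"]

# Constructed certificate name lists, one per purchasing option.
WILDCARD_ONLY = ["*.website.com"]
WILDCARD_PLUS_APEX = ["*.website.com", "website.com"]
MULTI_DOMAIN = ["website.com", "www.website.com", "website.net"]

if __name__ == "__main__":
    for label, names in [("wildcard only", WILDCARD_ONLY),
                         ("wildcard + bare domain", WILDCARD_PLUS_APEX),
                         ("multiple domains", MULTI_DOMAIN)]:
        print(f"{label}: not covered -> {uncovered(names, HOSTS)}")
```

Running the same check against your real list of hostnames before you buy shows whether the bare domain or any deeper subdomain would be left unprotected.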
All GoDaddy SSL certificates come with both a GoDaddy Security Seal and McAfee SECURE trustmark to display on your website. These visual trust indicators often reassure site visitors.
2. The website itself
Data security for your small business website requires more than protecting visitors to your site. Here are a few additional steps you can take to decrease the likelihood of becoming a victim:
- Keep your versions of WordPress, themes and plugins updated with the latest security patches.
- Maintain a regular schedule of site backups and know how to restore your website from a backup.
- Consider adding a cloud-based firewall to stop hackers before they ever get to your site.
- Add security plugins or an automated malware scanner to your site.
- Ensure you use secure passwords that are regularly changed.
- Never use admin, manager, test or the name of your website as your username.
- Delete old users on your site (especially non-active administrative users).
- Delete themes or plugins you no longer use.
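The username and old-user items in this checklist can be checked mechanically. The following is an added example, not code from the article: the account records are constructed, the `last_login` field is assumed to come from your own login records, and the 90-day idle threshold is an assumption you should tune.

```python
# Added example: audit site accounts against the username and old-user items.
from datetime import date

RISKY_LOGINS = {"admin", "manager", "test"}   # usernames the checklist names

def audit_users(users, site_names, today, max_idle_days=90):
    """Return {login: [findings]} for accounts that break the checklist.

    site_names: names of your website, which must not be used as usernames.
    max_idle_days: assumed threshold for treating an account as old.
    """
    banned = RISKY_LOGINS | {s.lower() for s in site_names}
    report = {}
    for user in users:
        findings = []
        if user["login"].lower() in banned:
            findings.append("guessable username")
        last = user.get("last_login")          # None means never logged in
        if last is None or (today - last).days > max_idle_days:
            if user["role"] == "administrator":
                findings.append("inactive administrator")
            else:
                findings.append("inactive user")
        if findings:
            report[user["login"]] = findings
    return report

# Constructed sample export for a hypothetical site called "acmeplumbing".
SAMPLE_USERS = [
    {"login": "admin", "role": "administrator", "last_login": date(2024, 5, 30)},
    {"login": "jsmith", "role": "editor", "last_login": date(2024, 5, 20)},
    {"login": "oldagency", "role": "administrator", "last_login": date(2023, 1, 15)},
    {"login": "AcmePlumbing", "role": "author", "last_login": None},
]

if __name__ == "__main__":
    result = audit_users(SAMPLE_USERS, {"acmeplumbing"}, today=date(2024, 6, 1))
    for login, findings in result.items():
        print(f"{login}: {', '.join(findings)}")
```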
In addition, you should establish a plan including who to contact and what to do in the event your site is hacked. Record these details as part of your checklist of what to do once you launch your website.
Data security: Not just for the big players
Data security needs to be firmly on the to-do list of every small business owner, as hackers can target even the smallest website.
Also, the big search engines are moving to make the internet a safer place by requiring websites to install SSL encryption. If you don’t have it, then your customers will simply move to competitors who do.
Like all things in business, keeping on top of your data security can feel overwhelming. If in doubt, talk with your web hosting company or IT provider for advice on what is best for your needs.