The Commonwealth Bank (CBA) has admitted it lost the statements of almost 20 million accounts containing customers’ names, addresses, account numbers and transaction details. But what beggars belief is that they didn’t advise their customers. Their admission of the cyber attack only came after the news was broken by BuzzFeed.
This massive loss of customer data has led to legal action, financial loss and, perhaps more concerning for the CBA, damage to its reputation in the marketplace. The incident highlights the potential for security breaches in the cyber environment.
But digital security is all too often ignored by many small businesses. They mistakenly think that hackers are simply attacking the big corporates.
Even more concerning is their finding that 60 percent of small companies go out of business within six months of a cyber attack.
So cyber security is an issue for businesses of all sizes. Every business should be taking precautions to avoid security breaches and prevent data loss.
Fix your hacked website in 5 steps
Think you may have been hacked? Don’t panic. Here’s what to do.
1. Contact your web hosting provider ASAP.
2. Change your passwords immediately.
3. Contact GoDaddy’s support team.
4. Scan all your devices.
5. Inform affected customers.
Before we list the steps you should take, let’s describe the common symptoms of a cyber attack.
Signs you may be in trouble
There are some common signs to alert you to an attack on your website, some more straightforward than others:
- Your website host takes you offline because you’ve been hacked.
- Your web browser alerts you to malware.
- Your anti-virus software alerts you to suspicious content.
- Google has notified you via Google Search Console.
- Random code or weird advertisements start showing on your site.
If you believe you may have been hacked or attacked, your first step should be to investigate using this free scanning tool powered by Sucuri, a GoDaddy company. It will tell you if your site is infected with malware or has been blacklisted.
Malware refers to things like viruses, worms, Trojan horses, ransomware and spyware that can steal your customer data. Your website can be blacklisted by Google if it scans your site and finds anything dangerous (like malware).
What to do if you’ve been hacked
If this scan reveals bad news or you still believe that you’ve been attacked despite passing, there are some important steps to follow.
1. Contact your web hosting provider ASAP
They should be able to identify where the attack originated. Not sure who hosts your website? Enter your web address into Hosting Checker to find out. Then contact your web host via the Help or Support page of their website.
2. Change your passwords immediately
Make sure all new passwords are what security experts call complex, or strong. Strong passwords include:
- Both upper and lowercase letters
3. Contact GoDaddy’s support team
Or just sign up for Express Website Security to have the malware removed and your site returned to health. Their team can begin cleanup within as little as 30 minutes. They’ll also ensure that you’re not on any blacklists.
4. Scan all your devices
Malware often spreads from one connected device to another. This is why you should have anti-virus software such as McAfee, Norton or Kaspersky installed on all of your devices, including tablets and smartphones. They will keep your devices safe from incoming threats and help alert you to any dangers. You can purchase a license online; most will provide protection for up to five devices.
5. Inform affected customers
If you’ve identified that your customer data has been compromised, contact them immediately. Let them know that a security breach has occurred, when it happened and what information has been compromised. Encourage your customers to change their passwords.
How to prevent future cyber attacks
Once the danger has passed, it’s crucial to put processes in place to ensure a cyber attack doesn’t happen again. To paraphrase an old saying, an ounce of data loss prevention is better than a pound of cure.
According to Adam Kujawa, Head of Intelligence for Malwarebytes, “… by following some basic tips and maintaining good habits while online, you will evade infection from over 95 percent of the attacks targeting you.”
Your initial objective should be to protect yourself from malware. Invest in a malware scanner such as GoDaddy’s that scans for malware every day and removes anything it finds. Once set up, Website Security works behind the scenes with no input from you.
Then take the following precautionary steps.
Keep everything updated
When you receive notification of an update being available for your computer or mobile device, get it done. It’s likely to be a security patch to protect you from a cyber attack. Make sure you also keep your website up-to-date. For example, if it’s built on the WordPress platform, regularly update the WordPress core, as well as any plugins you have installed, to maintain optimal protection.
Clean house regularly
If you have programs on your computer or plugins/extensions installed on your website that you don’t need, then get rid of them. They may be leaving you open to attack.
Read your emails with caution
If you don’t know the sender, DON’T go clicking links or opening attachments.
Keep an eye out for the green lock
If you’re about to fill in an online form with any personal data that you’d prefer to keep private, look for a green lock in the browser bar. If the lock is there, the website URL will start with HTTPS. The lock and the HTTPS prefix mean that the data passing between your browser and the website server is encrypted and secure. If you don’t see these security indicators, hackers can grab your data.
Install anti-malware and anti-virus software on all devices
As noted earlier, you should already have anti-virus software installed on your computer and any internet-connected devices — this includes your tablets and smartphones. We live in an increasingly connected world and just one vulnerable device can open your life up to cyber attack and a loss of your private data.
Log out of websites when you’re done
When you are accessing your online bank portal, you will likely ensure you log out correctly before you continue browsing the web. But for other online accounts, users show less caution and this leaves their personal details vulnerable. So be mindful to log out of all of your online accounts when you are done.
Start using a password manager
Phys.org states that “The average person is registered to 90 online accounts requiring passwords, and the number keeps growing.”
Many people create weak passwords that are too short, or are connected to publicly accessible data like their birthdays. Then they simply repeat them.
Hackers use computers to run through thousands of possible combinations of that information (a brute-force attack). Once they have access to one of your accounts, you can bet their computers won’t take long to work out the rest.
As mentioned earlier, the best solution is a password manager, where you only need to remember one password that is long enough and not connected to any of your personal data.
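The weakness described above (short passwords built from public details such as a birthday) can be checked when a password is chosen. The following is an added example, not part of the original article: the function names, the 12-character minimum and the sample profile are assumptions made for illustration.

```python
import re
from datetime import date

MIN_LENGTH = 12  # assumed policy value; the article only says "long enough"
# Undo common character swaps so "J4ne" is still recognised as "jane".
LEET = str.maketrans("013457@$!", "oieastasi")


def personal_tokens(name, birthday):
    """Strings derivable from public data: name parts and birthday spellings."""
    tokens = {p.lower() for p in re.split(r"\W+", name) if len(p) >= 3}
    d, m, y = f"{birthday.day:02d}", f"{birthday.month:02d}", str(birthday.year)
    tokens |= {y, d + m, m + d, d + m + y, m + d + y, y + m + d,
               d + m + y[2:], m + d + y[2:]}
    return tokens


def check_password(password, name, birthday):
    """Return a list of reasons to reject the password (empty list = accept)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    lowered = password.lower()
    # Test the raw form (keeps digits for dates) and the de-substituted form.
    variants = (lowered, lowered.translate(LEET))
    hits = sorted(t for t in personal_tokens(name, birthday)
                  if any(t in v for v in variants))
    if hits:
        problems.append("contains personal data: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed sample profile, not real customer data.
    for pw in ("J4ne1985!", "Citizen1403", "plum-anchor-violin-tide"):
        print(pw, "->", check_password(pw, "Jane Citizen", date(1985, 3, 14)) or "ok")
```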
Implement two-factor authentication
This is when you log in with your username and password and then get a confirmation code sent to your mobile phone or email to verify your identity. While it might be easy enough for hackers to steal your login details, they would also need access to your SMS or email, which is another security step, one hackers can’t hack.
Protect your Wi-Fi network
If you have a Wi-Fi network in your business, it should also be protected. The above precautions should be taken for each device connecting to it.
The bottom line
Cyber attacks (particularly those leading to customer data loss) can lead to legal action and potentially significant financial loss, often resulting in the closure of a business. So, the stakes are high.
Be prudent about your cyber security. Data loss prevention is crucial.
Develop a plan outlining how you’re monitoring potential security breaches and the procedures to follow if a breach is identified. Those procedures must include contacting your customers.
You should also have a plan outlining your prevention procedures. Audit this plan regularly to ensure it is up-to-date.
Implementing the steps that we’ve outlined (such as two-factor authentication, malware scanning, anti-virus software and stronger passwords) will mean you’re better placed than most businesses to thwart any cyber attacks. But it’s important that the prevention steps are adhered to by everyone and every device with access to your network.