What Small Businesses Are Saying

In the first quarter of this year, SiteLock undertook a broad study of more than 10 million websites and surveyed 250 website owners. Most of the website owners surveyed classified their businesses as small businesses (i.e. with fewer than 50 employees), just the sort of operations that we see on the web and around us every day. The report provides an interesting insight into the trends, vulnerabilities, and risk factors that cause small business websites to be the target of cyber attacks.

The study found that small businesses continue to be the target of choice for cyber criminals. In fact, almost half of all website owners surveyed reported that their website was the victim of a security incident in 2017.

Why is this the case?

Cyber criminals no longer need to target high profile websites for the greatest return. In fact, by using low-cost, automated attacks, it is more profitable to cast a wide attack net and compromise ‘average’ websites in large numbers.

In addition, one of the biggest security concerns of those surveyed was the risk of a ‘defacement’ of their site, which indicates a lack of awareness that the quieter and stealthier malware attacks are just as damaging, if not more so. Only a fifth of respondents cited data theft as their biggest concern.

However, the reality is that only 18 per cent of compromised website incidents involved defacement, whereas 60 per cent involved infection with shell scripts used to access data, or to download or upload files. This indicates that cybercriminals are continuously aiming to create and maintain access to infected websites, often in an attempt to distribute malware.

Almost a quarter of the businesses experienced damage to their reputation as a result of a security incident in 2017.

Don’t Ignore Your Website

The SiteLock responses serve as a reminder that a website security attack can happen at any time to any business, in particular to those businesses with websites which are not regularly checked.

Almost 30 million websites worldwide use one of the three biggest Content Management System (CMS) platforms: WordPress, Joomla!, and Drupal. These platforms make building a small business website more accessible than ever before by being free, easy to use, and open source with large communities. However, not all website owners are aware that their CMS-run website is a living entity that requires regular updates to remain secure. When surveyed, 59% of small business owners reported that they were responsible for the upkeep of their website, but only 42% of website owners updated their applications monthly or more frequently.

SiteLock examined 1.9 million websites using a CMS to determine how likely they were to be compromised, as well as the factors that put them at increased risk. On average, it was found that CMS websites are approximately twice as likely to be compromised as sites that do not use a CMS. While out-of-date applications are a likely reason for the increased risk, they are not the only risk factor. Websites can often be running the latest core updates and still be compromised. In all likelihood, the use of plugins (to increase functionality, add features, or customise a CMS site) increases the chance of compromise. The more plugins are added to a CMS, the more likely the site is to be infected with malicious content.

To protect website visitors and search engine users, search engines will blacklist sites that are found to be infected with malware. In the first quarter of 2018, 17% of infected sites were blacklisted by search engines. The consequences of ending up on a search engine blacklist can be particularly detrimental to small businesses, including removal from search listings and a damaged brand reputation.

What Every Website Needs (No Matter How Small)

Remember that your website is the online ‘face’ of your business, and needs regular attention to remain pretty and secure.

  • If your website uses an open source CMS, ensure you update the core as well as all plugins and themes, and remove any unnecessary ones.
  • Use two-factor authentication whenever possible. Adding another layer of security to your passwords can help keep cybercriminals out.
  • Implement a web application firewall (WAF) to filter out malicious and bot traffic.
  • Undertake an external vulnerability scan or penetration testing to assess the security of your website.

Talk to phew! today about how we can help test and protect your small business website.