Website attack, so who’s responsible?

Whether it’s an attack on a small business website or a major security breach of a country’s healthcare system like the HSE’s attack last year, we are seeing a massive increase in security problems both locally and globally. When something like this happens, we look for someone to blame and someone to fix it. It’s obvious that it’s the criminal who intentionally caused this, but going after them to resolve it isn’t an option. So who gets the blame? Who do we go after? Usually, it’s the hosting company or the website developer or both. They should make sure my website is 100% secure at all times, right? Wrong.

Surely I am not responsible as the website owner, am I?

You might not want to hear this but yes YOU are responsible for your website security, not solely your hosting company or your developer. Responsibility falls on the website owner to protect their customers’ data/information and ultimately protect their own business.

The role of the Hosting Data Centre (e.g. LetHost, BlueHost, Blacknight etc.) is important but no hosting service is able to provide 100 percent website security. The most they can do is to implement as many preventative measures as possible, offering for example SSL certificates, regularly updating their server hardware and software, monitoring and having recovery measures in place in the event of a cyber-attack.

Equally, your developer might have created the website and updated your software at the time of the build to the best of their ability, but have any maintenance or security updates been done since? Many businesses employ a developer to build their site but, once it is complete, feel they don’t need their services any longer, or they don’t go ahead with updates the developer suggests.

Read on for an explanation of what a website owner needs to do to protect their business and reduce their risk.

Website Security Explained

Imagine finding out there have been a number of break-ins in your neighbourhood. Imagine being surprised when it happens to your home – despite your lack of security cameras. Similarly, businesses often wait until it’s too late or there is an issue to become “proactive” about a security problem or underlying threat.

The truth is, those burglaries didn’t seem real, until they literally hit home. You cannot fully protect your home from burglaries but there are some basic things you can do to reduce your risk significantly e.g. locking doors/windows, getting an alarm, keeping lights on etc.

The same applies to your website security. Here is what you as a website owner should do to reduce your risk.

1. Use Strong Passwords & Change them regularly

  • Use a combination of letters, numbers and symbols
  • Ensure that all passwords are at least 12 characters long (longer=better)
  • Never include personal information in your passwords
  • Avoid using passwords that have a record of being stolen
  • Don’t recycle your passwords
  • Using Two Factor Authentication (2FA) will provide another layer of protection by ensuring the user logging in is actually meant to do so.
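
The password rules in point 1 can be checked automatically, for example when an account is created or a password is changed. The following is an added example, not code from the original article; the function name `check_password`, the rule messages and the small stolen-password list are constructed for illustration, and a real site would check against a full breach corpus.

```python
import hashlib
import re

# Constructed stand-in for a real stolen-password list, stored as SHA-1
# digests so the list itself never holds plain-text passwords.
STOLEN_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Password123!", "Summer2023!!!", "Qwerty123456!")
}

# One pattern per character class the checklist asks for.
REQUIRED_CLASSES = (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]")


def check_password(password, personal_info=()):
    """Return the checklist rules the password breaks (empty list = pass).

    personal_info: strings such as the user's name, birth year or company
    name; any of them appearing inside the password is a violation.
    """
    problems = []

    if len(password) < 12:
        problems.append("shorter than 12 characters")

    if not all(re.search(pattern, password) for pattern in REQUIRED_CLASSES):
        problems.append("needs letters, numbers and symbols")

    # Case-insensitive substring match; very short items are skipped to
    # avoid flagging every password that contains, say, the letters "al".
    lowered = password.lower()
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")

    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    if digest in STOLEN_SHA1:
        problems.append("appears in a stolen-password list")

    return problems


if __name__ == "__main__":
    for candidate in ("short1!", "Password123!", "Mary1985-Galway!"):
        print(candidate, "->", check_password(candidate, ("Mary", "1985")))
```

Password reuse across sites and 2FA cannot be verified from the password alone, so they stay on the checklist as habits rather than automated checks.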

2. Take care of who has access to your website

  • Mind your website credentials.
    When creating and developing a website, external services or companies can be used to perform certain tasks. When finishing working with an individual or company, remember to change passwords or remove their access.
    Similarly, if employees leave or no longer require access, remember to delete or disable their accounts.

3. Encrypted connection – SSL

  • Make sure you have an SSL cert on your website (i.e. Secure Sockets Layer).
    An SSL certificate lets your users know that their connection to your website is secure: it provides an encrypted link between your server and their web browser to protect all data that passes between the two. If you don’t have one, contact your website provider.
    (Apart from security concerns, not having an SSL cert causes a security warning to be displayed on your site, which looks very unprofessional!)

4. Regular Updates/Maintenance

  • Caring for your website is vitally important. If you have a WordPress site, for example, you need to ensure that all of its elements are updated (i.e. core, plug-ins and themes).
    Security updates are essential; these need to be done on a regular basis. Chances are your website provider or developer has already offered these services to you; do not refuse them.

5. Website Monitoring and Firewall

  • Consider using website monitoring and firewall software such as Sucuri to:
    – Scan websites to detect malware and potential vulnerabilities
    – Get malware removed quickly by experienced security analysts
    – Implement a powerful cloud-based firewall to stop hacks and attacks

6. Talk to Employees

  • Make sure you communicate with your employees and highlight the importance of security both internally and externally.
    Although it is all around us, it is worth highlighting the risks around spam (emails, text messages), weak passwords, unprotected devices, etc. and educating employees about them. Have a clear process to get anything suspicious checked before damage is done.

7. Talk to your Website Provider

  • Your website provider will be glad to talk to you about your security concerns.
    They will give general advice and also give a number of options to help you reduce your risk.

The Implications of a Security Breach

Brand Reputation
It can take years to build a brand and literally minutes to lose it. A hacked website is notorious for destroying trust, which ultimately jeopardizes your brand reputation.

Financial Loss
Another vital implication of a website hack is economic impact. If business is lost due to a website compromise, there is always some sort of financial loss. Even a brochure site can drive business to a physical location, and if that website is not available for the customer, then you will lose money.

Emotional Distress
The cost of a website compromise goes far beyond money. Some factors of a compromise can never truly be appreciated until they are experienced. These include the emotional toll of not knowing what just happened; the hours spent arguing with hosting providers, developers, and security professionals; the fear of missing something during remediation; the fear of being online at all, or of using technology as a whole. All this is exacerbated by one simple thought: “Why didn’t I take precautions?”.

As surreal as these may sound, they are all very real costs of a security hack. The money can be the easiest part to account for. It is the non-monetary impact that catches everyone off guard.

Blocklists
In the context of websites, blocklisting refers to the process of search engines removing a website from their index. Webmasters pay close attention to this because when blocklisted, a site loses nearly 95% of its organic traffic, which can quickly impact sales and revenue.
Most often, the website owner is not even aware that they have been hacked. However, it is in the search engine’s best interest not to show infected results, as they do not want to lose users if these results can harm their computers, or even steal their personal information. For the same reason, many antivirus programs also blocklist dangerous websites.

Blocklisting is a big problem because it can take days for authorities to review and remove security warnings from a blocklisted site.

Sample: Chrome

ePresence | Our Experience with Security Issues

When deciding on hosting plans and security options, some clients automatically want to choose the basic/cheapest option. When security is highlighted, they are just not interested. They don’t see the need to periodically update the software or plugins on their site. It’s not something they can really see. Back to the burglary analogy above, the burglary is just not real to them until it comes to their door; but when it does come – all hell breaks loose!

Over the years at ePresence, it has become more of a problem with the increase in attacks. We have learned to be straight and forthcoming with our clients to highlight both their responsibilities and ours. It is challenging but we feel education is key. Once a client knows their security options and responsibilities, it is their decision and we accept that. We find it useful to send a reminder in the form of a Security Letter which we send to clients yearly.

We value security at all times and take a proactive approach always – not just at the start of a project but consistently via updates, maintenance and education.

If you want to talk about your website security and take steps to reduce your security risks, feel free to contact us at ePresence Digital Marketing. We can discuss your concerns and give options as to how best to protect your website and give you more peace of mind.