Last year was a big year for hacks, leaks, and data breaches. Because attacks on high-profile targets like Facebook, Orbitz, and T-Mobile dominated the headlines, you might believe your personal blog or small business website is of no interest to hackers.
Don’t forget what happened when the ransomware WannaCry swept the globe, indiscriminately encrypting the data of individuals, small business owners, and global enterprises alike.
Cybercrime and data fraud both made the WEF’s top 10 most likely risks in terms of occurrence for 2018. Data fraud was the 6th most potent risk in terms of impact.
With hackers’ methods becoming more varied and sophisticated, those numbers are only going to get worse. The fact of the matter is that you can no longer rely on security software alone to keep you safe. The technology simply can’t keep up with every new trick.
It’s up to each one of us to take up responsibility by learning what threats to look out for and what common-sense steps we need to take to mitigate them.
So, where do you even begin? What are the most likely threats? What are the possible consequences of falling victim to a virtual attack? What can you do to lower your risk?
By looking at past and future trends, I’ve identified some important lessons and what you can learn from them to safeguard your online presence.
The Consequences of Hacking
Imagine one day, you switch on your laptop and a message pops up saying ‘Oops, your files have been encrypted!’ As you read on, you realize with horror that you’ve just fallen victim to a ransomware attack. Your files have been encrypted so that you can’t access them. To make things worse, a countdown warns that the price will go up, and that the files will be lost for good, if you don’t pay the ransom in time.
What information is in your files? Product or shipping orders? Employee payslips? Personal photos, videos, or documents that you can never get back? How much are you willing to pay to get them back?
No, this isn’t the plot of the next blockbuster hacker film from Hollywood. This was the harsh reality for many people when the WannaCry outbreak swept the globe. There are many other ways that you can pay when falling victim to hacking or malware, but this was one of the most visceral examples.
As a victim, not only did you have to pay to get your files back, with no guarantee of success: many WannaCry victims who paid never received a working decryption key. You also suffered indirect losses because of the interruption to your day-to-day operations, not to mention the personal loss of items with sentimental value, like emails or photos. The one reliable defence is a recent backup kept somewhere the malware can’t reach, such as offline or on storage the infected machine can’t write to.
Another common type of attack is a DDoS (Distributed Denial of Service), where a flood of traffic from many hijacked machines overwhelms your site until it stops responding.
You might go to sleep at night, safe in the knowledge that the next morning, your online business will be operating as usual. But the next time you check in, you see that your site went down hours ago and has been unreachable ever since, possibly even suspended by your hosting provider to protect its other customers.
On top of losing any business you might have had in that time, downtime also affects your search engine rankings, and you may need to hire professionals to get the site back online and check that nothing else was tampered with while it was down.
A data breach is a different kind of loss. However it happens, the bottom line is that if your customers’ data gets stolen and the attackers make purchases in their name, you may need to refund them. You may also be required by law to notify your customers of the breach and to pay damages, not to mention any legal battles you might have to face.
And then, there’s your reputation to think about. Sure, a data breach on your website probably won’t make the evening news like Facebook, but as a small or medium business, you probably rely on a smaller, loyal customer base. Your customers will have other options to turn to, and they probably won’t come back if their trust is betrayed.
If you’re a digital marketer, you know that trust is more valuable than gold. You don’t want to give your followers or customers any reason to second guess it.
It Might Be You That’s Being Hacked, not Your Website
Imagine this: A new customer reaches out to you with a complaint about a product they ordered from your store. Let’s say it broke during shipping. They contact you via email and have all the necessary information, the order number, the exact model, and the date and time of the transaction.
Always putting your customers first, you happily send them a replacement or a refund. In line with your customer satisfaction policies, you call them to make sure everything is all right. But when they answer the phone, they have no idea what you’re talking about and deny ever having made any complaint.
This is called social engineering, and it’s just as much a part of the cybercriminal’s arsenal as hacking. It’s a popular method because it requires little technical skill: just patience, and a way into someone’s email account (a leaked or reused password is usually enough), where the attacker can read order confirmations and find out everything the victim has been up to.
Social engineering is all about finding leverage. Your attempt to provide great customer service gave hackers a soft spot to exploit.
Now, imagine if a hacker gets access to one of your staff member’s email accounts, or even to yours. What kind of trouble can they cause? Could they fire an employee? Mess up your orders? Exploit your customers?
Human error is the hardest kind of vulnerability to protect against, because no matter how hard you try, there will always be someone, somewhere, who isn’t as well informed as you. It’s always a good idea to explain the importance of good online practices to your employees.
Having multiple forms of verification that you can follow up on will also go a long way. For example, turn on two-factor authentication for your email and store accounts, and make it policy to confirm refund or replacement requests through a second channel, using the phone number or address already on the order rather than the contact details supplied in the email.
Phishing isn’t Funny
The reverse situation is when a criminal steals the identity of you or your business and uses it to exploit your customers’ trust. Phishing is nothing new, but it will probably stay with us for the foreseeable future because it’s so easy, it costs next to nothing, it can be attempted on anyone, and it preys on people’s inherent trust and naivety.
Just because you might be too smart to fall for a phishing email, doesn’t mean everyone else is. And although it might not seem likely to directly affect your business in any way, there are plenty of indirect ways it could hurt you.
For instance, a customer could be phished for their login credentials to your website, which gives the attacker a way in.
In this case, a hacker might draft an email using your logo, header images, and the name of one of your employees (easy enough to get with a bit of snooping). In a very sneaky move, the email can even say something like “due to a recent security concern, we need all customers to update their passwords.”
If the address you usually use to reach customers is something like firstname.lastname@example.org, they could register a lookalike domain that differs by a single character, a swapped pair of letters, or a different ending, and send from an address that looks the same at a glance. An unsuspecting customer would have little reason to doubt its authenticity.
Once the victim follows the link and types their current password into the fake reset page, the hackers have it. With the email address and password, they can log straight into the customer’s account on your website, and into any other site where the customer reused that password.
One real-life case that shows how a small business can become the unwitting entry point in this way was the Target breach of November 2013. The attackers reportedly used credentials stolen from a small HVAC subcontractor to log into Target’s vendor portal, and from there worked their way to the systems holding Target customers’ card details.
This story shows the ingenuity of hackers and the lengths they are willing to go to.
Even though you cannot stop someone from sending phishing emails in your name, a successful attempt will undoubtedly stain a customer’s trust in you.
Email phishing is the most common form. Before you laugh, you should know that it has become a much more subtle art than impersonating charitable Nigerian princes or miracle-worker doctors.
Email phishers can almost perfectly replicate the emails from businesses complete with logos, branding, the use of similar language, and even almost identical email addresses or domains.
There are a few things you can do on behalf of your business to protect your website and your customers. Publish SPF, DKIM and DMARC records for your domain so that receiving mail servers can reject messages that claim to come from your exact domain but weren’t sent by you (this doesn’t stop lookalike domains, but it closes the most convincing form of the attack). Warn your customers as soon as you become aware of any phishing attempts using your brand, and make clear what communications you will, and will not, send by email, for example that you will never ask them to confirm a password by following a link.
To avoid becoming a victim of phishing yourself, you’d be surprised at how good some email spam filters, like SpamAssassin, are at flagging mail from less-than-reputable sources. They won’t catch every well-crafted, targeted message, though, so treat any unexpected password or payment request with suspicion and reach the site by typing its address yourself rather than following the link.
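The lookalike-address trick described above (a domain that differs from yours by one character, a swapped letter pair, a different ending, or a brand name buried in a longer domain) can be caught mechanically on the receiving side. The script below is an added example written for this article, not code from the page; it assumes your real sending domain is example.org (hypothetical), uses a small hand-built table of look-alike characters, and splits domains naively on the last dot, so a production filter would add the public suffix list and the full Unicode confusables data. Exact-domain forgery is deliberately reported as “legitimate” here because only SPF, DKIM and DMARC can settle that case.

```python
"""Flag look-alike sender domains in a support inbox (added example)."""
import unicodedata
from email.utils import parseaddr

LEGIT_DOMAIN = "example.org"  # hypothetical: replace with your own domain

# Characters and pairs attackers substitute because they look alike in
# common fonts; the last row covers Cyrillic letters used in IDN homographs.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def normalize(domain: str) -> str:
    """Lowercase, apply Unicode compatibility folding, collapse look-alikes."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def split_domain(domain: str):
    """Split 'label.tld' into (label, tld). Assumes a one-part TLD; use the
    public suffix list if you need co.uk and friends handled correctly."""
    parts = domain.rsplit(".", 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (domain, "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one dropped, added or changed character counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return how a sender domain relates to the legitimate one."""
    raw = domain.strip().lower()
    if raw == legit or raw.endswith("." + legit):
        # Mail that really claims to be from your domain: only SPF, DKIM and
        # DMARC can tell a genuine message from a forged one here.
        return "legitimate"
    norm, legit_norm = normalize(raw), normalize(legit)
    if norm == legit_norm:
        return "homoglyph"          # examp1e.org, exarnple.org, Cyrillic e
    label, tld = split_domain(norm)
    legit_label, legit_tld = split_domain(legit_norm)
    if label == legit_label and tld != legit_tld:
        return "tld-swap"           # example.net
    if levenshtein(label, legit_label) <= 1:
        return "typo"               # exmple.org
    if legit_label in label:
        return "embedded-brand"     # example-support.org, example.org.evil.com
    return "unrelated"


def triage(from_header: str, legit: str = LEGIT_DOMAIN):
    """Parse a raw From: header value and classify its domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name, addr, classify_sender_domain(domain, legit)


# Constructed sample headers for this example; none are real messages.
SAMPLE_FROM_HEADERS = [
    "Support <support@example.org>",
    "Support <support@mail.example.org>",
    "Support <support@examp1e.org>",
    "Support <support@exarnple.org>",
    "Support <support@example.net>",
    "Support <support@exmple.org>",
    "Support <support@example-support.org>",
    "Support <support@example.org.evil.com>",
    "Jane Customer <jane@gmail.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        _, addr, verdict = triage(header)
        print(f"{verdict:15} {addr}")
```

Anything other than “legitimate” or “unrelated” deserves a closer look before a support agent acts on it; in practice you would run this over the From and Reply-To headers of incoming mail and over any domains you see in links, and feed confirmed lookalikes into the warning you send customers.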
Mobile Devices Are on the Front Line
With more and more people doing more and more of their browsing, shopping, and communication on mobile, it’s no wonder there has been an increase in cybercrime and malware attacks specifically targeting mobile devices.
One thing working in favor of these opportunists is the fast-paced way we interact with our phones. How often do you instinctively open an SMS or email when the notification pops up? How many apps have you got installed on your phone? Do you ever download files from the web or emails without scanning them? Do you even have an antivirus installed on your mobile device?
Any of these could leave you open to a malware infection or some other kind of attack. If you’re thinking it’s not so bad, because it’s just your phone, don’t be so sure. Today, our devices are interconnected, and a phone that is logged into your email and your store’s admin panel is a short step away from everything you keep in them.
You might not think the threat is as great when it comes to mobile devices. However, Kaspersky identified millions of malicious installation packages in 2018 alone. Mobile devices also account for just under half of website page visits, and that share is still growing.
Caller ID spoofing is another cheap and effective way for cybercriminals to take advantage of customers under the guise of your company. Using this method, they can make the caller ID on the victim’s phone show your company name or number. With a little research (or the proceeds of a data breach), it’s then easy for them to trick your customers, who have little reason to doubt that it’s actually you calling. Caller ID can’t be trusted, so tell your customers that you will never ask for passwords or full payment details over the phone, and that they can always hang up and call you back on the number printed on your website.
A Word about WordPress
As WordPress powers roughly 30% of the web, owns the lion’s share of the CMS market, and is the fastest growing CMS, there’s a good chance you are using it for your website. If this is the case, I’ve got some bad news and some good news. The bad news is that as WordPress’ user base grows, so does its share of infected sites.
According to Sucuri, WordPress’ share of the infected CMS sites they cleaned rose from 83% in 2017 to 90% in 2018, while many other platforms saw their share drop. Part of that is simply market share: the more sites run WordPress, the more of the infected sites will be WordPress. So, is it time to pack up your things and move to another CMS? Not necessarily.
WordPress’ biggest attraction, the fact that it makes it easy for anyone to build their own website, is also its biggest downfall. Most WordPress users fall prey to cyber attacks because they aren’t website developers or security experts who know the essentials of protecting themselves from cyber attacks.
In fact, Sucuri identified these as the most common reasons for infections on sites they surveyed:
- Improper deployment of plugins, themes, websites, etc.
- Security configuration issues.
- A lack of security knowledge or resources.
- A lack of overall site maintenance.
One of the biggest reasons why your WordPress website may become vulnerable is falling behind on updates. 55% of hacked websites contained outdated software. Updates usually patch security holes that are already public, and often already being exploited; once a fix is released, attackers compare the old and new code and go looking for sites that haven’t applied it.
The good news is that you can already dramatically reduce your chances of being hacked just by making sure you always update your WordPress version, plugins, and themes, and by turning on automatic updates where your host or plugins offer them. This doesn’t only apply to WordPress, but to CMSs in general, such as Drupal, Joomla, Magento, etc.
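Keeping up with updates is easier when the check is scripted rather than done by clicking through the dashboard. The script below is an added example written for this article, not code from the page, from WordPress or from WP-CLI: it reads the JSON that WP-CLI’s `wp plugin list` and `wp theme list` commands print and sorts each component into “update now” (active and outdated), “delete” (inactive; switched-off plugins still leave PHP files on disk that the web server will happily execute, so they should be removed rather than left to rot) and “current”. The install path and the sample listing are hypothetical, so the script falls back to the embedded sample when `wp` is not installed.

```python
"""Audit WordPress plugins/themes for pending updates and dead weight (added example)."""
import json
import shutil
import subprocess

FIELDS = "name,status,update,version,update_version"


def fetch_listing(kind: str, site_path: str) -> str:
    """Run WP-CLI against a real site; `kind` is 'plugin' or 'theme'."""
    cmd = ["wp", kind, "list", "--format=json", f"--fields={FIELDS}",
           f"--path={site_path}"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def audit_components(listing_json: str) -> dict:
    """Classify one listing. Returns components grouped by the action to take."""
    report = {"update_now": [], "delete_candidates": [], "current": []}
    for item in json.loads(listing_json):
        name = item["name"]
        if item.get("status") == "inactive":
            # Inactive code is still reachable by URL; remove it, don't patch it.
            report["delete_candidates"].append(name)
        elif item.get("update") == "available":
            report["update_now"].append(
                (name, item.get("version", ""), item.get("update_version", "")))
        else:
            report["current"].append(name)
    return report


def wp_commands(kind: str, report: dict) -> list:
    """Build the WP-CLI commands that act on a report, most urgent first."""
    cmds = []
    if report["update_now"]:
        names = " ".join(n for n, _, _ in report["update_now"])
        cmds.append(f"wp {kind} update {names}")
    if report["delete_candidates"]:
        cmds.append(f"wp {kind} delete " + " ".join(report["delete_candidates"]))
    return cmds


# Constructed sample of `wp plugin list --format=json` output; the plugin
# names and version numbers are made up for this example.
SAMPLE_PLUGINS = json.dumps([
    {"name": "shop-forms", "status": "active", "update": "available",
     "version": "2.3.1", "update_version": "2.4.0"},
    {"name": "seo-helper", "status": "active", "update": "none",
     "version": "1.8.0", "update_version": ""},
    {"name": "hello-demo", "status": "inactive", "update": "none",
     "version": "1.0.0", "update_version": ""},
    {"name": "legacy-gallery", "status": "inactive", "update": "available",
     "version": "0.9", "update_version": "1.2"},
])

if __name__ == "__main__":
    site = "/var/www/html"  # hypothetical install path
    listing = fetch_listing("plugin", site) if shutil.which("wp") else SAMPLE_PLUGINS
    report = audit_components(listing)
    for name, old, new in report["update_now"]:
        print(f"UPDATE  {name}: {old} -> {new}")
    for name in report["delete_candidates"]:
        print(f"DELETE  {name} (inactive)")
    # Core is checked separately; `wp core check-update` prints pending releases.
    for cmd in ["wp core check-update"] + wp_commands("plugin", report):
        print(cmd)
```

Run it from cron or your deployment pipeline and mail yourself the output; the same `audit_components` function works unchanged on the output of `wp theme list`, and the generated commands can be executed directly once you have a backup and a staging copy to test against.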
There are other steps you can take that don’t require you to become a security expert:
- Install a trusted security plugin
- Maintain good password practices: unique passwords for every account, and two-factor authentication for admin logins
- Have your site audited by professionals from time to time
- Always make sure your site is served over HTTPS with a valid SSL/TLS certificate
- Use a trusted hosting provider
You can find some other great tips on how to improve your security here.
If your site recently got hacked, you can also find some recommended next steps here. The quicker you act, the better.
Unfortunately, the very fact that many CMSs are open source and are used mainly by non-technically skilled users will always make them a target. That’s why it’s so important for you to take responsibility and do what you can to improve your website security.
Act Now, Before You Become a Statistic
I’m not going to lie – the forecast for cybersecurity doesn’t look good. No matter how many ways we come up with to secure our websites, there always seems to be one too many opportunistic individuals out there just looking for a weakness.
As our online presence grows, so will cybercrime, leading to more damaging hacks, data breaches, and leaks. It’s also clear that everyone is at risk. Not all cybercriminals have the skills or resources to go after big corporations. Instead, they focus on easier prey, which is everywhere these days, thanks to platforms like WordPress.
However, it’s not all doom and gloom. While it may be inevitable that you are targeted by some kind of cybercrime at some point, taking a few very basic steps to secure your website and staying vigilant will already reduce your risk, and will probably be enough to send most hackers off looking for easier targets.
You can never be too vigilant. According to a report by the Ponemon Institute, businesses take an average of 191 days to realize there has been a data breach, and that’s a lot of time for issues to snowball.
That makes the key takeaway from all this to never take your website’s security for granted.