Securing Your Business from Web Attacks

Oliver Neal

Consultant - Cyber Incident Response Team, Pragma Europe.

The current risk …

There is a clear distinction between being attacked and getting hacked: you will be the target of attackers; whether or not they succeed is up to you.

It is inevitable that any business operating a website, be it an online store, a blog, or a service-based site, will be attacked. The process is predictable: first, the attacker looks for vulnerabilities, either by manually probing the site's functions or by running freely available scanners against it. Having found one, the attacker exploits it, typically to plant malware on the hosting server or to extract and steal data.

At this point, the website being attacked has been hacked.

Once a website is hacked, disruption to the business follows quickly, though its severity varies. It may include, but is not limited to:

  • Incapacitation of the affected website, to the point where it is inaccessible to customers.
  • Exfiltration of client and customer data, which can then be held to ransom or published online, bringing regulatory fines and dissatisfied clients.
  • Theft of cardholder data or credentials, which can lead to further investigation by governing bodies.
  • Abuse of the hacked website to host malware or adware, monetising the business's web server for the attacker while consuming its resources.

Many owners of small to medium-sized businesses mistakenly assume their enterprise will escape the attention of online criminals. In fact, these businesses face an increased threat of security breaches, because they often rely on content management systems such as WordPress to establish a website quickly and inexpensively without designing one from scratch.

While convenient, this widespread use of content management systems creates opportunities for cybercriminals. Currently, roughly 43% of all websites use WordPress as their content management system. Even though WordPress core is continually updated and reviewed for security, the plugins that extend the open-source project are frequently vulnerable and lack proper security features. Attackers know about these vulnerabilities and scan hundreds of thousands of sites looking for them.

This is why small to medium-sized businesses need to be aware of common website vulnerabilities and attacks in order to protect themselves and their customers. Attackers are not deliberately targeting you: they are looking for anyone they can find, and you need to make sure they don't find you.

What you can do … 

While most businesses outsource the hosting and development of their websites, the developer is often chosen on price or availability. Security can look more expensive in the short term, but it is cheaper in the long run: you will be attacked eventually, and guarding against it now costs far less than cleaning up later. Most competent developers know how to develop securely, but they often need to hear that it is also a priority for you.

Here are three questions to ask your developers about their security practices:

  1. Do you hold any accreditation that identifies secure cyber business practices?
  2. What frameworks do you follow to ensure you create secure products?
  3. What are the models you use to secure sensitive data?

What more you can do …

In addition to asking the questions above, here are our recommendations for enhancing the security of your website and protecting your data. Following them will let you defend against most automated attacks and begin to defend against targeted ones:

  • Perform quarterly external and internal Vulnerability Assessments (VA) to identify and remediate vulnerabilities. If you use cloud-hosted services, make sure they are in scope too.
  • Perform a Penetration Test (PT) annually against every website and database you own.
  • Implement patch and update management, covering the CMS core as well as its plugins and themes, so that systems are not running vulnerable older versions.
  • Protect against SQL injection and XSS by validating all user input against what the application considers acceptable. Validation on its own is not enough: use parameterised queries (prepared statements) for every database access, and encode output for the context in which it is rendered (HTML text, attribute, JavaScript) so that stored data can never become script.
  • Install and regularly run malware scanning with more than one engine, including a PHP malware scanner over the web root, so that malicious files (for example a web shell hidden in an uploads directory) are not missed by a single product.
  • Integrate File Integrity Monitoring (FIM) to baseline the files on your website and alert on any change, so that malicious modifications such as an altered core file or a newly dropped script are detected.
  • Minimise the personal data the website itself holds: where possible, store only a customer ID on the web-facing system and keep the Personally Identifiable Information (PII) elsewhere. This avoids unnecessary PII exposure in the event of a breach or leak.
  • Move admin pages to a custom, non-guessable path shared only with the relevant administrators. This cuts the noise from automated scanners, but it is not a substitute for strong passwords, multi-factor authentication and rate limiting on the login page.
  • Maintain proper logging for all website functionality and monitor the logs to identify potential attacks, such as bursts of login attempts or a single client requesting many pages that do not exist. Pragma recommends backing up all logs once every six months.
  • Maintain backups of the web server and any database servers, following the 3-2-1 rule: keep 3 copies of the data, store 2 of them on different storage media, and keep 1 offsite. Test the recovery process regularly to confirm it works; every three months is recommended.
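The point about SQL injection and XSS above (validate input, but also parameterise queries and encode output) is easiest to see side by side. The following is an added example and is not code from the original article or from WordPress: it is written in Python against an in-memory SQLite database so it runs offline, with the table, its rows and the attacker's inputs constructed for the demonstration. The same distinction applies in PHP, where the safe form is a PDO prepared statement or WordPress's $wpdb->prepare().

```python
"""Added example, not code from the original article: the same user lookup
and page rendering written the unsafe way and the safe way. It runs against an
in-memory SQLite database so it works offline; the table, its rows and the
attacker's inputs are constructed for the demonstration."""
import html
import re
import sqlite3

# Constructed sample data: two users, one of whom chose a display name that
# contains HTML. Nothing about it is invalid, which is why validation alone
# cannot protect the page that prints it.
SAMPLE_USERS = [("alice@example.com", "Alice"), ("bob@example.com", "<b>Bob</b>")]


def make_db() -> sqlite3.Connection:
    """Builds the in-memory database used by the functions below."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, display_name) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds SQL by string concatenation, so the input becomes part of the query.
    With email = "' OR '1'='1" the WHERE clause is true for every row."""
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the value is bound by the driver and is never parsed
    as SQL. (PHP equivalents: PDO prepared statements or WordPress's
    $wpdb->prepare().)"""
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


# Input validation: an allow-list of what an e-mail field may look like.
# The pattern is an assumption for this example, not a full RFC 5322 check.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_valid_email(value: str) -> bool:
    """Rejects the injection string above, but is a first line of defence only."""
    return len(value) <= 254 and EMAIL_RE.match(value) is not None


def render_greeting_vulnerable(display_name: str) -> str:
    """Interpolates stored data straight into HTML: stored XSS if the name
    contains markup."""
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_safe(display_name: str) -> str:
    """Encodes for the HTML text context, so markup in the name is shown, not run."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"
    print("vulnerable lookup:", find_user_vulnerable(db, attack))  # every user
    print("safe lookup:      ", find_user_safe(db, attack))        # nothing
    print("validated?        ", is_valid_email(attack))            # False
    payload = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(payload))
    print(render_greeting_safe(payload))
```

Note that the validator rejects the injection string but happily accepts Bob's display name; only the output encoding stops that name from being rendered as markup, and only the parameterised query stops the lookup from returning every user.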
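For the File Integrity Monitoring recommendation, the following added example (not the article's or any vendor's code) shows the core of what a FIM tool does: hash every file under the web root, keep that as a baseline, and later report what was added, removed or modified. The sample site layout and the simulated compromise are constructed inside a temporary directory so the script runs offline; the file names are illustrative only.

```python
"""Added example, not the article's or any vendor's code: a minimal file
integrity monitor. It hashes every file under a web root, saves that as the
baseline, and later reports what was added, removed or modified. The sample
web root and the simulated compromise are constructed inside a temporary
directory so the script runs offline."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streams the file through SHA-256 so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Maps each relative file path under root to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compares two snapshots; anything in the three lists should raise an alert."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline.keys() & current.keys()
            if baseline[name] != current[name]
        ),
    }


def demo() -> dict:
    """Builds a constructed mini WordPress-style layout, baselines it, then
    simulates an attacker editing a core file and dropping a new script."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "plugins" / "example").mkdir(parents=True)
        (root / "wp-content" / "uploads").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php'; ?>\n")
        (root / "wp-content" / "plugins" / "example" / "example.php").write_text(
            "<?php /* Plugin Name: Example */ ?>\n"
        )
        baseline = snapshot(root)  # in practice, store this outside the web root

        # Simulated compromise (constructed): one line appended to a core file,
        # and an unexpected PHP file in a directory that should only hold media.
        with (root / "index.php").open("a") as fh:
            fh.write("<?php /* injected content */ ?>\n")
        (root / "wp-content" / "uploads" / "cache.php").write_text(
            "<?php /* dropped file */ ?>\n"
        )

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s} {names}")
```

Two design points matter in practice: the baseline must live somewhere the web server's user cannot write (otherwise whoever altered the files can alter the baseline too), and a new .php file under an uploads directory is worth alerting on even when no existing file changed.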
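The logging recommendation above mentions two patterns worth watching for: bursts of login attempts and one client hitting many pages that do not exist. As an added example (not code from the original article), here are those two detections run over web-server access-log lines in the common/combined format that Apache and nginx write by default. The log lines are constructed for the example and use documentation-only IP addresses; the alert thresholds are assumptions to tune for your own traffic.

```python
"""Added example, not code from the original article: two simple detections
run over web-server access-log lines in the common/combined format that Apache
and nginx write by default. The log lines are constructed for the example and
use documentation-only IP addresses; the alert thresholds are assumptions."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Returns a dict with ip, time, method, path (query string stripped) and
    an int status, or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def detect(lines, login_threshold: int = 5, not_found_threshold: int = 10) -> list:
    """Flags (a) one client POSTing to wp-login.php repeatedly, which is what a
    brute-force or credential-stuffing tool looks like, and (b) one client
    collecting many 404s, which is what a vulnerability scanner looks like."""
    login_posts = Counter()
    not_found = Counter()
    probed_paths = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not allowed to crash the monitor
        if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
            probed_paths[rec["ip"]].add(rec["path"])
    alerts = []
    for ip, n in login_posts.items():
        if n >= login_threshold:
            alerts.append(("login_bruteforce", ip, n))
    for ip, n in not_found.items():
        if n >= not_found_threshold:
            alerts.append(("scanner", ip, n))
    return sorted(alerts)


def build_sample_log() -> list:
    """Constructed traffic: a normal visitor, a brute-force attempt, a scanner,
    and one malformed line."""
    fmt = ('{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] '
           '"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')
    lines = [
        fmt.format(ip="192.0.2.10", sec=1, method="GET", path="/", status=200),
        fmt.format(ip="192.0.2.10", sec=2, method="GET", path="/about/", status=200),
        fmt.format(ip="192.0.2.10", sec=3, method="GET", path="/old-page/", status=404),
    ]
    for i in range(6):  # six login attempts from one address within seconds
        lines.append(fmt.format(ip="203.0.113.5", sec=10 + i, method="POST",
                                path="/wp-login.php", status=200))
    probes = ["/.env", "/backup.zip", "/wp-config.php.bak", "/phpmyadmin/",
              "/.git/config", "/xmlrpc.php.old", "/adminer.php", "/db.sql",
              "/wp-content/debug.log", "/config.php.save", "/.htpasswd", "/test.php"]
    for i, path in enumerate(probes):  # twelve misses from one address
        lines.append(fmt.format(ip="198.51.100.7", sec=20 + i, method="GET",
                                path=path, status=404))
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for kind, ip, count in detect(build_sample_log()):
        print(f"ALERT {kind}: {ip} ({count} events)")
```

The normal visitor's single 404 stays below the threshold, so it does not alert. A real deployment would add a time window to the counters and feed alerts into whatever the business already uses for notification, but the counting logic is the same.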

It is no surprise that the increased digitisation of business operations has prompted an increase in cybercrime. The benefit of having business websites publicly accessible 24/7 for customers and clients carries with it the drawback of being constantly probed by cybercriminals looking for something to exploit. Attacks are inevitable, but a successful hack is not: being knowledgeable and prepared is what prevents it.

About Pragma

Pragma is a global Cyber Security and Regulatory Consulting firm that helps leading businesses, governments, and not-for-profit organisations strengthen cyber and regulatory resilience with a pragmatic approach.
