Hackers target small business websites in order to make money and gain exposure (and sometimes, just for fun). We read about large security breaches on websites of well-known brands, but please don't imagine your site is immune just because it is relatively modest in its size. Hackers can make good money from gaining access to your site and to your server to pursue their objectives. This post goes into more detail what hackers want from your site and the financial and reputational damage your business may suffer as a result.
The next post discusses what you can do to protect your website from attack.
When you go out of your house for any length of time, my guess is that you don't leave your front door wide open. That would just be inviting trouble. And yet, you may be doing something similar with your website.
Hackers are not targeting your business specifically, they have automated software scanning websites for security vulnerabilities. They don't care that you're a law firm or an accountancy practice or a biotech company or an online shop. They just want access to websites so they can make money from it or to gain exposure (which then allows them to make money in a different way). Leaving vulnerabilities on your website is equivalent to leaving your front door open.
The UK government has produced a report every year since 2016 called the Cyber Security Breaches Survey. The 2020 edition indicates that cyber attacks are on the increase. Let me give you a couple of quotes.
Almost half of businesses (46%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months.
Among the 46 per cent of businesses that identify breaches or attacks, one in five (19%) have experienced a material outcome, losing money or data. Two in five (39%) were negatively impacted, for example requiring new measures, having staff time diverted or causing wider business disruption.
These figures make sobering reading and, although it is true that larger organisations get attacked more than smaller firms, I would suggest that you cannot afford to ignore this risk even as a small or medium-sized business.
If you want to do a quick check on your website, just type your website address in this Site checker. It will run a quick scan for any obvious problems.
What do hackers gain from accessing your website?
I'm not going to go into detail here but I'll just focus on the main reasons why your site is a target.
If hackers can access your website, then they can add malicious adverts to your web pages. These will probably look like genuine adverts and so your site visitors may not be alerted to the fact that you did not put them on your site. Clicking on the advert may lead to a site trying to sell dubious products. However, it could be much worse if the advert destination a site that downloads malware on to the site visitors computer/phone.
If this happens, the reputation of your business could suffer badly.
Not the spam you get in your email but the automated and covert addition of hundreds (maybe thousands) of links on your website by the hackers. These may not even be visible as the link text may deliberately be the same colour as the background.
The reason the hackers do this is not so people will click on the links, but rather to fool Google into pushing the target websites higher up in the search results. One of the many factors which influence the search position of a web page is the number and quality of links to the page. However, this situation is unlikely to last very long as Google will soon spot that the site has been hacked and may remove it entirely from the search results until it has been cleaned.
For many business owners who suffer this type of attack, the first time they become aware of it is when they are told that their site cannot be found in Google any more.
Redirect visitors elsewhere
Hackers may hijack existing links on your site (e.g. links to other pages in the menu) to redirect your site visitors to their own sites. The objective may be similar to placing adverts on your site, as mentioned above. Instead, they may open other windows or tabs in the visitor's browser which display the hacker's sites.
In either case, the site visitors are unlikely to trust your organisation if your website behaves in this way, even if the you are unaware of what is happening.
In addition, this behaviour will not go unnoticed by Google who may remove your site from the search results.
If you store any customer or client data on your web server, then hackers will be delighted to steal this to sell on for the purposes of identity theft or a variety of other fraudulent purposes. You may have collected people's names and email addresses on your website to send them a report or simply to add them to a mailing list. If you allow people to pay for items on your website (23% of websites according to the UK government's 2020 survey), you may also be storing credit card details, address details etc, which may be even more valuable to hackers.
A friend of mine (a lady in her 70s living in Oxford) recently bought some shoes online. The following day her bank rang to tell her that there was a transaction on her VISA card for escort services in Hong Kong and asked her if this was this correct? Clearly it wasn't and the card was stopped but it was obvious that hackers had got hold of her credit card details from the website and used them. Is she going to buy from that website again? Certainly not.
Download malicious software to site visitors
Without your site visitors being aware of it, hackers can insert code into your site that gets installed on visitors' devices for various malicious purposes. This could be to try to steal data from the victim using information on their computer or phone. This could be financial or personal data which is then used for fraudulent activities. The installed software could log every keystroke on the computer and the data is passed to the hacker who can extract passwords etc to gain access to bank accounts etc. The user may remain oblivious to this unless they have good security protection on their device.
Make use of your server
If hackers can get into the server that your site runs on, then they can use that server for their own purposes. These could include,
- sending out phishing emails (trying to fool people into giving away personal of financial details)
- processing cryptocurrency transactions
- launching attacks on other websites
- Plus many others
The business owner is unlikely to be aware that this is happening, perhaps just frustrated that the website is a little slow. However, the search engines will become aware that this is happening and, in all probability, your site will be banned until the issues are resolved.
The use of excessive server resources may also lead to your site being taken down by the hosting company. This latter action may also mean that the business loses their email as well if it is hosted in the same location as your website.
That's just a brief summary of some of the bad things that can happen if security is lax on your website. It is possible (and highly recommended) to take action to stop hackers accessing your site, although there is never a 100% guarantee. Given that caveat, business should be taking regular backups of the website (and email) and storing these well away from the server so they can be retrieved intact after a breach and used to retire the site (and email).
If you would like us to carry out a more detailed security review of your website, we'd be happy to do so.
Our next post will go through actions you can take to protect your website from hackers.