They're out there. The hackers, the bad guys, the black hats are after your personal information, your clients' personal information and, worse, your identity. It can be a shock when it happens to you, because you assumed you were taking precautions. Unfortunately, you may have been living under the impression that some widely held myths about web security were true. Here are some myths and misconceptions that could put your website at serious risk.
Hackers aren't interested in me
Those are the words most hackers want to hear. Most attackers don't pick you; they pick whatever is vulnerable. If they can get into your computer or website, they will use it for whatever pays, and banking credentials are just one of the targets in their sights. They can:
- Harvest corporate account credentials
- Gain access to your personal information and that of your clients and employees
- Take over your server and use it for spam, malware hosting or attacks on other sites
- Or simply ruin you.
They may even clone your site and redirect your visitors to a copy where bad things happen.
It's all done with bots, and they will find you. Like search engines, attackers run automated scanners that crawl the web, millions of requests at a time. When one reaches your site it can tell, within seconds, which software and which versions you run: the web server and language versions from response headers, the CMS from its directory layout and generator tag, plugins and themes from asset paths, and when the site was last updated. The scanner reports this back, and the attacker, or another bot sent your way, decides whether those versions are worth attacking. Go to www.builtwith.com and enter your website URL: what it shows you is roughly what such a bot collects. Scary, isn't it?
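To make the fingerprinting concrete, here is an added example (not from the original article, and not how builtwith.com works internally) that takes a constructed HTTP response and pulls out the facts a scanning bot collects: server and PHP versions from headers, the CMS from its directory layout, plugins from asset paths, and component versions from the `?ver=` query strings WordPress appends to scripts and stylesheets. The sample response, paths and version numbers are made up for the demo. A second function maps each disclosure to the setting that suppresses it.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample: one HTTP response (status line, headers, HTML body) of
# the kind a scanning bot receives when it fetches a homepage. Not a real site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Last-Modified: Tue, 12 Mar 2019 09:14:02 GMT
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 5.1.1" />
<link rel="stylesheet" href="/wp-content/themes/twentynineteen/style.css?ver=1.3" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.1.1" />
</head><body>Hello</body></html>
"""


def fingerprint(raw: str) -> Dict[str, object]:
    """Extract what a bot learns from a single response: server software,
    language runtime, CMS, installed plugins and component versions."""
    head, _, body = raw.partition("\n\n")
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    generator: Optional[str] = None
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I)
    if m:
        generator = m.group(1)

    # Directory layout gives the CMS away even if the generator tag is removed.
    cms = "WordPress" if ("/wp-content/" in body or "/wp-includes/" in body) else None

    # Plugin slugs appear in the paths of their own CSS/JS assets.
    plugins: Set[str] = set(re.findall(r"/wp-content/plugins/([^/'\"]+)/", body))

    # WordPress appends ?ver=<version> to enqueued assets; that leaks the
    # versions of core components, themes and plugins.
    versions: Dict[str, str] = {}
    for path, ver in re.findall(r'(?:href|src)="([^"?]+)\?ver=([^"&]+)"', body):
        versions[path.rsplit("/", 1)[-1]] = ver

    return {
        "server": headers.get("server"),
        "powered_by": headers.get("x-powered-by"),
        "last_modified": headers.get("last-modified"),
        "generator": generator,
        "cms": cms,
        "plugins": plugins,
        "asset_versions": versions,
    }


def exposure_report(info: Dict[str, object]) -> Dict[str, str]:
    """Map each disclosure to the setting that suppresses it. Hiding versions
    does not fix anything; it only stops the cheapest targeting. Patching does."""
    fixes: Dict[str, str] = {}
    if info["server"] and "/" in str(info["server"]):
        fixes["server"] = "Apache: ServerTokens Prod (drops the version from the Server header)"
    if info["powered_by"]:
        fixes["powered_by"] = "php.ini: expose_php = Off"
    if info["generator"]:
        fixes["generator"] = "WordPress: remove_action('wp_head', 'wp_generator')"
    if info["asset_versions"]:
        fixes["asset_versions"] = "strip the ?ver= query string from enqueued assets"
    return fixes


if __name__ == "__main__":
    found = fingerprint(SAMPLE_RESPONSE)
    for key, value in found.items():
        print(f"{key}: {value}")
    print("suppress with:", exposure_report(found))
```

Removing the version strings raises the cost of targeting a little, but a scanner can still probe for known files and behaviour, so treat this as hygiene rather than protection. The real fix is staying patched, which is what the next two myths are about.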
My website was built a year ago and it was secure
Even though your website was built by professionals 365 days ago, and it was secure then, it may not be today. New vulnerabilities are found in CMS platforms, plugins, themes and server software all the time, and attackers start scanning for them as soon as they become public. Your PC is a good analogy: operating system and antivirus vendors push updates to millions of machines because what was safe yesterday isn't safe today.
I updated my website, so I'm all set
You may be up to date today, but how do you know they didn't break in while you were vulnerable? Once in, attackers plant 'back doors': hidden entry points such as a web shell dropped into an uploads folder, a few lines appended to a core file, or an extra administrator account, so they can get back in any time they want. Updating your website closes the original hole but leaves the back door in place. The only way to find and eliminate back doors is a security scan and a code audit: compare the files on your server against the original distribution of the same CMS, plugin and theme versions, and investigate anything that has been changed, added or removed.
If they break in, I will just have my website fixed
No, you may lose your whole investment, which might amount to tens of thousands of dollars. Hundreds of executives have called me over the years saying that their site has been hacked and their developer can't fix it. In fact most of our clients came to us this way. If your website developer didn't use a proper source repository and backup system, you have probably lost your investment. Sometimes we can go in and solve the problem, but often there is so much damage that it's cheaper to start over. Make sure your web developer keeps the site in a source code repository such as Git or SVN and takes daily, weekly and monthly backups, stored somewhere the web server itself cannot overwrite. You may have to roll back to an older version that hasn't been hacked, so the backups must go back further than the break-in.
I don't store customer data, so it won't affect my customers
This is not true. What if the bad guys take control of your site and you can't get it back? What if they duplicate your site and send some of your traffic to something that looks like your website but is a scam? What if they just decide to mess with your customers? Sharp college kids could send bots out, break in and have fun with your customers. They get a kick out of destroying your business.
SSL keeps me secure
Secure Sockets Layer, and its modern successor TLS, is a protocol that encrypts the traffic passing between the server and the browser, so that someone on the network in between can't read or tamper with it. That is all it does. It says nothing about whether the server or the application behind it is secure: an outdated CMS, a weak administrator password or a vulnerable plugin is just as exploitable over HTTPS as over HTTP, and the padlock in the browser only tells your visitors they are talking to your server, not that your server is safe. A determined attacker doesn't break through the encryption; they go around it. Treat SSL/TLS as necessary but not sufficient, and keep its configuration current too, since obsolete protocol versions and cipher suites have known weaknesses.
What should you do?
Don't lull yourself into a false sense of security. Use due diligence to check and recheck your security posture. Secure your server from attack, identify outdated or redundant security measures, and apply repairs immediately. You need the following:
- A source code repository and backups
- Routine application maintenance, in which your CMS, plugins and themes are updated with security fixes
- Periodic security scans to test your website for vulnerabilities or 'back doors'
- Periodic security audits where penetration testing is done.