Website security updates can be frustrating to implement, but they ultimately prevent cyber criminals crow-barring their way into your online business and causing damage.
The longer you neglect your site’s security, the more open your site and business is to damage, no matter how big or small your company is.
What are security updates?
Security updates fix vulnerabilities in systems to prevent them being exploited by unauthorised users. Phones, tablets, computers, browsers and indeed websites or content management systems (CMS) such as WordPress or Drupal use code to function, and it’s weaknesses in the code that hackers exploit.
As technology is always being improved and functions added, the hackers follow suit by looking for new loopholes and vulnerabilities in the coding. These holes need to be ‘patched’ and it is the security updates that provide these patches to keep your systems secure.
Why would hackers want to target my small business?
There are plenty of high profile hacking stories in the news where thousands of customers’ details have been stolen, or where websites have been brought down with DDoS (Distributed Denial of Service) attacks, and to the small business owner this can seem like a very unlikely scenario to happen to them.
However, hackers don’t care if your business is large, small or medium-sized. They are simply after easy pickings, and are constantly working on new ways to breach your security. Their automated ‘bots’ scour the internet looking for weakness, and they don’t make a distinction on whether you are a small family business or an international bank. If your website is insecure, they can break in.
We haven’t done security updates before, so why now?
Many organisations do not make security updates to their websites because there is:
- little time to update or there are other priorities in the business
- no expertise in the company to make the site more secure
- a fear of the update causing site downtime
- no perceivable benefit to the updates
Particularly for small businesses it is understandable that security updates can be overlooked or considered a low priority. However, regularly updating your websites security is essential, because new ways of exploiting site security are constantly being discovered, and organisations are not always fully aware of the risks involved.
What damage can cyber-criminals do to my business?
To understand the risks, it helps to understand how hackers operate, and what they gain from their activities. The main cyber-criminal activities can be grouped into the following themes:
- Defacing involves editing or replacing content on your site and is sometimes known as ‘digital graffiti’. This could be a targeted attack to undermine your clients’ trust in your business, or perhaps something politically motivated to further someone else’s message.
- Spamming sends out emails, sometimes with advertising and sometimes with phishing scams. Messages are often sent out repeatedly and in bulk, and it could be to any email address including those associated with your website or hosting. Your server can be blacklisted because of spamming, preventing you from sending legitimate emails.
- Phishing exploits the trust of a user to obtain login details, personal details or financial information. This can be used to gain access to email inboxes or other password protected areas.
- Malware is designed to infect a system and cause it harm, making changes against the user’s will and knowledge. It’s a general term covering anything from viruses to advertising software (adware). It can force the user into a network of other hacked devices controlled remotely by the hacker. These networks are often used for DDoS attacks.
- DDoS attacks use the network of devices behind them to bombard a site or system with waves of traffic or requests that overwhelm the system and take it offline. Your site could be a victim of this, or if it is part of the network used to attack others, it could be taken offline by your host or server provider when it is detected. Some of these attacks, e.g. DDoS, will also affect other websites on the same server. So when you are considering your hosting options please check if your provider applies security updates to all the software.
- Content injection is a black hat SEO technique (Search Engine Optimisation in violation of the search engine guidelines) that involves inserting links to other websites into your site. This could be to increase the traffic of another website or to generate click-through revenue. Some of these will be visible and some of them won’t be, but search engines will be able to find them and may blacklist your website from SERPs (Search Engine Results Pages) meaning your customers wouldn’t be able to find you.
- Interception of data perhaps containing credit card numbers or addresses is a possibility on insecure sites. The data is used by criminals to sell on, make purchases and all sorts of other criminal activities. If your site handles this kind of information, and you have not taken appropriate measures, such as installing security updates and implementing HTTPS (SSL) to encrypt data for all sites that take payment online, then you could be prosecuted under the UK Data Protection Act (under paragraphs 18-27).
Any of these types of attacks are bad for business. Your site could go down completely or your customers could become confused or annoyed at suspicious emails or advertising emails not related to your brand. In extreme cases personal details of your clients or commercially sensitive data could be stolen. Your website could also suffer a fall in traffic and rank due to search engine algorithms no longer classing your site as trustworthy.
Can cyber attacks cause damage to the server?
Certain cyber attacks have the potential to overload the server, which would effectively shut it down, resulting in all websites on it going offline.
If a server is hacked, the worst case is that the cyber criminal can do what they like with any website on it. That would be a very targeted attack however, and can be prevented by good hosting providers configuring the site properly.
What security measures can help against these threats?
- Strong password security helps to strengthen what is often the weakest link in a system. Alberon’s article Keeping passwords secure gives advice on what steps to follow. Password managers are a good way to keep track of the different passwords you use.
- Security updates help keep your website secure from known vulnerabilities in the CMS software. Additionally, the server software should be updated regularly. This is the responsibility of the company hosting your website – so be sure to check your hosting company has these measures in place. Alberon do these as a standard part of our hosting package.
- Monitoring Google Analytics could highlight any negative trends in your site traffic or other statistics that may be the result of hacking activity. Naturally any negative trends could also be down to your own site design and content or changes in market demand.
- Implement HTTPS (SSL) to encrypt data as it travels between your server and the browser, making it useless to hackers if intercepted. Our article Protecting your website with HTTPS explains more.
- Only using trusted plugins by well-rated developers in the community will avoid the risk of poor code changing other features and functions on your site and invalidating them.
Are there any disadvantages to security updates?
Updating one area of your website or one plugin can break others where the functionality interacts in the coding. Problems can also occur when a bad update has new bugs in it.
To mediate these risks, it is always best to get an experienced developer or a web development agency to implement and carefully test the updates in a controlled environment, before moving the changes to your live site.
What should I do now?
If you want to increase your website’s security beyond the steps outlined above, it is worth talking to Alberon’s team of developers. We can offer the expertise to help protect your website from threats, including updating and monitoring them on an ongoing basis.
Get in touch to find out how we can help keep your website safe and secure.