Websites are sometimes referred to as the “shop windows” of the digital era for a good reason. They have the power to positively influence the way customers view your company or product, help create the perfect first impression, or build trust in your service. Or, they can do quite the opposite, especially when poorly secured. Have you ever considered that your website might be a business risk?
Imagine this: a user finally decides to purchase your product – but your e-shop is down. Or, even worse, your customer’s credit card credentials are stolen due to a vulnerability in your website. As a result, information that users submit to the website lands directly in the hands of the perpetrator.
Similarly, an attacker might display inappropriate or malicious content, for example on your homepage, that could endanger or offend your customers. “Data leaks, as well as compromised or dysfunctional websites, can harm the brand’s trustworthiness. The equation is simple: poor brand equals poor business potential,” says Martin Cambal, ESET global web development manager. The impact of a cyberattack can be even more significant when you use the website not just for presentation purposes, but to sell your products and services online.
What are the Top 10 security vulnerabilities?
See the OWASP chart, a standard awareness document for developers and web application security.
While most experts recommend that businesses communicate transparently about cyberattacks, and regulations demand it in some cases of data breach, some businesses decide to rebrand in the belief that they wouldn’t be able to restore the brand image. In 2015, for example, the dating site Ashley Madison, belonging to the social entertainment company Avid Life Media, which connected clients searching for (extramarital) affairs, was attacked. Hackers exposed the personal information of nearly 37 million users, including their names, addresses, and secret sexual fantasies.
As Karen Robson and Leyland Pitt state in a study published in 2018: “In the aftermath of the attack, Avid Life Media and Ashley Madison have undergone a number of changes in an effort to rebuild and rebrand.” A few weeks later, the CEO of Avid Life Media stepped down, and in 2016, the company rebranded to Ruby Corp., changing the signature tagline as well as the brand imagery. Interested in more details? Read the story that analyzed the key events of the breach.
Lesson learned: Whereas sometimes hackers aim only to shut down the website, in most cases, they want to steal accounts with customer data, and possibly sell it. Since data breaches are widely talked about and the information tends to be published all over the media – or on specialized websites like HaveIBeenPwned – brand credibility suffers.
Blacklisted by search engines
“This site may be hacked” – ever seen this message in Google search results? The search engine can identify potentially harmful pages. Your website, if compromised, can appear among them.
What is more, Google has been removing hacked sites from the search results. Apart from search engines, antivirus software also detects potentially hacked websites and discourages its users from visiting them.
The uninvited spy
Whereas some cybercriminals let you know that they hacked your website, others stay undercover. “Spying on the competitor, monitoring the number of orders on particular e-shops, stealing crucial data … There can be many reasons why they break into your website. I’ve seen situations when, for example, a price comparison portal received an anonymous email with contacts of 30,000 business owners of e-shops in the Czech Republic. Obviously, the company did not pay anything and ignored the offer. But this experience shows that monetizing data can be one of the motivations for hackers to secretly spy on your site,” recalls Cambal. “Also, attackers sometimes scan your website for vulnerabilities, and if they find some, they tell you more only if you pay – which should be out of the question.”
And there are also the so-called script kiddies, who can harm your company website too. These relatively unskilled individuals take advantage of scripts or programs developed by others, using them to crawl through the website’s code, looking for vulnerabilities. If they are able to upload documents to the site, they can also change its visual appearance or its content. “This can cause servers to overload, so the website shuts down, and customers can’t – among other things – purchase any products,” adds Cambal. This may result in lost earnings and an unpleasant customer experience – and extra costs that are necessary to fix the trouble.
More sophisticated attacks might disable only a part of the website, for example, the paywall. “When not monitoring the server log files properly, companies might not think the problem was caused by a cyberattack and thus start looking for the error in the website apps they develop,” explains Cambal. “In this manner, they’re losing time and money too – the longer the paywall’s down, the longer it is impossible for visitors to shop.” Remember that by securing your website, not only do you protect your brand’s reputation, but also your customers.
“The traffic on ESET’s website is very high, that’s why the proportion of bot traffic may seem quite low. But in the case of companies with websites that have around 1,000 visitors per day, the proportion of bot traffic on servers can climb up to 80%. The number of visits you see, for example, in Google Analytics, does not provide an overall picture of the total number of requests. Therefore, monitoring access logs is very important,” says Martin Cambal, ESET global web development manager.
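A starting point for the access-log monitoring described above, measuring both the bot share of requests and server errors per path (such as a failing checkout). This is an added example, not code from ESET or the original article. It assumes the server writes the Apache/nginx "combined" log format; the sample lines, the user-agent patterns and the function name `analyze` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "python-requests/2.31.0"
198.51.100.9 - - [10/Mar/2024:10:00:04 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "python-requests/2.31.0"
203.0.113.5 - - [10/Mar/2024:10:00:05 +0000] "POST /checkout HTTP/1.1" 502 0 "https://shop.example/cart" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
192.0.2.44 - - [10/Mar/2024:10:00:06 +0000] "GET /products HTTP/1.1" 200 900 "-" "curl/8.4.0"
192.0.2.61 - - [10/Mar/2024:10:00:07 +0000] "POST /checkout HTTP/1.1" 502 0 "https://shop.example/cart" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) Safari/605.1.15"
192.0.2.80 - - [10/Mar/2024:10:00:08 +0000] "GET /products HTTP/1.1" 200 900 "-" "-"
garbage line that is not a request
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Illustrative heuristic: self-declared crawlers, scripted clients, empty UA.
# The User-Agent is client-controlled, so this is a lower bound on bot traffic.
BOT_UA_RE = re.compile(r'bot|crawl|spider|curl|wget|python-requests|scrapy|^-?$', re.I)

def analyze(log_text):
    """Return request totals, bot share and 5xx counts per path."""
    total = bots = malformed = 0
    server_errors = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1          # keep count: unparsed lines hide traffic
            continue
        total += 1
        if BOT_UA_RE.search(m["ua"]):
            bots += 1
        if m["status"].startswith("5"):
            server_errors[m["path"].split("?")[0]] += 1
    share = bots / total if total else 0.0
    return {"total": total, "bots": bots, "bot_share": share,
            "server_errors": dict(server_errors), "malformed": malformed}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

None of the bot requests in the sample would appear in a JavaScript-based analytics report, and the repeated 502 responses on `/checkout` are visible only in the server log.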