Personal data is very valuable and infinitely more accessible - likely the reason data breaches increased by 40% in 2017 compared to 2016.[1] In 2017, over 170 million records were compromised, and cost businesses an average of $3.3 million per breach.[2,3] If you’re not sure what vulnerabilities your business has, let our security experts perform an audit for you.
Is your website vulnerable?
Yes. Every website is vulnerable because every website has valuable resources. While hackers might compromise a website just for fun, the motive is most often to steal personal data or server resources for repurposing or resale.
Why do hackers want to hack websites?
- For fun
- Steal server resources
- Host malicious content or software
- Steal user data and personal information
- Steal financial information
- Send spam/phishing emails
You might think that because your website is small or doesn’t get much traffic, a hacker wouldn’t waste time on it. Not necessarily. In fact, a low-traffic site can be ideal for a hacker looking to steal server resources, because the intrusion is likely to go unnoticed for longer.
Once inside the server or back-end of the website, a hacker can run malicious software, send phishing emails, or host content under the cover of your domain name and reputation. This is very common with open-source website platforms such as WordPress, Drupal, and Joomla!, as these are often easily compromised.[4]
Data breaches are only going to increase, especially with the expansion of the web into new areas of the world. So what steps do we take to ensure we protect our information and any left behind by our website’s visitors? Continue reading to learn more about protecting data on the web.
How to reduce the chances and impact of a data breach:
Security isn’t always top of mind within an organization, although, ideally security would be part of the fabric of company culture. There are many steps that you can take to improve security throughout your organization. Here’s how to get started.
Document how data is handled and processed within your organization, and by whom
Documenting how your organization’s data is handled, and who has access to it, is key. If there were ever a data breach, this would likely be one of the first questions from the auditor. The data in question might be minor, such as information gathered from a basic contact form on the website, or far more sensitive, such as credit card or social security numbers.
Documentation is also at the foundation of recent major changes in the EU under the GDPR. Essentially, having contingencies and procedures in place for responding to a breach or hack is just as important as any preliminary security hardening you do to lock down your company’s information before a breach occurs.
Secure the connection between your website and the user by installing SSL
If you haven’t already, install SSL (today, in practice, a TLS certificate) on your website. We’ve made a huge push to get all of our clients to use SSL, as this has become one of the quickest, cheapest, and easiest ways to improve your website’s security and protect the data users transmit while on your website.
You can purchase an SSL certificate from a number of vendors (we typically purchase ours through Let's Encrypt), and install the certificate on your website’s server.
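The following is an added example of what "installing SSL" looks like on a web server; it is not configuration from the original post or from the agency that wrote it. It assumes nginx, a site named example.com (a placeholder), and a certificate obtained from Let's Encrypt with certbot, which writes its files under /etc/letsencrypt/live/ by default. The first server block is the plaintext-only setup this section argues against; the blocks after it serve all real traffic over TLS and redirect HTTP visitors there.

```nginx
# BEFORE: plaintext-only server block. Everything a visitor submits
# (form fields, passwords, session cookies) crosses the network unencrypted.
server {
    listen 80;
    server_name example.com www.example.com;   # placeholder domain
    root /var/www/example.com;
}

# AFTER, block 1: port 80 only answers the Let's Encrypt validation
# request and redirects everything else to HTTPS.
server {
    listen 80;
    server_name example.com www.example.com;

    # HTTP-01 validation: the ACME client must be able to place a file here
    # and Let's Encrypt must be able to fetch it over plain HTTP.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Permanent redirect keeps old links working while forcing TLS.
    location / {
        return 301 https://$host$request_uri;
    }
}

# AFTER, block 2: the real site, served over TLS.
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    root /var/www/example.com;

    # Default paths written by certbot; adjust if your ACME client differs.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Refuse the obsolete protocol versions (SSLv3, TLS 1.0, TLS 1.1).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers that have seen this header will not try plain HTTP
    # to this host (or its subdomains) for the next year, even if a link
    # or a network attacker points them at http://.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

After editing, run `nginx -t` to syntax-check the configuration before reloading. Let's Encrypt certificates are valid for 90 days, so make sure the ACME client's renewal job (certbot installs a timer or cron entry for this) is actually running; an expired certificate produces a browser warning that drives visitors away just as surely as no certificate at all.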
Ensure security of any third-party vendors
Most websites rely on third-party services to manage specific assets or functions, and in many cases these services store valuable information. That information is much more exposed if the services storing it are outdated and riddled with known security gaps.
Version updates are the usual way a service fixes known security vulnerabilities. Applying these updates as soon as they are available and stable helps protect data from attack. If your plugins, CMS, etc. are behind, we can get you up to date pretty quickly.
Improve employee security awareness
According to information posted by the Identity Theft Center, more than 10% of data breaches in 2017 were due to employee negligence or improper handling of sensitive information. Establishing security protocols and investing in employee security training is a great way to ensure everyone understands how information should be handled.[5]
Some other considerations to help improve information security:
- Disable/remove Flash from your website
- Encourage use of current, up-to-date browsers (Chrome, Firefox, Safari)
- Regular password changes for account directories and admin consoles
- File backups
- Wipe and remove old user/employee accounts from internal and external systems
- Monitoring and alerting
Improving security is a small investment compared to the cost of a data breach
IBM’s Cost of Data Breach Study from 2017 reports a 10% decrease in the average cost of a data breach compared to 2016’s $3.62 million average. The cost per record also decreased, from $158 to $141, but the number of records compromised per breach grew 2%.[3]
Although it is great to see these numbers decreasing, the investment required to improve security and avoid a breach in the first place is pennies compared to the potential penalty for a breach; nor would these internal procedures attract negative attention from the press or damage brand reputation the way a breach does.
Take for example the largest recorded data breach in history, which occurred in 2014 when Home Depot’s credit card terminals were compromised and over 50 million emails and credit card numbers belonging to unsuspecting customers were hijacked. The company is still feeling the effects, most recently in March of 2017, when it agreed to pay $27.5 million to affected financial institutions. Ultimately, the breach has cost the retailer $179 million in total, including payments to credit card companies, individual lawsuits, and various fines.[6]
Since the breach, Home Depot has begun using a risk-exception process to track and manage its data security, conducts annual reviews of service providers and vendors that have access to payment card information, and has implemented a security-control framework. Home Depot has also hired a Chief Information Security Officer (CISO) and now applies enhanced encryption to payment card data.[6]
Information security should be a top focus in 2018
Increases in security breaches year over year, coupled with the wider availability of the web and the growing use of web-based tools, should make information security a top priority in 2018. At the very least, your company should be taking the fundamental precautions: installing SSL on the company’s website, changing passwords regularly, and updating any third-party services used to help run the business.
Of course, more in-depth and long-term actions can be taken to improve information security. Employee security training, documentation of data movement and processing, and contingency plans for reacting to a breach or hack attempt are excellent ways to avoid and combat an attack.
Whatever the approach, there should be someone on your team proactively dedicated to ensuring the security of the company’s information.
Our security experts will work alongside your team to ensure you’re doing all you can to protect your business and your users. We can also perform security audits to locate where your biggest vulnerabilities might lie, and provide recommendations on how to patch them. Get in touch.