People read or hear about breaches in the press on a regular basis, and website breaches are one of the largest categories of breaches that take place. These don't just affect large corporates; they affect Small Organisations as well, especially since they often don't have the expertise to secure their websites. Here we look at what Small Organisations can do to secure their websites.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and CISO of Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.
Introduction to Website Security for Small Organisations
Today we're looking at website security for Small Organisations. For many Organisations, their website is the first point of contact for customers to find out what they do and anything and everything about them. And because it's the shopfront to the world, it's important to get the security right.
Small Organisations’ Website Risks
Let’s have a quick look at why it is that Small Organisations’ websites are possibly at greater risk than those of larger Organisations. Small Organisations often base their thinking on a lack of information or on inaccurate information, rather than on a risk assessment of their website. Some examples of this thinking include:
- The mistaken belief that they won’t be a target because they are not large enough to be of benefit to attackers. In the belief that they won’t be targets, small organisations often don’t even put in the very simple security measures that they should. Without those simple measures, a website is more easily flagged as weakly protected by the automated reconnaissance tools attackers use. Once a site has been flagged, the same automated tooling typically goes on to probe for other simple vulnerabilities.
- Some Small Organisations which have static websites (which means that the website information is stored like pages in a Word document rather than in a database) assume that because they only have a simple website they won’t be attacked. What is misunderstood is that attacker tools are simply looking for any vulnerability on any IP address – and the simplest of websites can have these just as easily as dynamic websites.
- The belief that “we don’t need security now, we’ll just add it later, as we grow” is misplaced faith when it comes to websites. Many years ago, there used to be studies measuring how long a computer connected to the internet would remain free from any automated probing. This magic number came down to a few seconds before the usefulness of the exercise was abandoned. We know that IP addresses connected to the internet are now scanned continuously by automated tools run by both legitimate and criminal actors. The assumption that a website won’t be attacked until it has grown is wrong, and it leads either to the Organisation being put out of operation by the effects of an attack, or to its website spreading malware to its visitors.
- Another mistaken belief we hear often is that “since we are not an ecommerce site selling anything, we won’t be attacked”. It is true that attackers usually want to monetise their efforts, but a compromised website provides multiple opportunities to do so.
- Next, there is the belief that no security is required to protect the website because “we don’t collect any personal data”.
- “Our hosting service deals with all our security” is another mistaken statement we have come across. Hosting companies often only provide hosting space, rather like renting out a room: the occupants still have to have their own insurance for the contents of the room and lock it after use. The landlord’s responsibilities are often very limited, just like those of hosting providers.
What many Small Organisations fail to understand is that attackers view a prospective compromised website as an asset: they can either exploit its existing popularity, or rent out the use of that server for storing other stolen data, for attacking other targets, for hosting spamming services, and so on.
Small Organisations must understand that a website is an asset; since it is their asset, they are responsible for protecting it. If it is not protected, it will be taken over and become an asset that belongs to criminals, who will probably generate more revenue from its use than the real owner. The risks to the service should be considered before the website is commissioned to go live – rather than as an afterthought.
A good approach is to understand the risks to the website, and to ask someone who is a professional in this field and able to explain the various security features that can add real value over the lifespan of the website.