Learning from Others’ Mistakes: What Every Business Can Learn from the Equifax Hack

The Equifax hack was one of the worst cybersecurity breaches in American history. Here’s how it happened: hackers entered the Equifax servers through a vulnerability in Apache Struts, a popular open-source development framework for Web applications. The hackers ultimately made off with the personal data of over 143 million people, or about half the U.S. population.

By now, we know that the disaster could have easily been avoided. Four months before the breach, the Apache Software Foundation issued an alert for the vulnerability. Equifax either ignored the alert, or never saw it in the first place.

Over 40% of WordPress websites are not up to date

While the Equifax hack is unique in terms of its scale, the inaction behind it is not unusual at all. Even though WordPress powers about 75 million websites—over 25% of all websites, in fact—almost half of them are not up to date. Furthermore, recent studies show that over 51% of businesses have no budget whatsoever for cybersecurity. That means that, with no IT personnel in place, security announcements like the one Equifax should have seen are frequently missed or ignored.

Don’t be the next Equifax hack: How to protect your website’s data

In order to secure your data, there are two things you should seriously consider: ongoing, regular website maintenance; and professional IT services. IT professionals can scan your network for potential vulnerabilities and implement security measures which block potential threats. Many IT companies can also provide security awareness training that helps employees identify possible phishing scams.

Website maintenance can also help significantly reduce your risk of a cyberattack. With a quality site maintenance program, professional developers will regularly examine your website for out-of-date plug-ins, broken links, and other weaknesses that are known to increase the risk of a breach. Keeping your site routinely monitored and updated can help close the “gaps” which cybercriminals often target.

As a bonus, regular web maintenance will ensure your site delivers a better user experience, among other things.

An ounce of prevention vs. a pound of cure

On the surface, website maintenance and IT services might seem like too much of an expense to be worth it. But compared to the cost of a breach, the expense is actually very low. For instance, think back to the Equifax hack: within four days of announcing its data breach, the company’s value tumbled by over $3.5 billion. Add the litigation costs and other expenses, and that figure is just the tip of the iceberg.

Long story short: It’s much more cost-effective to be proactive than reactive. Fixing a compromised site (or rebuilding it from scratch) can cost ten times as much as monthly maintenance. And that’s not the worst that could happen: your company bank accounts could be emptied; your reputation could be damaged beyond repair; or your client data could be stolen, causing you embarrassment at best, and litigation at worst.

Then there’s the opportunity cost: while you scramble to try to bring your business back to speed, you’ll be losing out on sales. Every way you look at it, you’re much better off protecting yourself before a crisis than resolving one after the fact.

Interested in site maintenance?

We’ve worked with many businesses over the years, and we’ve seen first-hand the consequences of neglected website maintenance. It won’t surprise you to learn that we offer a site maintenance service, called OverSite™, to help protect our customers from breaches and slow performance.

Our OverSite clients benefit from our development team’s constant vigilance. For instance, when WordPress issued a critical security update a few months ago, our OverSite clients’ sites were immediately updated and the owners were notified.

If you’d like to learn more about OverSite, give us a call. It’s more crucial to protect your site now than ever before, and we’d love to help.

Red Letter Marketing is a branding, marketing, and advertising agency based in North Carolina. 

WordPress Cybersecurity Alert: Massive Attack Targeting WordPress Websites

“The most aggressive campaign we have seen to date”

Early Tuesday morning, Wordfence, a WordPress cybersecurity service, posted an alert about a massive brute force attack campaign that was mounting by the second. By the time the world started waking up, the campaign had peaked at 14 million attacks per hour. This means that this WordPress cybersecurity breach is, according to Wordfence, “the most aggressive brute force attack in WordPress history.”

In a brute force attack, automated software is used to generate a vast number of consecutive guesses for certain data (in this case, passwords). So far, the vast majority of attempts have been unsuccessful, but the scope of this particular attack sets it apart from the rest.
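One way a site owner can spot this pattern in their own web server access log, as an added example that is not part of the original post: it counts failed POSTs to /wp-login.php per client IP inside a sliding time window. The log lines are constructed, and reading status 200 as a failed attempt and 302 as a successful login assumes WordPress's default login flow.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ip, sec, method, status):
    # Build one constructed access-log line in "combined" format (not real traffic).
    return (f'{ip} - - [01/Jan/2024:03:00:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3120 "-" "-"')

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", 200) for s in range(0, 12, 2)]  # 6 failures in 10 s
    + [_line("203.0.113.7", 13, "POST", 302)]                         # then a success
    + [_line("198.51.100.20", 20, "POST", 200),                       # one typo ...
       _line("198.51.100.20", 30, "POST", 302)]                       # ... then a login
    + [_line("192.0.2.5", 40, "GET", 200)]                            # just viewing the form
)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (flagged, succeeded): IPs with >= threshold failed logins inside
    the window (with their peak count), and flagged IPs that later logged in."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged, succeeded = {}, set()
    for ip, ts, method, path, status in parse(log_text):
        if method != "POST" or path != "/wp-login.php":
            continue
        if status == 302:         # assumption: redirect means the login worked
            if ip in flagged:
                succeeded.add(ip)
            continue
        if status != 200:         # assumption: 200 means the form was re-shown
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged, succeeded

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

An address that appears in the second set (flagged and then logged in) is the case to investigate first, since it suggests a guessed password rather than a blocked attempt.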

What to do

If you already have RLM’s OverSite™ website maintenance, there is no need to worry—we have already made the necessary updates for you.

If you do not have OverSite or a similar web patch and update service, it is important to quickly make the following changes.

  1. Update your password to something more complex. The password generator tool on the “Your Profile” screen is a great resource. Don’t use any password that you have used before on WordPress.
  2. If you have an admin-level account that has the default username “admin”, change it.
  3. Delete any unused accounts, especially unused admin accounts. The fewer “doorways” you have to your website, the lower the chance of an unauthorized entry.

Understanding WordPress Cybersecurity

As we continue to watch this attack unfold, it’s important to spread the word so that other web owners can take action. Be sure to spread the news via social media and similar channels, and investigate firewalls and other security measures which can strengthen your security. Finally, consider investing in a regular website maintenance service. When your site is regularly patched and updated, your risk for a cyberattack significantly decreases.

A note: WordPress is the most popular content management system in the world, and supports more than 60 million websites. WordPress cybersecurity breaches of this kind are usually due to poor website management, not the platform itself.

If you would like to discuss the status of your website, please feel free to give us a call.

You’ve Been Hacked!

A financial services company provides a website portal for their clients to access their investment accounts. Clients visit frequently to review their accounts and browse the company’s rich library of helpful information about saving and investing. One afternoon, while the company president is at lunch with a client, he receives a panicked message from his IT manager: the site has been hacked and an ISIS banner is prominently displayed on the home page. After the initial clean up and damage control, the president vows that they will never again risk such an event, and demands that marketing and IT do whatever it takes to make the site 100% secure.

It is not uncommon for business websites to get hacked, and vowing airtight security raises a host of questions:

  • How secure can any site really be?
  • What are the best practices for sites requiring strong security?
  • What are the additional costs of building a site with maximum security? Is there a point of diminishing returns?

How Secure Can Any Site Really Be?

“The first thing I…tell website owners is that security is about risk reduction, not risk elimination. You must get your head around this simple fact…there is no such thing as a 100% solution to staying secure.”
-Tony Perez, Sucuri

Website attacks generally fall into two categories: an automated attack of opportunity (by far the most common type), or a targeted attack (the type more likely to occur on larger entities or governmental organizations). To be frank, at some point one of these will likely happen to your site. It’s not so much a matter of if a site will be attacked, but when. However, adopting well-planned and reasonable measures to prevent hacks puts the odds in your favor. Many of the horror stories we hear about, like the 2013 Target hack, are the result of human failure, not of the software or applications themselves. Most commonly, people fail to follow processes and best practices in IT management, website maintenance, and updating.

What are the generally accepted best practices for sites requiring high security?

It begins with experienced developers who understand the current applications and best practices when building a site. They should know the most likely points of vulnerability, and how to write code that allows desired data to pass, but blocks potentially harmful data. They also should understand how to plan and build for enterprise-level security, as well as hosting applications that can help manage security risks.

Once a site is built, it’s chiefly about who gets access. There are basic security precautions (e.g., making sure access information is not obvious, and is regularly refreshed) that should be implemented, and the site should be properly maintained as new software patches and updates become available. It’s also important to have the right hosting setup, and applications to monitor for security risk. Lastly, have a response plan for how to handle such threats, and worst case, a malicious hack. This includes having a separate backup to get your site immediately up to speed again.

There are costs to maximizing security when building the site. Is there a point of diminishing returns?

One can make the case that a more secure site is one that is custom built from the ground up. However, significant liabilities come with a custom built CMS (Content Management System), compared to off-the-shelf CMSs like WordPress or Joomla:

  • It’s much more time consuming, and thus more costly, to build
  • If your developer or IT person goes away, so does the one repository of the knowledge of your CMS and how it was built. Code can be as individual as people, so bringing in another developer would be time consuming and expensive
  • A home-grown system does not guarantee security. In fact, even if built perfectly, home-grown systems are notoriously unreliable over time because owners fail to keep them updated

The advantage of going with an existing content management system (CMS) solution vs. custom development is the availability of the functionality that makes content management easier and less costly to implement and to keep updated. These systems are constantly improving because they are open source platforms. (Open source software is software whose source code is available for modification and distribution by anyone.) The White House, the FBI and the CIA all use open source software for their websites, rather than custom, built-from-scratch code. The core features to look for in decent Content Management Systems include:

  • Strong security
  • Theming functionality
  • Page templates
  • Menu systems
  • Blocks/widgets
  • User/role-based authentication and access control
  • Revision control
  • Regular updates

Along with these core features, a CMS should have the capability to support modules, plugins, and extensions. There are various prominent open source and third party licensed extensions that bring enhanced functionality to a CMS. These enhancements include search engine optimization, tools for analytics, social network integration, etc. Of course, all should be added with the understanding that security is a priority.

The most widely used CMS platform is WordPress, and with proper development and maintenance, businesses experience minimal security problems. The New York Times, CNN, Sony, UPS and IBM all use WordPress. For companies with extreme security concerns, there are other CMS platforms, such as Drupal, that are solid candidates for consideration. Drupal has strong coding standards and a rigorous community code review process that gives it security and stability.

“Security is hands down the biggest differentiator between WordPress or Drupal. Drupal has enterprise level security and site scale. Numerous government websites are built with Drupal, with the most famous being Whitehouse.gov.”
Adam Hermsdorfer, Big Tuna Interactive

Currently The Economist, Cisco, Voya Financial (formerly ING U.S. Inc.), Novartis, GE, Pfizer, U.S. Department of Transportation, The White House, and many more entities are using Drupal.

Ultimately, there is no 100% secure system. A mature CMS with a proven track record provides the best return on investment, due to the amount of existing development that can be leveraged. Following the best practices for maintenance and updates is a practical and effective way to keep your site secure, without having to re-invent the wheel in an effort to maintain full ownership of the codebase. In addition to the CMS platform, there are content delivery networks (CDNs) that can be placed in front of your site to reduce the workload, as well as act as a website firewall. (But that’s another blog.)

The best website security is proactive prevention.

Hire the right experts to help you implement best practices, including the initial site development, proper hosting, and ongoing maintenance. Have a smart access and content management process, and make sure your team has an action plan in place to manage a security emergency. Follow these tips to reduce your risk of being hacked.

Does your site have the proper security built in? Do you need to learn more about proactive maintenance to minimize risks?