Learning from Others’ Mistakes: What Every Business Can Learn from the Equifax Hack

The Equifax hack was one of the worst cybersecurity breaches in American history. Here’s how it happened: hackers entered the Equifax servers through Apache Struts, a popular open-source development framework for Web applications. The hackers ultimately made off with the personal data of over 143 million people, or about half the U.S. population.

By now, we know that the disaster could have easily been avoided. Four months before the breach, the Apache Software Foundation issued an alert for the vulnerability. Equifax either ignored the alert, or never saw it in the first place.

Over 40% of WordPress websites are not up to date

While the Equifax hack is unique in terms of its scale, it’s actually not unusual at all in terms of its inaction. Even though WordPress powers about 75 million websites—over 25% of all websites, in fact—almost half of them are not up to date. Furthermore, recent studies show that over 51% of businesses have no budget whatsoever for cybersecurity. That means that, with no IT personnel in place, security announcements like the one Equifax should have seen are frequently missed or ignored.

Don’t be the next Equifax hack: How to protect your website’s data

In order to secure your data, there are two things you should seriously consider: ongoing, regular website maintenance; and professional IT services. IT professionals can scan your network for potential vulnerabilities and implement security measures which block potential threats. Many IT companies can also provide security awareness training that helps employees identify possible phishing scams.

Website maintenance can also help significantly reduce your risk of a cyberattack. With a quality site maintenance program, professional developers will regularly examine your website for out-of-date plug-ins, broken links, and other weaknesses that are known to increase the risk of a breach. Keeping your site routinely monitored and updated can help close the “gaps” which cybercriminals often target.

As a bonus, regular web maintenance will ensure your site delivers a better user experience, among other things.

An ounce of prevention vs. a pound of cure

On the surface, website maintenance and IT services might seem like too much of an expense to be worth it. But compared to the cost of a breach, it’s actually very low. For instance, think back to the Equifax hack: within four days of announcing its data breach, the company’s value tumbled by over $3.5 billion. Add that to the litigation costs and other expenses, and that’s just the tip of the iceberg.

Long story short: It’s much more cost-effective to be proactive than reactive. Fixing a compromised site (or rebuilding it from scratch) can cost ten times as much as monthly maintenance. And that’s not the worst that could happen: your company bank accounts could be emptied; your reputation could be damaged beyond repair; or your client data could be stolen, causing you embarrassment at best, and litigation at worst.

Then there’s the opportunity cost: while you scramble to try to bring your business back to speed, you’ll be losing out on sales. Every way you look at it, you’re much better off protecting yourself before a crisis than resolving one after the fact.

Interested in site maintenance?

We’ve worked with many businesses over the years, and we’ve seen first-hand the consequences of neglected website maintenance. It won’t surprise you to learn that we offer a site maintenance service, called OverSite™, to help protect our customers from breaches and slow performance.

Our OverSite clients benefit from our development team’s constant vigilance. For instance, when WordPress issued a critical security update a few months ago, our OverSite clients’ sites were immediately updated and the owners were notified.

If you’d like to learn more about OverSite, give us a call. It’s more crucial to protect your site now than ever before, and we’d love to help.

Red Letter Marketing is a branding, marketing, and advertising agency based in North Carolina. 

4 Reasons Why a Website Maintenance Service is a Good Idea

Your new website is finally launched. Time to kick back and relax, right? Unfortunately, it’s not that easy.

The moment your gleaming new site goes live, various forces are already starting to pick away at it. Hackers poke at your infrastructure. Updates bob around, promising to make things better, yet often failing to do so. Forms and links which once worked perfectly start sputtering. The truth is, without a website maintenance service plan, your website will inevitably start to suffer. Eventually, so will your profits. Below are 4 reasons why regular site maintenance is a smart idea.

Protect yourself from cyberattacks

Phishing, ransomware, Trojan horses: The modern hacker has no shortage of tools to make your life a living, er, heck. And according to Forbes, over 30,000 websites are hacked every day—meaning any website owner is at risk. Since many hacking attempts take advantage of outdated plugins and other inconsistencies, a website maintenance service can help greatly decrease your risk.

Keep your rankings in search engines

If your website is slow and outdated—or peppered with broken links and error pages—the Google gods notice, and are not impressed. To put it more technically, when search engine spiders crawl your site, they take a tally of any broken links, missing images, and 404 errors. If they conclude that your site is inferior to its better-maintained neighbors, you’ll be lowered on results pages, and customers who would have seen your offerings first will see your competitors’ instead.

Impress your customers

These days, your website is your business. If your website functions poorly, your visitors will assume that your business runs poorly, too. And when it comes time to make that crucial purchasing decision, they’ll take their money elsewhere. To win customers and keep them coming back, it’s crucial to schedule regular site maintenance so that everything is running as it should be.

Make changes incrementally

Of course, not all updates are for security purposes; some are just plain fun. Many updates promise to add jazzy new features to your site that can keep your user experience fresh and engaging.

However, if you make 10 months’ worth of updates at the same time, it can have seriously negative consequences. Firstly, your regular users will experience a dramatic change in what they’ve come to expect, which can cause frustration and loss of sales. And secondly, in the words of one of our developers, “A website is like a car engine—you don’t want to just throw a bunch of stuff in there without thinking about how it all works together.” If you make gradual updates on a regular, scheduled basis, you’ll experience fewer problems all around.

Why a website maintenance service is good for business

When you make a small investment in site maintenance, your business benefits in multiple ways. You diminish the chance of security breaches; impress your visitors; elevate your search engine rankings; and make sure that changes happen at an even pace. It’s a win-win-win all around, for just a small percentage of what you’d have to pay to fix an issue like a crash.

If you’re just learning about website maintenance, and would like to get started, you might consider Red Letter Marketing’s OverSite™ website maintenance service. OverSite goes beyond automated tools and software. Instead, our real, live human developers will personally inspect your site once a month and scan for any glitches and errors. We’ll shoulder the burden of your site maintenance so that you can focus on running your business. To learn more, give us a call.

You’ve Been Hacked!


A financial services company provides a website portal for their clients to access their investment accounts. Clients visit frequently to review their accounts and browse the company’s rich library of helpful information about saving and investing. One afternoon, while the company president is at lunch with a client, he receives a panicked message from his IT manager: the site has been hacked and an ISIS banner is prominently displayed on the home page. After the initial clean up and damage control, the president vows that they will never again risk such an event, and demands that marketing and IT do whatever it takes to make the site 100% secure.

It is not uncommon for business websites to get hacked, and vowing airtight security raises a host of questions:

  • How secure can any site really be?
  • What are the best practices for sites requiring strong security?
  • What are the additional costs of building a site with maximum security? Is there a point of diminishing returns?

How Secure Can Any Site Really Be?

“The first thing I…tell website owners is that security is about risk reduction, not risk elimination. You must get your head around this simple fact…there is no such thing as a 100% solution to staying secure.”
-Tony Perez, Sucuri

Website attacks generally fall into two categories: an automated attack of opportunity (by far the most common type), or a targeted attack (the type more likely to occur on larger entities or governmental organizations). To be frank, at some point one of these will likely happen to your site. It’s not so much a matter of if a site will be attacked, but when. However, taking well-planned, reasonable measures to prevent hacks puts the odds in your favor. Many of the horror stories we hear about, like the 2013 Target hack, are the result of human failure, not of the software or applications themselves. Most commonly, people fail to follow processes and best practices in IT management, website maintenance, and updating.

What are the generally accepted best practices for sites requiring high security?

It begins with experienced developers who understand the current applications and best practices when building a site. They should know the most likely points of vulnerability, and how to write code that allows desired data to pass, but blocks potentially harmful data. They also should understand how to plan and build for enterprise-level security, as well as hosting applications that can help manage security risks.

Once a site is built, it’s chiefly about who gets access. There are basic security precautions (e.g., making sure access information is not obvious, and is regularly refreshed) that should be implemented, and the site should be properly maintained as new software patches and updates become available. It’s also important to have the right hosting setup, and applications to monitor for security risk. Lastly, have a response plan for how to handle such threats, and worst case, a malicious hack. This includes having a separate backup to get your site immediately up to speed again.

There are costs to maximizing security when building the site. Is there a point of diminishing returns?

One can make the case that a more secure site is one that is custom built from the ground up. However, significant liabilities come with a custom built CMS (Content Management System), compared to off-the-shelf CMSs like WordPress or Joomla:

  • It’s much more time consuming, and thus more costly, to build
  • If your developer or IT person goes away, so does the one repository of the knowledge of your CMS and how it was built. Code can be as individual as people, so bringing in another developer would be time consuming and expensive
  • A home-grown system does not guarantee security. In fact, even if built perfectly, such systems are notoriously unreliable over time because owners fail to keep them updated

The advantage of going with an existing content management system (CMS) solution vs. custom development is the availability of the functionality that makes content management easier and less costly to implement and to keep updated. These systems are constantly improving because they are open source platforms. (Open source software is software whose source code is available for modification and distribution by anyone.) The White House, the FBI and the CIA all use open source software for their websites, rather than custom, built from scratch code. The core features to look for in decent Content Management Systems include:

  • Strong security
  • Theming functionality
  • Page templates
  • Menu systems
  • Blocks/widgets
  • User/role-based authentication and access control
  • Revision control
  • Regular updates

Along with these core features, a CMS should have the capability to support modules, plugins, and extensions. There are various prominent open source and third party licensed extensions that bring enhanced functionality to a CMS. These enhancements include search engine optimization, tools for analytics, social network integration, etc. Of course, all should be added with the understanding that security is a priority.

The most widely used CMS platform is WordPress, and with proper development and maintenance, businesses experience minimal security problems. The New York Times, CNN, Sony, UPS and IBM all use WordPress. For companies with extreme security concerns, there are other CMS platforms, such as Drupal, that are solid candidates for consideration. Drupal has strong coding standards and a rigorous community code review process that gives it security and stability.

“Security is hands down the biggest differentiator between WordPress or Drupal. Drupal has enterprise level security and site scale. Numerous government websites are built with Drupal, with the most famous being Whitehouse.gov.”
Adam Hermsdorfer, Big Tuna Interactive

Currently The Economist, Cisco, Voya Financial (formerly ING U.S. Inc.), Novartis, GE, Pfizer, U.S. Department of Transportation, The White House, and many more entities are using Drupal.

Ultimately, there is no 100% secure system. A mature CMS with a proven track record provides the best return on investment, due to the amount of existing development that can be leveraged. Following the best practices for maintenance and updates is a practical and effective way to keep your site secure, without having to re-invent the wheel in an effort to maintain full ownership of the codebase. In addition to the CMS platform, there are content delivery networks (CDNs) that can be placed in front of your site to reduce the workload, as well as act as a website firewall. (But that’s another blog.)

The best website security is proactive prevention.

Hire the right experts to help you implement best practices, including the initial site development, proper hosting, and ongoing maintenance. Have a smart access and content management process, and make sure your team has an action plan in place to manage a security emergency. Follow these tips to reduce your risk of being hacked.

Does your site have the proper security built in? Do you need to learn more about proactive maintenance to minimize risks?

Websites, like cars, require maintenance.

At Red Letter we specialize in helping our clients get the right site for their needs. That might require building a new custom site, a templated site, or updating their existing site. But no matter what, we also know every site requires regular maintenance, and we want you to understand why.

Website functionalities are constantly changing.

Clients are often under the impression that once their site is built, it will function flawlessly forever. Sadly, there is no such thing (because if there were, we’d build only that). The fact is websites need routine upkeep and adjustment, much like cars, to keep things running smoothly. The environment in which your site functions changes every day, and that means your code and software require regular maintenance to stay on pace.

Because we’re familiar with cars, we know better than to think that driving one off the lot means it won’t need gas or oil. But where the web differs from the road is that it’s not the car that’s slowly changing, but the road. Essentially, you need to adjust your vehicle to the landscape – a landscape that, for better or worse, you’re constantly navigating. You wouldn’t dare take your heavy, bald-tired pickup down a rainy Seattle highway, even though it’s perfectly fine to drive 300 days a year in Arizona. Transfer that attitude to your site, and it seems obvious you’d want to keep everything safe and smooth.

Invest a little on regular maintenance or spend a lot to recover after you’ve lost prospects.

The expectation that a fresh site should never require care comes from 1) the desire to save money, and 2) unfamiliarity with the way sites work. The first can be dismissed easily using our car metaphor. Refusing to replace your wiper blades because your car still runs is absurd. There is more to driving than a solid vehicle. There’s a user to consider, and if that user faces complications, your running engine is useless.

The latter is simply a matter of being unacquainted with site function. Most of the websites you use and visit every day – particularly those utilizing databases (like Google and Amazon) – contain countless lines of code, and rely on software that runs on your web host. The strength of each system varies, but odds are the code within was written by several developers at different times, and with different skill sets. Much of this is “open source,” or code made available to the general public for use and/or modification from its original design, completely free of charge. Needless to say, this code changes often and drastically, and results in malfunctions within your site. Pages load slower, links break without warning, and most importantly, it’s a security risk.

The familiar threat to neglected sites is hackers (and other digital villains) who search for vulnerabilities in code, and don’t mind throwing kinks in yours to get at desired information. If you’re even vaguely familiar with code, you know that, like Christmas lights, one glitch can cause the whole shebang to go dark. The fallout from a site hack is devastating, and reinstalling from a backup won’t always cut it. Whatever data was processed between the fallout and reinstall is likely lost to the ether. For businesses that can mean lost leads, or in the ecommerce world, missing orders.

You must understand and address exactly how your site was exploited – that means fixing existing damage, and upgrading the code (and themes, and extensions) to run the latest software so it doesn’t happen again. And if you were worried about the expense of initial maintenance, these fixes can cost. Put that on top of the lost revenue during downtime, and you’re looking at a hefty bill.

Regular website maintenance assures smooth and secure operations for both you and your site’s visitors. Without it, things will start to chip away – and that’s if nothing bad happens. At worst, unmaintained sites get exploited through outdated source code, bringing down the castle walls.

Users expect everything to function predictably, and they will quickly leave your site if it’s not working as expected.

To keep everyone happy, and your business well represented, get that oil changed methodically, and adjust your equipment to the road. Invest in website maintenance.