Small businesses are realizing that hackers aren’t snobs about who they attack.
They just want in.
And they’ve learned that small to medium-sized businesses are easier prey. Easier because of the dangerous delusion that no cybercriminal would try to hack, say, The Kupcake Korner when they could be hacking Pillsbury and its vast, flour-begotten fortune.
Wrong. If you are a business, you are a target. (Not THE Target, retail giant—just “a” target.) The numbers are sobering, so hang on to them for the next time you’ve overindulged:
- 43% of site attacks are aimed at small businesses
- 46% of hacked sites had updated WordPress versions
- Last year, the number of data breaches jumped 44.7%
- 90% of today’s attacks are automated, seeking the low-hanging fruit
Sources: Small Business Trends.com 2017, SecurityWeek.com March 2018, Sucuri November 2018, Identity Theft Resource Center January 2017, //blog.sucuri.net/2017/10/website-hosting-security-awareness-can-reduce-costs.html
HTTPS is not really very secure.
HTTPS (Hyper Text Transfer Protocol Secure) is a must. It is also but one arrow in a quiver that should hold many, many arrows. All the “S” does is encrypt the user’s data in transit between the user’s browser and your site. It does not protect your site from hack attacks.
“The majority of high-profile hacks and data breaches come as a result of hackers gaining access to these unencrypted databases, so while HTTPS technologies mean our data gets to the databases securely, it isn’t then being stored securely.”
– Dan Taylor for SEMrush, //www.semrush.com/blog/https-a-modern-false-sense-of-security/
Hackers have so many tricks they need extra sleeves.
Here are just two of the most common hacker tricks. They look for outdated software, for one. They know that it’s a headache to update operating systems and browsers. So they count on your laziness, my laziness, and everybody’s laziness, which is about the surest bet there is. Another trick: they try to think of the stupidest password they can—it doesn’t take long—and then just see what happens. “Hey! Look! This guy used 12345!”
Don’t worry. Wait. Okay, go ahead and worry.
But you can worry less if you take precautions (and you take them seriously).
- Create an emergency plan that will be there when your site gets hacked. Even if you follow all the advice here, and everywhere else, there is never a way to guarantee security.
- Your site’s back end—the software in the background that does the heavy lifting—should be monitored closely and updated regularly. Actively manage access. (For example, when an employee leaves, change access privileges accordingly.)
- Make everybody use complex passwords—and make them change the complex passwords to new complex passwords regularly.
- Remove form auto-fill. If a user’s access information gets stolen—say, by the theft of a smartphone—auto-fill is like an engraved invitation to enter your site.
- Include ongoing site management and updates in your planning and budgeting.
Work with a partner that specializes in site maintenance and security. It takes the nagging task off your plate so you can focus on your own stuff. There are companies that do this kind of thing and they—okay, we—would be happy to tell you about it.