How hackable is your website? Let us count the ways.
Wander around a conference geared toward small businesses, and you’ll probably start to pick up on a lot of different patterns and trends. Stop and talk to a few of the people selling shiny new tools, software, and technologies and you’ll likely get an elevator pitch about great user journeys, seamless flows, high conversion rates, and whatever other buzzwords happen to be trending at that moment. What you’ll almost never hear about, on the other hand, is security.
This is also true if your website was built by a third-party agency. We’ve found that most web design agencies prioritize good-looking design and a smooth user experience over strong security. This lack of awareness throughout the industry has led to an unprecedented number of websites that are chronically exposed to even the most basic of attacks — techniques that even someone with no more technical experience than a schoolchild could use to wreak havoc on an individual website.
On the flip side, many of these vulnerabilities can be fixed with just a few minutes of work and next to no monetary cost. So why isn’t anyone doing anything about them? We believe it’s because there’s never been an easy way to find them all in one place — until now.
We’ve written about Common Vulnerabilities and Exposures (CVEs) in the past. The CVE list is a public repository of critical vulnerabilities within the web’s most common products, systems and software. Essentially, its entries are ready-made blueprints detailing how to damage or take control of a target website or other system — often without a need for any kind of sophisticated tools or expertise. They exist primarily so that developers and manufacturers can be aware of new vulnerabilities in the systems they’ve designed, and issue patches and software updates that protect their customers by fixing those vulnerabilities.
The good news is that these and many other common security holes can likewise be plugged by the small business with a minimum of time, effort and technical know-how. The bad news is that for some reason, most website owners and builders have neglected to do so, creating a smorgasbord of tempting targets that any half-rate cybercriminal can take advantage of.
A few months ago, CybrQ built a totally non-invasive, surface-level scanner designed specifically to help small businesses identify holes in their security setup. We used that tool to scan a random sampling of small business websites in Switzerland, and found that nearly every website we scanned had at least one vulnerability that attackers could use to compromise the website. For many, it was much, much worse. Here’s a sobering statistic: Of all the small business websites we surveyed that use WordPress, nearly half of them (47%) have at least ten — Ten! — different, documented vulnerabilities that attackers could use to compromise their website today.
We’ve done other scans since then, and we can tell you with certainty that these issues are not confined to websites hosted in Switzerland.
Fix the Easy Stuff First
We believe that the biggest reason behind this current crisis of website security is a lack of visibility. Small businesses are notoriously underserved in the security space, and have relatively few tools at their disposal to even identify these vulnerabilities in the first place. We’re trying to change that, which is why we’ve built our myWebsite solution. It’s the first tool designed explicitly for small business owners to quickly identify security concerns about their website and reduce their exposure across a multitude of potential vulnerabilities. In short, we took the scanner described above, and made it available to anyone who wants to use it to scan their own website and identify the hidden entrances attackers could use to sneak in.
Functionally, myWebsite is about as simple as it gets: you put in your web address, and a minute or two later you see a full report of every vulnerability we were able to identify. myWebsite scans your site for hundreds of vulnerabilities in five major categories — outdated software, first-party exposure (i.e. you are exposing yourself), third-party exposure (i.e. you are exposing your visitors and customers), business continuity, and GDPR compliance — then presents you with an instant, easily understandable breakdown of the areas within these categories where your website might be vulnerable to attack, so that you can either fix it yourself or hand it over to the team that designed the site in the first place. It also saves your past reports, allowing you to monitor progress over time as each of these low-hanging vulnerabilities is addressed and resolved.
Go Continuous Or Go Home
Scanning a website once is a good place to start. However, your website is constantly changing. With every update that occurs automatically or every new tool or plugin that’s activated on the site, new potential vulnerabilities are created. This is why continuous monitoring of your website’s security status is so important. Every time you scan, you get a snapshot of your security status at that point in time. The more snapshots you add to that, the clearer the picture of your overall security starts to become. Watch out for expensive solutions that charge extra for additional scans. Odds are you’ll end up trying to hoard your scans in order to save a few bucks — and miss critical vulnerabilities that could cost you thousands.
When choosing a website monitoring system, there are three major differentiating factors to keep in mind. First, there should be no additional effort required to implement a continuous versus a static monitoring system. All you should need to do as the user is to tell the system which targets to scan. Second, you shouldn’t have to log in and check to find out you have a vulnerability, because by then it might be too late. Instead, if the system detects a new vulnerability, it should notify you directly, quickly, and securely so that you can immediately take whatever action is necessary to mitigate the threat.
Finally, know which product is best for your business. The world of web scanners is full of products that issue massive reports that a time-pressed small business owner is most likely never going to read. Do they give you massive amounts of useful information? Sure. But if it’s too much information for your business to act upon, or if it’s so technical as to only be understood by a specialist, then all that information is effectively useless. You’re much better off with a cheaper, more accessible solution.
In short, whether your website was built by an agency, a third-party contractor, or yourself, the odds are that there are plenty of little vulnerabilities to fix. And the happy reality is that each of them takes very little effort to actually resolve, once you know where it is. So with that in mind, we’re offering you a choice: Spend a few bucks finding the holes in your systems, then spend five minutes fixing them — or spend dozens of hours and thousands of dollars (at least) recovering from a data breach or ransomware attack.
The choice is yours. We just hope you choose wisely.
CybrQ myWebsite is the first solution designed specifically for small business owners to automatically surface security concerns about their website, helping them reduce their cyber exposure across a multitude of potential vulnerabilities. Whether your website was built by a third party or yourself, myWebsite will help you find holes in your security before the bad guys do. No extra effort or technical expertise required.
Find out more at https://mywebsite.cybrq.com