If you own a website, you’ve hopefully already learned that you need to do everything you can to keep it secure from hackers. You may not, however, ever have stopped to ask yourself the question “Why do hackers hack websites?”. It’s actually an interesting one.
Why do hackers hack websites?
There are basically two possible answers to the question “Why do hackers hack websites?”. One is to cause damage and the other is to make money. Although hackers can use very sophisticated techniques to cause damage, it’s unlikely that the average SMB is likely to experience this kind of attack. Most of the time, hackers out to make mischief will be deterred by straightforward security precautions.
This leaves hackers who are out to make money. They are often prepared to put more effort into attacks, as they stand to gain a financial payout. This means that in addition to thinking about standard security defenses, you also need to think about training your staff so they know how to protect themselves against social engineering tactics.
Your website and local devices must have robust anti-malware protection
Your website needs a website vulnerability scanner. Different products will have their own options but any decent product should have an anti-malware scanner and a web applications firewall. Just having these will go a long way to keeping your website secure.
You also need a robust anti-malware product with an integrated firewall to protect your local devices. That means all of them including mobile devices. This will help to stop hackers compromising the devices you use to connect to your website and stealing the administrator login details.
You need to keep all your software up-to-date
Again, all software means all software, not just the software you use on your website. You need to stop hackers using your computers and mobile devices as a way to access the details you use for your website. That said, if you’re using one of the open-source content management systems, you do have to be particularly careful about any third-party extensions you use.
Although there are some really great add-ons you can use, many of which are available for free, there’s also a lot of malware and just generally buggy software out there. Do your research thoroughly and ideally test out any add-ons before you install them in production.
It’s important to limit the number of users, especially administrators
Quite bluntly, every user account you create is a point of vulnerability for your website. It, therefore, follows that you want to keep them to a minimum. Obviously, this has to be put into context. You need enough administrators to keep business processes moving at a reasonable speed. This will involve ensuring that there is cover for staff absences. You should, however, work on the assumption administrator accounts should only ever be created where there is a clear need for them and should only be kept active for as long as there is a need for them.
Although it’s important to keep administrator accounts to a minimum, it’s also important to be able to monitor who is doing what. This means that each administrator needs their own login credentials and sharing credentials must be explicitly banned. Implementing two-factor authentication will help to deter this and will also improve security.
You can also use software-based functionality to enhance your security. For example, most CMSs will let you change the default login page, block users after a certain number of failed logins and log out users automatically after a certain period of inactivity. These measures make it harder for hackers to steal a user’s login credentials.
Last, but definitely not least, monitor your administrator accounts and take action immediately if you see any account you don’t recognize as authorized. It means either that you have been hacked and a hacker has created an administrator account for themselves or a genuine internal user has been created without following the correct procedure. Either way, you need to investigate.
You need to keep your database encrypted
If you adhere to the security measures outlined so far, you have a very good chance of making yourself more hassle than your worth to hackers who just want to cause mischief. You should also deter hackers who want money, but you won’t necessarily put them off completely. The reason for this is that although the average SMB may not have a lot of spare cash, it might have a lot of valuable data.
If that sounds like you, then you need to keep your database encrypted, not just in production but also in backups (and archives). This is the only way to ensure that it is kept safe from anyone who gains access to your systems.
Please click here now to have your website scanned, for free, by cWatch from Comodo.
