I was at a session on cyber security yesterday, presented by KPMG. It comprised presentations by leading experts on trends in cyber-crime and the steps large organisations should be considering in order to secure their IT systems.
While Abledragon does not deal with large corporates, the lessons around securing your website are as relevant, and the results of being hacked as devastating, as those for a corporate.
Potentially much more so, because it’s far easier to put a small business out of business.
A number of themes came out for me:
- Cyber-crimes are growing at an extraordinary rate (although this may be influenced by the increasing willingness of companies to admit when they’ve been hacked).
- The cyber-criminals are generally in the driving seat: people with a criminal mindset will always find a way into a company’s IT systems if they are determined enough, so the defenders are always in reactive mode.
- The weakest link in the security chain is people.
- There is not, and never will be, a silver bullet that protects a database once and for all.
- Business managers should be thinking in terms of ‘when’, not ‘if’, they get hacked, and take appropriate steps now.
- Access control and authentication, if done properly, greatly increase the inherent security of a system.
I wrote back here about the importance of choosing strong passwords to control access to your WordPress website, and this was emphasised by all the presenters yesterday.
A weak password is one of the reasons why people are the weakest link in the security chain: so many people simply choose passwords like 123456, abc123, p445word or similar, and the scripts that hackers run to search for vulnerable WordPress installations will guess passwords like these in a flash.
One of the responses I get when I talk to people about the importance of vigilance, security monitoring and strong passwords is ‘why would anyone be interested in my little website?’.
Well, the answer to that is this: the cyber-criminals don’t care how big or small a website is. They want control of as many sites as possible so they can grow their botnets.
Or extort money.
One incident related yesterday concerned a small (10-person) company in the UK whose systems were hacked. The first they knew of it was when they received a message purporting to be from their bank, telling them that their loan was being called in and that they had to repay it in full or the bank would foreclose on them.
When they emailed their bank to ask what was going on they got an immediate email back telling them that this was not the way to go. Pay up or be closed down (the email never went to their bank – it was intercepted and responded to by the hackers).
Long story short, they ended up paying (the hackers, not the bank) but it put the company out of business.
Another incident concerned a company in Australia that was told their database had been hacked and child pornography had been inserted into it. If the company didn’t pay, the hackers would pass the tip on to the police. Again, the company ended up paying, although in this case it didn’t put them out of business.
My point is this: it doesn’t matter how large or small your business (or, in the cases I deal with, your website) is – the hackers are becoming increasingly sophisticated at getting in and, in many cases, extorting money in order to release the system back to you. So, as a minimum:
- Strong usernames (WordPress users: read this article)
- Strong passwords – read the same article
- Keep all your software up to date (WordPress core, themes and plugins)
- Make sure that all users who have access to your site use strong passwords and usernames
- If a user is no longer involved with your site delete their user profile
- If someone needs to access your site to work on it, create a profile with the appropriate privileges and then delete it as soon as they’ve finished. Never pass them the login details of an existing user.
- Minimise the number of users with Administrator rights – the aim should be to have just one administrator, but don’t share login details if you need more than one.
- Back up, back up, back up. If your site is hacked and you have a clean backup you can delete the hacked site, clear out all the files and re-install the site from the clean backup. You will be back in business within an hour or so, but remember to change all your passwords!
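As an added example that is not from this post or from Abledragon: a small Python check, written from the defender’s side, that rejects the kinds of passwords mentioned above (123456, abc123, p445word) even when they are disguised with digit-for-letter substitutions or a trailing number, and that can be applied to every user account on a site rather than just the administrator’s. The deny-list, the thresholds and the sample passwords are constructed for illustration.

```python
import math
import re

# Constructed deny-list; a real check would load a large breached-password list.
COMMON_PASSWORDS = {"123456", "abc123", "password", "qwerty", "letmein", "welcome", "admin"}

# Digit-for-letter ("leet") substitutions, so p455word is judged as "password".
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

def normalise(password):
    """Lower-case, drop a trailing run of digits, then undo leet substitutions."""
    return re.sub(r"\d+$", "", password.lower()).translate(LEET)

def edit_distance(a, b):
    """Levenshtein distance, so one-character variants of a common password still match."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def entropy_bits(password):
    """Rough strength estimate: length times log2 of the character pool used."""
    pool = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)):
        if re.search(pattern, password):
            pool += size
    return len(password) * math.log2(pool) if pool else 0.0

def check_password(password, username="", min_length=12, min_bits=50):
    """Return the reasons a password is rejected; an empty list means it is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Compare both the raw and the de-leeted form: leet mapping would mangle all-digit passwords.
    forms = {password.lower(), normalise(password)}
    if any(edit_distance(f, c) <= 1 for f in forms for c in COMMON_PASSWORDS):
        problems.append("is (a trivial variant of) a common password")
    if username and normalise(username) in normalise(password):
        problems.append("contains the username")
    if entropy_bits(password) < min_bits:
        problems.append(f"estimated strength below {min_bits} bits")
    return problems

if __name__ == "__main__":
    for pw in ("123456", "abc123", "p445word", "correct-horse-battery-staple-42"):
        print(pw, "->", check_password(pw) or "ok")
```

Note that p445word is caught by the edit-distance rule rather than the leet mapping alone, since it is one character away from "password" once the digits are translated.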
TalkTalk, a UK-based phone company, was attacked the day after I wrote this article. The initial press reports shed further light on the way cyber-crime is moving, including an apparent ransom letter to the TalkTalk CEO from the hackers.
In addition to building websites, Abledragon also offers an ongoing security monitoring, software updating and technical support service (full details here) – if you’d like to talk to us about helping to protect your WordPress based website please: