In the busy world of online business, it is easy to let cybersecurity slip. Website security and fending off malware attacks may drop from the top of your priority list, especially in a busy period or high-stress time for your business. You may feel the urge to defer any tasks that aren’t strictly essential, leaving website security to wither in the background while you attend to more urgent matters. But that’s the thing about cybersecurity– it’s not urgent until it’s already too late.
Dangers of Malware Attacks
Malware attacks are a particularly insidious form of cybersecurity invasion. They can damage the most public and forward-facing aspect of your business, leaving your reputation or eCommerce base irreparably damaged. Dangers of inadequate security against malware include:
- Complete incapacitation of your website
- Insertion of false or misleading content; content deletion
- Ransom demands by malware hackers
- Blacklisting by search engines (particularly devastating if you’ve been working on SEO)
- Theft of user information
- Loss of trust, sales, and website traffic
Types of Malware Attacks
Malware attacks take many forms and are constantly evolving to keep up with anti-malware plugins and security strategies. Some malware attacks may not even appear suspicious at first glance; they may remain hidden or even masquerade as business-friendly software. There are five major types of malware that you should be aware of:
- Viruses: a type of self-replicating malware that can infect both your own website and your user’s computers.
- Adware: blocks access to your website until users interact with an ad.
- Spyware: does not change functionality of site but steals user information and website data.
- Trojan horses: masquerades as helpful software while performing more insidious functions in the background.
- Ransomware: blocks access to and use of your site until hackers receive payment.
Website Security 101
How can we protect against such a diverse array of attackers? Like much of cybersecurity, the answer depends on the content and complexity of your website; sites with self-developed software or eCommerce capabilities may require more intensive security than blogs or sites developed with available CMS platforms.
Tony Zafiropoulos, CISA certified systems auditor, owner of the Oversite Sentry blog, and author of “Too Late, You’re Hacked!”, summarizes these complexities, detailing Pfizer’s journey with its own website: “At Pfizer, around 10 years ago, much of the software was developed in-house, and required a quality assurance and security department to sign off on the website before it went live. The pentesters (people who tested the security) took several days and sometimes a week before signing off on the website.” On the other hand, simple websites like WordPress blogs may only need regular updates and a few security plug-ins. Despite this variation, there are a few rules of thumb that will aid most organizations in improving website security:
Just like going to the doctor for your yearly check-up, it’s important to your website’s health to regularly check in on cybersecurity. Set a reminder once every week or two to set aside time to use a malware scanner to check for the presence of hidden code or viruses. At this time, you can also run a full check on your website content. Have new ads or suspicious content popped up without explanation? Are any linked sites still routing to the correct locations? Are there any sections of your website that are slow, blocked, or have lost functionality? Any of these factors may indicate the presence of hidden malware and the potential for a serious security breach.
Backing up your website is just as important as backing up your hard drive. One of the most common methods of malware attacks is deletion, modification, or blocking of content, either for misinformation or ransom purposes. Keeping your content safe will allow you to identify any missing or modified content, as well as reducing your susceptibility to ransomware demands. Backups can also be automated to reduce your cybersecurity workload.
Password security is one of the most well-known examples of cybersecurity strategy, but its importance cannot be overstated. Choosing complex passwords, changing passwords often, and using two-factor authentication can help you avoid many cyberattacks without complex additional strategies.
Web application firewalls
Web application firewalls are another way to streamline your cybersecurity strategy and bolster your website defense. They function to allow “authentic” traffic while blocking malware. Of course, these systems aren’t perfect; many hackers have evolved to be able to bypass firewalls or create software smart enough to get around them. But this does not mean firewalls are not worth investing in; passively staving off the majority of routine malware attacks will allow you to focus on security strategies for more complex hacks.
Another excellent strategy for avoiding malware is always keeping your content management system (CMS) up to date. As Zafiropoulos explains: “updating your CMS is just as important as updating software (as discussed in my book). The problem with a CMS is that you might not notice a successful attack for months (or even years) while your system is being used by attackers.
“The most dangerous attacks are RCE (Remote Code Execution) attacks… In about a minute or two an attacker can be in the system and can execute commands. The key is there must be a vulnerability that has an RCE problem. So now you must scour the Internet to see if your adversary has this kind of tool in your arsenal.
“Or, you could just update your CMS as soon as possible, and have an anti-attack plugin– like Wordfence.”
Updating your CMS circumvents the problem that Zafiropoulos describes. If vulnerabilities exist in your system, hackers may be able to access your website in minutes, leaving you to play catch-up. Instead, update your CMS! This will keep attackers at bay by minimizing available vulnerabilities.
Finally, you can round out your security strategy by installing security plug-ins, which use a variety of approaches to block suspicious traffic and keep your website safe. In general, there are three types of plug-ins:
- Anti-malware/virus plug-in: often comes with anti-virus software
- Privacy plug-in: blocks third parties from tracking your online activity
- Anti-Ad plug-in: reduces your exposure to potentially dangerous ads
Though anti-ad plug-ins may seem unnecessary, Zafiropoulos makes a point to emphasize their importance: “This one is a must– some Google ads have been known to be malicious in unique situations, and it is a good idea to reduce your malware exposure if possible.” These plug-ins can function as another line of defense, bolstering your website safety and reducing risk for your users.
There are a wide variety of opinions about cybersecurity and website safety. Rather than diving deep into one strategy, employing a variety of basic techniques and a combination of firewalls and plug-ins will do wonders to keep your website safe. Remember– the most important aspect of cybersecurity is consistency. No matter how busy your workday is, make sure that you are regularly taking time to secure your website and protect yourself against malware attacks. By employing these strategies, you will be able to keep your users and your website safe, and finally secure some peace of mind.
To learn more about the vast and complex world of cybersecurity, check out Tony Zafiropoulos’s comprehensive book, Too Late, You’re Hacked!, available through the Publishing Concepts LLC.