A couple of years back (time flies…) we ran a series of blogs about hacking – the likelihood of being hacked, why hackers hack and what you can do to avoid it. Hacking has taken on a much higher-profile, almost political, role in more recent times. ‘Prestigious’ (or should that be ‘notorious’?) hacking groups have focussed their attentions on high-profile governmental or quasi-governmental organisations, and being a hacker is something that is aspired to. You might even say that hacking has been elevated to an artform, that it “… is the new graffiti”. With that in mind – and no doubt with questions about your own website’s security in these uncertain times – we thought it was about time to revisit the state of play of online security and the role of hacking in 2016, the extent to which your organisation might be at risk from hacking, and what you can do about it.
Who’s hacking now?
I had one of those impossible conversations with a child the other day; the sort where you feel like you might as well be talking a different language to each other. She was vociferously arguing that hacking wasn’t always illegal. Her: “Some people have jobs where they hack into websites to tell people where their weaknesses are.” Me: “But then it’s not really hacking, is it, because they are ALLOWED to do the ‘hacking’. They are copying hackers, but they aren’t really ‘hackers’, are they?” Her: “Yes, they ARE hackers. They ARE hacking.” Stalemate. But it does raise the question – is there now ‘legitimate’ hacking? Can accessing a computer system with the permission of the owner ever be acceptable? And to what extent is your business or organisation at risk?
No doubt Anonymous felt they had a legitimate goal to pursue when members of the collective hacked into the social media accounts of ISIS members/supporters and gave them a fabulous ‘rainbow’ makeover in the wake of the appalling murders in an Orlando nightclub in June 2016. More recently, the World Anti-Doping Agency (WADA) is reeling from a cyber-attack in which a Russian hacking group, Fancy Bears, accessed the medical records of US athletes competing at the Olympics and revealed details of ‘Therapeutic Use Exemptions’ granted to athletes such as Simone Biles, the Williams sisters and even Mo Farah. The WADA hack could be seen as being ‘in the public interest’, revealing the extent to which top athletes are permitted to use ‘performance enhancing drugs’. Equally, this could be seen as a thinly veiled attempt to divert attention from the scandal of the wholesale sanctioning of performance enhancing drugs within the Russian sporting community. You choose. Another recent hacking attack brought down Iceland’s Prime Minister and led to investigations into UEFA. Ultimately, whatever the motivation, and whatever the results of hacking, it remains by definition ‘unauthorised’ activity – and standing up to unlawful behaviour with more unlawful behaviour probably doesn’t make it right. Even if it makes a point and makes you feel better.
The important thing to take away is that while hacking remains unlawful, it is no longer the preserve of a few lone technical geniuses trying to out-geek each other. Hacking is organised (even if, as we imagine is probably the case, it still takes place from isolated bedrooms around the globe) and hackers are focussed. You are as likely to be the focus of a hacker as a result of your unscrupulous behaviour (or perceived unscrupulous behaviour) as you are because someone wanted to prove their technical supremacy by hacking into your system, or because of the potential monetary rewards hackers can reap from you.
So what is ‘hacking’?
Although you may have read the headlines and been aware that ‘hacking’ goes on, it is not always as clear cut or as high profile as you might imagine – in fact in most cases, it’s almost certainly not. Despite my young friend’s insistence, hacking is still defined as “gaining unauthorised access to data in a system or computer”.
The high-profile examples – the theft and then revelation of personal details; the overt changing of accounts, such as the Anonymous Twitter hack – are the exception rather than the rule. Your website might be hacked to obtain personal details from customer information you hold, data that can then be used elsewhere, for example to access bank accounts. In other cases, the aim is to add a rogue line or two of code to the website concerned, to achieve whatever the hacker’s goal is. It is not always clear that you have been hacked, and it may take days, weeks, months or even years before you discover it.
Is your organisation at risk from hackers?
This kind of large scale, ‘public interest’ hacking is, of course, relatively limited, confined to those organisations and large corporates against whom the big hacking groups have a point to make. For smaller businesses and organisations, even for individuals, the reasons you might be the victim of hacking are still mainly confined to monetary gain, the harvesting of personal information, or to cause disruption, the reasons for which can be myriad.
Monetary opportunities that hackers pursue come in a number of guises. Although online banking has brought a number of advantages for banking customers, it offers a great opportunity for hackers to access your accounts and essentially steal from you. The other major fear linked to hacking is the loss of personal information. A number of businesses and organisations have reported hacking attacks through which personal information that they hold – customer information – has been stolen. This information – National Insurance numbers, bank account information, even details such as dates of birth – is all personal information that can then be used by hackers to potentially infiltrate other websites. It’s also information that can be used to hold people to ransom. Remember when the ‘cheating’ introductions agency Ashley Madison got hacked last year?
What are the implications of a hacking attack for your business?
A little later on in this article, we’ll look at some steps you can take to protect against a hacking attack, and to protect your business if the worst happens. Some may look at the list and groan – “Not MORE work to be done with nothing to show for it?” In response, we ask you 2 questions: How much will it cost your business per day if your site is down? And: How will it affect your online brand if Google says ‘this site is unsafe to open’ or it has a Hacking Poster on the screen?
The reality is that you have already invested and will continue to invest in your business and its online presence – every post on social media, every email newsletter you send out, every PPC, every carefully chosen SEO keyword. Being blunt about it, a hacker can completely destroy your reputation as a business – or simply destroy your online presence by taking everything – your website, social feeds – down. Looking more widely, there are the governance implications – how carefully were you securing customer data, and what have hackers been able to do through your website to damage others? Looking at it from this perspective, we hope you’ll agree that the implications of a hacking attack make the steps you might take to prevent it part of the investment you make in your online business.
What can you do to prevent hacking?
Given the last paragraphs, hopefully you’ll appreciate that any website is a potential target for hackers, for a variety of reasons, but there are a number of steps you can take to protect yourself and put your business in the best position it can be should a hacking attack succeed. An analysis of the Mossack Fonseca hack revealed a number of fairly basic flaws in their computer systems – not least a complete disregard for keeping software and systems up to date. Online security should be of paramount concern to any business, organisation or individual. While there are no cast iron guarantees that you can keep the hackers away, there are a number of steps that can make life much harder for them.
- Keep your website and associated software up to date – make sure your content management system is running its most recent version and that plug-ins are working properly.
- Make sure you have a firewall in place and run regular checks on your website security.
- Keep on top of anti-virus software.
- Guard passwords for your online platforms – website, social media profiles, email accounts – closely, and change them frequently.
- Make sure your employees are up to speed on potential hacking dangers, keep them briefed on the benefits of choosing strong passwords, and in this age of flexible working, make sure that they remain vigilant when working remotely.
- Keep abreast of developments in online security, and new threats that may be a risk to your system.
- Ensure your website is hosted with a reliable web hosting company that will run checks and protect against attack as part of your package.
- Have a safe, off-server backup of your website at all times. Sometimes the hacker will delete everything.
- Make sure you have a business process set up in case the worst happens. Your web development team can work with you to put this in place.
As with many aspects of the online world, this may seem like an onerous burden. It’s only onerous if it’s something you are unfamiliar with, so it may be worth investing in the services of a company that can assist you with online security measures. Many offer service level agreements that will ensure someone is on hand to help you if you suspect you are the subject of a hacker attack. It’s also not just a question of wondering what you might have to do – it’s a balancing act. You’ve no doubt invested – and continue to invest – in your business and your online brand, otherwise you wouldn’t be reading this article. The questions you need to ask yourself as a business owner are those we mentioned earlier on: How much will it cost your business per day if your site is down? And: How will it affect your online brand if Google says ‘this site is unsafe to open’ or it has a Hacking Poster on the screen?
Here at WebAdept, we have 20 years of website management experience and can assist you to ensure that your business stays protected and that you have a process and plan waiting in the wings should your site get hacked. Got any questions? We’re just a phone call away: 01437 720033.