Even if you don’t really pay attention to the news, you have probably heard about some big brands being hacked this year.

Web security is a hot topic, and of course what newspapers report is big brands and big companies being hacked, not small businesses. Does that mean a small company is immune to attacks? Of course not. TV channels and newspapers just talk about what people know and what makes noise.

4 common small business beliefs

1. We’re too small to be attacked

If you think attackers check how many employees you have or how much revenue you generate before trying to get into your website, you’re wrong.
I’ve even seen students attacking other students’ websites, so why would a small business be left aside?
Although attacking a big brand might be more attractive and “rewarding” for some attackers, what matters is what you host on your website and, first of all, the fact that you have a website at all.

website = target

For many malicious organizations, a website is an opportunity to host malware or any other malicious content they want to host.

Too small to be attacked?

In addition to being targets themselves, small businesses often do business with larger companies, which implies a deep integration of their technology and data into those bigger companies.
Even if you’re a small fish, you’re probably connected with a big one.

2. My statistics do not show any sign of an attack

Well, it depends on which statistics you look at. Google Analytics and other web analytics tools will not necessarily show traces of an attack.
Because Google Analytics and many similar tools rely on JavaScript code embedded in your pages, they do not report web requests made to anything other than your web pages. And of course attackers do not let your statistics fill up with their malicious requests, geographical location and other things you would like to see.
Server logs, however, should be able to show most of the activity, unless they are carefully deleted by the attacker himself.
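To make the difference concrete, here is an added example (not part of the original article) that reads web server access log lines and lists the requests a JavaScript analytics tag would never have reported. The log lines are constructed samples in the common "combined" format, and the rule in `seen_by_js_analytics` is a simplifying assumption, not how any particular analytics product works.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.5 - - [12/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
203.0.113.5 - - [12/Mar/2024:10:00:09 +0000] "GET /pricing.html HTTP/1.1" 200 4300 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
198.51.100.7 - - [12/Mar/2024:10:02:11 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.7 - - [12/Mar/2024:10:02:12 +0000] "GET /old/config.bak HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.7 - - [12/Mar/2024:10:02:13 +0000] "POST /admin/login.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
192.0.2.44 - - [12/Mar/2024:10:05:30 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleBot/1.0"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def parse(log_text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def seen_by_js_analytics(req):
    """Assumed heuristic: the tag only runs when a browser renders a served HTML page."""
    path = req["path"].split("?", 1)[0]
    is_page = path.endswith("/") or path.endswith((".html", ".htm"))
    return (req["method"] == "GET" and req["status"] == "200"
            and is_page and "Mozilla" in req["agent"])

def invisible_requests(log_text):
    """Requests present in the server log that the analytics tag never reported."""
    return [r for r in parse(log_text) if not seen_by_js_analytics(r)]

def errors_by_client(log_text):
    """Count 4xx responses per client IP among requests analytics never saw."""
    return Counter(r["ip"] for r in invisible_requests(log_text)
                   if r["status"].startswith("4"))

if __name__ == "__main__":
    for r in invisible_requests(SAMPLE_LOG):
        print(r["ip"], r["method"], r["path"], r["status"], r["agent"])
    print(errors_by_client(SAMPLE_LOG).most_common())
```

Not every request missing from analytics is hostile (the `robots.txt` fetch is ordinary crawler behaviour); a single client collecting a run of 4xx responses on files that do not exist is the kind of entry worth a closer look.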

3. We take no risk, have nothing to lose

This is a very common belief among small businesses and startups. Not dealing directly with money on your website does not mean there is no risk. In fact, a quick risk analysis would certainly show that you have very valuable and sensitive assets:

First, your brand reputation. Whether you consider your business a brand or not, your business is impacted by what others think of it. Being blacklisted by antivirus companies or browsers as a “dangerous website” because you’ve been hacked and some malicious things are hosted on your website is a 100% loss of online business until the problem is resolved.
Your brand would also be damaged if some harmful or unwanted content (like Viagra ads or similar) is posted somewhere on your site.

Who would ignore this message?

Page reported as dangerous (screenshot from Firefox)

Then, think of your users or customers’ security. Because yes, your website security impacts your website visitors’ security.
Their credentials, and more generally their personal data, are very precious to attackers and are used in phishing attacks, on other websites, or resold on the black market.

Your business: Being hacked does not only mean that your website will be defaced or that someone will steal some data. An attack can be performed with some larger objective, like spying on your employees or business data. You may ask, “Huh, how is that possible?”
Without going into the details, being able to push some malicious content on a website might allow an attacker to somehow take control over the browser of someone visiting the website, which can in turn be used to explore the internal network of the company.
This is not fiction, this is real life.

4. We can’t afford security

This one is also quite common among small businesses.
– What about securing your IT?
– No, we don’t have budget for this.
Well, there is a difference between no budget for security and not being able to afford security. While testing the security of a full IT environment can indeed be overwhelming, focusing on key areas (most attacked) like web applications is something most companies can afford.
Considering that the majority of cyber threats come from web applications, it would be a pity not to handle them if you actually can.

This is all about Taking Risks

The reality is that small businesses often wait for an attack to happen before taking action.
Entrepreneurs do like taking risks, otherwise they wouldn’t be entrepreneurs. But taking smart risks is risky enough, isn’t it?

Managing risks can be split into two parts:

  • Increasing the likelihood of opportunities
  • Avoiding threats or mitigating them


When it comes to web security, many solutions are available to you.
Even if you’re a small business, security is affordable, with solutions matching your needs. You won’t have to spend millions like big companies do, but having no budget for security at all is a security issue!

Bonus: Quite interesting article on Forbes, about entrepreneurs and risks:
