Security breaches are costly for small and midsize businesses (SMBs). If attackers manage to compromise corporate sites, they may be able to access protected network services, in turn putting business data at risk.
These compromises are potentially costly — recent research found that the average data breach cost for businesses with fewer than 500 employees is $2.98 million. New websites are one common pathway to compromise; if growing companies don’t take the time to secure website operations properly, malicious actors can use web security weaknesses as a jumping-off point for more significant network compromise.
The challenge? Many new website owners aren’t sure where to start. What threat vectors are the most dangerous, and how do they effectively close down attack pathways? Here’s a look at the top 10 security mistakes new owners make — and what they can do to limit overall risk.
1. Poor password policies
Easily guessed passwords are one of the most common website attack pathways. If malicious actors can easily guess administrator login and password details, they can gain access to website infrastructure.
These passwords stem from poor policies — without clear requirements in place, staff will default to simple, easy-to-remember passwords that provide no defensive value, such as “123456” or “password.”
Potential consequences
If attackers can guess or brute-force login details, they can gain access to website administrative functions. This allows them to create, delete, or modify posts, download plugins, or upload malicious code. Attackers may also be able to move laterally into business networks, in turn granting them access to mission-critical files and functions.
In a best-case scenario, small businesses notice the compromise immediately and take steps to shut down affected accounts and remediate the issues. In the worst case, attackers may exfiltrate data or encrypt files and demand ransom payments.
Preventative measures
To prevent password problems, businesses need to implement strong password policies. Common examples include requirements that passwords must be at least eight or ten characters long, contain a mix of letters, numbers, and symbols, and not be a repeat of any previous passwords.
It’s also important to ensure that passwords are regularly changed. Ideally, site owners should require users to change their passwords every three to six months.
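The policy described above (minimum length, a mix of letters, numbers and symbols, no reuse of earlier passwords, rotation every few months) is easy to enforce in code at the point where a password is set. The following is an added example, not code from the article or from Worksighted; the threshold values (10 characters, a five-entry history, a 90-day rotation) and the small common-password deny-list are assumptions chosen for illustration. Old passwords are kept only as salted PBKDF2 hashes, so the history itself is not a second copy of users' secrets.

```python
import hashlib
import hmac
import os
import string
from datetime import date
from typing import List, Optional, Tuple

MIN_LENGTH = 10      # assumption: the stricter end of the article's "eight or ten characters"
HISTORY_DEPTH = 5    # assumption: how many previous password hashes to retain per user
MAX_AGE_DAYS = 90    # assumption: the article's "three to six months", taken at three
# Constructed deny-list for the example; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so the history never holds old passwords in clear."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def check_password_policy(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    # Re-hash with each stored salt and compare in constant time.
    if any(hmac.compare_digest(hash_password(password, salt)[1], digest) for salt, digest in history):
        problems.append("reuses a previous password")
    return problems


def remember_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[Tuple[bytes, bytes]]:
    """Record a newly set password's hash and keep only the most recent HISTORY_DEPTH entries."""
    return (history + [hash_password(password)])[-HISTORY_DEPTH:]


def password_expired(last_changed: str, today: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once a password (dates as ISO strings, e.g. '2024-01-01') is due for rotation."""
    return (date.fromisoformat(today) - date.fromisoformat(last_changed)).days >= max_age_days


if __name__ == "__main__":
    history = remember_password("OldPassw0rd!", [])
    for candidate in ("password", "OldPassw0rd!", "Correct-Horse-42!"):
        print(candidate, "->", check_password_policy(candidate, history) or "OK")
    print("expired:", password_expired("2024-01-01", "2024-04-01"))
```

Run the checks server-side at password creation and on each login (for the expiry date), never only in browser JavaScript, since a client-side check can be bypassed by anyone submitting the form directly.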
2. Ignoring updates
Both website hosting providers and software companies regularly provide and distribute updates. While some of these updates add new features and functions, others address newly discovered security flaws or vulnerabilities. If website owners fail to update their sites to the newest software version, they could put themselves at risk of compromise.
Potential consequences
Potential consequences of ignored updates include attackers gaining website access without owners’ knowledge. Consider a website plugin that helps streamline content creation and blog posting. If attackers discover a vulnerability they can exploit, they can gain site access. If plugin creators discover the problem and issue a patch, applying it eliminates the risk. If, however, site owners don’t update their plugins, they remain unknowingly exposed.
Preventative measures
To reduce the risk of compromise, SMBs should create a regular patch schedule. For example, they might check for new patches every second Tuesday, or ensure that all apps and services are up to date at the first of every month.
3. Forgetting 2FA
Two-factor authentication (2FA) requires users to provide an additional factor of verification along with their logins and passwords, such as a one-time code or a USB token. Forgetting to add 2FA opens companies to security risk.
Potential consequences
If attackers obtain usernames and passwords via phishing attacks, they can use this data to access website admin tools. 2FA prevents this attack vector by requiring cybercriminals to provide something they don’t have — a second authentication factor.
Preventative measures
Companies should research 2FA providers and select a service that matches their needs and budget. Some tools are available for free and take the form of authentication apps that provide single-use passcodes. Others are part of larger for-pay security suites.
4. Avoiding security audits
Security audits help IT teams identify potential issues with tools, technologies, or access policies. Failing to carry out regular audits can prevent companies from pinpointing key points of compromise.
Potential consequences
If SMBs don’t carry out audits, they won’t identify possible attack pathways, and so won’t be watching the affected tools or services for signs of attack. As a result, it could take weeks or months for businesses to identify and remediate attacks, which gives attackers weeks or months to infiltrate systems and install malicious programs.
Preventative measures
Businesses should create a regular audit schedule, such as once per quarter or once every six months, and partner with a reputable IT support solutions and security provider to carry out this audit.
5. Using insecure addons or plugins
Addons and plugins from website hosting providers or content management systems (CMS) can improve site functionality and streamline operations, but can also introduce security risks.
Potential consequences
Insecure plugins or addons can act as vehicles for malicious software or malware payloads, which can encrypt key data or conduct long-term reconnaissance.
Preventative measures
Companies should always download addons and plugins from verified sources and approved marketplaces. In addition, they should run all new software through antivirus programs to reduce potential risk.
6. Keeping employees out of the security loop
Employee training plays a key role in effective security. Failing to keep staff in the loop increases the potential for compromise.
Potential consequences
If employees don’t receive regular training on how to spot risks such as phishing emails or malicious apps, they may inadvertently download infected files or provide their login details to cybercriminals.
Preventative measures
Businesses should create a regular security training schedule that includes both theory and practice. For example, it’s worth reviewing new and emerging threats, as well as testing staff on their ability to recognize phishing emails and other threats.
7. Storing and transmitting data insecurely
If data is not secured during transit or in storage, attackers may be able to access, exfiltrate, and then sell or delete key digital assets.
Potential consequences
Several consequences are possible. In the case of customer data, consumers may lose trust in an organization and take their business elsewhere. In the case of protected data, companies may face regulatory fines or penalties.
Preventative measures
Encrypt everything. Strong, thorough encryption significantly reduces attack risk. Even if attackers gain access to data, strong encryption prevents them from reading or using the data.
8. Relying on outdated security tools
Older security tools may be familiar, but if they are outdated they can introduce security risks.
Potential consequences
Tools designed for in-house environments or that cannot handle cloud-based data sources create significant security blind spots. If attackers exploit these blind spots, businesses may not realize what’s happened until data is stolen or malware is deployed.
Preventative measures
Businesses should take the time to review available solutions and choose a security provider capable of both meeting current needs and future-proofing websites against emerging threats.
9. Failing to create backups
Backup data sources allow companies to “failover” in the event of a data breach and keep critical operations up and running. Without backups, companies could face days or weeks trying to restore key operations.
Potential consequences
Despite best efforts, data loss happens. This could be the result of a malicious attack, due to misconfigured IT services, or because of a widespread power outage. Whatever the reason, if companies don’t have backups, they can’t access critical information and must shut down operations until they identify and solve the issue.
Preventative measures
Solutions such as cloud-based backup tools or physical storage media like tapes or flash drives help reduce the risk of unexpected downtime.
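A backup only reduces downtime if it can actually be restored, so it is worth pairing every backup job with an integrity manifest and a test restore. The following is an added example, not code from the article or from Worksighted: it archives a small constructed site directory, records a SHA-256 digest for every file, restores the archive into a separate directory while refusing archive entries that would write outside it, and then verifies the restored tree against the manifest. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir: Path, archive_path: Path) -> Dict[str, str]:
    """Archive every file under source_dir and return a manifest {relative path: sha256}."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for file in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = file.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_file(file)
            tar.add(str(file), arcname=rel)
    return manifest


def restore_archive(archive_path: Path, restore_dir: Path) -> None:
    """Extract regular files only, refusing any entry that would land outside restore_dir."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = Path(member.name)
            if rel.is_absolute() or ".." in rel.parts:
                raise ValueError(f"refusing unsafe archive path: {member.name}")
            target = restore_dir / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())


def verify_tree(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Compare a restored tree against the manifest; an empty list means the restore is faithful."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        path = root / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"modified: {rel}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Round-trip a constructed site directory, then show the check catching a changed file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        site = base / "site"  # constructed sample content, not a real site
        (site / "config").mkdir(parents=True)
        (site / "config" / "site.ini").write_text("[site]\nname = example\n")
        (site / "index.html").write_text("<h1>hello</h1>\n")

        archive = base / "site-backup.tar.gz"
        manifest = create_backup(site, archive)
        restored = base / "restored"
        restore_archive(archive, restored)
        clean = verify_tree(restored, manifest)  # expected: no problems

        # Simulate a corrupted or silently altered restore and re-check.
        (restored / "config" / "site.ini").write_text("[site]\nname = changed\n")
        tampered = verify_tree(restored, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("fresh restore:", clean or "OK")
    print("after alteration:", tampered)
```

Store the manifest separately from the archive (for example alongside the cloud or tape copy's catalogue), and schedule the restore-and-verify step on the same cadence as the backup itself; a backup that has never been restored is an assumption, not a recovery plan.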
10. Not developing an incident response (IR) plan
When incidents happen, stress runs high. Incident response plans provide a clear framework for action that helps users focus on what needs to happen. Without an IR plan, even simple issues can become complicated challenges.
Potential consequences
The stress of attacks can create panic, which in turn makes it hard for staff to remember what comes next and what they’ve already done. This can lead to redundant work and time wasted or can cause teams to miss red flags and allow attackers more time to work.
Preventative measures
SMBs should create and test a detailed IR plan. This plan should define who is responsible for what action under what circumstances, along with target objectives for recovery and remediation. These plans should be field-tested regularly to ensure they still work as intended.
Conclusion: Safety (and Security) First
Security is never a “solved” problem. Attackers are constantly looking for new ways to breach networks, and while evolving technologies offer improved options to combat security threats, they may also introduce potential vulnerabilities.
As a result, companies must adopt a multilayered approach that effectively targets top security threats to reduce overall risk. For example, while employee education plays a critical role in network protection, it’s ineffective if security policies allow the creation of weak passwords. Excellent access control helps limit total risk, but can only do so much if businesses don’t regularly update software solutions.
Bottom line? While there’s no way to eliminate digital threats, website owners can significantly reduce their risk of compromise by taking a layered approach to the 10 most common security threats.
Written by Amelia Suarez
Amelia Suarez is Marketing Manager for Worksighted, a managed IT services provider. She has over seven years of experience in the technology industry with a deep passion for helping businesses leverage technology to achieve their goals and streamline their operations.