Why security matters right now for your web footprint and your business
You’re a business owner, and you’ve been told for the better part of two decades that you need a website. But times are getting tougher for some people, and cybercrime is a real threat. You paid for the website. Probably more than once. You’ve created content. You may have even gotten some value out of it, some additional phone calls or maybe even some decent new customers. So far you haven’t been hacked, but this article is going to make the case for starting the security-centric journey for your internet footprint now. Sure, you haven’t been hacked, but security is important now, because you haven’t been hacked YET.
So why, if the threat isn’t advanced, persistent, or already at the gates, does security matter for your company now? Because security isn’t about a single solution, it’s about a comprehensive, proactive set of solutions that keeps you safe through a multi-layered, multi-faceted approach that changes over time, as risks evolve. Security is about a mindset and an approach, not a single solution. But the threat is coming for us all.
Why security is hard to see as a tangible thing; why security is often seen as a liability and a cost, instead of an important, business-building expense
Security requires people, systems, monitoring and constant upgrades in both methodology and technology. It’s expensive because it’s still built on the back of enterprise systems and enterprise pricing models – mostly because enterprise organizations were the only ones historically targeted for a financial or data driven purpose. They aren’t the only targets now, though.
Security is also seen as a mysterious, “come-at-you-from-any-angle” threat, one that is both lurking in the shadows and unpredictable. But, as we’ll explain later, that is rarely true for SMBs (small and medium businesses) in mainstream security-related scenarios.
Security costs money. It requires a lot of attention, and it requires skilled, often certified employees, and expensive consultants or oversight. This is true for a lot of enterprise-level solutions and for organizations that house internal data on thousands, or hundreds of thousands, of clients or end users. For SMBs there are still some costs associated, but they can be lower than the costs associated with traditional security solutions for larger businesses.
Security is hard to understand because small and medium businesses were not often targeted historically, or at least not in ways where the actual threat is easy to understand. So, business owners, consultants that aren’t security-focused, and web development partners or digital agencies aren’t usually up to speed with the changing face of security concerns for those types of businesses.
You can hire a team to make your website, but they may not be using the right code-level security practices, or testing to ensure best practices at the time of deployment and in the future. Many development teams don’t remain in place to secure the code-level infrastructure over time as threats change and best practices evolve.
Most digital agencies aren’t equipped to help you be secure in your web footprint
Wait, are you saying that even advanced, highly reputable digital agencies aren’t equipped to handle security concerns for my small or medium sized business?
Yes, that’s exactly what’s being said. Digital agencies have usually been focused on SEO, marketing and basic development, and have transitioned into more profitable template driven websites, basic technology architecture and social media marketing, to improve bottom line revenue.
That isn’t the case for all digital agencies, but, generally speaking, digital agencies go after low-hanging fruit (things like WordPress and WooCommerce websites) and easy-to-implement, repeatable, cash-flow-based services with high profit margins (like social media posting, basic content creation and simple SEO work that can generally be outsourced). That’s not necessarily a bad thing, considering that content, social media work and SEO baselines all contribute to expanding a business’ digital footprint. It means you see results without a ton of in-house payroll, and an easy-to-understand, easy-to-sell service offering.
We’re a sort of digital agency, too, and we do similar work. It’s effective, and a digital agency isn’t necessarily incompetent if it focuses on these mainstream types of offerings (listed above).
But make no mistake: you are not protected by solutions that don’t incorporate security best practices, and more exposure, more traffic and a larger digital footprint make you a more attractive target to a hacker.
Hackers are real, but other threats exist too
But am I really supposed to worry about a “H4ck3r” all the time? How realistic is the threat?
Hackers aren’t the only threat. But they are a threat that can be especially devastating to a small or medium sized business. Enterprise organizations have to protect against theft of customer data, access to bank accounts and financial information, and loss of proprietary or strategic information; a small business website, by contrast, can simply be taken down or destroyed by a hacker very easily.
Denial of service, or sabotage of web presence can be devastating
So, even if you aren’t housing proprietary data in large quantities, or trying to maintain sensitive databases of customer data, or connecting financial information to your internet enabled implementations, hackers may still be a legitimate threat.
Also, it’s not all about “Mr. Robot”, and other Hollywood style hacking concepts. There are a lot of different types of hacking threats. Some are automated scripts designed to just attack known vulnerabilities. If you have a WordPress website, say, you might have any number of vulnerabilities at any given time. You need to protect the attack vectors for automated, script-driven threats, as well as actual human hackers that are attempting to compromise your website in real-time.
Why is WordPress highlighted? Guess what? WP installations for business websites are extremely common, especially if you work with a digital agency and have a small or medium sized business. As approachable and easy to use as a WP website is, it has become a convenient solution for a lot of businesses, even when it may not be ideal for their situation or needs. It’s a bit of a “square peg, round hole” scenario for a lot of businesses (Learn about why a WordPress Website may not be your best bet), but that doesn’t mean it cannot be optimized.
A WordPress website is still a very well documented threat magnet, because it’s popular, and has a bit of a loose infrastructure when it comes to theming and plugins. This means it can be particularly susceptible to attacks.
There are a lot of different types of “hackers” too, including script kiddies (a term used to describe unsophisticated hackers who use pre-written scripts and tools, readily available online and built by more sophisticated people, to try to cause problems for websites or applications).
Another type of hacker is a hacktivist – an individual or group that has a political or ideological opposition to a specific type of business or industry, and uses their zealotry as a catalyst to continue to pressure companies or concepts they disagree with. They may be unsophisticated, generally, but their drive to cause you problems is significant.
You may also see more advanced threats that could target you depending on the type of work you provide or the industry or affiliations you may have. While many small or medium businesses wouldn’t be attacked by “state actors” or “advanced persistent threats”, it’s entirely possible if they are affiliated with government contracts, the energy sector, healthcare, or other industries or organizations.
Here is why security matters now – before you are hacked, threatened with ransomware or breached
Security must be a proactive endeavor, not a reactive one. It’s hard to have appropriate, completely air-gapped backups if you don’t have the proper infrastructure in place prior to a breach, or going offline.
You cannot react easily after you already have compromised endpoints, plugins or native files. Sometimes, simply having a backup and restoration procedure is not a realistic solution.
Sometimes, the threat isn’t even from the outside. Some threats are disgruntled employees with a bit too much access. Sometimes it’s a breach at the service provider, sometimes it’s about poor security configurations. Some breaches (and probably more like a majority of them) are the result of simple mistakes or human error. You need a partner that helps you stay protected at a reasonable cost, and can help you navigate restoration of your footprint and beyond.
Security is of little value if the entire structure of your “stack” is not built with best practices in mind, and if it is not flexible or able to be modified to adapt to new threats. Furthermore, you have to have a capable team to adapt and transition to meet evolving threats and best practices.
You’re likely to have a ton of threats lurking now – in Windows machines, Linux machines, file servers, NAS systems, or even things like Google Drive, Dropbox, or AWS. Why? Because the service provider doesn’t have a vested interest in forcing you to implement secure practices. They want to sell you a product or service, not necessarily tell you how to use it. Even though secure options exist, you have to opt into them, and many decision makers don’t have the training to do it in the most effective way.
So, while you may not intend to have a lax security posture, existing workflows, a lack of understanding of the full threat spectrum, or simple “settings neglect” can be the ways your security fails you.
You need some advice, training about security awareness, and the ability to mitigate real-world threats. And you need to have those structures in place BEFORE something negative happens.
One of the biggest threats to you could be uninformed employees, or those that handle important functions in your business that aren’t thinking as a business owner. “Not my problem” is a common concern – and scarier than it seems on the surface. Most employees clock in at 9 and work until 5. They aren’t “paid well enough” to worry about advanced issues facing the business – especially those that remain hidden until they are manifested as an issue.
This isn’t to knock existing employees – they were hired to do a job and they are likely to be very good at that job, but that job may not also be security-centric.
At the point when a concern is real, and there is a need to mitigate it, employees may be overwhelmed, undertrained, or completely inexperienced in the threat mitigation protocols or needs, even if they are willing to help and willing to go out of their comfort zone.
Real world threats abound – even in places you may not think are affecting you
Right now, as this article is being written, Windows is facing a ZERO-DAY threat. That means: the operating system for (some) Windows commercial products has a vulnerability that could cripple the software for all users, and that was unknown until very recently. More specifically, a zero-day threat is a threat that is unknown to the mainstream, or known only to a handful of people, and that could cause major disruption in a particular piece of code or infrastructure. It is a particularly dangerous concern: it is unpredictable, it has no current foolproof solution or patch, and it can be deployed by a bad actor at any time.
Missing even a single patch while a zero-day is lurking can mean that your business, or the portion of it that relies on the affected hardware or software, can be taken down immediately. You are then at the mercy of the patch being released, or the firmware or hardware being fixed, which may or may not solve the problem soon, or comprehensively.
Does your company rely on Windows machines? They are at risk right now. There is no proposed solution yet at the time of this article’s writing.
But Microsoft and Windows are not the only vendor or commercial service facing zero-day threats, or other types of concerns. The supply chain is constantly under pressure (pressure that has increased in the COVID era), and is at risk of threats that may only be acted upon years down the road in some cases.
Threats exist at the commercial level in thousands of different channels. There are probably at least dozens of publicly available attack vectors in your business right now. And your digital agency, and probably even your IT person haven’t had that conversation with you.
My IT person can handle this security stuff, though, right?
Sure, a lot of IT professionals are very good at what they do and have broad credentials or experience, but not all of them are capable or comfortable handling security work. IT is more about generalist hardware and software solutions, and is less sensitive to the rapidly changing environment of cyber threats.
An IT person MAY be able to provide real solutions, or point you in the right direction, but many of them aren’t specialists in that arena, and a lot of the threats or concerns may be “above their pay grade”. You’re paying for IT-specific labor and knowledge, not highly specialized, security-focused cyber defense work or offensive security testing.
Specialized security training is something that costs a lot of money, and while an IT professional can absolutely pivot to meet such requirements, they are not always inclined to do so, and may not have the time or other resources to be operating at a high level, security-wise.
Dedicated security employees are a great solution, but may not be realistic for your business
The average lower-level SOC (Security Operations Center) employee can cost more than $50,000 USD. Usually an employee at that level is at the very entry level and will not be able to handle advanced concerns, or know how to mitigate significant or fast-moving threats.
Most employees at that payroll threshold are analysts and ticket system types of employees that are not familiar with advanced solutions, even if you had immediate access to those types of solutions for them to use.
Getting an employee at the level a business might need to identify, and react properly to, an advanced or fast-moving threat, and keep the business insulated from negative impacts, would cost more than $125k in Southern California, for instance. Even then, the tools they need to operate efficiently will cost another $200k or so per year (there are some open source or lower cost solutions, but they will require additional employees, automated services, or someone with DevSecOps experience, which could increase the salary).
SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) solutions are expensive (even open source “free” solutions are expensive to build and maintain), and they alone are not a comprehensive solution for many security concerns.
Even if you have a capable, experienced employee and the tools to mitigate threats, there are only so many hours an employee can work in a 24 hour period. They will have to sleep at some point. The bad guys don’t take a break when your security person gets sleepy. Most advanced threats will be using advanced automation, sophisticated attack types and manipulating several different areas of your infrastructure.
A bunch of “what-ifs” still exist after a security event
Let’s say your in-house (or outsourced “MSSP” – Managed Security Service Provider) SOC employees can handle the identification of the threat and even mitigate the threat temporarily:
- What happens when code has been modified, removed, or breached by a worm or malware that the Security professional doesn’t understand?
- Does your development team know how to fix it?
- What is the “RUSH” price to fix it?
- How do you know it isn’t still compromised?
- Do you have the oversight capabilities to know that the solution was proper?
- How long can your website be down?
- What is the long-term damage to credibility, customer data, proprietary knowledge or Intellectual Property?
- When will it happen again?
- In many cases, a host like GoDaddy or Bluehost might be able to secure, and even replace, your site files, but can they protect against a new threat? Can they guarantee the threat is not embedded in the files?
- What happens when you need to remove a top level employee or partner from access to your business website, or other proprietary application or public facing infrastructure, or important private infrastructure?
Even the best MSSP cannot generally offer development solutions that can natively adapt quickly to needs identified or affected by sophisticated security events. MSSPs (Managed Security Service Providers) don’t typically offer real-time, code-level solutions to adapt to changes as needed, or upgrade infrastructure on demand. Solutions need to be in place to ensure that you have business continuity. Furthermore, MSSP services may cost upwards of $125k/year for basic coverage, and do not provide full solutions for many small businesses. That type of expense is not sustainable for most SMBs.
Security is a problem right now for your business. Even before something happens. It’s something that needs to be addressed at the broad level at minimum. It’s a problem because you don’t know what you don’t know. It’s a problem because there is a VERY LOW likelihood that your existing digital agency has any real capacity to secure your footprint. It’s potentially an expensive concern. The average cost of a breach of data, or a website being down, is creeping up as businesses focus on building their revenue through internet related channels.
Security concerns require the right solution – you should explore your options – vet solutions providers properly
We haven’t even talked in-depth about internal threats, or ransomware concerns. Partially because the threat is less likely, but it is still a consideration; a concern that can be proactively mitigated.
We invite you to reach out to us for a security audit, consulting services to help you build something in-house, or for turn-key security solutions.
If you are running a WordPress website, we can secure your site significantly better than it currently is for a very minimal cost. Many solutions, when they implement best practices and use high-quality tooling from a properly equipped, service-oriented company, can be easy to implement and relatively inexpensive. We provide such services in a quick, affordable way, so let’s chat.
We will continue to write about security-related concerns on this blog, and link to important resources that can help you stay protected, or improve your security posture. We can also help you build a realistic solution. It’s never too early to start talking about, and engaging in, proper security practices – but it can always be too late to fix problems easily. Being forced into a reactionary stance as your first line of defense against a security threat is not a good place to be.