Cyber criminals are experts at finding and exploiting website security weaknesses. Compromising your website means gaining entry to your site to get to your business network and data, or even taking your business offline altogether so that your customers can’t access your services.

You can discourage attacks by ensuring basic IT security hygiene is observed in order to prevent giving criminals ‘footholds’ in your website infrastructure.

Cyber attacks on websites

If you have a website you’re likely to be offering your customers online services. Your web applications may be collecting customer identification information, banking details and contact details. All of this data is worth money to cyber criminals.

Here are some motives of cyber criminals to gain access to your website:

  • Stealing data, such as intellectual property, for financial gain.
  • Service disruption.
  • Using your web server for email spamming, to conduct illegal activities or host illegal files.
  • Defacing your website.
  • Damaging your reputation.

Criminals may also attempt to knock your business offline with a Denial of Service (DoS) attack. A DoS attack is designed to disrupt a website so that legitimate users cannot reach it. The attackers ‘flood’ the website with far more connection requests than it can handle, and as a result the website is knocked offline. When the flood comes from many compromised machines at once (a botnet), it is called a Distributed Denial of Service (DDoS) attack; this is the form most businesses encounter. If your hosting provider isn’t protected against these attacks, your business is at risk.

A DoS attack is an effective tool used by criminals for extortion. Cyber criminals may threaten an online business with a DoS attack unless the business pays a ransom.

Being unable to offer an online service even for a short period can be seriously damaging for an organisation. The cost of a DoS attack goes beyond lost revenue; restoring an internet-facing system can involve reconfiguring servers or replacing damaged infrastructure. Then there is the damage to your brand: customers can lose confidence in the security of a business or service if it is inaccessible or publicly labelled as a target.

How do cyber criminals target websites?

What many business owners don’t realise is that cyber criminals use automated scanning tools to scour the internet for vulnerabilities. With these tools they can scan websites anywhere in the world, quickly and at little cost.

Using these tools, attackers can probe thousands of IP addresses, looking for weaknesses such as poorly configured websites, or internet-connected computers and servers running out-of-date software.

Check that your web hosting provider puts security first

The web hosting service you use to make your website available to the internet plays a significant role in keeping your business safe.

If they’re hacked, your website may be exposed too.

Here is a list of questions to ask your web hosting provider:

  • How do they protect against a DoS or DDoS attack?
  • How does their Business Continuity Plan ensure your website stays online?
  • What controls do they have in place to ensure stability and access 24 hours a day, 7 days a week?

You’re likely to be sharing a hosting platform with other customers. Ask:

  • How many other websites do they manage? And how do they prioritise responding to incidents?
  • How soon can they recover your website if there is an incident?
  • Do they have separate access credentials in place for each customer?

How to protect your website

While a business cannot stop criminals from attempting an attack, you can take precautionary measures to make it much harder to succeed and to be prepared if it does.

Understand what your online presence is

Some websites contain only static information, like service brochures and product descriptions. An attack on a brochureware site may cause reputational damage to your business. However, if your website is also transactional, that is, customers can purchase directly from you, then an attack will impact both your revenue and reputation.

Don’t wait until something goes wrong

Understand who is hosting your website, get to know the services your Internet Service Provider (ISP) may offer, and any service level agreements that are part of your contract, including monitoring of the performance and uptime of your website.

Some ISPs may partner with a cloud-based DDoS mitigation service, for example Telstra offers their Arbor solution, and Optus partners with Akamai. Cloud-based mitigation services are scalable to the size of the attack. The aim of cloud-based DDoS mitigation solutions is to ensure websites being attacked remain online and accessible for real customers.

Cloud-based DDoS mitigation services often offer their clients a detection service to alert if a website is being attacked, and because they are cloud-based, can be deployed quickly without hardware, software or web application changes.

Have an incident response plan in place

Follow your incident response plan and keep in close contact with ISPs and any other DDoS mitigation providers. The guiding objective through any response is to continue providing an accessible service to customers. Where that is not possible, the objective is to restore normal business function as soon as possible.

Ensure security patches are regularly applied

Regularly apply security patches to the operating system, web server, content management system and any plugins or themes, and run your website on infrastructure that is separate from critical business systems, so that a compromised website does not give an attacker a direct path to them.

Install a web application firewall

A web application firewall (WAF) sits between the internet and your web server and inspects incoming web requests. It can block many common attack patterns (such as injection attempts) and filter out unwanted traffic like spam and malicious bots. A WAF reduces risk but does not fix the underlying flaws; it should complement patching and secure configuration, not replace them.

Toughen up website admin and access control

Your website admin pages are a way into your network. Do not rely on keeping them hidden from search engines; restrict who can reach them (for example, by requiring a VPN or allowing only known IP addresses) and require multi-factor authentication where your platform supports it. Adopt strong password policies for website administrators and limit the number of failed login attempts allowed within a 30 minute block of time, counting both per account and per source address, so that an attacker cannot simply cycle through many accounts from one machine.
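As an added example (not code from the original page or from NAB), the following Python shows one way to implement the failed-login limit described above: a sliding window of failed attempts tracked per account and per source IP, with a 30 minute block. The threshold of five attempts and the class and function names are assumptions chosen for illustration. The clock is injectable so the behaviour can be exercised offline.

```python
import time
from collections import defaultdict, deque

# Hypothetical policy values, chosen for this example (not from the article).
WINDOW_SECONDS = 30 * 60   # the 30 minute block the article refers to
MAX_ATTEMPTS = 5           # failed logins tolerated per key within one window


class LoginThrottle:
    """Sliding-window counter of failed logins, keyed by account and by source IP.

    Either key reaching MAX_ATTEMPTS within WINDOW_SECONDS blocks further logins
    for that key until the oldest failure ages out of the window.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures

    @staticmethod
    def _keys(username, ip):
        return (f"user:{username.lower()}", f"ip:{ip}")

    def _recent(self, key, now):
        # Drop failures older than the window, then return what is left.
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, username, ip):
        now = self.clock()
        return any(len(self._recent(k, now)) >= self.max_attempts
                   for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        now = self.clock()
        for k in self._keys(username, ip):
            self._recent(k, now).append(now)

    def record_success(self, username, ip):
        # A successful login clears the per-account counter only; the per-IP
        # counter stays, so one valid password does not reset a hostile host's budget.
        self._failures.pop(f"user:{username.lower()}", None)

    def attempt(self, username, ip, password_ok):
        """Return True if the login should be accepted.

        While blocked, even a correct password is refused; the block is bounded
        by the window, so it cannot be turned into a permanent lockout.
        """
        if self.is_blocked(username, ip):
            return False
        if password_ok:
            self.record_success(username, ip)
            return True
        self.record_failure(username, ip)
        return False


class FakeClock:
    """Deterministic clock so the example runs without waiting 30 minutes."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Five bad passwords lock the account; the right password is refused until
    the window expires. Returns the accept/refuse decision for each attempt."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    results = []
    for _ in range(MAX_ATTEMPTS):
        results.append(throttle.attempt("alice", "203.0.113.7", password_ok=False))
    # Sixth attempt carries the correct password but the account is blocked.
    results.append(throttle.attempt("alice", "203.0.113.7", password_ok=True))
    clock.advance(WINDOW_SECONDS)
    # Oldest failure has aged out; the correct password is accepted again.
    results.append(throttle.attempt("alice", "203.0.113.7", password_ok=True))
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: the per-IP counter stops an attacker from spreading a password-spraying run across many accounts, and the bounded window stops the throttle itself from becoming a denial-of-service tool that an attacker can use to lock administrators out indefinitely. In a real deployment the counters would live in shared storage (such as a cache) rather than in process memory, so that every web server enforces the same limit.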

Add a TLS (SSL) certificate to your website domain

Use a TLS certificate (still commonly called an SSL certificate) so that all traffic between your customers’ browsers and your web server is encrypted over HTTPS. Data intercepted in transit is then unusable to anyone who captures it, and the certificate lets browsers confirm they are talking to your site and not an impostor. Serve the whole site over HTTPS, not just the login or checkout pages.

Back up your website and test recovery regularly

Take regular backups of your website files and database, store them somewhere an attacker who compromises the web server cannot reach, and periodically test that you can actually restore from them. Develop a Business Continuity Plan that covers what to do if your website is corrupted or if you need to move to a new hosting provider.

Depending on the size of your business and your budget, consider engaging a website security expert to regularly assess and manage your website security risks.

When it comes to protecting your website, up to date knowledge is your armour. Stay informed about the latest cyber security threats.

Deadlock the doors to would-be online criminals.

Helpful resources

The basics of computer security

There are simple measures every business can put in place to avoid the risk of cyber-attacks.

How to protect your business from cyber security threats

Cyber threats don’t have to turn into cyber incidents with security controls in place.

Managing cyber security as a business risk

Ensure you are aware of, and managing your cyber safety risks.

Understanding the value of your business data

Protecting valuable business data from cyber crime is everyone’s business.
