Cyber criminals are experts at finding and exploiting website security weaknesses. Compromising your website can give them a path into your business network and data, or let them take your site offline altogether so that customers can’t reach your services.

You can discourage attacks by observing basic IT security hygiene, which denies criminals the ‘footholds’ they look for in your website infrastructure.

Cyber attacks on websites

If you have a website you’re likely to be offering your customers online services. Your web applications may be collecting customer identification information, banking details and contact details. All of this data is worth money to cyber criminals.

Some of the reasons cyber criminals want access to your website:

  • Stealing data, such as intellectual property, for financial gain.
  • Service disruption.
  • Using your web server for email spamming, to conduct illegal activities or host illegal files.
  • Defacing your website.
  • Damaging your reputation.

Criminals may also try to knock your business offline with a Denial of Service (DoS) attack. A DoS attack is designed to prevent legitimate users from reaching a website. The attackers ‘flood’ it with far more connection requests than it can handle, so real visitors are turned away or the site stops responding. When the flood comes from many compromised machines at once it is called a Distributed Denial of Service (DDoS) attack; this is the form most attacks take today and the one that mitigation services are built for. If your hosting provider isn’t protected against these attacks, your business is at risk.

A DoS attack is an effective tool used by criminals for extortion. Cyber criminals may threaten an online business with a DoS attack unless the business pays a ransom.

Being unable to offer an online service even for a short period can be seriously damaging for an organisation. The cost of a DoS attack goes beyond lost revenue: restoring a system can mean reconfiguring servers or replacing damaged infrastructure. Then there is damage to your business’ brand, as customers can lose confidence in a business or service that is inaccessible or labelled as a target.

How do cyber criminals target websites?

What many business owners don’t realise is that cyber criminals use automated tools to scour the internet for vulnerabilities. With these tools they can scan websites anywhere in the world quickly and at little cost.

Using these tools, attackers probe thousands of IP addresses looking for weaknesses such as poorly configured websites, or internet-connected computers and servers running out-of-date software. Your site does not need to be singled out to be hit; it only needs to look vulnerable when the scanner reaches it.

Check that your web hosting provider puts security first

The web hosting service you use to make your website available to the internet plays a significant role in keeping your business safe. If the provider is hacked, your website may be exposed too.

Here is a list of questions to ask your web hosting provider:

  • How do they protect against a DoS attack?
  • How does their Business Continuity Plan ensure your website stays online?
  • What controls do they have in place to ensure stability and access 24 hours a day, 7 days a week?

You’re likely to be sharing a hosting platform with other customers. Ask:

  • How many other websites do they manage? And how do they prioritise responding to incidents?
  • How soon can they recover your website if there is an incident?
  • Do they keep each customer’s access credentials and data separate from the other customers on the same platform?

How to protect your website

While you cannot stop criminals from trying, you can take precautionary measures so that you are prepared.

Understand what your online presence is

Some websites contain only static information, like service brochures and product descriptions. An attack on a brochureware site may cause reputational damage to your business. However, if your website is also transactional, that is, customers can purchase directly from you, then an attack will hit both your revenue and your reputation, and may expose the customer details your site collects.

Don’t wait until something goes wrong

Understand who’s hosting your website, get to know the services your Internet Service Provider (ISP) may offer, and any service level agreements that are part of your contract, including monitoring of the performance and uptime of your website.

Some ISPs may partner with a cloud-based DDoS mitigation service, for example Telstra offers their Arbor solution, and Optus partners with Akamai. Cloud-based mitigation services are scalable to the size of the attack. The aim of cloud-based DDoS mitigation solutions is to ensure websites being attacked remain online and accessible for real customers.

Cloud-based DDoS mitigation services often offer their clients a detection service that alerts you when your website is being attacked, and because they are cloud-based they can be put in place quickly, typically by routing your traffic through the provider’s network rather than installing hardware or changing your web application.

Have an incident response plan in place

Follow your incident response plan and keep in close contact with ISPs and any other DDoS mitigation providers. The guiding objective through any response is to continue providing an accessible service to customers. Where that is not possible, the objective is to restore normal business function as soon as possible.

Ensure security patches are regularly applied

Regularly apply security patches to the web server, the content management system and its plugins, and the underlying operating system, and run your website on infrastructure that is separate from critical business systems so that a compromised site cannot be used as a stepping stone into them.

Install a web application firewall

A web application firewall sits between the internet and your web server and inspects incoming web requests. It can block common attack patterns such as SQL injection and cross-site scripting attempts and filter out unwanted traffic like spam and malicious bots. It is a useful layer, not a substitute for patching: a firewall that blocks known attack patterns will still let through an attack on a flaw in your own application.

Toughen up website admin and access control

Your website admin pages are a way in to your network. Keep them out of search engines (for example with a robots exclusion or a noindex instruction) so they are not advertised to anyone searching for login pages, but remember that hiding a page is not access control: restrict admin pages to authenticated users, and where practical to known IP addresses, and require multi-factor authentication. Adopt strong password policies for website administrators and limit the number of failed login attempts that can be made within 30 minute blocks of time, so that password-guessing tools are slowed to a crawl.
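The login limit described above, as an added example that is not NAB’s code or any particular product’s: failed attempts are counted per account and per source address inside a sliding 30-minute window, further attempts are refused once the limit is reached, and the count is cleared on a successful login. The five-attempt limit, the example account and the hashing parameters are assumptions for illustration.

```python
"""Login attempt limiter: refuse logins once too many failures have been
seen within a 30-minute window.  Added example, not code from the page."""
import hashlib
import hmac
import os
import time
from collections import deque

WINDOW_SECONDS = 30 * 60  # the "30 minute block" from the guidance
MAX_ATTEMPTS = 5          # assumed limit; tune to your own risk appetite


class LoginThrottle:
    """Tracks failure timestamps per key and blocks a key once it has
    MAX_ATTEMPTS failures inside the window.  The clock is injectable so
    the demo below can advance time without sleeping."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._failures = {}  # key -> deque of failure timestamps

    def _recent(self, key):
        # Drop failures that have aged out of the window, then return the rest.
        now = self.clock()
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, key):
        return len(self._recent(key)) >= self.max_attempts

    def record_failure(self, key):
        self._recent(key).append(self.clock())

    def clear(self, key):
        self._failures.pop(key, None)


def hash_password(password, salt=None):
    """PBKDF2-SHA256; iteration count is an assumed value for the example."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store with a single illustrative account (not real credentials).
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {"admin": (_SALT, _DIGEST)}
_DUMMY = hash_password("dummy")  # hashed for unknown users so timing does not leak existence


def attempt_login(throttle, username, client_ip, password):
    """Return 'locked', 'ok' or 'denied'.  Failures are counted both per
    account and per source IP, so a single address spraying many accounts
    and many addresses hammering one account are both caught."""
    keys = (f"user:{username}", f"ip:{client_ip}")
    if any(throttle.is_blocked(k) for k in keys):
        return "locked"
    salt, stored = USERS.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    if username in USERS and hmac.compare_digest(candidate, stored):
        throttle.clear(keys[0])
        return "ok"
    for k in keys:
        throttle.record_failure(k)
    return "denied"


def demo():
    """Walk through a guessing run against the constructed account."""
    clock = [0.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    results = []
    for _ in range(MAX_ATTEMPTS):
        results.append(attempt_login(throttle, "admin", "203.0.113.7", "wrong"))
    # Even the correct password is refused now: the account is locked.
    results.append(attempt_login(throttle, "admin", "203.0.113.7", "correct horse battery staple"))
    # The same address trying another account is refused too (per-IP limit).
    results.append(attempt_login(throttle, "bob", "203.0.113.7", "x"))
    clock[0] += WINDOW_SECONDS  # the 30-minute block expires
    results.append(attempt_login(throttle, "admin", "203.0.113.7", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

Two practical points: return the same generic error message for ‘denied’ and ‘locked’ so the login page does not confirm which usernames exist, and remember that a per-account lockout lets an attacker deliberately lock out your administrators, which is why the window is short and a per-IP limit is applied alongside it rather than instead of it.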

Add an SSL certificate to your website domain

Use a Secure Sockets Layer (SSL) certificate, now more accurately called a TLS certificate, so that data passing between your customers’ browsers and your web server is encrypted. Anyone who intercepts the traffic in transit sees only unusable ciphertext. The certificate on its own only enables HTTPS; to get the benefit you also need to redirect plain HTTP requests to HTTPS and tell browsers to keep using HTTPS in future, and the connection between your web server and your database needs its own protection if it crosses an untrusted network.
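Enforcing HTTPS once the certificate is installed, as an added example that is not NAB’s code or any hosting product’s: a small WSGI middleware that redirects plain HTTP to a fixed canonical HTTPS host and adds a Strict-Transport-Security header to HTTPS responses. The canonical host name, the trusted proxy address, the one-year HSTS value and the sample requests are all assumptions for illustration.

```python
"""HTTPS enforcement for a WSGI application.  Added example, not code from
the page.  Redirects HTTP to HTTPS and sets HSTS on HTTPS responses."""
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"   # assumed; fixed so a forged Host header
                                     # cannot turn the redirect into an open redirect
TRUSTED_PROXIES = {"10.0.0.5"}       # assumed address of your load balancer / CDN edge
HSTS_VALUE = "max-age=31536000; includeSubDomains"  # assumed one-year policy


def request_is_https(environ):
    """Direct TLS connections are trusted; X-Forwarded-Proto is honoured only
    when the request arrived from a proxy we operate, because any client can
    send that header and would otherwise bypass the redirect."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def enforce_https(app):
    def middleware(environ, start_response):
        if not request_is_https(environ):
            location = "https://" + CANONICAL_HOST + quote(environ.get("PATH_INFO") or "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def wrapped_start(status, headers, exc_info=None):
            # Replace any HSTS header the app set with the site-wide policy.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, wrapped_start)
    return middleware


def demo_app(environ, start_response):
    """Stand-in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(environ):
    """Run one constructed request through the middleware and return
    (status, headers as dict, body) so the outcome can be inspected."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(enforce_https(demo_app)(environ, start_response))
    return captured["status"], captured["headers"], body


# Constructed sample requests (not captured traffic).
PLAIN_HTTP = {"wsgi.url_scheme": "http", "REMOTE_ADDR": "203.0.113.9",
              "HTTP_HOST": "evil.example", "PATH_INFO": "/admin/login",
              "QUERY_STRING": "next=%2Fdashboard"}
DIRECT_HTTPS = {"wsgi.url_scheme": "https", "REMOTE_ADDR": "203.0.113.9",
                "PATH_INFO": "/"}
VIA_TRUSTED_PROXY = {"wsgi.url_scheme": "http", "REMOTE_ADDR": "10.0.0.5",
                     "HTTP_X_FORWARDED_PROTO": "https", "PATH_INFO": "/"}
SPOOFED_HEADER = {"wsgi.url_scheme": "http", "REMOTE_ADDR": "203.0.113.9",
                  "HTTP_X_FORWARDED_PROTO": "https", "PATH_INFO": "/"}

if __name__ == "__main__":
    for name, env in [("plain", PLAIN_HTTP), ("https", DIRECT_HTTPS),
                      ("proxied", VIA_TRUSTED_PROXY), ("spoofed", SPOOFED_HEADER)]:
        print(name, call(env)[:2])
```

The redirect deliberately ignores the incoming Host header: building the Location from it would let an attacker who controls that header bounce visitors to a look-alike domain. If your site sits behind a CDN or load balancer that terminates TLS, the proxy’s address must be in the trusted list or every request will be seen as plain HTTP and redirected in a loop.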

Back up your website and test recovery regularly

Take regular backups of your website files and its database, keep at least one copy somewhere other than the hosting platform itself, and test that you can actually restore from them. Develop a Business Continuity Plan to cover what to do if your website is corrupted or if you need to move to a new hosting provider.

Depending on the size of your business and your budget, consider engaging a website security expert to regularly assess and manage your website security risks.

When it comes to protecting your website, up to date knowledge is your armour. Stay informed about the latest cyber security threats.

Deadlock the doors to would-be online criminals.

Helpful resources

How we can help

If you’re a NAB customer and you believe your business or personal accounts have been impacted by fraud or a scam, we’re here to help. Explore the immediate steps you can take to protect yourself and discover when you should get in touch with us to make a report.

Learn what to do in the event of fraud or scams

Get updates on the latest fraud alerts

IDCARE

IDCARE is Australia and New Zealand's not-for-profit counselling and support service set up to assist Australians impacted by identity theft and cyber-related crimes.

IDCARE can assist NAB customers to navigate through the process when identity details or credentials have been compromised through fraud or scams. IDCARE is a free service for all Australians.

Learn more about IDCARE

Australian Government | Australian Cyber Security Centre (ACSC)

The Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together in a single location. It’s the hub for private and public sector collaboration and information sharing to combat cyber security threats. ACSC provides topical, relevant and timely information on how home internet users and small businesses can protect themselves from, and reduce the risk of, cyber security threats such as software vulnerabilities, online scams, malicious activities and risky online behaviours.

Learn more about the Australian Cyber Security Centre

Australian Government | ReportCyber

ReportCyber is a secure reporting and referral service for cybercrime and online incidents which may be in breach of Australian law. The ReportCyber website provides a cybercrime reporting mechanism as well as helpful information about cybercrime.

Learn more about ReportCyber

Australian Competition and Consumer Commission | Scamwatch

Scamwatch provides information to consumers and small businesses about how to recognise, avoid and report scams using publications, videos and other online resources.

Learn more about Scamwatch

Australian Government | Office of the eSafety Commissioner

The Office of the eSafety Commissioner provides online safety education for Australian children and young people, a complaints service for young Australians who experience serious cyberbullying, and a service for reporting illegal online content.

Learn more about the Office of the eSafety Commissioner

Australian Government | Attorney-General’s Department

The Attorney-General’s Department website provides helpful information and resources about your rights and protections in regard to identity security, freedom of information and cyber security. The Department has developed a range of resources to help people protect their identity and recover from the effects of identity crime.

Learn more about the Attorney-General’s Department
