Since the middle of 2015, cyber attacks on receivables management industry websites have been occurring more frequently. There has been a sharp spike in these types of attacks in Q4 2016 and Q1 2017 causing firms to better protect their public-facing websites. The attacks have taken various forms including everything from “brute force password” attacks that try to break in through your login page to “denial of service” (DDoS) attacks that are designed to make your website unavailable to visitors who are trying to access your website.
Understanding the Problem
Branding Arc, a company specializing in web development for the receivables management industry, has logged more than 500 minor attacks (no countermeasures required) and another 50+ major attacks (requiring countermeasures to be deployed to protect the attacked site) in the past 6 months. The minor attacks originate from various countries and IP addresses which gives the impression that they are unrelated attacks and the sites are most likely being chosen at random. Some of the more major attacks appear to be determined hackers that are intent on attacking the site of a particular collection agency or debt buyer. In one instance, they claimed the agency had called their cell phone to collect a debt and they “did not like it.”
With these attacks on the rise, it is easy to fall into a reactive role: running from incident to incident, restoring backups, and responding to the attacks. However, it can also be viewed as an opportunity to better prepare your business and your technology to defend against these cyber attacks.
Consequences of an Attack
The effects of a cyber attack depend on the type and success of each attack. Attacks may be intended to do something simple like in the case of DDoS attacks, make your website inaccessible for a period of time. But when the attack ends, the site comes back online. Other types of attacks may be intended to create SPAM pages on your site or infect visitors with malware when they visit your site or click one of the links. These types of attacks can be far more complicated to manage and generally require the website to be restored to a previous version.
Preparing Your Website
There are many different types of websites. Websites can be coded as straight HTML code or use a Content Management System (CMS) like WordPress or Dupral. For the purposes of this article, we will concentrate on the WordPress platform as the most popular web development platform. WordPress is the most popular website backbone, being used to on more than 25% of US business websites.
Preparing your website for cyber attacks requires a multi-faceted approach. Since not all attacks are of the same type, you should review various aspects of your site to provide complete site protection.
Regular Site Backups
The best defense for your online technology is frequent backups that are stored in a different place than your website server. Having frequent copies of your website gives you options when responding to an attack. For example, during a DDoS attack, a copy of your site could be deployed to another server (with additional countermeasures) with your domain redirected to the new server. Without site backups, or if your backups are stored on the same server, you would have to sit and wait for the attack to end before assessing damage or restoring backups.
Defense Plugins (WordFence)
WordPress is an open source web development platform. As an open source platform, the foundational code for the platform is made available to everyone. This gives hackers an opportunity to find and exploit system bugs. To help defend the WordPress platform, there are 3rd party plugins and tools available to defend your site against known types of attacks. These tools come in various shapes, sizes, and costs, with WordFence being one of the most popular.
The WordFence tool protects your WordPress website by creating a firewall around your site files and monitoring the traffic coming into your site. It looks for patterns or activities that could indicate an attempted attack. For example, if a visitor tries to log into your site with the username “admin,” but that user does not exist, the site will automatically block the user’s IP address, stopping them from continuing to try passwords and crack your login credentials.
Those sites experiencing frequent attacks should consider the advanced paid version of WordFence which provides additional levels of security and malware scanning for your website.
Keep Sensitive Info Off the Website
A great defense for your website is simply not putting any data on your website that could pose a security risk! It sounds like a simple solution and it definitely is. Don’t process payments directly through WordPress, don’t store any sensitive data on your website, and don’t keep copies of any form submissions directly on the website. By not having this information stored on your site, you are removing a key motivator for hackers to attack your site in the first place.
To be clear, that does not mean that you should not take payments on your website. It just means that you should be using a third-party application or service to process the payments on a server other than the one where your website is hosted. The same thing is true for storing sensitive information. Simple solutions like ShareFile can be used to secure and protect your data. Services like ShareFile can be integrated directly into your website so it looks and feels like part of your site, but in reality, all the sensitive information is being hosted and stored on a separate computer with higher levels of security than your web server.
Using secure passwords may seem like another really simple solution to prevent cyber attacks, but most of the successful attacks we have seen over the past 6 months have been related to a weak password. If your password is “password,” then chances are you are going to get hacked. Be conscious of your password and make sure that you are using letters, numbers, and special characters to avoid password crackers from being able to easily break into your site. If you need help creating and remembering your important passwords, consider a password management tool like “1Password” that allows you to manage your passwords across different devices. Tools like 1Password enable you to use unique passwords for each of your logins, keeping all your passwords in an encrypted file that you can access with your 1Password master password.
Helping your website avoid a cyber attack begins with simple steps such as these, but it is important to keep in mind that no defense strategy you deploy is too small. Something as simple as a strong password or fundamental as a defense plugin can make a significant impact when a cyber attack occurs.