For today’s ‘Monday must’, we’re venturing into the world of cybersecurity – well, demystifying cybersecurity to be precise. Don’t run for the hills – you need to read this!
The very term cybersecurity sends a shiver down my spine. I hear it and feel a mixture of inadequate, stupid and a tiny bit terrified… do you? But don’t worry – this blog won’t make you feel like this…
I was chatting to a friend of mine about cybersecurity a while ago (it’s not completely random, the friend is Ruth Chappell from Dressage Anywhere who is married to Brian who wrote this blog!) and this is what came out of it. Well, Brian very kindly agreed to write this for me. I found it really interesting. I hope you do too. Now over to Brian Chappell…
Demystifying Cybersecurity – Part 1: Websites
So, you have a website. The first question you need to ask yourself is, “Is it secure?”, rather than “Does it reflect my brand and message?” It’s a hard question to answer. It’s particularly hard to know what’s important, what’s not so important and what to look for when trying to ensure your or your customers’ data is safe.
We hear about websites being hacked all the time, but are you likely to be a target? The sad fact is that the answer is yes. It doesn’t matter if you are a one-person company with a Wix or WordPress website or the largest multi-national, the rather dramatic statement seen at every Cybersecurity event is true: “It’s not if, it’s when.”
What’s a drive-by?
The vast majority of attacks on systems are the result of a drive-by. What do we mean by that? The drive-by is an opportunist attack, the result of a hacker stumbling upon a fault (commonly referred to as a vulnerability) that exists in your website that they already know how to use to break in (commonly referred to as an exploit). To understand this further, we need to step back and look at how we can identify those vulnerabilities before the hackers do.
There are many tools out there, ranging from free to eye-wateringly expensive (for a small business at least), that can scan your website and look for vulnerabilities. You can find many free tools such as OWASP ZAP (Zed Attack Proxy – this sounds more dangerous than it is), but be prepared to do some research, as these are designed for people who have some understanding of vulnerabilities. That said, they aren’t incomprehensible; just remember, it’s not scary and it’s not rocket science. It’s worth taking a look at some of these tools, even if it’s just to get a feel for what hackers are using. Rest assured, they are using the very same tools, looking for the very same vulnerabilities you’ll find. What’s particularly interesting is the tools that hackers can use from the Dark Web, which include fully featured services where, with a credit card and a few minutes, you can set up and launch an attack across the internet. These services have progress tracking with beautiful graphs and customer service that puts many regular companies to shame. But at their hearts, most of these tools are using the same scanning technology that you will use.
Can hacking attacks be prevented?
There is a shocking statistic that I speak about at many conferences. It was produced by some seriously clever people and it’s this: Between 2011 and 2016, ‘around 95% of successful hacking attacks were the result of well-known and entirely preventable vulnerabilities’. This figure includes all kinds of attacks, not just websites (and we’ll talk about the others in future articles), but it’s a concern nevertheless. Rest assured, it didn’t change much over that period and it hasn’t been changing quickly since.
Unfortunately, all the website-based vulnerabilities tend to be well-known and are attacked regularly. It’s important to simply start at the top of the list, with the high severity vulnerabilities, and work your way down (or ask your service provider or web developer to work their way down), fixing each in turn. Many of the discovered vulnerabilities will look complex, but often it’s just changing a setting to resolve the issue. I’ll reiterate, there really is no rocket science here; it’s just about knowing where to look, or knowing where to find where to look. The user guide is often your best friend.
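To show what “start at the top of the list and work your way down” looks like in practice, here is an added example (not code from the article or from OWASP ZAP) that turns a scanner report into a prioritised to-do list. The field names (`site`, `alerts`, `riskcode`, `confidence`, `instances`, `solution`) follow what I assume to be the shape of a ZAP JSON report, and the report itself is a constructed sample, so the script runs offline.

```python
import json

# Constructed sample report, laid out the way a ZAP-style JSON report is assumed
# to look. These findings and URLs are made up for the example.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "https://example.com",
        "alerts": [
            {"name": "Cookie Without Secure Flag", "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://example.com/login"}],
             "solution": "Set the Secure attribute on cookies."},
            {"name": "Vulnerable JS Library", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://example.com/"},
                           {"uri": "https://example.com/about"}],
             "solution": "Upgrade the library to a supported version."},
            {"name": "Missing Anti-clickjacking Header", "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://example.com/"}],
             "solution": "Send X-Frame-Options or a CSP frame-ancestors directive."},
        ]
    }]
})

# Assumed ZAP risk codes: 3 = High, 2 = Medium, 1 = Low, 0 = Informational.
RISK_LABELS = {"3": "High", "2": "Medium", "1": "Low", "0": "Informational"}


def prioritised_worklist(report_json):
    """Flatten a ZAP-style report into a worklist, highest risk first.
    Ties are broken by confidence, then by how many URLs are affected."""
    report = json.loads(report_json)
    items = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            items.append({
                "site": site.get("@name", ""),
                "name": alert["name"],
                "risk": RISK_LABELS.get(str(alert.get("riskcode", "0")), "Unknown"),
                "riskcode": int(alert.get("riskcode", 0)),
                "confidence": int(alert.get("confidence", 0)),
                "urls": len(alert.get("instances", [])),
                "solution": alert.get("solution", ""),
            })
    # Highest risk code first; most confident and most widespread findings next.
    items.sort(key=lambda i: (i["riskcode"], i["confidence"], i["urls"]), reverse=True)
    return items


if __name__ == "__main__":
    for n, item in enumerate(prioritised_worklist(SAMPLE_REPORT), 1):
        print(f"{n}. [{item['risk']}] {item['name']} ({item['urls']} URL(s)) -> {item['solution']}")
```

The printed list is the order to hand to your developer or provider: the High item first, then Medium, then Low, each with the scanner’s suggested fix alongside it.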
It’s important to let your service provider, hosting company, or WordPress provider know that you are going to scan your site and how frequently you are going to do it. It’s not a one-time activity; it should be regular, i.e. weekly or monthly. They should have monitoring systems that will be triggered by a scan, so warning them allows them to eliminate your activity from the alerts they get.
If your provider doesn’t support scanning, they should be doing it themselves, so ask for a copy of the results or notification of any issues that may affect your site, along with confirmation when those issues are dealt with. If you are using WordPress or similar, I’d recommend talking to your provider about how frequently they apply updates and how you can be notified. I’ve heard of some providers expecting the customer to pay for updates; I’d push back hard on that. You didn’t subscribe to WordPress v4.9.6 (or whatever make/version your platform operates on), you subscribed to a WordPress service. If they won’t budge, move providers. It may be a little more expensive monthly, but the peace of mind will be worth it.
Don’t be scared about cybersecurity
A few pieces of advice that I’m going to parrot in every article: don’t be scared about Cybersecurity/Website security. There is no rocket science here and no-one is going to expect you to be an expert. Similarly, no-one is going to think less of you for asking what you may feel are stupid questions. There are no stupid questions. Don’t be afraid to look at getting a professional Cybersecurity specialist to help you get started, or even provide you with a regular service. Shop around, but I wouldn’t necessarily recommend taking the cheapest. Like all suppliers, find someone you think you can work with and trust.
A bit about Brian Chappell
Brian has more than 30 years of experience in senior IT roles across a broad spectrum of organisations including Amstrad plc, BBC Television and GlaxoSmithKline plc. Brian has held senior roles in most IT disciplines across the entire IT delivery chain.
More recently, Brian has spent the past 6.5 years working for a leading cybersecurity software vendor, BeyondTrust, as the technical lead across EMEA and APAC. In this role he has delivered world-class solutions for both vulnerability and privilege management within financial, manufacturing, healthcare, retail and government markets. He’s now a product manager for one of the leading cyber security platforms in the world. Brian is a regular contributor to the press as well as a speaker at industry conferences and events.
A HUGE thank you to Brian for his blog on demystifying cybersecurity… now, I’m off to find out more about all of the above!