We’re now closing in on nearly one billion websites worldwide, with another 6 million new domains being registered daily. Yet it’s estimated that less than 3% of those websites are secure. And guess who’s really taking notice of this glaring absence of website security?
It’s nothing new that hackers are constantly changing their tactics. What’s troubling is how quickly they adapt and adjust to whatever security countermeasures they encounter, and how creative and sophisticated their workarounds have become. That’s what happens when a crime becomes a lucrative industry, and when something like website security gets overlooked, hackers won’t waste a moment exploiting it.
Why are hackers switching to websites in droves? There are lots of reasons for the switch in tactics. It’s much harder to deliver mass-infection malware by email, traditionally the most popular attack vector. Scanning systems are getting much better at detecting and blocking malware-laden emails, and users are getting smarter at recognizing and avoiding them.
So hackers had to find new ways to keep their industry booming. And they found their savior in the millions of unprotected websites that make a cheap and easy way to spread malware and infect users.
What’s even more dangerous about this switch of focus is the amount of damage that can be done. Users, and especially customers, can be infected. Unprotected websites will help continue the spread of malware and the worrying uptick in DDoS attacks. Malware will be used to target corporate and customer data and thus result in costly data breaches. And all combined will continue to erode consumer trust in surfing and shopping.
And even your best efforts to protect your website are no guarantee that you’ll avoid malware. Malware was recently discovered on ad networks that serve thousands of websites including Yahoo! The malware was hiding in Flash banner ads and simply required a user to visit the infected page – not actually click on anything – in order to be infected.
Only a couple of weeks ago Drupal, one of the most popular content management systems (CMS) on the planet, announced the discovery of a vulnerability that put more than 12 million websites at risk.
But with no legal or regulatory imperative to take action and lock down their websites, most website owners will continue to ignore the risk. Hackers know this too, which is why they’re escalating their exploitation of websites. And with little sign that business owners are going to change their habits any time soon, it might be time to discuss the idea of mandated website security. That’s right, I’m suggesting a PCI for websites.
If business owners won’t voluntarily make the decision to spend a few dollars a month to stem this critical threat, maybe the choice should be removed. Because if business owners are allowed to continue to enable the spread of malware, the launch of DDoS attacks, and the infection of millions of innocent consumers and customers, we may soon reach a point of no return.
SiteLock is discovering thousands of websites every single day that either have major vulnerabilities to malware infection or are already infected. And yet there is still no simple way to warn the owners of these websites or require them to take action. That means the total will continue to grow and website security, or lack of it, will continue to be a hacker’s best friend.
Website security is good for everyone and not just the owners of the website. If business owners refuse to take that critical step towards better website security, perhaps a little nudge would help.