“Websites are the one IT asset you want to be publicly available. You want the customer to engage and interact. But you still need it to be safe.” – Neill Feather, President at SiteLock
October is National Cybersecurity Awareness Month (NCSAM), a month dedicated to raising awareness around the importance of cybersecurity. At SiteLock, we strive to make the Internet a safer place by protecting websites and educating users about cybersecurity risks and solutions.
As part of our commitment to cybersecurity, SiteLock has developed a report in conjunction with Crowd Favorite to distinguish key website features that increase the likelihood of a website compromise. The report also includes five basic security steps all organizations should take to protect themselves from exposure and mitigate cyber risks. You can read a brief summary of the report below.
Cyber Risks Today
According to the March 2016 Beazley Breach Insights Report, the Beazley Breach Response Services unit responded to 60 percent more data breaches in 2015 than in 2014. With the rise in data breach incidents comes a rise in costs. A 2015 Ponemon study found that the mean annualized cost of cyber crimes ranges from $310,000 to $65 million per year. The U.S. military alone spends more than $14 billion on cyberwarfare each year.
Many enterprises try to combat cyber threats by monitoring their web vendors with application inventories and vendor risk assessments. However, plugins are often left unmonitored and unprotected.
WordPress and Open-Source Programs
Open-source programs, such as WordPress, are widely popular among enterprises. In fact, more than 75 million websites are powered by WordPress. The platform is relatively easy to manage, and more importantly, it’s safe. But even with a safe open-source platform, enterprises are still at risk of cyber threats because many platform add-ons and plugins are vulnerable.
Plugins and Vulnerabilities
By using plugins, enterprises are able to extend and expand the functionality of their websites. They help to capture and track valuable data and allow for personalization, among other things. There are more than 29,000 WordPress plugins, which have been downloaded a total of approximately 290 million times. Despite their popularity, many plugins are never updated, which exposes the end-user to risks.
Failing to update plugins is not the only thing that makes a website vulnerable. The more plugins a website has, the more vulnerable the website will be. Research conducted by SiteLock, in partnership with faculty from the University of Pennsylvania’s Wharton School of Business, found that the key feature of a website that predicted its likelihood of compromise was its overall complexity. Websites with the highest complexity were more than 12 times more likely to be compromised than websites with the lowest complexity.
Five Basic Security Steps for All Organizations
Follow these five basic – yet essential – steps to help avoid risk and website compromise.
1. Audit your Site
Conduct a detailed code audit to understand which plugins are putting your site at risk. SiteLock TrueCode static application security testing can review an enterprise’s code and point out the places where a cybercriminal could get in.
2. Patch Software Vulnerabilities
Be sure to virtually patch identified vulnerabilities in software or plugins. Virtual patches are applied through web application firewall (WAF) rules rather than by changing the code itself. The SiteLock TrueShield web application firewall automatically deploys these rules for newly identified vulnerabilities.
3. Prevent Brute Force Attacks
Enterprises need to protect against brute force attacks, especially on admin login pages. SiteLock TrueShield allows two-factor authentication to be enabled on any page that allows privileged access to your web applications with just one click.
4. Monitor Server Uptime and Performance
It is crucial that enterprises monitor their site speed and performance. This can be done through the use of a content delivery network. A CDN can quickly deliver content to an end-user, regardless of their location. The SiteLock TrueSpeed content delivery network ensures minimum latency to reduce server load time.
5. Develop an Incident Response Plan
It’s necessary that enterprises plan for data breaches in advance by developing a comprehensive incident response plan. A well-composed response plan will walk through the lifecycle of an attack or breach. It’s important to note that over-reacting to a breach can be as damaging as under-reacting.
Following these basic steps helps spare your enterprise both reputational damage and financial loss. According to Ponemon, companies that invested in website security saved an average of $1.9 million compared to companies that did not.
Check out our popularity infographic to learn more about a website’s complexity and your website’s likelihood of compromise.