I’ve been going over a couple of websites recently checking there security settings and conducting some penetration attempts to find potential vulnerabilities.
Why is it worthwhile?
You may be thinking that your not a bank so what does it matter if someone hacks your website. There is no customer data or money to be stolen. Your not a big site why would anyone bother?
If you stop and think a bit there are several issues you want to avoid.
Reputational Risk
You don’t want someone adding content to your website because it makes you look bad, if there are suddenly links to inappropriate content.
It makes you look unprofessional you don’t want to lose a customer because your website isn’t under control. At the least it makes you look dopey because you have not noticed.
Loss of traffic
If your website hosts in appropriate content your visitors may not reach you, either because your site drops down in search engine results or perhaps visitors to your site will be redirected to someplace else.
I’ve seen this happen only to visitors who followed a link from a google search page so the owner of the website was completely unaware. You don’t tend to search google for your own domain name.
On the internet your competitors are just a click away, the customer doesn’t have to walk down the road to the next store so its very easy to lose customers.
Loss of service
If your website breaks down customers may not be able to access simple things like your telephone number.
Its a waste of your time sorting out the mess.
Your probably quite busy running your business, you don’t want to be tidying up after a break in. It never happens at a convienient time and it takes a while to sort out. Once its happened you can’t really trust the code and stored information on the website how do you know if whats been tainted and what hasn’t.
Do you have a clean copy of the code thats up to date or a recent copy of the database. You will probably end up paying someone to sort it out for you, which may be costly and perhaps not swift.
Your customers may expect it of you.
Several of my customers have been required to conduct security reviews/penetration tests as part of their own customers tick box supplier assessments.
Hackers often aren’t very targeted or concerted, its more a matter of ne’er-do-well consistently wandering around the neighbourhoods trying doors and windows to see if anyone has left theres unlocked.
Mostly automated attempts from bots and automated scripts. Often they are just looking for some place to host there code or expand there network. It doesn’t matter to them much how big or important your site is and the cost to them is so low its worthwhile probing loads of quite minor sites.
Its easy to forget about a site especially if you don’t use it often but worthwhile servicing it occasionally.