If your company has some sort of online presence, then yes, you are at risk of getting hacked. No one is immune to the threat of hacking. Hackers don’t care if your site is big or small, has lots of traffic or none. They don’t care if you have an online store or your site is just an online brochure.
Any web space where hackers can dump scripts, malware or their own code is a target for them. That could mean a website hosted at GoDaddy, a business account at Google or a cloud account at Amazon (AWS). They are all targets, and the easier they are to hack into, the better for attackers. So smaller, unprotected or outdated web applications are a primary target.
Myth: I’m not a target because I don’t have an online store
Most people think the goal of hacking is to capture customer financial data. And while that is something that hackers attempt to steal, they are also after non-financial data and control over the web site or server. So most of the people we speak with think they are not a target for hacking because they don’t sell anything online or their site doesn’t collect credit card numbers, when actually they are. The hackers are looking for soft targets from which to collect enough non-financial information to steal a person’s identity.
This has taken hacking to a new level, since most web sites collect some customer data with a ‘contact us’ form or a ‘sign up for our newsletter’ form. All that form data is stored in the same database that holds your website pages and posts. Although not as good as financial data, it’s still worth a lot to hackers, especially ones that share data and can cross-reference it with other breached information.
Myth: If I get hacked, it’s no big deal; I’m not liable for damages
If a web site intrusion occurs and customer data is stolen, it is the responsibility of the web site owner to report it. For example, in the state of Pennsylvania, the owner might be liable for up to $200 per customer to provide ongoing identity protection.
From Pennsylvania’s Breach of Personal Information Act – The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth. Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure.
So the form on the web site that has collected 400 names and email addresses for your newsletter might cost $80,000 in identity protection costs if stolen. Most companies carry around $5,000 in a cyber clause in their business insurance, which leaves a $75,000 liability for the web site owner. Ouch. And that doesn’t include the cost of tracking down and informing the customers, fixing the web site and paying to train the staff on how to handle this problem if it happens again. A typical web site hack might cost a company upwards of $200,000.
Myth: All I have is a small WordPress site, there is nothing in there to hack
There is a lot a hacker can do if they get access to your website, especially if it’s a Content Management System (CMS) like WordPress. The WordPress CMS is a perfect storm for hacking. These sites are typically set up by amateurs or junior programmers with little or no security knowledge, using themes and plugins that they didn’t develop, bought from overseas programmers through the internet. Most sites are put on low-cost hosting plans that provide no security safeguards and have little or no oversight.
And since there are over 75 million WordPress sites, hackers scan the internet specifically for soft targets and attack them with bots and scripts. All sites, big and small, are under constant assault from these kinds of probing attacks. Even small companies we work with, such as home inspectors, pizza shops and healthcare consultants, see attempts from places like Russia, China and Brazil. Not to mention our larger partners that see thousands of attacks a day.