In recent weeks we’ve reported on the largely unnoticed cyber warfare being fought across the Internet of Things (IoT) – “unnoticed” primarily because the IoT consists of devices that are meant to be left unattended, and as such are often compromised for long periods of time before someone realizes something is wrong. Another quiet war is being fought on another technology front that many, many organizations also leave to run on “auto-pilot”: websites. I use the term “fought” loosely, as the hackers aren’t really encountering much resistance from website owners. With a handful of exceptions, the majority of our clientele don’t rely on their websites for core operational or revenue-generating processes, so the sites languish in various states of disuse, as if they had gathered a thick layer of dust. As with any complex piece of equipment not maintained on a regular basis, this can result in malfunctions ranging from inconvenient to downright dangerous.
What this means for you
In the most benign instance of a website being hacked, visitors may be presented with broken or malformed pages, or even a “not found” error. From there it only gets worse. Lately the variants have been either politically driven defacement, where legitimate content is replaced with radical ideology messages, or malicious hidden scripts that redirect visitors to spam sites that will attempt to further hijack their computers with malware and fake virus alerts. None of these situations bodes well for clients or prospects, and even if visiting your compromised website doesn’t result in any harm to the visitor, it still damages your organization’s reputation.
Many organizations have built their web presence on one of a small handful of content management engines like WordPress or Magento, which, while powerful and flexible, are very complex and require frequent updates to patch security vulnerabilities. On top of this, the underlying technologies on which the engine relies also need to be maintained on a regular basis. Any lapse in the cadence of updates and monitoring can result in an opening that can (and will) be exploited, resulting in a hacked website. Recovering from this type of compromise isn’t trivial. Search engines like Google and Bing are now keeping track of sites that are hacked and showing them as such in their search results, or even de-listing sites if enough people complain about getting infected from a compromised URL. Getting yourself off the blacklist is an exercise in patience, and missing even one bit of malicious code can result in lengthy delays in getting an “all clear” from Google.
The takeaway: don’t forget about that website, even if it isn’t a key revenue generator. Just like any other piece of equipment used to power your company, neglect could result in failure and even damage to the company itself. If you don’t want to budget for upkeep or bring a site up to current security standards, it’s often better to decommission an old site to prevent it from being a future problem for your company.