Your brand reputation could be on the line if your site is hacked
With the rise in online marketing in recent years, websites have become shop windows for organisations of every description, whether or not the sites are used for e-commerce. It is the first place most of us go for information when looking for a service provider or researching a major purchase, even if we intend to make that purchase in a live environment (in other words, a store). Since the arrival of COVID-19 and lockdown restrictions, we’ve all been making many more purchases online, and thus websites have become even more important brand ambassadors.
Your website is a big part of your corporate identity. It is not the only representation of your brand, but increasingly it is the most visible, as conventional media and advertising lose share to the internet and social media.
What happens to your reputation when your website is hacked? You may be aware of the hard costs of a cyberattack, but how do you quantify the soft and hidden costs? How does a hacked website affect your business? We look at some of the common types of attack, and the impact hacking can have on your organisation. We’ll explore some preventive tactics you can use. In the next article, we’ll discuss the importance of penetration testing, and we’ll tell you how NEWORDER’s PEN-test can keep your company’s infrastructure secure.
Who is vulnerable?
You may think that because you run a small business, or operate in an obscure market niche, no one will find you unless they are really looking, or that you are not big enough or important enough to attract a hacker’s attention. We hate to break it to you, but you’re wrong. Most attacks on websites are automated and indiscriminate: scripts scan the whole internet for any site running a vulnerable version of a CMS, theme or plugin, and they do not care whose brand is on the page. Small businesses are actually more exposed, partly because there are so many of them, and partly because they tend to have weaker defences. Large multinational corporations can afford entire teams dedicated to cybersecurity. In a small, entrepreneurial company, the webmaster, head of IT, head of marketing, head of finance and business owner are often all the same person. Looking after the website may be something this jack of all trades does after business hours. And where budgets are tight (a particular feature of small businesses), corners may be cut on web security.
How does it happen?
We wrote recently about the most common cyber threats. Many of these use malware to access your organisation’s network via your website. There are other ways your site can be hacked. WordPress is currently the world’s most popular platform for websites. Current statistics put WordPress at roughly 32% of the entire web and 59% of websites built on a content management system (CMS). As a result, sites built on WordPress are also the most commonly hacked; but that is a function of scale, not an inherent weakness in WordPress.
Because of that scale, there is more data available on compromises of WordPress websites than of any other platform. The most common points of entry are:
- 41% through vulnerabilities in the hosting platform
- 29% through an insecure theme
- 22% via a vulnerable plugin
- 8% due to weak passwords
In addition to DDoS and malware, there are three common techniques cybercriminals use to penetrate WordPress sites:
Brute force attack
This is not dissimilar to the “infinite monkey theorem”: the notion that “a monkey hitting keys at random on a typewriter keyboard for an infinite amount of time will almost surely type any given text, such as the complete works of William Shakespeare”. In a brute force attack, the hacker submits passwords repeatedly until one of them is yours. This is not a manual process, and the guesses are not random: scripts work through lists of common passwords and previously leaked credentials, hitting the login page (and, on WordPress, the XML-RPC endpoint, which also accepts credentials) of thousands of sites concurrently. A site that allows unlimited login attempts, or that still has an account called “admin” with a weak password, is exactly what these scripts are looking for.
SQL injection hacks
In an SQL injection, a hacker supplies crafted input (quote characters, SQL keywords, comment markers) to a form field or URL parameter that the application pastes directly into a database query. The database then executes the attacker’s text as part of the query. Depending on what the vulnerable query does, the injection might collect usernames and password hashes, retrieve credit card details, bypass a login check, or alter or delete data. The defence is not to filter “bad words” but to keep user input out of the query text altogether, using parameterised (prepared) queries.
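The following is an added example, not code from the original article or from WordPress: a login query written the vulnerable way beside the parameterised version, run against a constructed in-memory SQLite table. The usernames, passwords and the tautology payload are all made up for the demonstration, and passwords are stored in clear text only to keep the example short (a real application stores salted hashes).

```python
import sqlite3

# Constructed sample data for this example; not from the original article.
# Clear-text passwords are used only to keep the injection demonstration short.
USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]


def make_db():
    """Create an in-memory database holding a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is concatenated into the SQL text,
    so quote characters in the input change the structure of the query.
    Returns the usernames the query matched (a real app would treat any
    returned row as a successful login)."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterised(conn, username, password):
    """Hardened: the query text is fixed and the values travel as bound
    parameters, so the database never interprets them as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Classic tautology payload: closes the password string literal and appends a
# condition that is always true, turning the WHERE clause into
#   username = 'alice' AND password = '' OR '1'='1'
# which matches every row because AND binds tighter than OR.
PAYLOAD = "' OR '1'='1"


def demo():
    """Run the payload through both versions and a legitimate login through the safe one."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, "alice", PAYLOAD),      # every user
        "parameterised": login_parameterised(conn, "alice", PAYLOAD),  # nobody
        "legit": login_parameterised(conn, "bob", "hunter2"),          # just bob
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the output is that the vulnerable version “logs in” without knowing any password at all, while the parameterised version returns nothing for the same input and still works for a genuine user. Any plugin or theme that builds queries by string concatenation is a candidate for exactly this.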
Cross-site scripting
Cross-site scripting, or XSS for short, is when a hacker gets a malicious script into pages that your site serves to its visitors. In the stored variety, the script is submitted through a form your site accepts input from (a comment box, a review, a profile field) and saved in your database; because the site then prints that input into its pages without encoding it, the script runs in the browser of every visitor who views those pages. A common payload simply redirects visitors, without your knowledge, to a site of the hacker’s choosing; others steal session cookies or inject spam links. There have been instances of site visitors being redirected to decidedly unwholesome sites, causing considerable embarrassment to the targeted business. The fix is to HTML-encode every piece of untrusted data at the point where it is written into a page.
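Below is an added example, written for this article rather than taken from it or from any CMS: a minimal comment store rendered two ways, once by pasting the comment text straight into the page (the stored XSS the paragraph describes) and once with HTML entity encoding at output time. The comment payloads, including the redirect one, are constructed for the demonstration; the in-memory list stands in for the CMS database table.

```python
import html

# Constructed attacker payloads for this example; not from the original article.
# The first is the redirect the article describes: it sends every visitor who
# loads the page to an attacker-chosen site. The second fires without a
# <script> tag at all, via an event handler attribute on a broken image.
PAYLOADS = [
    '<script>document.location="https://attacker.example/"</script>',
    '<img src=x onerror="alert(document.cookie)">',
]

COMMENTS = []  # stands in for the database table holding user-submitted comments


def submit_comment(author, body):
    """Store a comment exactly as submitted. Storage itself is not the bug;
    the bug is how the stored text is later written into the page."""
    COMMENTS.append((author, body))


def render_vulnerable():
    """Deliberately vulnerable: comment text is pasted into the HTML unchanged,
    so any markup in it becomes part of the page and runs in every visitor's browser."""
    rows = [f"<li><b>{author}</b>: {body}</li>" for author, body in COMMENTS]
    return "<ul>" + "".join(rows) + "</ul>"


def render_safe():
    """Hardened: every untrusted value is entity-encoded at the point of output,
    so '<', '>', '&' and quotes reach the browser as text, not as markup."""
    rows = [
        f"<li><b>{html.escape(author)}</b>: {html.escape(body, quote=True)}</li>"
        for author, body in COMMENTS
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def contains_injected_markup(page):
    """Crude check used only to show the difference between the two renderings:
    does the page still contain a raw <script> or <img> tag that the attacker supplied?
    (The template's own <ul>, <li> and <b> tags are not attacker-controlled.)"""
    lowered = page.lower()
    return "<script" in lowered or "<img" in lowered


def demo():
    """Seed the store with one honest comment and the two payloads, render both ways."""
    COMMENTS.clear()
    submit_comment("visitor", "Nice site!")
    for payload in PAYLOADS:
        submit_comment("attacker", payload)
    vulnerable_page = render_vulnerable()
    safe_page = render_safe()
    return {
        "vulnerable_executes": contains_injected_markup(vulnerable_page),  # True
        "safe_executes": contains_injected_markup(safe_page),              # False
        "safe_page": safe_page,
    }


if __name__ == "__main__":
    out = demo()
    print(out["vulnerable_executes"], out["safe_executes"])
    print(out["safe_page"])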
The business risk of a hack
If your website is penetrated, your business is impacted on multiple levels. The most obvious is the cost. In our last article, we covered some of the costs of recovering from a ransomware attack. But the direct financial costs are only part of the story. There are indirect costs, such as the opportunity cost of lost transactions while the site is down, and even more, intangible costs that are hard to quantify, such as damage to the value of your brand and lost customer confidence.
Let’s look at some of the most common consequences of a hacked website.
Lost search engine ranking
Google is smart (and to be fair, so are other search engines, but Google rankings are the most sought-after because Google is the most widely used search engine). Google’s crawlers and its Safe Browsing service detect hacked sites, and a site flagged that way is labelled in search results (“This site may be hacked” or “This site may harm your computer”), demoted or removed from results, and shown behind a full-page browser warning until the problem is resolved and the site is reviewed. Unfortunately, there can be quite a delay between your remedial action and the restoration of your rightful place in the search engine.
Your marketing team has bent over backwards to conduct keyword research and optimise each page of your site. Overnight that effort is overridden, and your ranking takes a nosedive. Where you do still appear in a search, visitors are warned away. You may repair the breach the same day, but by then those users have moved on to the next search result and taken their enquiry and/or their business elsewhere.
Lost traffic
The consequence of losing your search engine ranking is obviously lost traffic. Prospective customers won’t find you or will be warned off. Arguably more damaging is the red flag a hacked website represents to existing customers. They may start to have doubts about your integrity, your ability to safeguard customer data and/or your own legitimacy as a business. They may start to look for alternative suppliers. This will, of course, depend on the nature of your product or service offering and the complexity of the engagement.
But even if you have high-value, high-trust customer relationships, some of that trust is likely to be destroyed. Winning it back will take time…time that might have been spent winning new business…and possibly money, in the form of incentives or discounts. Furthermore, in our connected world, the news gets out quickly. Existing and prospective customers may be deterred, and competitors may use it against you.
In a Wordfence survey, 45% of respondents said their search traffic dropped following a hack. A small but not insignificant percentage (9%) said traffic had dropped by more than 75%.
Lost public trust
In addition to their trust in you as a well-run organisation, customers will also be concerned about the security of their personal data, particularly if you hold their credit card or banking details. You must tread carefully. Customers deserve to know if there is any risk to them, but you want to avoid causing panic. Effective message management is critical. You need to be seen to be transparent, but if you are able to contain the attack quickly and secure your data, you don’t want to raise the alarm to a wide audience. Tell those who need to know as and when they need to know it, but equally don’t put up a smokescreen.
Opportunity cost
The indirect financial effect of lost traffic to the site will depend on how you use your website. If you are an online retailer, even a day’s trading losses could be considerable. If you sell a commodity, such as pet food or wine, and you have an established customer base loyal to your product, most of those customers will probably stand by you. But inevitably you may lose a proportion of them. How well you manage the attack, and the follow-up communication will determine how many. If you use your site to generate leads, the impact will be more subtle but could be more long-lasting. If traffic drops by 75% for more than a day, that’s a lot of lost prospects.
There is also the opportunity cost of the resource you devote to repairing the site that might otherwise have been spent on product development, site enhancements, etc.
Access to other systems
If you have integrated your website with your internal accounting, CRM or stock systems, a hacker who controls the web server also holds whatever credentials and API keys the site uses to talk to them, and can use that access against those systems too. This could lead to far more serious problems than a defaced home page.
Files and databases
Depending on the nature of the attack and the sophistication of the hacker, you could find that files and database entries are removed or encrypted. This could destroy your site, potentially permanently if you don’t have back-ups stored somewhere the attacker cannot reach and that you have actually tested restoring from.
Prevention is better than cure
While hackers are forever upping their game, there are steps you can take to protect your site.
- Quality hosting. Not all hosting providers are the same. Before signing on the dotted line, check whether yours creates daily back-ups of the site and keeps copies separate from the server, scans for unusual activity, isolates your site from other customers on shared servers, and (for managed hosting) keeps your CMS version up to date.
- Maintain themes and plugins. These should be updated promptly, not just regularly, because attackers scan for known-vulnerable versions within days of a fix being published. When adding new plugins, check they come from a trusted, actively maintained source, and remove any you no longer use. Unmaintained code could make you vulnerable to attack.
- Fortify your login. Don’t allow unlimited login attempts. Temporarily lock out a username and source address after a few failed attempts (three is a common choice), but make the lock time-limited rather than permanent, otherwise an attacker can lock your own administrators out by deliberately failing. Use two-factor authentication for all administrator accounts. You can also restrict the login page to an allow list of IP addresses so that only those addresses can reach it.
- Passwords. Ensure they are strong and, above all, unique to each site, i.e. long and not reused from anywhere else; a mix of upper and lower case letters, numbers and special characters helps, but length matters more. Change any password immediately if you suspect it has been exposed. Generate and store passwords with a reputable password manager rather than pasting them into a random web-based generator, which may log what it produces.
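To make the brute force attack described earlier and the “fortify your login” advice concrete, here is an added example that is not code from the original article or from WordPress: a small login guard that counts failures per (username, source IP) inside a sliding time window, applies a temporary lock rather than a permanent one, and optionally restricts logins to an allow list of addresses. The credential store, the wordlist, the IP addresses (from the documentation ranges) and the lockout settings are all constructed for the demonstration; a real deployment would check a salted password hash, not a clear-text string.

```python
from collections import defaultdict

MAX_FAILURES = 3       # failed attempts allowed inside the window (the article's "three")
WINDOW_SECONDS = 900   # 15-minute temporary lock: an attacker who deliberately fails
                       # cannot lock your own administrators out permanently
ALLOWED_ADMIN_IPS = {"203.0.113.10"}   # constructed allow list (RFC 5737 documentation range)

# Constructed credential store for this example; real systems store salted hashes.
USERS = {"admin": "8fK!qZ2#vLp0wE"}


class LoginGuard:
    """Per-(username, source IP) failure counter with a sliding time window.
    The current time is passed in explicitly so behaviour is deterministic."""

    def __init__(self, allow_list=None):
        self.failures = defaultdict(list)   # (username, ip) -> timestamps of recent failures
        self.allow_list = allow_list        # None means the login page is open to any address

    def _prune(self, key, now):
        """Forget failures older than the window, so the lock expires on its own."""
        cutoff = now - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]

    def attempt(self, username, password, source_ip, now):
        """Returns one of 'ok', 'denied', 'locked' or 'ip_not_allowed'."""
        if self.allow_list is not None and source_ip not in self.allow_list:
            return "ip_not_allowed"
        key = (username, source_ip)
        self._prune(key, now)
        if len(self.failures[key]) >= MAX_FAILURES:
            return "locked"          # refuse without even checking the password
        if USERS.get(username) == password:
            self.failures[key].clear()
            return "ok"
        self.failures[key].append(now)
        return "denied"


# A tiny constructed wordlist standing in for the millions of guesses a real script makes.
# The correct password is deliberately last: the guard should stop the script before it gets there.
WORDLIST = ["password", "123456", "admin", "letmein", "qwerty", "welcome1", "8fK!qZ2#vLp0wE"]


def brute_force(guard, username, source_ip, start=0.0):
    """Simulate an automated guessing script: one guess per second from one address."""
    outcomes = []
    for i, guess in enumerate(WORDLIST):
        outcomes.append(guard.attempt(username, guess, source_ip, now=start + i))
    return outcomes


if __name__ == "__main__":
    guard = LoginGuard()
    print(brute_force(guard, "admin", "198.51.100.7"))
    # after the window has passed, the legitimate admin can log in again
    print(guard.attempt("admin", "8fK!qZ2#vLp0wE", "198.51.100.7", now=WINDOW_SECONDS + 10))
    strict = LoginGuard(allow_list=ALLOWED_ADMIN_IPS)
    print(strict.attempt("admin", "8fK!qZ2#vLp0wE", "198.51.100.7", now=0))
```

Run as written, the script’s first three guesses are denied and every later one, including the correct password, is refused as locked; once the window has passed the genuine administrator logs in normally, and with the allow list in place an address outside it never reaches the password check at all. Keying on the source address alone is not enough against a script that rotates through many addresses, which is why production systems also count failures per username across all addresses and add two-factor authentication on top.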
A word about social media
Social media is an increasingly important component of a company’s marketing strategy. You probably use Facebook and Instagram to drive traffic to your website, and Twitter to communicate key messages in real time. Be aware that these accounts can be hijacked too. In July 2020 Twitter suffered a major security breach, with hackers assuming control of the accounts of major public figures and businesses, such as Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple. Although the hackers did not penetrate websites or capture personal data via Twitter, they used the hijacked accounts to post tweets promoting a bitcoin scam: followers were offered double their money back if they transferred cryptocurrency to a specific bitcoin wallet. High-profile figures like these have millions of followers. It would only take a tiny proportion to be taken in, trusting the source of the message, for the hackers to profit handsomely. Meanwhile, the reputations of these figures were compromised through no fault of their own.
Be as vigilant with the security of your social media accounts as you are with your website: use strong, unique passwords, turn on two-factor authentication wherever it is offered, and review which apps and people have been granted access to post on your behalf.