SME Web sites increasingly under attack

WordPress sites are two times more likely to be infected by malware than non-CMS sites.
WordPress sites are two times more likely to be infected by malware than non-CMS sites.

Small businesses are progressively becoming the favoured target of cyber criminals, and even more alarmingly, these small businesses don't know they are being targeted or compromised.

This is according Web site security solutions provider SiteLock's Web site Security Insider Q1 2018 research, which analysed over 10 million Web sites globally and surveyed 250 Web site owners to identify threats to small businesses.

Approximately 6% of Web sites, up to 113 million Web sites globally, have a security vulnerability, says the study. Web site attacks increased 14% in Q1 2018 compared to Q4 2017, as cyber criminals set their sights on independent Web sites and small businesses, it adds.

Content management systems (CMS), commonly used to run small business Web sites, are

being left unpatched, opening them to cyber attacks, notes the report.

Over 29 million Web sites worldwide use one of the three biggest CMS platforms: WordPress, Joomla and Drupal, it adds.

Although these platforms make building a small business Web site more accessible, open source applications and self-built Web sites require periodic core, theme, and plugin updates, says SiteLock.

However, not all Web site owners are aware that their CMS-run site requires regular updates to remain secure, it explains.

Word Press sites were two times more likely to be infected than non-content management system sites, says SiteLock. Only 68% of WordPress sites were running the latest core version updates, meaning nearly one third, or up to 6.3 million WordPress sites globally, were potentially vulnerable to attack, says the research.

The vast majority of WordPress installations have been seen as low-hanging fruit for cyber criminals for several years, says Sucuri. Virtually every WordPress installation today has some third-party plugins, custom code or missing security patches, it notes.

WordPress has recently been under the security spotlight. In February, over 2 000 WordPress sites were infected with a malicious script that contained a keylogger designed to steal users login credentials, and mined the Monero crypto-currency.

Prior to that in December 2017, another threat infected 5 500 WordPress sites with malware dubbed cloudflare[.]solutions.

"Engaging with the open source community and following the developer's blog for your CMS is an easy way to stay ahead of potential security vulnerabilities and plan for patching," says Jessica Ortega, SiteLock cyber security expert.

Small business owners surveyed (59%) reported they were responsible for the upkeep of their Web site, but only 42% updated their applications monthly or more frequently, says the study.

An alarming 9% of respondents admitted they were unsure how to update these applications, it adds.

The average Web site today is attacked 50 times per day, with the vast majority of attacks coming through automated means, says SiteLock. By casting a very wide and automated net, attackers stand to compromise a huge volume of sites, it adds.

About 1% of sampled sites studied by analysts are infected with malware, notes the report. This means at any given moment, 18.7 million sites around the world are infected by some form of malware, it adds.

Despite the rising vulnerability to cyber security breaches, a lack of awareness and high investment costs remain the two immense challenges faced by small and medium enterprises, says Cisco. A 2018 report by American company Verizon found that 61% of data breach victims were small businesses.

About 58% of malware attack victims are categorised as small businesses, says the Verizon report.

Meanwhile, in 2017 a single cyber security incident cost large businesses around $861 000 on average, while small and medium businesses ended up paying an average of $86 500 per incident, says Kaspersky.

This indicates a clear need for stronger Web site security and easily accessible information about the risks to businesses owners, says Ortega.

"As cyber attacks become more sophisticated, small businesses will need to keep up by taking a proactive, holistic approach to Web site security.

"Unfortunately there's no such thing as a no-risk Web site: it's inherently risky. But with the right precautions in place, like implementing a Web application firewall to keep out malicious traffic and creating a response plan, it is easy to protect your Web site from cyber criminals. Being aware of the risks and potential for attacks is just the beginning."

Have your say
Facebook icon
Youtube play icon