Dive Brief:
- While large businesses get the most publicity as victims of cyberattacks, smaller businesses are also receiving the same attention from bad actors. On average, organizations of all sizes face about 50 cyberattacks on websites a day, an increase of 14% from Q4 2017, according to a SiteLock report of 10 million websites and 250 website owners from Q1 2018. But unlike their larger counterparts, 59% of small business owners handle their sites and only 42% update applications monthly.
- There are 113 million websites around the world that have a security flaw and only 17% of infected websites were blacklisted by search engines. Popular content management systems required numerous security patches, including WordPress (29), Joomla! (77) and Drupal (637).
- About 88% of bots used to maliciously scrape websites for vulnerabilities were tracked and blocked by firewalls. Website owners can adjust their web application firewall to blacklist any country, including ones where cyberattacks originate, but nearly 4% of the mitigated traffic came from countries already blacklisted.
Dive Insight:
Websites can be a gateway for malware, and because so many websites are managed in-house, protecting a company from a cyberattack is more burdensome. Malware attacks were the cause of 60% of website incidents in the last year, according to the report. Businesses are strapped for resources and therefore leave websites vulnerable.
Businesses are unintentionally "making their websites the low hanging fruit," Jessica Ortega, web security analyst at SiteLock, told CIO Dive in an interview. And website security, when not properly maintained, offers bad actors sizeable profit with little effort.
For example, 44% of websites infected by malware contained a backdoor, according to Ortega. In the past, hackers left a type of notice of infection, or website defacement. Additionally, because there are no outwardly facing changes to a website, organizations need to be aware that visitors to a website would be "passively attack[ed]."
Cybercrimes cost the U.S. more than $19 billion last year and bad habits, including ignoring updates, contribute to the rising costs. Even website developers cannot be solely responsible for maintaining a website's security, said Ortega. Attacks, like cryptojacking, are taking place on undetectable levels and "a lot can get missed by the naked eye." Millions of malware variants are created daily and expecting a developer to keep pace with them is unrealistic.
Using firewalls, updating plugins for CMS platforms and using two-factor authentication are simply the "cost of doing business on the internet," said Ortega. Because attacks are getting sneakier and quieter, according to Ortega, organizations need to address the fact that "their website could potentially be a liability."