September 13, 2023
Have you had an internet outage recently? It can really be an eye-opening experience for businesses to see all the things that are now difficult — or downright impossible — without access to the web.
While internet outages can be scary and frustrating for companies, there are even bigger threats lurking around in the background. With modern businesses being more dependent on web services than ever, it is important that we are aware of the real-world risks associated with using these web technologies. Let’s take a look at some of the most common security risks out there today.
Top Web Security Threats for Businesses
When web servers are vulnerable, so are the websites they host, the devices that connect to those sites, and the people who use them. Unfortunately, attackers will exploit whatever vulnerabilities they can find to gather sensitive data.
The top cybersecurity threats for small businesses include malware, ransomware, phishing, and — believe it or not — basic carelessness. According to a Google survey, almost a quarter of all Americans admitted to using common weak passwords, like abc123, Password, Admin, QWERTY, and the like. What’s worse, 27% of Americans admitted they’ve tried to guess someone else’s password, and 17% succeeded.
How Big of a Problem Is Cybersecurity in 2023?
It’s a big, big problem. Unfortunately, most small business owners underestimate their risk…right up until something bad happens. While most cybercriminals aren’t unstoppable geniuses, there are a lot of them, and they now have automated tools and better organization. One attacker can target thousands of companies, which means even small-to-medium-sized businesses are at risk.
And unless you follow basic cybersecurity hygiene, you are probably making it easy for them to attack you.
Web Security Threat Prevention 101
As corporate cybersecurity increases, attackers are looking for different ways in. Even with the best software developers in the world spending millions on cybersecurity features, they don’t do much when they aren’t enabled. And all the firewalls in the world can’t always prevent an employee from clicking on a malicious link and entering their login credentials.
Get Serious About Passwords, Accounts, and File Sharing
The top cybersecurity threats for small businesses include malware, ransomware, and phishing. But some of the simplest things can significantly increase risks for companies large and small:
- Weak Passwords — Passwords that are easy for people to remember are frequently easy to guess. Hackers have gotten better at using social engineering and online research to crack weak passwords.
- Default Credentials — Default passwords on wireless and networking hardware, internet-connected devices of all kinds, and even software and database admin accounts are often never changed after installation.
- Password Reuse — Employees are often found to be signing up for web services like fitness apps with their company-provided email. If this third party has a breach that exposes those passwords, and the employee has been reusing their company password for access to that app, your systems could be at risk.
- Onboarding / Offboarding Practices — When someone is brought on board as an employee or let go from the company, are there secure practices in place? Are HR and IT communicating to make sure that access is removed from all systems? How about access to those systems that HR and IT don’t manage?
- Insecure File Sharing — Are default file sharing settings configured to create links that anyone can access, even people who don’t work for your company? Are links for people outside your company set to expire? Review these common configurations to limit your risk. In addition, is your company using standard email to send confidential information? Without encryption, it is possible for attackers to intercept and steal sensitive information. Avoid sending social security numbers, scans of driver's licenses, or other such private documentation and information through insecure channels.
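A concrete way to act on the first two points above is to screen new passwords against a denylist of known-weak and vendor-default values before they are accepted, rather than relying on a character-class rule that a user can satisfy with `P@ssw0rd1!`. The following Python is an added example written for this article, not tooling from Marco or from any product; the denylist and default-credential pairs are small constructed samples (a real deployment would load a published breach-derived list), and the leetspeak table is an assumption about common substitutions.

```python
"""Screen a proposed password against weak and default values.

Added example for this article (not the author's or any vendor's code).
The lists below are constructed samples; a real deployment would load a
large denylist, one entry per line, from a file.
"""
import re

# Constructed sample of common weak passwords (the article's own examples plus
# a few others). Stored lowercase so comparisons are case-insensitive.
WEAK_PASSWORDS = {
    "abc123", "password", "admin", "qwerty",
    "123456", "letmein", "welcome",
}

# Constructed sample of (username, password) pairs shipped as device defaults.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"),
}

# Assumed leetspeak substitutions users apply to sneak a weak word past a
# naive filter. Reversing them before lookup catches "P@ssw0rd" as "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Trailing digits/punctuation are the usual way "password" becomes "Password123!".
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._-]+$")


def candidate_forms(password: str) -> set:
    """Return the normalised forms of a password that should all be checked."""
    base = password.lower()
    stripped = TRAILING_JUNK.sub("", base)
    return {
        base,
        stripped,
        base.translate(LEET_MAP),
        stripped.translate(LEET_MAP),
    }


def check_password(password: str, username: str = None, min_length: int = 12) -> list:
    """Return a list of problems found; an empty list means the password passed."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    hits = candidate_forms(password) & WEAK_PASSWORDS
    if hits:
        problems.append(f"matches common weak password {sorted(hits)[0]!r}")

    if username:
        user = username.lower()
        if (user, password.lower()) in DEFAULT_CREDENTIALS:
            problems.append("vendor default credential pair")
        if user in candidate_forms(password):
            problems.append("derived from the username")
    return problems


if __name__ == "__main__":
    # Constructed inputs to show the screen in action.
    for user, pw in [("admin", "admin"), (None, "P@ssw0rd"),
                     (None, "Welcome2023!"), (None, "correct horse battery staple")]:
        verdict = check_password(pw, username=user) or ["ok"]
        print(f"{pw!r:35} -> {'; '.join(verdict)}")
```

The check runs before the password is stored, so the plaintext is only ever seen at the moment the user types it; the same function can be called from an account-provisioning script to refuse default credentials on new devices before they reach the network.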
Make Time for Software Updates
For cybercriminals, past-due patches and updates are like an unlocked back door for them to access your data and take whatever they find. The longer that “door” stays open, the longer they have to find you and your data.
In 2023, 300,000 fresh malware instances are generated daily. 92% of them are distributed through email, where they typically remain for 49 days before being detected. Keeping your computers (and smartphones) updated with the latest bug fixes is a critical line of defense against these current web threats.
Yes, frequent updates can be annoying, but software developers are doing their best to be helpful. If you are allowing employees to use their own devices when connecting to company resources, this can open up a risk as well.
Treat Employee-Owned Devices With Caution
Evaluate the use of employee-owned devices and what they can access. If you aren’t able to move away from this at the moment, you may be able to add conditional access policies to ensure that these devices are at least updated to the newest version or have adequate anti-virus and anti-malware software installed.
Review Any Public-Facing Systems
Out-of-date public-facing systems are another common offender. When web servers are vulnerable, so are the websites they host, the devices that connect to those sites, and the people who use them. Unfortunately, attackers often exploit vulnerabilities related to popular web hosting solutions and web servers, such as WordPress plug-ins and out-of-date Apache servers. While reviewing your environment, be sure that your team reviews your SSL certificates to make sure they are renewed as well.
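The certificate review mentioned above is easy to automate so it happens every week instead of once, after the site has already gone dark. The script below is an added example written for this article, not Marco's tooling; it uses only the Python standard library, and the expiry-date arithmetic is kept in its own function so it can be exercised against a constructed sample date without any network access. The 30-day warning threshold is an assumption; pick whatever lead time your renewal process needs.

```python
"""Report how many days remain on the TLS certificate a public host serves.

Added example for this article (not the author's or any vendor's code).
SAMPLE_NOT_AFTER is a constructed value in the format ssl.getpeercert()
returns for the 'notAfter' field.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of a certificate's notAfter field, used for offline checks.
SAMPLE_NOT_AFTER = "Jun  1 12:00:00 2024 GMT"


def parse_not_after(not_after: str) -> datetime:
    """Convert a getpeercert() 'notAfter' string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_remaining(not_after: str, now_iso: Optional[str] = None) -> int:
    """Whole days until expiry (negative once expired).

    now_iso pins 'now' as an ISO 8601 string with offset so the arithmetic can
    be checked without depending on the wall clock.
    """
    expiry = parse_not_after(not_after)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return (expiry - now).days


def classify(days: int, warn_days: int = 30) -> str:
    """Turn a day count into the three states a renewal checklist cares about."""
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "RENEW SOON"
    return "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a verified TLS connection and return the served cert's notAfter."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str) -> str:
    """One line per host; a verification failure is itself a finding."""
    try:
        days = days_remaining(fetch_not_after(host))
    except ssl.SSLCertVerificationError as exc:
        return f"{host}: VERIFY FAILED ({exc.verify_message})"
    except (OSError, ssl.SSLError) as exc:
        return f"{host}: UNREACHABLE ({exc})"
    return f"{host}: {classify(days)} ({days} days left)"


if __name__ == "__main__":
    # Usage: python check_cert.py www.example.com other.example.net
    for name in sys.argv[1:]:
        print(check_host(name))
```

Because `create_default_context()` verifies the chain and hostname, a certificate that is already expired, self-signed, or issued for the wrong name surfaces as `VERIFY FAILED` rather than being silently reported with a day count, which is the same thing a visitor's browser would see.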
Help Your Staff Identify Malvertising, Phishing, and Other Scams
With the increasing popularity of an ad-supported internet, malvertising provides an easy way for hackers to gain access to users who frequent popular, high-traffic websites. Malvertising refers to online ads that promise something attractive — like free antivirus software — if you click on them and download their content. Instead, their “payload” usually contains something ugly, like spyware that can be used to access a user’s financial information.
Malvertising and other malware are relatively easy to avoid if no one in your organization clicks on them. But as with most things in cybersecurity, it’s a numbers game. While most people won’t click on malware links, just one or two careless clickers can really do a lot of damage. According to recent data, just 3% of employees were responsible for 92% of malware events.
Like malware, phishing is nothing new. But most people tend to be overconfident in their phish-spotting abilities. Unfortunately, according to KnowBe4’s 2023 Phishing by Industry Benchmarking report, workers across every industry, in organizations of all sizes, remain vulnerable to phishing scams.
Unfortunately, hackers are also evolving their techniques to take advantage of cognitive biases. Training is remarkably effective at helping employees recognize these malicious attempts, but only when it’s on par with modern phishing strategies. When evaluating training options for your organization, find a solution that includes modern examples of how social engineering tactics are specifically designed to lower the guard of an unsuspecting employee. The best solutions out there will also include the ability to perform your own internal phishing campaigns and provide users with training tailored to them when they accidentally click on one of your test phishing emails.
Protect Your Data From the Inside Out
Even with a heavy focus on digital efforts, businesses can leave themselves vulnerable when they assume the biggest threats are coming from hackers halfway across the world.
Cybersecurity threats can also be present in your own office. Investing in physical security hardware, like restricted points of entry that require badge swipes, can go a long way in keeping data and network endpoints secure. Furthermore, educating employees regarding physical security — like the risks associated with tailgating or a sticky note containing a password — can also go a long way in creating a culture that takes security seriously.
Web Application Pen Testing
OWASP Top 10 is a great free resource that highlights the most critical security risks to web applications. It is all too common that security is only applied in the software development lifecycle AFTER the product is built instead of being integrated within the development process. Many common web application vulnerabilities stem from this misalignment. Walk through the OWASP Top 10 with your development team to double-check these common vulnerabilities. If you don’t have the expertise or the time to do this in-house, we can help. Marco works with a number of third-party strategic partners to deliver pen testing services, including for web applications.
Get Quick Help With Web Security
The biggest tip I’d like to offer every IT pro or business owner out there is that technology changes every year, but cybersecurity threats evolve from month to month if not week to week. It’s completely understandable that most IT teams struggle to prioritize things like patch management and end-user security training, let alone keep updated with all of the latest cyber attack grounds and ever-changing vulnerabilities.
Luckily for business owners, there are some very high-impact things companies can do to significantly lower their cyber risk and increase their security posture.
That’s why we developed our comprehensive cybersecurity assessment — to uncover hidden areas of risk that exist in your environment. We use the findings from the assessment to make recommendations on what updates should be prioritized, identify unsupported systems, evaluate tools against industry best practices, and even determine what administrative controls or policies should be a top priority and what can safely wait. After we present our findings, what you do with that information is entirely up to you. And this certainly isn’t a “gotcha exercise” for internal IT teams. Actually, we often find that our recommendations include a few they’ve been trying to advocate for over many years.